Do true security product managers exist? This is the question I began asking myself a few years now since I started to move from a pure security role into leading the effort with a team to build a product. After a few years, I transitioned into product management and then transitioned back into full engineering. During this time, I realized there are very few true security product managers. Many product managers have never really penetration tested, conducted a risk assessment, taken formal security training or even attended a defcon conference. I found it very interesting that these were the people prioritizing the solution to protect organizations. Over the past two years I’ve searched to see are there any true security product managers and the result is not really.
The security industry is struggling to find real security people to drive the right priorities into our products. We need people that live and breathe security. Without the right skills building our products we will not only be 1 step behind the attackers and accidental breaches we will be several.
Whether defending against common malware or some determined Nation State, being able to proactively detect attacks and changes in the organization are required. The past year I spent a large amount of time helping several organizations setup and put in place the right people, processes, and technology to help defend against increasing security threats. Although many organizations spend millions of dollars on technology and hire staff to monitor security 24/7 the organizations were still lacking two fundamental items.
The people although good at monitoring lacked the attack and threat mind set. The staff was not able to figure out when an actual attack was happening.
Second the organizations lacked the basic security operations processes required to keep track and make appropriate use of the vast amounts of data.
As a result I spent the past few months developing a whitepaper that specifically addresses the primary components of a SOC, which can be used to help organizations setup a centralized core and embark on developing the correct operational processes. Although I don’t address item number one above, this paper explains in detail the following.
Defining the SOC
Determining the Processes
Understanding the Environment that needs protected
There has been a large amount of security information and recent attacks posted in the media. We have Mandiant’s report on China as well as several issues concerning Java. The pure volume of information over the past year has made it difficult to keep up without a combination sources. As a result InfoSecAlways has done a few modifications to the site. Please check out the new “Security Feeds” in the right column (4th Block Down). This is a combination of about 20 different security RSS feeds piping into the blog now. You can check the site daily to get the latest news and updates in the industry.
Also, check out the links page as there are several new Threat and Vulnerability links added. These are great if you are looking for specific attacks, breaches, or threats.
Hands down Day 1 of Recon the Magic Bus by Travis Goodspeed and Sergey Bratus took the show. Great informational and entertaining presentation! I encourage anyone to check out the hardware Travis has developed and his papers if you are into understanding key security issues with the Bus.
Next I found the presentation by Rolf Rolles some of the best work I’ve seen in this field. The presentation was focused on Syntax and Semantic based methods for reverse engineering.
Under the Syntax based methods Rolf talked about looking for patterns that can help identify signatures such as packers, FLlRT, etc. It seems like this could be a good idea for an offshoot tool. However, it important to note that he said an attacker could possibly avert these patterns when a reverser is using Syntactic methods by recompiling or doing complex obfuscation. Guess this is another reason we should all be doing obfuscation in the commercial world.
For this discussion Rolf described scenarios for an automated key generator, automated bug discovery, etc. Most of the talk was explaining the mathematics behind the analysis which overall appear to very basic in nature. However the way Rolf has applied the math in the analysis is quiet interesting and very intelligent.
Without going into too much detail he simply replaced concrete semantics (i.e. x,y) with abstract semantics (i.e. +(positive), – (negative)). Then using truth tables on Bits (standard bit analysis either 0 or 1) (unknown bit analysis using 0,1, ½; ½ represents unknown) he is able to map out patterns.
In general the rest of the day was filled with other speakers who were interesting but just didn’t seem to catch my full attention. With that said Tarjei Mandt did a good job explaining atoms and string based attacks.
All and all a pretty good first day especially since Montreal had a music festival running with Dissonant Nation, which made a great evening of entertainment.
Wikipedia truly is amazing. Check out the list of worldwide security conferences. This is a great place to look for any professionals wanting to speak or attend high profile conferences. Definitely a good site to add to my links page.