
Black Hat 2016 keynote: We need sharing, not competition, in security

Black Hat 2016 keynote speaker Dan Kaminsky called for more information sharing in security and for more long-term, public-sector work in the cybersecurity space.

Las Vegas -- The Black Hat 2016 conference keynote was a call to action in both the public and private sectors to focus on ways to make dealing with cyberthreats faster and more efficient.

Dan Kaminsky, security researcher, co-founder and chief scientist of White Ops, began by saying it is important not to underestimate speed when it comes to making security decisions.

"Speed has totally changed, what was once months has become minutes. Everything has changed," Kaminsky said. "What you can build, what gets broken and how long we have to learn and adapt from our experiences, those cycles have gotten so fast. And our need to make things secure and functional and effective has just exploded."

Kaminsky described a number of different things, from large projects to small moments in development, that can impact security.

"People think that it's a zero sum game, that if you're going to get security everyone else has to suffer. Well, if we want to get security, let's make life better for everybody else. Let's go ahead and give people environments that are easy to work with," Kaminsky said. "Think in terms of milliseconds. Think in terms of the lines that you're impacting, the time that you're taking, the difficulty in making something scale out not just for your own use but for the use of the world. This is the game to play."

Kaminsky dug deep into the history of the internet and the gritty details of code to identify ways to improve speed, but two themes came back time and again in his talk.

First, Kaminsky said information sharing is a critical way to improve security in the short-term. He said managers have all had the experience of assigning engineers to fix a security issue "that has probably been fixed a thousand times, so maybe we should start actually releasing the code that we're doing … If you actually want your coworkers to solve a problem not repeatedly, it might be cheaper and [more] cost effective for you to just give it to the world."

"Bugs are not random. Fixes are not random either. We're not taking all of the lessons we have to deal with and actually dealing with them," Kaminsky said. He noted talking to a group of bankers who shared code and fixes with each other. "He said, 'Yeah, we don't compete on security. If one of us gets hit, we're all going down so we should probably share our information.'"

For longer-term projects, Kaminsky said more work was needed from the public sector.

"I believe in all projects in terms of timelines," Kaminsky said in a press conference following his keynote. "How long is it going to take to do this? Some things are just going to take three years of effort and the longer the timeline, the less it's something that private sector is good at and the more it's something the public sector is good at. How do I get a hundred nerds working on a project for ten years and not getting interrupted and not getting harassed and not getting told to do different things? The way you don't make it happen is how we're doing it in infosec today, which is the spare time of a small number of highly paid consultants. We can do better than that."

Kaminsky said he wants something like the National Institutes of Health (NIH) for cyber -- a public works organization to take on long-term research projects with stable funding.

"I want an organization dedicated to the extended study of infosec, that can fund and implement the hard and sometimes really boring work that fixing all these problems is going to take," Kaminsky said.

One example of such an effort was the work done by the Software Assurance Metrics And Tool Evaluation (SAMATE) project at the National Institute of Standards and Technology (NIST), which Kaminsky described as "the greatest scut work" he's ever seen.

"They went ahead and they collected variants of every single vulnerability in C and Java, and there's like thousands, and they went ahead and made it so you can compile them into one program," Kaminsky said, and he described the value of such a body of work for all of the companies working on static analysis tools. "That stuff may exist in the bowels of Microsoft or Oracle or many other companies, but it was NIST that got it out the door."

No matter the aim, short-term or long, Kaminsky stressed the value in sharing information and being open with knowledge.

"Experts and users have different things in mind for their technology. I don't mind if you just want to work on your own stuff," Kaminsky said. "But the real magic comes when you take the expertise that you've got in security and you translate it and you rebuild it and you reform it. Don't be afraid to take the knowledge you have and make it accessible to vastly more people."


Do you see any obstacles to increased sharing of information security information? If so, what are they?
Thanks for this, Michael - Dan Kaminsky makes some very incisive points, especially over short-term and long-term effort. He mentions the private sector and the public sector in relation to those time-lined efforts - yet there is another option, the third sector - non-profit.

Apologies if this comes over as a sales pitch - it's meant to be a case example - it's just that security is our space:

We're trying to do the big things that Dan alludes to in the IoT end of the cyber security domain - at the IoT Security Foundation. Today we see quite a lot of fragmented effort across IoT in security... it is often good, it is mostly useful, yet the whole mission would be better addressed from a centralised entity with security as its raison d'être (as opposed to a subgroup from a bigger initiative, say). In this model there are many overlapping contributions from the private sector which aggregate as an annuity of effort; it is funded by many small contributions (i.e. members), it has a long-term goal and it is driven by those who contribute. That's what we aim to do - address the security issues in IoT holistically, system-wide and for the long term (driven by the experts).

I am sure you'll find other case examples in other sectors too, for the simple reason that "it works".