The Daily Incite - March 17, 2008 - Dan Geer's SourceBoston Keynote

Submitted by Mike Rothman on Mon, 2008-03-17 17:49.
Today's Daily Incite

March 17, 2008 - Volume 3, #27

Good Day:
So, it's not morning, and I was fully intending to pass on posting a TDI today. I have a lot of mop-up work remaining from Source Boston last week, which was going to wait until tomorrow. But when motivation strikes, you need to indulge it. Maybe it's more procrastination than motivation - but all the same. We have so few actual heroes in security - so when a guy like Dan Geer gets up and speaks to you for 50 minutes, you listen. All of us that were able to attend the conference last week received a real treat. Dan of the mutton-chop sideburns looked into the fog of the future and gave us all some perspectives.

To be clear, Dan has forgotten more about security and risk management than you or I have known. And he's so soft-spoken and uses words so judiciously, sometimes it takes a week before you get what Dan is trying to tell you. But it's there. He doesn't give it to you, you need to grab it for yourself. That's what makes being Dan's friend so rewarding. He makes you think. I can only hope that someday my friends say the same about me.

You can get the full text here: I suggest you do so, and you read it at least 5 times. You can't appreciate the depth of Dan's perspectives and the breadth of his vision until you do so. Don't argue with me, just do it.

The Future

I love the quote from Niels Bohr: "Prediction is very difficult, especially of the future." It just says so much. Anyone who does what I do tries to look into the future. Sometimes you are close, other times not so much.

So what did Dan have to say? At its unbridled core, Dan's message was really focused on the fact that the future is a messy business. Change doesn't happen linearly or pleasantly. Businesses are disrupted, life forms are disrupted - usually into extinction. Yes, the future is certainly a messy business.

He laid out a doom scenario, where the E911 virus was hooked up to a NIMDA propagation scheme in 2001 and all hell could have broken loose. It didn't, and for that we are lucky. Better to be lucky than to be good. But that's really the point. You tend not to see, expect or plan for the thing that ultimately kills you. Whether it's a Black Swan or not, most of us never see it coming.

Dan then transitioned to discussing metrics, but really as the arbiter of decision support. He's exactly right that we cannot use "words anymore," now we have to use numbers to describe security. But which numbers and how? Thus the rub. But Dan doesn't sugarcoat the challenge of getting to a relative/ratio scale of quantifying security - which would really be useful.

Dan had some interesting perspectives on parasites and bot-nets. It's an astute observation that we've seen less virus activity and much more parasitic activity that doesn't want to kill the host, rather siphoning off life a little bit at a time. And the points about the bot-masters taking care of their herds much more effectively than most organizations secure their endpoints made me laugh. But only because it's true. The odds are great that Trojans now include anti-malware and other anti-bot defenses because the masters need to keep control. They certainly wouldn't want to lose their minions to another opportunistic network operator.

Ultimately Dan circles around to the monoculture discussion because he pretty much had to. For better or worse, everyone has their legacy and monoculture is Dan's. It's too bad because there is so much more to his body of work, but whatever. At least he acknowledges it and accepts it, and goes to great lengths to show that he ultimately will be right. Given that we've basically accepted the operating system monoculture, the only outcome is that we will "win decisively or fail catastrophically," as a genetically alike hive is certain to do. Given the trends of what we do, you don't need to be Dan Geer to figure out which end of the scorecard we'll end up on. Yet to draw that conclusion 5 years ago, you did need to be Dan Geer.

Thankfully, Dan did not wear his Chicken Little suit. His advice is to start thinking of our computers as limited time life forms, which need to be refreshed and renewed frequently. That's kind of the idea with an entirely virtualized desktop or even one-time use browser images, which do not have access to the core aspects (and data) of the mother ship. It's an interesting model, yet still too complex and expensive to make work across a large global enterprise. But that's today. I can assure you that tomorrow this kind of model will prevail. It has to. Biology says so. Dan says so. And that's good enough for me.

Yet at the end of the day it gets back to the fundamental question: "How much security do we want?" That, my friends, is a business decision. It's a risk-based line of thinking and it's the fundamental truth of security. We all need to understand our own organization's thresholds for pain and suffering and act accordingly.

Dan leaves us with a hopeful message - at least that's how I interpreted it. We do security because we are interested in the unknown unknowns. The problems that seem to have no answers, which are questions brought on by "a love of knowing how things work and by satisfying that love by knowing how they fail." Dan reminds us that our profession is noble. Maybe the most noble of professions - at least in the IT world anyway.

Don't forget that. I have no idea whether there will even be a security industry in 10 years. You certainly could paint a picture of our demise based on Dan's words and the published thinking of many other pundits (including yours truly). But ultimately what we call ourselves and who we work for is of little consequence. As long as there is information, there will be the need to protect it. As long as there is money, there will be fraud. As long as we have children, we'll want to keep them from seeing the world as it is, for as long as we can. And thus there will always be a place for nobility.

I figure even Kurzweil's machines will understand that. I should hope so because by then I will probably need a job.

Have a great day.

Photo Credit: The Future by CaptPiper

