If only one thing impressed me at last week's FIRST conference in Miami, it was the extent to which the security community is moving toward collaboration. The FIRST community, now in its 23rd year, has long been about collaboration. Even so, this year's event highlighted companies, organizations and even international law enforcement deeply exploring the ways in which they can collaborate further and better to hold the line against the increasingly virulent opposition -- the bad guys.
Still reeling from the sophistication and dimensions of attacks such as Conficker, the FIRST community is looking at issues such as 1) how to categorize attacks and attackers, 2) how to format data regarding incidents so that it would be most easily transmitted, 3) how to understand each other's cultures and 4) the sheer benefit of getting to know enough of their national and international compatriots on a first name basis that we can all begin the kind of dialog that can lead to a much needed sharing of information on a global scale.
I heard a lot about how different organizations are setting up incident response teams and where these teams are situated within these organizations to be effective. I got some excellent advice on why understanding insider threats needs to not be just an IT issue; in fact, the people best able to see a problem coming might be so remote from IT that IT is the last to suspect a problem.
I learned not just about DNS vulnerabilities, but about a working group collaborating to work on DNS issues and DNSSEC (DNS Security Extensions) -- an effort to protect the Internet from certain types of attacks, such as cache poisoning. DNSSEC is a set of extensions to DNS, which provide: a) origin authentication of DNS data, b) data integrity, and c) authenticated denial of existence.
I learned about malicious PDF files and the sorry security state of the wild wild cloud frontier.
Yet, the thread that mostly tied it all together for me was the idea that we're all in this together. If we don't collaborate to resolve security problems and counter security attacks, we will not be effective against the international and highly sophisticated nature of tomorrow's attacks.
In one series of talks I attended, representatives from law enforcement from maybe 12 or 20 countries, including Interpol (headquartered in Lyon, France) met to brainstorm on how they could work together more effectively.
And the conversations ran as deep as they ran wide. Even I, a Unix devotee for more than 25 years, found myself chatting with a representative from Microsoft about their SDL (software development lifecycle) process -- a security assurance process that is focused on software development. The rep told me that MS developers go to security training every year now -- much different than was the case only several years earlier. The threat landscape is changing. Attacks will continue to get uglier. But the good guys are taking stock. And I went home with an "Elevation of Privilege (EoP)" card game -- an interesting way to teach developers about threat modelling. See http://www.microsoft.com/security/sdl/eop.aspx for more information.