#eweekchat - CrowdChat

Trends in New-Gen IT Security

JOIN US: This is a chat-based conversation about what you think we can expect to see--or won't see--in data security this year. We'll have expert commentators!

#eweekchat @valb00 @editingwhiz @jasongarbis @makitadremel @careandkickbutt @cscobie @m11sec datasecurity secops itsecurity

LeaderBoard

#eweekchatPredictions/Wild Guesses 2020JOIN US: This is a chat-based conversation about what you think we can expect to see--or maybe shouldn't see--in IT next year.

#eweekchatTrends in Data OrchestrationJOIN US: This is a chat-based conversation about what we're seeing in the organization of all that data we're collecting. Data orchestration--using Kubernetes or other platforms--is a key topic right about now. We'll have expert guest hosts!

Stream Ended

Establishing a secure connection

A2: Almost all attacks on enterprises came from email in the last decade. I don't see it changing much in 2020, I believe it will still be a big issue.
In addition, API security becomes more and more important since they are exposed to the whole world and susceptible to attacks

[+] Show Hidden Comments

Vittorio Viarengo

yes, plus the new vast surface of cloud properties, SaaS/IaaS and PaaS

Could you elaborate on this one? In particular, I find SaaS/IaaS tend to improve security because:

Agree. Attack surface should be reduced

A2: 1) The company is actually paying attention when they adopt new tech (old security fell lax) . 2) The providers have a lot more concentrated focus and expertise on security.

While the core of a cloud service may be secure, it can still be used in an insecure way. I have met people who are underestimating the cloud problem because they are just looking at the low level security features delivered by the vendor themselves

if users can share a folder when they mean to share a file, open up the settings to other people without realising it, then the risk is large

Stephen Manley8

A4: That leads to a question I've had... how do we as an industry help regulators and government officials pass laws/regs that make sense?

[+] Show Hidden Comments

Chris Preimesberger

Especially difficult in this biforcated political world we inhibit.

Chris Preimesberger

OOps.. bifurcate. I'm a EDITOR!

If laws are based on the basics they can continue to be useful in the future, don't base laws on the technology per se. Such as in GDPR YOU own YOUR data, everything else follows.

Vittorio Viarengo

he he. I am glad I am not the only one mistyping :)

@makitadreme very good question. Especially in our fast-moving world.

Chris Preimesberger

We think faster than we can type well, it seems!

Val Bercovici - 2020 Hindsight8

3a: That means mitigating '3D vulnerabilities' by mathematically 'Provable Computing' in our words - where all infra, code, models and especially all data/log pipelines are verified off a decentralized integrity base BEFORE consumption.

#ZTX https://www.crowdchat.net/s/55x2q

[+] Show Hidden Comments

I like that idea. (And the chart)

interesting. I view that as very useful metadata (service attributed) to be included in a policy model

(edited)

Vittorio Viarengo

you had me at "mathematically 'Provable Computing'"

that is, a #zeroTrust policy model should include that as a requirement before a workload can be eligible for access across a network

Val Bercovici - 2020 Hindsight

Yes, we need broadest possible #ZeroTrust deployment on info access - but why not for all back-end resources providing the info being accessed as well?
eg. No new code deployed before decentralized verification

Chris Preimesberger6

This has been a wonderful discussion. Outstanding interaction and engagement. Don't know about anybody else, but I certainly learned some new ideas here today. Some good seed for articles on @eweeknews.

[+] Show Hidden Comments

Thanks!

Thanks you very much Chris, it was great!

Vittorio Viarengo

@editingwhizThank you for having me. I en joyed the stimulating conversation. Let's go make the world more secure now

Thanks for the chance to Tweet for @DruvaInc with the great panel. Special shout out to @valb00 as always!

(edited)

Vittorio Viarengo6

A5: Passwords will be obsolete.... no wait, that's a wish...

[+] Show Hidden Comments

yes please

Ha! I love this!

Val Bercovici - 2020 Hindsight

seamless identity #AuthN & #AuthZ throughout all digital services

Vittorio Viarengo

well, face recognition is out the window with deep fake, so scratch that...

Val Bercovici - 2020 Hindsight

yeah, turns out trusted biometrics at scale is yet another hard problem ;)

Vittorio Viarengo6

A5: shift left in development security

[+] Show Hidden Comments

Vittorio Viarengo

That is looking at security vulnerabilities in application code and configuration before it ever goes into production

This is done for a long time for the GAMFA companies. It's still too expensive for smaller entities

Val Bercovici - 2020 Hindsight

Zero Trust DevOps is really: #SecDevSecOpsSec :)

Vittorio Viarengo

I think that shift left is still new to many late majority type of companies

Chris Preimesberger6

Q4: What do Facebook, YouTube, Google and other public networks need to do to continue to make improvements in their data privacy and protection processes in 2020?

[+] Show Hidden Comments

A4: some of the "improvements" have been forced upon them by regulators and lawsuits, I think regulators need to keep pushing organisations hard that collect and use our data

(edited)

Val Bercovici - 2020 Hindsight

I've become a massive skeptic about progress in this area. Nevertheless, priority needs to be tough legislation with more teeth (enforcement) than GDPR so far. Also lots of thought needs to be given to unintended consequences of any legislation.

Val Bercovici - 2020 Hindsight

i.e. having more corp lawyers on staff shouldn't be the easy button for large biz to bypass legislation - and smallbiz should not be penalized via overbearing legislation. Balance here is elusive - but essential. We need more policy students to graduate!

Eric Kavanagh on #DMRadio

Would love to see much more in-depth collaboration between these companies to identify threats, share intelligence and seriously cooperate. Would love more of this in #FinTech and #GovTech and elsewhere! #eWeekChat

Vittorio Viarengo6

A2: Broader Deepfakes Capabilities for Less-skilled Threat Actors

[+] Show Hidden Comments

agree that this will be a huge problem that we need to solve - the detection & flagging of these

I fear that people will die because of this - too easy to use this to instigate protests, riots, even wars

Chris Preimesberger

I'm in this camp. Deepfakes REALLY worry me because the general population is so image-oriented.

Another strong agreement from me.

Stephen Manley5

A5: In 2018, we saw Ransomware as a Service (no joke). In 2020, you'll see vendors offer integrated Ransomware Protection as a Service - recovery as well as improved detection.

[+] Show Hidden Comments

Val Bercovici - 2020 Hindsight

you know this is harder than it sounds - but absolutely necessary. Big issue is separate domains of data control to prevent adversarial encryption / deletion of DR copies, backups, archives, etc...

This is where I think cloud and SaaS can make a big difference. #biased

A4 - in some jurisdictions there is definitely risk of legislation being imposed upon them, or even anti-trust threats. Which is kind of crazy, to think that it could come to that.

[+] Show Hidden Comments

From the European side of the Atlantic, it doesn't seem cray at all that regulators care, I support their efforts to rein in misuse of data in all forms

@wheresnigel Why do you think the European side of the world cares more about privacy than, say, the US? Because I think it does - curious as to the underlying causes...

I think the regulations are needed and that their use/abuse of data is out of control. My "crazy" comment was more about the power these firms have, that that's even a consideration in response.

Aha, I'm with you