Needed: A 'Turing machine' for security

SAN FRANCISCO - In his opening remarks at last year's RSA Security conference, company chief executive officer Art Coviello emphasized the need for information technology security to become information-centric rather than focusing on networks or systems.

'We haven't focused on information security at all,' he said. The focus has been on the perimeter, which has for all practical purposes been eliminated by the Internet and mobile networking.

In the past 14 months, that situation has only gotten worse with the proliferation of wireless access, mobile computing, peer-to-peer communications and Web-based applications. At the same time, the ability to manage and secure information has been hampered by the sheer volume of information IT systems are inundated with. Security workers spend their time reacting to yesterday's threats rather than managing risk.

We need a new paradigm, Coviello said at this year's RSA conference, which drew 15,000 to 20,000 security specialists.

'Static perimeter defenses and rigid rules of hard-and-fast security policy are crumbling,' he said. So he asked himself, 'What would Alan Turing do? How would he advise us?'

Turing, the 20th-century British mathematician, code breaker and father of computer science, was the theme of this year's conference. He came up with the concept of the Turing machine, a thinking machine that could emulate the human brain closely enough that a person holding a conversation with it would not be able to tell if he were dealing with a machine or a person.

Coviello's answer is a Turing machine for security: functionality built into the infrastructure that could take over the chore of intelligently managing risk in the enterprise. This is the logical extension of Coviello's declaration last year that stand-alone security is obsolete and stand-alone security companies soon will be a thing of the past.

Intelligent, autonomous security would free security managers to concentrate on the larger job of encouraging innovation rather than constraining progress. Coviello offered a list of recommendations for security practitioners in using their newfound time to help security become a business enabler rather than a necessary evil. He also produced a wish list for Congress to help enterprises achieve meaningful security rather than mere regulatory compliance.

The Turing security machine is not a total flight of fancy. Elements of the needed functionality exist on the conference's show floor, although they are a long way from being integrated into an organic whole. A thinking security system still would rely on high-level policy created by people, but the system would be able to understand and predict human behavior. It would know what content is important to which people and be familiar with how it is accessed and used. This understanding could be used to recognize patterns and identify anomalies that could pose risks, either in the behavior of users or by data and code on the networks and in systems.

Credit card companies already use pattern-based recognition to detect unusual behavior in credit card accounts, allowing them to identify problems and notify customers quickly, and possibly nip fraudulent use in the bud.

Other elements of thinking security already in use today include zero-day exploit prevention and rootkit detection tools that use behavior rather than static signatures to spot problems, data loss prevention tools and risk-based authentication schemes that understand patterns, and security information and event management tools.

'We're a long way from being there, but that's the endgame,' Coviello said.

That endgame would encourage greater innovation, he said. 'We live in a time of unprecedented innovation' that too often is stifled by security considerations and regulation, he added. To foster it, security managers must:
  • Have a mind-set that looks for ways to allow activities rather than denying them because they present some level of risk.
  • Have a thorough knowledge of an organization's mission and needs so risk can be evaluated.
  • Establish relationships with other teams within the organization so needs can be anticipated.
  • Evaluate risk, considering the probability of an exploit and its consequences and ways to manage these factors.
  • Recognize and seize opportunities to use security to add value to the mission.
  • Build repeatable processes.
  • Take time to think in terms of managing risk rather than confronting problems.

None of these ideas is revolutionary, but putting them into practice has been difficult in an environment in which security teams are constantly fighting fires and working toward regulatory compliance. Coviello acknowledged the need for regulation but called for common sense. He urged security officials to comply with the spirit of regulations but to push back against extreme interpretations that do not contribute to genuine security.

'We do some ridiculous things in the name of perceived security,' he said.

From Congress he wants:

  • A federal data breach notification act that will replace the current patchwork of state laws.
  • More investment in education to produce a better and bigger talent pool of security professionals.
  • A higher priority on research and development for innovative security techniques and technologies.
  • A cybercrime bill to close current loopholes in computer crime laws and put the focus on prosecution rather than regulatory requirements.

'Let's punish the criminal, not businesses,' he said.
