The keynote was quite entertaining mainly because it used references to the Greek and Babylonian mythology but on the other side it was very difficult to really understand the message and the ideas that the presenter tried to promote.
But here some ideas that I was able to catch:
- assume compromise
- business people do not understand the security goals
- perimeter defense; you have to win every time; one single mistake and the perimeter can be breach.
- attackers are using the speed; the defenders have never the initiative.
The presenter believes that the security is seen by the casual user/client as a burden. The security peoples should try to understand why the users try to circumvent the security, try to understand how the peoples are working and must try to adapt the security to fit the user needs.
The possible solutions are not from the IT world; try to apply the design thinking. A good design solution should have the following properties:
- is innovative
- makes a product useful
- makes a product understandable
- is long-lasting
- is unobtrusive
Some examples of products/companies that are trying to understand better the client: 2g Tuesday at Facebook
The problems with the security testing today :
- limited metrics
- increase technical debt.
- gives limited experience.
Another major problem is that the read team and blue team are acting independently, do not really share knowledge.
The speakers proposed some solutions to this problem; some of the interesting points that I was able to catch:
- predict the likelihood of successful attacks before they happen.
- creation of an information sharing platform and knowledge base.
- assemble your team and tools
- create defensive measurements/metrics.