2015 Duo Security Summit Recap + Adventures in SF
The Duo Security Summit was hosted at the Automattic Lounge in San Francisco this year, welcoming information security professionals and industry leaders alike to discuss new security strategies and technologies. If you couldn’t make it, check out a recap of the talks below, including speakers from Google, Palantir, Box, Microsoft, Dropbox and more!
Duo’s Viewpoint and Vision
The event kicked off with a word from Duo’s co-founders, CEO Dug Song and CTO Jon Oberheide, on Duo’s Viewpoint and Vision.
In their opening statement, they acknowledged that the information security industry has advanced to offer more specialization and better security - freeing customers from the need to develop or maintain their own app services.
Yet, even as security gets better, data breaches are getting worse. The tech terrain has shifted dramatically: we’re deploying the same technology we used to, but the ground beneath it has moved. “The world has changed. Security has not.”
Dug and Jon proposed three ways to evolve security to this new world:
- Move from bolt-on to built-in security. In the past, we’ve deployed antivirus, IDS, firewalls, etc. onto our insecure networks, trying to add some type of security. This doesn’t work anymore - we need to plan better for security upfront.
- Make security the ‘yes’ department. While previously, security has gotten a bad rap for denying the use of applications and technology due to security concerns, we need to find a way to make that technology secure and viable.
- Radically simplify IT and security. Defense-in-depth is actually expense-in-depth. Companies must hire teams to manage and deploy all of those solutions, sometimes not very effective ones. Security solutions have moved to the response side, bringing a defeatist attitude by assuming that you will be breached, no matter what. But Duo believes you can build effective security controls that are both pragmatic and secure.
We need to figure out how to stop attacks and how to respond to them, as well as how to secure ourselves as a community.
Security Strategy Panel
Moderated by Dug, the strategy panel featured the following security professionals:
- Zane Lackey, CSO, Signal Sciences
- Geoff Belknap, CISO, Palantir
- Joel de la Garza, Security Officer, Box
- John Lambert, General Manager, Microsoft Threat Intelligence Center, Microsoft
While we’re working on providing a video of the talks, here’s a summary of a few takeaways from the panel:
Dug: How are you simplifying security?
Zane: We’re giving people the ability to make their own decisions with the necessary tools and data. The central part of an organization may not know why alerts are going off because of a lack of context. But we’re simplifying security by giving them the visibility and capability to handle issues themselves.
Geoff: We’re looking to build a solution that you don’t have to think about. Palantir had a very complex authentication environment - some people could use tokens and others could not. Duo Security enabled them to use self-registration and push notifications [Duo Push] as authentication - that was huge.
Dug: We’re seeing more and more organizations delegate and leverage BYOD. By 2017, some banks want to do away with computers and desktops, and provide their employees with stipends to buy their own devices.
Joel: Mobile is growing at a fast rate - nowadays, we’re working in a radically different world in which mobile is the new reality. BYOD solutions and mobile security solutions (security theater) don’t actually provide the controls needed. We’re pushing to provide greater control over mobile endpoints.
Financial services are typically very cloud-averse. Not all cloud vendors are created equally. Organizations should take a risk-based approach with a third-party risk assessment process. Evaluate vendors and you’ll find that they can probably run things better than you can.
Dug: Capital One [the bank] wants things to be 100 percent cloud.
Geoff: Cloud is just stuff running in a slightly different data center. A strong risk assessment approach is key. Establishing the credibility of a security solution and trusting a provider is difficult. However, cloud providers are incentivized to build secure solutions to meet the needs of their customers.
Dug: Why are startups popping up for security?
Joel: There’s the fundamental problem - we can’t find enough practitioners out there that know what they’re doing. Security now is about building technology that requires more people to maintain it - we’re stuck in a death spiral.
On building a security culture:
Geoff: Being more transparent with internal employees made them more willing to engage, take responsibility and own their protections. We also provide incentives for employees to report security incidents in order to drive the culture internally.
Joel: We communicate the consequences to people using a simplified message, making it clear that attackers are trying to rob employees or the company.
Gaining Control and Visibility with Duo
Next, Duo’s Director of Product Marketing Ash Devata gave a detailed walkthrough and product demo of Duo Platform Edition, Duo’s latest and greatest enterprise security solution slated for release in May (any current customer can upgrade, or request access to the beta to test the new edition’s features).
Platform Edition solves new problems around securing access. As the 2015 Verizon Data Breach Investigations Report found, of the breaches that happened in the past two years, 95 percent involved attackers using stolen credentials.
Ash demoed the edition’s capabilities for Device Insights and Policy & Controls, showing how administrators can restrict authentication based on location, user, application type and more. With Device Insights, you can inventory all of the mobile devices in your network without the help of any agents, by taking advantage of APIs that send information to the administrative console.
Likewise, you can get visibility into authentication devices without changing the settings on people’s personal devices. While not enforcing control directly (changing your users’ settings), you can still gain visibility. Learn more about Duo Platform Edition.
Technology Strategy Panel
Moderated by Jon Oberheide, the technology panel featured security professionals and practitioners, including:
- Ryan Seu, Security Engineer, Dropbox
- Ivan Leichtling, Engineering Manager, Yelp
- Andy Zmolek, Partnerships, Android for Work, Google
- Chris Palmer, Chrome Security Engineer, Google
- Aisha Visram, Founder, Mobile Guroo (formerly: MobileIron)
Jon: How do you measure security success?
Ryan: Success means being worthy of trust - having data where you want it, when you want it - it implies that users can trust them.
Ivan: Establish trust and well-founded trust. Data and transactions must have the highest integrity.
Jon: What’s happened in the last five years, and what kind of real attacks have you seen?
Aisha: Five years ago, we weren’t able to lock down mobile devices. Supporting both mobile and PC security was challenging - PC solutions are not going to work on mobile. Many organizations, even in the Bay Area, don’t have basic mobile security, such as selective mobile wipe when employees leave an organization. It’s ideal to start with the basics and then layer on.
Ryan: The focus of security has shifted off of the network side, going down the host side, lower and lower down the stack to the kernel, OS layer. The offensive can move very fast. Since it’s harder to secure, and requires more momentum to build it, we’re not quite there. Lower stack security is a byproduct of how our industry is evolving. Threat intel sharing has become a keyword, but people are just focusing on it because it’s effective.
Jon: Platform providers have focused on building security on the lowest level possible, trying to do hardware stack security and extending through APIs.
Andy: We like passwords [as a security solution] because of non-zero signal rate - we’re afraid to use things that aren’t as deterministic as we could. In the enterprise, we’re unwilling to use anything not as deterministic as a password. It takes a long time for the enterprise community to embrace security models they’re unfamiliar with.
Jon: What concerns are there around mobile and BYOD security?
Andy: Most concerns are around being able to manage enterprise data. On mobile, it’s more difficult to separate data between enterprise and personal, consumer data.
Aisha: The issue is really corporate data leakage on BYOD. How do we know that credentials aren’t actually compromised on mobile? We need to find out how company contacts are making their way into different mobile applications - we need to know where your personal data is going, and what app it is being shared with.
Jon: Have you ever removed a security product?
Ryan: We removed RSA.
What’s a unicorn solution? It’s a security solution that doesn’t have a tradeoff, and has both good usability and security at the same time.
Ivan: Typically there’s the tradeoff of usability and security. Our job is to find pain points of an existing product and then find solutions that can do usability and security.
Jon: How does legacy infrastructure and security impact you?
Aisha: A lot of people want to rip out MDM [mobile device management] solutions. Legacy is what MDM was two years ago. There’s a lot of room for improvement. It’s still a pretty painful process - we’re leaning on the side of security at the cost of usability. When people don’t want to use a solution, that’s when you get shadow IT. Success is when security is in place, not intrusive, and is running in the background.
Andy: There’s the idea that you must give up privileged access in order to get protection.
Chris: Software is a thing that we keep doing - it’s a process. If you think it’s done when you’ve shipped it, it’s going to be legacy by the end of the week, and it’s something you have to live with.
Andy: People are trying to apply norms that don’t even exist. Cloud mobile computing isn’t going to solve problems that you couldn’t solve in Security 2.0, just because we’re in another generation. Many times, the assumption is, with a tool in place, in the PC world, the same thing applies and should be repeated in cloud mobile.
Thanks to everyone that came out to Duo’s cocktail hour after - it was great to meet you!