Structure Security 2016 full event coverage

Our first security conference couldn’t have come at a better time. Amid Russian hacks on the U.S. political system, the debate over encryption on the iPhone, Yahoo’s historic privacy breach, and the rise of the long-predicted Internet of Things attacks, 2016 might be seen as an inflection point by computer security historians in how we responded to those challenges.

We featured dozens of the best and brightest minds in security — the ones who will have to figure this out — at Structure Security 2016, last September in San Francisco. On this page, we’ll feature links to a writeup and video embed of every single session, just in case you missed it the first time around.

Thanks to all the speakers, sponsors, moderators, and (of course) attendees who made Structure Security 2016 such an awesome event.

Day One:

Day Two:
Exclusive: Yahoo CISO Bob Lord discusses historic breach, security culture at Structure Security 2016
Level3 and Akamai previewed the Mirai botnet IoT attack at Structure Security 2016

Level3 and Akamai previewed the Mirai botnet IoT attack at Structure Security 2016

A few seconds before Dale Drew of Level3 and Andy Ellis of Akamai took the stage at Structure Security 2016 about a month ago, I whispered my last-minute suggestion for their discussion: “Krebs!” I was referring, of course, to what was considered (at the time) a massive botnet of hijacked Internet of Things devices that took down a site belonging to security journalist Brian Krebs.

What followed during their session was an eerie preview of the Mirai botnet attack on Dyn last Friday that brought the internet to a crawl. That attack, which Dyn said used “10s of millions” of IP cameras and other devices that were easily exploited and harnessed, brought hundreds of sites that used Dyn’s DNS services to their knees

“When we look at the history of DDoS attacks, we see these harbinger things come up,” Ellis said, referring to a few much smaller but interesting botnet attacks in recent years. Turns out, he was quite right, but the Krebs attack was a preview of the damage that could be caused by such an attack, not the main event.

“I don’t think we’re going to stop the expansion of the internet of things,” Davis said. The problem, as we learned over the weekend, is that some fledgling IoT companies “deploy (a product) before securing it.”

“What’s happened over the last few years, because the largest DDoS attacks weren’t growing, everybody assumed that the age of big DDoS was over,” Ellis said. Clearly, that’s not the case.

Check out the rest of our Structure Security 2016 coverage here, and a video embed of the session follows below.

Keeping The Pipelines Secure from Structure on Vimeo.

Exclusive: Yahoo CISO Bob Lord discusses historic breach, security culture at Structure Security 2016

Yahoo’s security team has learned a lot of hard lessons over the past month. While Yahoo CISO Bob Lord didn’t shed a ton of new light on some of the security issues recently suffered by the company during his appearance last week at Structure Security, he did vow to share more information about how the theft of personal information from nearly 500 million Yahoo users occurred once the investigations are complete.

I interviewed Lord for about 20 minutes on stage at Structure Security last Wednesday, after the company disclosed that historic privacy breach, but before we learned this week that Yahoo has been scanning incoming emails at the behest of the U.S. government using a tool that was reportedly modified without the knowledge of its security team and later discovered by that team, which is kind of crazy.

We rushed the video into production, and it’s embedded below. Lord clarified the timeline of the incidents to some extent, and reiterated that be believes “state-sponsored” attackers were behind the theft, but was restricted by what he could say in public. Honestly, I didn’t completely believe he was going to show up until he walked in the door, and I would like to thank Bob and Yahoo for showing up and taking questions; I’m pretty sure this is the only interview Yahoo has granted since the breach was disclosed.

We also spent some time talking about our original subject, which took on new meaning in light of the breach: how do security professionals convince product-driven companies to take security seriously? The New York Times and others reported ahead of Structure Security that Yahoo CEO Marissa Mayer was loath to employ security measures that might frustrate Yahoo users right as she was trying to sell the company, and while Lord wouldn’t comment directly on that article, he acknowledged that convincing executives obsessed with product details to put the same value on security is one of the biggest parts of his job.

Check out our full Structure Security 2016 coverage here, and a video embed of the session follows below: the video below.

Are the Demands on High-Profile Product Development Teams Making Us Less Secure? from Structure on Vimeo.

Five things we learned planning Structure Security 2016

A very interesting year unfolded as we planned our first security conference.

It’s a year that witnessed a showdown over the right to encryption between the FBI and Apple, two of the most important organizations in their respective fields. It’s a year in which, at this point, it’s fairly well understood that Russian hacking groups — working with or without the knowledge of the Russian government — have attempted to interfere with a presidential election. And it was a year in which even the NSA itself was hacked, making it clear that a determined adversary will find its way into targets that take security as seriously as oxygen.

Next week Structure Security will bring together the people who are setting the tone for the future of information security, and you shouldn’t miss it. Security industry legend Art Coviello will kick off the conference next Tuesday, Sept. 27th, with a presentation on the state of modern information security. Alex Polvi, CEO of CoreOS, will close the conference on Sept 28th by emphasizing how one of the hottest developments in cloud computing can make us more secure. And we’ll showcase dozens of security leaders in between, from RSA Chief Strategy Officer Niloofar Howe to FBI CISO Arlette Hart to Okta CEO Todd McKinnon.

We’ve learned five things about the modern information security world over the last six months of planning, ranked in no particular order.

  • There is a massive shortfall of qualified information security professionals expected over the next five years.

    If you’re oriented toward a technical career, and have a good head on your shoulders, you might want to consider working in security. Rich companies are throwing money at the best of the best information security engineers, the same way Ruby on Rails experts made bank in the Web 2.0 era and Java engineers outperformed their peers in the first dot-com boom. But this is a little different: security thinking requires a unique set of skills and a different way of approaching software development, and companies desperately trying to improve their information security practices are finding it very hard to hire qualified people on in both leadership and day-to-day roles.

  • The frantic pace of modern tech development often forces security to be an afterthought or a bolted-on-later solution.

    Product development engineers have ruled Silicon Valley for a long time now, and inside many companies, those engineers are evaluated on how quickly they can ship projects to market. There are a lot of very good reasons why speed is so valuable, but the need for speed can create vulnerabilities; not just in your code, but in how you respond to security issues. Solving this tension between your engineering department and your security department will not be easy, but it will be harder the longer you wait.

  • Your security people don’t have all the answers. They need to share information with others and employ crowd-sourced bug testing.

    Information security is one of those difficult fields in which you’re only really noticed when you screw up, despite how many times you’ve saved your company or client from serious harm. That unfortunate reality creates a bunker mentality in which security professionals in similar industries are very reluctant to share information about attacks and threats with each other, making everyone less secure. Yet at the same time, more and more companies are realizing that they can’t expect their own security teams to catch everything. If Apple, Google, and the Department of Defense are willing to embrace bug bounty programs, then everyone should at least consider the benefits of crowd-sourced bug hunting.

  • Just as open-source software took over the enterprise computing market over the last decade, open-source software is poised to take over the information security market.

    The maturation of open-source enterprise software revolutionized the practice of building and scaling information technology departments; this year, Microsoft employees became the leading contributor to open-source projects on Github, which is a staggering change to anyone who remembers the software giant’s epic battles against the very nature of open-source software. We believe that something similar is going to happen to the information security market as well, and you’ll see a preview of that future at Structure Security.

  • Machine learning and cloud computing are changing how information security tools are designed, developed, and deployed.

    One of the biggest problems in modern information security is that it’s nearly impossible to protect yourself against the sheer number of threats and exploits out in the wild, not even counting the ones we don’t know about yet. But what if we could train powerful systems to understand threat and vulnerability patterns? And is putting our workloads in the cloud making us more secure, or concentrating of some of the world’s most valuable data in three or four places that will be irresistible to the best criminals? We don’t know yet, because these trends are still evolving in the mass market, but we’re going to talk about it.

Security is one of the most fascinating subject areas in technology. It’s full of heroes and charlatans, stone-faced government automatons and delightfully punk-rock hackers, and, for the most part, hard-working people who are trying to protect our most valuable institutions and organizations against a growing tide of determined attackers.

They know that our world will only become more and more digital every year until Earth gets hit by an asteroid or runs out of energy. Willie Sutton, when asked why he became the most notorious bank robber of the 1930s, supposedly said “because that’s where the money is.” In 2016, the money is in our networks, and protecting it against the spiritual heirs of Willie Sutton is one of the most important jobs in technology.

Join us at Structure Security next week to learn more about the future of information security. I’d like to thank all the advisors and friends who helped us plan this important conference, and we promise two days of stimulating discussion at the beautiful Golden Gate Club in San Francisco’s Presidio district.

Why CISOs should take a page from the Secret Service when securing their networks

A human being with relatively modest athletic ability can scale the fence that surrounds the White House in Washington, D.C. Once inside, though, good luck getting more than twenty feet from that perimeter before being tackled by a Secret Service agent who played linebacker in high school.

Nathaniel Gleicher, who saw firsthand the obsession with physical security that surrounds the White House while developing information security policies for the Obama Administration, doesn’t understand why more of us aren’t taking the same approach to cybersecurity.

“The job of the Secret Service is managing risk,” said Gleicher, now the head of cybersecurity for Illumio. The federal agency that protects the president is one of those groups that only makes the news when it screws up; however, the Secret Service has prevented an untold number of attacks on presidents and other government officials through careful analysis of threats and by understanding that you can’t lock down the entire area in which a president moves. In other words, you don’t invest all your resources in protecting the perimeter, you identify the key strategic points that you simply can’t allow any threat to access and employ more basic protection tactics to the outer rings of that location.

Makes sense, right? This is a topic that’s come up time and time again as we get ready for Structure Security, September 27th and 28th at the Golden Gate Club in San Francisco, and Gleicher plans to expand on it in a talk at the conference. Art Coviello touched on it last month, and several other members of our advisory board are focused on getting companies to move past perimeter defense and focus on more layered approaches to securing their data.

As with most things that make sense, it’s easier said than done. If the Secret Service needs to prepare for a presidential address at a football stadium, for example, it can obtain detailed maps of that stadium and make educated decisions about which parts of that stadium to defend. But your average IT organization doesn’t have quality maps.

“Most defenders don’t know what the interior of their datacenter looks like, and most people don’t know what’s connected to their network,” Gleicher said. Say an attacker manages to get control of a server: what else can they access from there? What kind of paths can they carve to the truly sensitive data? An awful lot of tech organizations can’t answer that question with the speed required in an active situation, and even if they had that map at their disposal, they often lack the tools needed to cordon off the compromised parts of their network from the crown jewels.

“Attackers think in graphs. Defenders think in lists,” Gleicher said, as a way of illustrating how defensive security needs to understand how its adversaries operate in order to properly defend their networks.

So how can you start thinking strategically about defending your networks? Gleicher plans to outline several steps you can take, and I won’t spoil the surprise here. But he’ll explain how to set up real-world defenses that work across multiple datacenters and public cloud providers as well as the tons of devices that have legitimate reasons to access your corporate network. Don’t miss his talk, scheduled for Day One (9/27) at 3:15 p.m.

Gleicher is just one of dozens of amazing speakers we’ll feature at Structure Security, including Bugcrowd CEO Casey Ellis, Okta CEO Todd McKinnon, and Ixia CEO Bethany Meyer. The complete agenda for the show can be found here, and you can register for tickets here.

Where machine learning helps enhance information security, and where it doesn’t

Machine learning is transforming almost every area of computing; the natural evolution of big data, advances in computing power, and a growing understanding of how to train machines to anticipate external events and react accordingly. This movement is starting to have a big impact on security thinking, and we plan to showcase several companies and individuals working on machine-learning advances this September at Structure Security.

I recently had a chance to chat with Kevin Mahaffey, CTO and co-founder of Lookout Security (pictured), about the rise of machine learning in security applications. Mahaffey will be on a panel discussion with Carson Sweet of Cloud Passage and Mark Terenzoni of SQRRL during Structure Security that will give us more details on the current state of machine learning in security applications.

It’s quite trendy in 2016 to use “machine learning” as an adjective for any tech startup’s products or services (“it’s like the truffle oil of security,” Mahaffey joked), but Lookout has been working on machine-learning applications for its mobile security products for years, and the results are starting to show.

It turns out that machine learning is useful for a set of security applications, but doesn’t necessarily help you solve all security problems, Mahaffey said. Machine learning is very good at finding zero-day threats that we haven’t seen before: they’re brand-new, and therefore deviate from existing patterns, which is something that can be spotted by computers trained to look for deviations from existing patterns, he said.

This could be especially helpful for securing the internet of things. Most connected devices on the internet of things or in industrial internet deployments have limited tasks and therefore will have relatively simple and consistent data flows. If you see even a small deviation in data that is almost always constant, you know you’ve got a problem, and that’s something sophisticated machines can do with ease.

However, machine learning doesn’t really help the threats faced by most organizations, which are usually older and less sophisticated than eye-popping zero-day threats. Channeling the hacker mentality, Mahaffey explained, “I don’t come in everyday and try to find the hardest possible surface to bang my head against. I try to find the easiest exploit and drive a semi truck through it.”

Machine learning also has the tendency to produce a lot of false positives or false negatives, time wasters that create headaches for information security professionals. And you still need a good team of professionals to train and evaluate your machine-learning activities. Proper machine learning requires a ton of clean, reliable data (which requires human intervention) and clever analysts to make sure the learning model is on track.

But as we talked about last week with Art Coviello, the more forward-thinking security organizations at companies are starting to deal much more in risk assessment than playing whack-a-mole with perimeter security holes. Machine learning is great for this, especially at financial institutions that are constantly under attack and need to know when they are dealing with something unique and dangerous.

At Structure Security, you’ll have a chance to listen to several experts in machine learning in security explain how machine learning can benefit your organization, or why you can probably afford to spend your security budget on more basic defenses. In addition to the panel mentioned above, Stuart McClure, CEO of Cylance, and Oren Falkowitz, CEO of Area1 Security, will talk about their work on machine learning techniques for security applications. Don’t miss this chance to separate the hype from the reality when it comes to machine learning and security.

More information on Structure Security, scheduled for September 27th and 28th in San Francisco, can be found here. You can register for tickets here.

Former RSA chairman Art Coviello: Security is too confusing, and that needs to change

If you’re in charge of keeping your company’s information assets secure, and you think the state of modern information security is overly and needlessly confusing, you’re not alone.

With over 30 years of insight into information security triumphs and failures in his mental database, Art Coviello has been in a unique position to observe how technology and security companies have responded to the explosion in internet connectivity and criminal activity. The former chairman and longtime executive at RSA Security is one of our principal advisors involved in the planning of Structure Security, and we’re thrilled that he’ll be kicking off the conference on September 27th with a talk on the modern state of security.

Coviello observed a shift in security thinking about five or six years ago from reactive security (finding and plugging holes in perimeter defenses) to intelligence-based security, in which the notion of risk is much more thoroughly identified and analyzed. However, while that concept has been embraced by the information security world, applying that concept to real-world situations has proven more difficult, he said in a recent interview.

“The problem isn’t just expanding attack surfaces,” he said, referencing the explosive growth of cloud and mobile computing as well as the coming challenge of the internet of things, “but the ability to take the model from the 50,000-foot level to street level.”

There are three somewhat-overlapping issues that contribute to that problem, Coviello said:

  • The Skills Shortage: I’ve heard this time and time again in conversations leading up to Structure Security, and it’s going to be discussed in several sessions: information security leaders are having an extremely difficult time finding (and retaining) qualified security professionals. (Coviello’s fellow Structure Security advisor, Jay Leak of Blackstone, touched on this earlier this year.) All the modern proactive security-focused thinking in the world doesn’t matter if you can’t find people who understand how to make those concepts work in practice.
  • The Firefighters: Assume you’ve managed to hire the right people to implement the right risk-based strategy. Can you figure out a way to allow those people the time and space to get that job done while making sure your organization is safe in the interim? People like to bemoan “fighting fires” — the notion of dashing around fixing security problem after security problem — but deciding which fires can quietly smolder and which fires need attention right now (after all, fires are bad) is not a simple process.
  • The Decision-Makers: Information security has been treated as an afterthought in many organizations for too long, and the people who are running those companies — executives and board members — can have wildly different perspectives on the importance of security thinking balanced against time to market, overhead, or strategic focus. Think about financial services companies, which purchase and implement a ton of technology products and services every year to manage vast amounts of money, yet who are often run by people that lack technology expertise, let alone security knowledge.

So how do we move forward? Coviello plans to outline some strategies for getting past these obstacles in his talk, and I won’t spoil the surprise here. But here’s a hint: strategies you consider vital to your core business — such as careful resource planning and treating your vendors with healthy skepticism — will serve you well as you look to protect your organization in a world of growing threats.

Join Art Coviello at Structure Security this September 27th and 28th at the Golden Gate Club in San Francisco. More details about the event are available here, and you can register for tickets here.

Okta CEO Todd McKinnon is building tools that help secure the cloud and mobile revolutions

As he watched’s cloud services really take off around a decade ago, Okta CEO Todd McKinnon recalls that he and his colleagues soon realized that literally every aspect of enterprise technology was going to be overturned by the promise of cloud computing. McKinnon, who oversaw software development at Marc Benioff’s company until 2009, then noticed that this explosion in cloud services was catching many CIOs off guard.

“They didn’t know what they had,” McKinnon said in a recent interview. “There was no rhyme or reason to what they had, and there was no security.”

McKinnon, who will be one of our featured speakers at Structure Security this September, has turned that realization into one of the hottest companies in security and cloud computing at the moment and a likely IPO candidate right around the time of the conference. Okta, which has around 800 employees, helps companies develop ways to better secure their cloud applications with identity management technology, and CIOs are responding.

“We enable companies to roll out services and applications faster,” said McKinnon, who co-founded the company in 2009 along with current COO Frederic Kerrest, another Salesforce alum.

Once a CIO has even figured out which cloud services his or her employees are using — which was sometimes no small feat in the era of rogue IT — the next step is to make sure those employees are following proper security practices while logging into and using those applications. Single sign-on and identity management technology has been around for a while, but products like Microsoft’s Active Directory were built for a different era of computing.

A sample dashboard of Okta's identity management product.

A sample dashboard of Okta’s identity management product.

“It was like, ‘my 20 years of (security and identity management) stuff doesn’t work,’” McKinnon said, quoting the CIOs he talked to in the early days of Okta as they struggled with balancing the need to provide their employees with state-of-the-art cloud services while ensuring that company data was being used properly inside those services. And it’s not just employees: a lot of companies have close partnerships with other companies that require data sharing in cloud apps, and even if you’ve locked down your own data, there’s no guarantee that the company on the other side of your partnership is as diligent.

That’s part of the problem that has allowed Okta to thrive: the original internet protocols designed in that era of computing didn’t have secure identity services built directly into the protocol, McKinnon said. SSL helped amend this situation, but that only addressed server-side identity, not user identity.

So we’re stuck with usernames and passwords as the primary authentication process in just about every web service we use, and managing those passwords is pretty difficult for people who aren’t software engineers or information security professionals. That has a lot of ramifications in our personal computing lives, and CIOs and CISOs are looking for ways to securely use the cloud services that have allowed companies to get off the ground with a fraction of the investment once required to scale a technology company.

Several large, complex technology organizations have adopted Okta’s products and services, including MGM Resorts, Western Union, and Dish Network. The company has raised around $230 million in funding at a valuation that grants it unicorn status, and is widely expected to be planning for an IPO at some point in 2016. (McKinnon won’t talk about these plans right now, of course, but maybe we can wrangle more out of him at Structure Security.)

McKinnon and Okta would like to build a better protocol for managing identity on the internet, but that is going to take a while. Smartphones can do a lot of interesting things to verify and manage identity data, and machine learning is allowing companies like Okta to try different strategies to manage the back end of identity verification and quickly spot problems or opportunities. A consumer identity management or password manager isn’t on the product roadmap right now, he said, but Okta is focused on connections.

“At work, we’re making a lot of progress, people have less passwords at work because of us,” McKinnon said. He believes, however that he opportunity is bigger than just your work dashboards; it’s likely there are lots of great ideas for products and services that haven’t taken off because of cumbersome identity verification technology.

Join Okta CEO Todd McKinnon at Structure Security this September 27th and 28th at the Golden Gate Club in San Francisco. More details about the event are available here, and you can register for tickets here.

Four more reasons why Structure Security should be on your calendar this September

With two months to go before Structure Security, we’re putting the finishing touches on the lineup for what promises to be a great show in the beautiful Presidio district of San Francisco this September 27th and 28th. We’ve outlined a few themes in the past here, but I wanted to showcase a few new speakers we’ve added as the agenda settles out.

Andy Ellis, CSO, Akamai

Andy Ellis, CSO, Akamai

— Andy Ellis, CSO of Akamai (pictured), will be joining us at Structure Security. Akamai is uniquely positioned to see the threat landscape and its effects on global networks, and networking security is an extremely important part of the company’s mission. We’ll try and wrangle a few war stories out of Andy about defensive strategies and try to understand where tomorrow’s threats will surface.

— We’ve tapped Jessy Irwin, security advocate extraordinaire, and Stacy Stubblefield, CEO of TeleSign, to lead a discussion on the future of the password. Busy people with poor security awareness tend to have very poor password hygiene, but do we try to fix that problem or do we try to find another way to authenticate ourselves online?

— And Asheem Chandra, one of our advisors and a partner with Greylock, has agreed to join us on stage to talk about investment opportunities in security. Asheem, who has shepherded prominent security companies like Palo Alto Networks and Sourcefire into success, was also a key executive in the rise of CheckPoint Software as a security force.

Stay tuned for a few more speakers over the next few weeks, as we have a few more ideas for great sessions that will improve your perspective on information security and the pressures of modern tech product development. But there are more than enough great speakers already booked for you to register right now, and save yourself a little money before the prices go up as we get closer to the show.

Bridging the gap between infosec and tech at Structure Security

Golden Gate Club

One important reason why the modern technology industry has become so powerful is the speed at which it has unleashed life-altering innovation, forever changing the world in less than a generation. Very few people are able to keep up with the speed at which we manipulate technology to solve our problems, and some of those people just want to watch the world burn.

As we get ready for Structure Security this September in San Francisco, we’re building a thesis on the state of information security in 2016. While it’s clear that the architects of tech innovation take security as seriously as they ever have, it’s also clear there remains a disconnect between the day-to-day lives of information security professionals and the engineers who are moving fast and breaking things.

A hyper-connected world means danger can enter your corporation (or bank account) without leaving a trace, through vectors you would have never considered dangerous a few years ago. Software that wasn’t written with security in mind, or with a cursory nod towards security, can suddenly present a massive problem when it becomes widely used across an enterprise. And one of the main threats to corporate security in 2016 remains the people who click on links or attachments they have no excuse clicking on in 2016.

One benefit from this scourge of cyber criminals (as well as inquisitive governments around the world)? A ton of data is being produced that information security professionals can use in evaluating threats and recommending countermeasures. Yet too many in the security world are reluctant to share that information that could address the problems with external organizations (or even within their own company) given concerns about the negative implications of sharing data on breaches.

Everyone with a vested interest in information security — CISOs, CIOs, tech companies, security vendors, and investors — needs to come together to discuss these issues and learn from each other. Along those lines, a world-class team of advisors is helping Structure Security set the stage for discussions about these topics, because we all believe very strongly that more discussion between those creating technology and those protecting us from harm is the only way to ensure effective information security in the 21st century. Those advisors include:

Read more