Carbon Black Connect 2019: Cloud will revolutionise cyber security strategies
Company's annual conference highlights importance of security infrastructure, diversity and understanding the hacking community
This year's Carbon Black Connect cyber security conference, held in London last week, had a little something for everyone.
While keynote speeches were devoted to how the cloud will "revolutionise" the way IT security is delivered to end-user customers, delegates heard elsewhere how a change of perception about who hackers really are could prevent more attacks.
There were also talks on what clauses organisations should have in contracts for cloud services to ensure better security and data privacy, and whether queues for the women's toilet at tech conferences were a sign that diversity initiatives were finally working.
Cloud will revolutionise security
Perhaps the most prevalent theme of the day, however, was the role of cloud in how organisations protect themselves from threats in future.
Patrick Morley, CEO of Carbon Black, said that thanks to the firm's acquisition by VMware earlier in the year, it was able to put more of its analytics into the cloud.
"We fundamentally believe the cloud is going to revolutionise security over the coming years. Again, I'll say this, it does not lessen our commitment to our on-premise products, we just recognise the power of being able to do a lot of analysis in the cloud," said Morley.
He added that cloud-based analytics would help identify and thwart potential hackers more effectively, reduce operational overheads for customers, and deliver "faster time to value".
"It's going to revolutionise security. It allows us to innovate faster, because every time we build new services on that platform, we deliver those to you without actually having to deploy anything inside of your data centre," said Morley.
Safeguarding your security contracts
Yet the event also served as a warning to businesses looking to adopt cloud-based security themselves: they need to understand the additional contractual headaches that can occur as a result.
Specifically, organisations going into the cloud should make sure any contracts with service providers have a number of clauses inserted to protect their security, according to Enza Iannopollo, senior analyst at Forrester.
In her speech to delegates, she said that organisations should ensure that, if a service provider uses a new sub-contractor, they are told about it and can choose whether or not to tear up the contract.
The reasons for ditching a cloud contract could be that "the sub-contractor doesn't make you feel comfortable or doesn't align with the privacy policies of the organisation".
There should also be termination conditions on how long it takes for data to be deleted after a contract lapses and how data is returned to an organisation. Iannopollo also argued that there should be clauses on data subject rights to ensure that organisations, should they receive a subject access request, can quickly and easily source this data from their service provider.
Iannopollo said that organisations should only work with service providers that they trust, and only those that can provide evidence of how they are securing data, particularly as data regulators will ask organisations if they have carried out due diligence on those companies that provide them with a cloud service.
Thinking of hackers as normal office workers
While a great deal of the conference looked at the evolving nature of cyber security infrastructure, it also forced organisations to question their attitudes towards cyber crime in general, and specifically what they think of when they use the word 'hacker'.
Scott Lundgren, CTO at Carbon Black, said that it is all too easy for those in the industry to think of hackers as being a bogeyman or infallible. They forget that they're real people, "stumbling through their days trying to get through their business goals of breaking in and stealing data".
"These are people who can be beaten," he said. "It is a positive fight, one that we can come out ahead on and one that we can apply ourselves to with a sense of optimism."
He said that the focus of IT security should be on how tools, processes and capabilities can be used to observe, detect and prevent hacking behaviour, that is, "watching what the bad guys are doing and how they are doing it".
Carbon Black's Morley argued that the ultimate goal of this approach was to encourage organisations to be more proactive in how they defend themselves.
"Each time we force the adversary to adapt, we are winning, we are causing them to have to react," he said.
Thinking of hackers as just people, with responsibilities to their own version of a manager, means that if they are faced with a system with particularly tough network security they may need to raise this as an issue to someone more senior. If they are not around, this gets forgotten by the hacker and they don't go back to the problem network. "That's a victory for us," Morley explained.
Diversity is about building a community
Regardless of what stage your company is at when it comes to security, one thing that everyone can benefit from is greater diversity.
More and more women are coming into IT security and making a success of it, but work still needs to be done to ensure greater gender parity and greater representation in the workplace. According to a number of industry panellists, the humble restroom can be an important tool for benchmarking gender diversity.
Sue Daley, associate director of technology and innovation at techUK, was keen to showcase an initiative called "Queue for the Loo", one that her organisation had been promoting for some time. Given that for most tech events and conferences, the queue for the men's toilet is far longer than the women's, the growing waiting time for the female toilets is considered a clear sign that things are improving.
The initiative provides an online portal for resources and information to encourage more women to attend tech events, as well as holding its own events, workshops, and networking in order to create an active community.
Daley said that the campaign will be judged a success when more women attend tech conferences. "I think we'll win when there is a huge queue for the ladies," she added.
Diana-Maria Molaovan, UKI cyber operations lead at Aviva, said that "sometimes you have to be the change if you want to see the change".
She has started to collaborate more with groups such as Ladies of London Hacking Society, which promotes women in cyber security. She also encourages women to appear as often as they can at events such as this, and to share specialist knowledge with others.
"This empowers women to say, 'I want to share what I'm doing at work'," she added. "It's important to have your voices heard."