After a jam-packed day one of Rapid7’s UNITED Summit, the UNITED running club started the day bright and early yet again.
The rest of us opened UNITED day two with a fireside chat hosted by Jen Ellis, Rapid7 VP of Community and Public Affairs, and a slew of prominent security commentators: Lares founder Chris Nickerson, Mach37 Cyber’s managing director Mary Beth Borgwing, Veracode CTO Chris Wysopal, and Josh Corman of the Atlantic Council and I Am The Cavalry. We skipped last year's on-stage drinking but kept the lively debate, which started with automation and moved swiftly through machine learning, theories on the future of software and security policy, and time frames for security’s being integrated into teams organization-wide.
There was little wholesale agreement (that’d make for a boring debate, after all!) but much overlap in the group’s opinions and predictions: Yes, automation is important, and automating what everyone can do frees us as a community to focus on what we, uniquely, can do; machine learning isn’t magic and requires focus on the right problems and the right incentives; there’s plenty of need—and hope—for input and engagement on policy, even and especially when getting it right is difficult; reducing complexity and making it possible for everyone in organizations to do the every-day work of security is key. The panel wrapped up with a lighthearted question: What’s your #1 prediction for the future of infosec? Click through for the respective answers from Chris Nickerson, Josh Corman, Chris Wysopal, and Mary Beth Borgwing.
There’s nothing like a fast-talking panel of smart people to get conference-goers geared up for a bunch of action-packed sessions, and that’s exactly what we had in store for UNITED attendees after our fireside chat concluded. Rapid7’s data science team talked about how Rapid7 builds and maintains internet-scale active and passive telemetry platforms (and what we learn from them) in the Research & Collaborate track. Folks listening to talks in the Assess & Remediate track got insight into how to talk to their boards about information security. Phish, Pwn, & Pivot attendees learned how to keep pen testers (and attackers!) out of their networks. And Rapid7’s transportation security director Craig Smith led a brilliant session on self-driving vehicles and their relationship to security. The afternoon was no less bountiful in information and engagement opportunities: the Detect & Respond track revealed the hidden value in log management, we dug into how organizations around the world can prepare for GDPR, and Rapid7 Threat Intelligence Lead Rebekah Brown and the DoJ’s Leonard Bailey discussed information exchange with the government. Research Director Tod Beardsley closed out the Research & Collaborate track with a succinct-yet-cheerful statement: “You’ve got 0-day! Here’s how to deal with it.”
As the end of 2017’s UNITED Summit drew near, Chief Marketing Officer Carol Meyers took the stage to deliver thanks to Rapid7’s partners, speakers, and—of course—our incredible customers and community attendees. She then introduced Dan Geer, CISO of In-Q-Tel, iconic security futurist and commentator, and undeniable facial hair inspiration (though there’s no defeating Rapid7’s Deral Heiland). Geer invoked a litany of philosophers, scientists, public servants, and writers as he drove home some beautifully, impactfully-delivered points: The attack surface in the world is expanding, and it’s doing so faster than the security skill umbrella can match. What we do here, in this field and everything that touches it, isn’t so much a ‘profession’ as it is an occupation—or as some might have put it, a vocation. Geer referenced the lessons he’s learned in engineering and biostatistics, respectively: First, that getting the problem statement right is essential, and second, that correcting for data bias in an imperfect world will be, necessarily, imperfect. “My principal challenge,” he told the audience, “has been the balance between getting the problem statement right and choosing tolerable failure modes based on the data available...This hasn’t changed: You have to know what problem you’re trying to solve and which data you need to solve it.”
This theme kept resurfacing as Geer took the UNITED audience through some of security and technology’s fundamental tensions, particularly when building models and thinking about the future: causality vs. control, optimization vs. resiliency, automation vs. sentience. Our problem statement, he said, is not cybersecurity itself, but rather the side effects of the pursuit of it. If the future is data-rich and the technologies acting upon all that data are dual-use, how do we ensure integrity of that data and the supply chain that underpins it? What, as an industry, are our ‘tolerable failure modes’—do we trust the data we have? Do we make and keep algorithms interrogatable? Do we keep humans in the loop as we move further and further toward automation? And is it a good thing when we do?
Big questions deserve deeply-considered answers—your engagement at UNITED and beyond is critical to helping us at Rapid7 and the industry as a whole understand and address our proverbial problem statements. Rapid7 thanks all of you at UNITED for your much-valued participation and your continued attention to the big questions and the big problems that drive us. As Dan said in closing: “There’s never enough time. I thank you for yours.”
You can find the full transcript of Geer's speech here. For a limited time, you can watch both UNITED’s fireside chat and Dan Geer’s closing keynote on-demand here. For more UNITED blog content, check out these posts.