Security reflections – yesterday, today and the future


Author: Chris Hockings, regional CTO for IBM Security in A/NZ

Last week I had the pleasure of welcoming Bruce Schneier to Sydney. Bruce is much more than just the CTO of IBM Resilient and Special Advisor to IBM Security. He is an internationally renowned security technologist, called a “security guru” by the Economist. He is the author of 15 books – including the New York Times best-seller “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World” – as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard University, a fellow at the Belfer Center at Harvard’s Kennedy School of Government, and a board member of the Electronic Frontier Foundation.

In the beginning

When I first started my career in a security start-up in 1998, I was handed two books, “TCP/IP Illustrated” and Bruce’s first book “Applied Cryptography.” This classic details how cryptography – the technique of enciphering and deciphering messages – can maintain the privacy of computer data. Bruce has said that “when it’s done right, strong encryption is unbreakable encryption. Any weakness in encryption will be exploited — by hackers, criminals, and foreign governments. Many of the hacks that make the news can be attributed to weak or — even worse — non-existent encryption.”

During this time, IBM was ramping up its software business, supporting clients in delivering new offerings. We realised that developers needed tools that allowed them to identify vulnerabilities inadvertently introduced into their code. Recognising the importance of application security and to help customers also detect code vulnerabilities, IBM acquired Watchfire and Ounce Labs for white/black box and code scanning. Once developers were able to identify issues, they could remediate them by developing fixes, often in the form of patches. They and many of our clients were able to rely on patch distribution technologies like BigFix to deliver fixes to their platforms and applications in an efficient manner. Even today, software relies on patching as a way to deliver better security.

Enterprises also started to reflect on the inherent risk of privileged insiders, and IBM started to think about how to identify and protect clients’ crown jewels. Early capabilities delivered as part of Tivoli, for both identity management and strong authentication, were key requirements in addressing this challenge. Organisations storing their crown jewels in relational databases and filesystems were still vulnerable to inadvertent insiders or the growing threat from outsiders. IBM acquired Guardium to help address this issue, and has since added encryption capabilities and advanced activity monitoring using AI.

By the time we had done this, Bruce had published 4 more books, and IBM was building security offerings across multiple IBM divisions.

A year of change

Bruce published his 13th book, “Liars and Outliers”, around 2012, and it was a year of change for IBM Security. “Trust and cooperation are the first problems we had to solve before we could become a social species,” said Bruce. “In the 21st century, they have become the most important problems we need to solve—again. Our global society has become so large and complex that our traditional trust mechanisms no longer work.”

In this year, IBM made a strategic move to better organise their security capability. We formed a new division called IBM Security, where all of these technologies and services I’ve mentioned (and others I haven’t) would be delivered. IBM was able to deliver an ecosystem of integrated solutions that could detect and protect against enterprise threats, which we coined the IBM Security immune system.

But IBM didn’t stop there. We needed to understand the systems being used to attack our clients, and that required a global perspective. IBM has hundreds of thousands of employees, and we manage some of the world’s largest organisations’ systems, and through collaborating with others and partnerships like Quad9, we started to gain a lot of insight about what that global threat looked like. We made this insight available (obviously with privacy, etc., in mind) and free of charge through the X-Force Exchange cloud service, and we supported open standards for efficiently distributing this to all systems through STIX and TAXII. IBM has always been an active contributor to security open standards, to drive widespread adoption of solutions benefiting industry. Even more recently, Shane Weeden participated in the first interoperability for FIDO2 in the authentication space, which you can read more about here.

Where to next?

Bruce defines security as a combination of protection, detection, and response. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realised that detection needed to be formalised as well, and the industry was full of detection products and services.

This decade is one of response.

“The Internet of Things fuses products with communications technology to make daily life more effortless,” says Bruce. “But like nearly all innovation, there are risks involved. And for products borne out of the Internet of Things, this means the risk of having personal information stolen or devices being overtaken and controlled remotely. For devices that affect the world in a direct physical manner—cars, pacemakers, thermostats—the risks include loss of life and property.”

So, what is IBM doing next? I recall a story from our global CISO, Shamla Naidoo. When the global outbreaks were happening around WannaCry and Petya, our CEO, Ginni Rometty, asked how IBM or our clients were affected. WannaCry spread to over 100,000 organisations in over 100 countries within 48 hours without any user interaction.

In today’s world where data breaches reach the board level, it is not good enough to have limited visibility into your infrastructure to quantify that threat. So, we’re planning on doing something about that. A few weeks ago, we announced IBM Security Connect as a single platform to gather security data from across your existing tools and products and to help you understand new or emerging threats.

Initially, we want to answer the question “Are you affected?” and, if the answer is YES, what do we need to do about it. IBM Security Cloud will also be the basis for delivering new cloud-based offerings in the future. We are in open field trials now, so I am looking for those clients interested in getting into these next-generation solutions – to help free you from the security operations big data problem. We know where we are going, and I extend an open invitation if you are reading this to join me on that journey by contacting our sales team at 1800 557 343 (Priority code: Security).

