LAS VEGAS – When it comes to finding security talent, Black Hat and DEFCON are good places to look. We old-timers are used to government agencies with three-letter acronyms mingling with these highly talented and technically inquisitive attendees. Some, like the NSA, have even set up recruiting booths, although they were absent this year.
However, this was the first time the likes of Nike and Twitter – two huge private-sector companies with large customer bases – hosted rooms in the “Business Center” at the end of the show floor. Both were listed as supporters of the con and held private parties lavish enough to create a buzz among those who attended them.
They were obviously there for recruiting.
Twitter has been the subject of many social-networking worms. As recently as June, Twitter was hit by a cross-site scripting worm that affected nearly 90,000 Twitter users and touched millions of followers, according to an article by Dan Goodin of Ars Technica.
Nike, while not on a hot seat at the moment for information leakages, has joined the Retail Cyber Intelligence Sharing Center announced in May in order to share retail-related threat information and prevention tips.
Along with Nike and Twitter, a growing number of “non-security” IT vendors were there presenting security suites: BlackBerry; General Dynamics Fidelis Cybersecurity; Hexis (part of KeyW, a general IT services firm); Intel Security; and Raytheon Cyber Security were among them.
While the sheer number of products, technologies and pain points continues to confuse, there is no denying that product vendors keep innovating. Many technologies were represented, but the concept of security analytics and visibility into threats and vulnerabilities dominated a large share of the product suites.
This puts Nike, with its membership in the retail information-sharing center, right in the thick of IT security trends. The analytics piece is critically tied to information sharing, something that keynoter Dan Geer, “father of the Internet,” suggested could and probably should be made mandatory at some point just like reporting risky defects in auto, aviation and other industries is mandatory.
The cybercrime wave is pressing, and there isn't much time to implement methods for assuring system integrity, applying liability, and embedding security at the development and operations level, where it needs to be in order to protect against and respond to cyber events. Geer suggests acting now, in a phased approach, to bring about change over the next five years.