Breaking the security status quo: Let’s make security easy(er)

As the dust settles on last week's DDoS attack, it’s time to ask—and act on—the question of “Now what?”

By Courtney Allen
October 28, 2016
Illustration of a fire from "Marvels of the new West" (source: Internet Archive Book Images via Flickr)

When we announced our new O’Reilly Security Conference this past spring in an article titled “Building better defenses,” we started by discussing how we’re barraged daily with inflammatory news stories about the seemingly desperate state of security in the U.S. and abroad. Never has this been more true than with last week’s coverage of the massive DDoS attack on Dyn.

To be clear, we’re not suggesting that this event wasn’t newsworthy. The breadth of the attack, the sheer number of devices involved, and the business, monetary, and long-term effects of this attack were all worth the front-page headlines they received in the mainstream media. This attack affected many significant enterprises and millions of users, and quite frankly, it felt ominous. It has been suggested that the perpetrators of this attack were experimenting with taking down the Internet. It also garnered the attention and outrage (if only briefly) of the general public.


We can hope the awareness created by this event denotes another step in the march toward security being taken more seriously—not by security professionals who already understand the importance, but by others who have such a profound effect on ultimate security posture. The greater awareness of threats leads to opportunities for focused and effective security conversations. In respect to this particular event, there’s an obvious business case to be made for funding a backup DNS service.

If you’re struggling with how to have those conversations with either the larger business unit or with members of your organization in general, we’ll have some great presentations at our upcoming events in the human element track (“Security FORCE: A model for highly reliable security behaviors and cultures,” “Security by consent”) and the bridging the gap between security and business track (“Continuous security,” “Link complex regulation to practical security”) that address these challenges directly. Full talks and sessions will also be available after the events on Safari.

Everything is (still) on fire

Ultimately though, while the details differ, this narrative is hardly new. A malicious actor (still unknown) used nefarious means (the Mirai botnet) to wreak havoc, this time on our beloved Internet. Outside of those very focused steps forward mentioned above, the truth is that the security landscape is largely the same as it was a week ago. In-the-trenches security professionals weren’t surprised by this turn of events. They’ve been decrying IoT security for as long as the IoT has existed. Nor will security pros be surprised by the next, likely larger attack. Defenders aren’t the shocked masses. They’re Nostradamus in the server room foretelling crises to come.

As the headlines fade and public attention turns back to other issues, we return to a problematic status quo. The dust is settling and the same challenges that existed before this latest news cycle—insufficient resources, communication gaps between security and other stakeholders, and technical challenges, to name just a few—remain, which leads us to the eternal question: Now what?

We’ve joined the fire brigade (and we brought a truck)

That constant echo of “Now what?” along with its counterpart “How can we help?” has defined our recent and upcoming initiatives in the security realm. We felt not only a need, but a responsibility, to offer our resources to the effort. Because asking thoughtful questions has tremendous power, but change only comes when those questions are followed by action.

To that end, we’re hosting our first hackathon this week in San Francisco with Dan Kaminsky, Chief Scientist at White Ops. With this event, we aim to make TLS/HTTPS trivial to deploy. We see the value and the importance of making strong isolation of insecure code a smooth experience. Dan wants to put better DevOps in place so that people can find and fix bigger things faster, and we saw the opportunity to help. Let’s break the status quo. Let’s make security easy(er).

We’ll be unveiling the results of this hackathon next week at the O’Reilly Security Conference in New York. We’ll also be talking about the broader security landscape, with an aim to address the most common problem areas in defensive security—the same immutable problems that keep coming up in our discussions with the defensive security community at large. We saw the opportunity to have a broad positive impact on security: to create content, events, and a structure for helping individuals, organizations, and the security community build and use the tools they need to make our world safer. Of course, we’re not doing this alone. We’re immensely appreciative of our League of Extraordinary Defenders for their role in shaping and supporting the event.

If you’d like to learn more about our security initiatives:
