We regard Shmoo(Con) as one of the most important community events at all and it allows us to meet fellow researchers from the US who we can’t easily sit down with to chat very often.
And some lucky guys from ERNW will even continue the trip to head to San Diego (!) for NANOG and NDSS. Not to mention they stay in some fancy beach resort ;-), while I myself fly back today. (Getting older I don’t enjoy staying away from home for a week anymore and I have been missing my kids since some days…)
So what can I report to good ole Germany?
On Friday, Peter Gutmann delivered the keynote (mainly) on how taking a dynamic risk assessment approach based on a number of factors (allowing to rate the overall trustworthiness of a website visited) could heavily contribute to browser security and phishing prevention. While I had the impression there was some room for improvement as for the presentation style, it provided a number of interesting thoughts and on the technical level I really liked it.
[furthermore I learned about the “Crime prevention through environmental design” (CPTED) approach which I wasn’t aware of beforehand].
Next talk I was really looking forward to was Toby Kohlenberg’s “A New Model for Enterprise Defense” piece.
Toby and I had been following each other’s work for some years, so when Intel published this whitepaper he co-authored and he subsequently gave a talk on the stuff at T2 I decided to invite him to speak about the approach at Troopers 2012. Which unfortunately doesn’t work out due to some conflict on his side and he seems at least as unhappy as I am about this 😉
Still ShmooCon provided an opportunity to see his stuff live (btw: at 10:00 AM on Saturday morning which traditionally happens to be one of the least grateful speaking slots at Shmoo ;-)) and discuss it over lunch afterwards.
Dear readers, this is great stuff!
Looking at the current attack and overall security landscape some guys at Intel asked themselves “If we were starting from scratch what would we do differently?” and created a small, focused team that tried to answer that exact question. They came up with an architecture based on four ideas:
- Dynamic Trust Calculation
- Isolated Security Zones
- Aggressively balanced controls
- Additional “perimeters” added (User, Data)
The approach is centered around a step they call “dynamic trust calculation” which in turn can be split up into calculating the trust(worthiness) of first the source of an access request to an information entity, taking into account the user identity (“who are you?”), the device and feature set (“what you have”?) and the physical location (“where are you?”), and second the trust(worthiness) of the destination, based on the application, the data’s classification and the data’s location. The “quality” (trustworthiness) of the actual authentication method used might come into play as well (e.g. OTPs or cert based auth providing better numbers in the overall trust calculation then, say, username/password). Evaluating these factors then determines the type of access granted. So a corporate sales guy using a smartphone from an untrusted location might only read customer information or place orders while being able to modify pricing only when using a system within an organization’s network.
[btw: this is a little bit similar to the table I used in bottom of this post, with the difference that the approach laid out there (in that post) is much less flexible and does not provide the security benefit the Intel approach might offer]
So far they’ve started implementing the architecture with own tools and based on currently existing technologies (he mentioned they heavily use proxies when crossing the boundaries of trust zones), so none of this stuff is “readily available as commercial tools”. Still he mentioned that a number of vendors they discussed this with are working on such approaches as well. Hopefully this does not take the road of NAC (which, from my perspective, is fully dead due to the inherent complexity and operational effort it induced].
In addition to the technical aspects of the talk it was actually fascinating to hear how they build and maintained (over time) that “security innovation” team. I might take some lessons as for the way we do such stuff at ERNW…
I’ll keep you updated once Toby’s slides are publicly available (in the interim see the whitepaper mentioned above) and might even find the time to discuss other interesting talks. For the moment have a great Sunday everybody