Conf42 DevSecOps 2023 - Online

CyberSecurity is too general: Why we need Security Domains


Abstract

Whether you’re developing your Cybersecurity career, or searching for talent- Security is too general a term. It’s time to start using Security Domains to map out career paths in Security. Using Security Domains will increase diversity & cure imposter syndrome for those of us who aren’t hackers

Summary

  • Michal Davidson is a software architect at Dell. She's passionate about increasing diversity in the field of cybersecurity. She says we need to break security up into different domains in order to create communities and networks.
  • Network security has evolved in the last few years because of cloud security and because of zero trust. Single sign on, multifactor authentication and identity and access management are critical in cloud security. Other aspects like cryptography matter too.
  • Monitoring is seeing a ton of growth in the last few years because of cloud security. Most experts in developing and designing monitoring tools are not necessarily going to come with a security background, but rather with an AI background. This is a whole cool new developing domain with a lot of potential.
  • Cryptography is what initially drew her into security. If you have a math background, it's a great way to work in the field of security. Within cryptography, there are niche fields like embedded security. There are a lot of courses available online for free.
  • Resources: there's a great introduction to cryptography course on Coursera available for free. Cybrary is a great resource if you are interested in ethical white hat hacking and penetration testing. Her blog on Medium is Miss Architect.

Transcript

This transcript was autogenerated.
Hi, I'm Michal Davidson. I'm going to be speaking about security domains, what they are, why they're so important. I'm going to start with a bit of background about myself because I think that will help explain my passion for this topic. Nowadays I work as a software architect at Dell, where I lead the public cloud cybersecurity for our PowerFlex product, which is a software defined storage product. In the past, I've worked both as a software architect and a security architect at a number of different companies. Before that, I was a software developer. I sometimes lecture academic courses in cybersecurity and in agile and software development methods. And the reason I started thinking about why we need security domains is because I was thinking, why isn't there enough diversity in the field of cybersecurity? I think if you look at security, for instance, if you look at women in security, there are fewer women in the security field than there are in tech in general. And it's definitely not at 51%, which is what I'd like to see. So I started to think that this is happening because we're looking at security as this single blob, this single thing, like either you know security or you don't. Either you're a security expert or you're not. And usually a security expert was kind of thought of as being a hacker. I mean, a white hat hacker, someone who's doing it for a valid organization and a legal purpose, but still someone who has the capabilities of reverse engineering, of hacking. And I think some of us were seeing those films and TV shows where you see a teenager in the basement, like tapping away at a keyboard for two or three minutes and then breaking into these really impressive security systems like a bank or the Mafia or the CIA or whatever. So it could have us feeling like, okay, I can't do this. So I guess this isn't the field for me. 
And that's something that I want to change because there's a lot of room for many diverse perspectives in security with many diverse backgrounds. I want to encourage all of you who are interested in security to listen during this talk, see what fields you're interested in, what domains within security you're interested in, and then maybe that will help you pursue your passion to become an expert in those specific security domains without necessarily having the capabilities of being a hacker. And we're also going to see later on how this whole hacking thing of tap tap and you're in a system is a myth. So that was my first motivation for this talk. I'm very passionate about increasing diversity in the field of cybersecurity. I write a blog on Medium about developing your cybersecurity career, your software architecture career, the broken rung, which is something I find very interesting, and being able to help women promote their careers. I also write there about software security and about software architecture, zero trust, cloud security. So you're welcome to follow me there: Michal Davidson at Miss Architect on Medium. Another reason I thought this talk was so important was because if we talk about security as a single thing, you're then not necessarily going to know how to develop your career in security, because you're not going to necessarily know what paths to take within security. And also in terms of creating community. Let's create communities around these subdomains of software security instead of having like a general security. General security conferences are great, but sometimes you need to find those niches and help those bloom. And they're not actually niches, they're like pretty large industries with thousands of people working in them. Just, we've never actually made that division that happens in other aspects of computers, like you have hardware and software in computers, networking, storage, AI. 
And we need to, within security, start kind of breaking this up into different domains in order to create these communities and networks, develop our careers. And also if you're looking for talent: instead of, I often see these titles, security expert, security engineer, security architect, and the title is going to be the same and then the listing underneath is going to be like a whole different set of capabilities, because you need to think what is the expertise you're looking for? And zoom in on that instead of finding a security expert who's really good at one thing and doesn't really have background in something else. So that would help you when you're searching for career expertise as well, or it could help you say, hey, this is a field that's really interesting to me. I may not think of myself as a security expert, but maybe this is a field I'd like to learn, or I want to give the opportunity to someone else in my team to develop their expertise in that category. And I think that's something that could really be impactful. But from the technical point of view, I would say actually the most important part of this talk is developing holistic security, which means you don't just think of one aspect of security. You're not going to be in the situation where you really zone in on one aspect: maybe one aspect of security you know well personally, or one aspect your customers are asking for, federal compliance. That actually often happens, and you're just going to really put all your attention there. You're going to have this door that's locked and bolted with like 20 padlocks, from a security point of view, and then you're going to have a wide open window next to it, which an attacker can easily get through. That's not what you want to have happening. Instead, you want to be going around your system, which is kind of like going around your house from the outside and bolting every single window and every single door and your garage door. Right. 
And I think that's kind of thinking about security holistically. That's looking at every single security domain and thinking, did I think about that? Did I address that, to have your holistically secure system? So what I did is I was thinking, okay, security is just like too much of a single blob. I want to break it into domains. Now, when I was thinking about it, I broke it into these six domains. Now, you may come along and say, I don't agree, I want to categorize it differently. I think there should be five domains or four domains or ten domains, and I'm going to give them different names. That's fine, right? That's actually great. What I'm trying to encourage here is this thinking like, okay, security, let's break it down. Let's address all those different aspects. Let's understand those are different domains with different knowledge, different background you need to know and different things you need to think of. And that's the main message that I want to get across here. So I'm going to go through these domains. If afterwards you want to, I'm actually really interested to hear how you would split up the domains. If you want to drop me a note, I'd be really interested in discussing that further. I wrote a few blog posts on this. I'm always happy to update them with different ideas. The main thing is we start thinking about how we break security into these domains. I'm going to start with compliance because compliance often gets the most attention and focus, often because of money, right. We're trying to sell our products, and your customers are often asking, are you compliant? Are you compliant with SOC 2? Are you compliant with ISO 27001? If your customers are federal suppliers, then they often may need to be compliant with the federal program, FedRAMP. There's also the executive order that came out relatively recently. You're also going to see compliance around specific industries like HIPAA for healthcare, PCI DSS for credit cards. 
You're also going to see compliance around specific features and domains like GDPR for privacy and the El for logging. But what's unified about all these compliances is, first of all, they're third party standards that we need to comply with. And that kind of leads us to the second point, which is they have to be generic, right? They have to be a template that any system can try and comply with. Any system can work through that checklist. The result of that is, first of all, a lot of focus on the process, on creating the process in your company. And the second one is that, because of that, it's really impossible with this single generic compliance requirement list to capture all the complexities of your system. So it's going to capture a lot. Going through compliance is definitely going to make your system, typically, unless you're already extremely security conscious, but in most cases, going through compliance is going to make your system more secure. But I don't want you to think that if your system is compliant, that means your system is secure, because there's always going to be that gap, right? There's going to be that place that the compliance didn't necessarily think of or address, because it is this cookie cutter thing. And that's why it really is important to think of compliance as just one aspect of your security profile. In other words, it's not like, okay, I'm compliant with ISO 27001, therefore I am secure. It's just our way of being able to publicly state to the world and to our customers what process we went through. And I see that kind of as the initial stepping stone. It's always good to also have that internal understanding of your system to see where else you can improve it. Now I'm going to speak about network security, which I would say from the technical point of view is really what's been getting the most attention for a long time. 
Because network security classically was about protecting data centers, on prem networks, on prem preventing really physical network access, and then always checking who is trying to gain access to my system. That's the authentication: who are you, what is your device? And then the authorization, which is the, what do you want? Do I want to let you do this or not? Based on that, giving network access or giving system access, right. That has evolved in the last few years, I would say because of cloud security and because of zero trust, which kind of came together. There's this concept, okay, we can't just be asking who and what, but you're suddenly asking why? Why are you doing this? And you need to be constantly asking that. That's kind of a big part of the zero trust principle. You're not just saying who you are and what you want, but like why? And you constantly do this, why? And that way, hopefully, if there's a malicious attacker who maybe has stolen someone's valid identity or is doing something malicious, or maybe you have a malicious user who is authenticated and is authorized for certain actions, but why are they doing this kind of anomalous behavior? Maybe there's a risk here. Maybe there's a threat here. By this constant automation, you're improving the security of your system. So network security has evolved, right? It's more than just the original network protocols we learned about. We have the SSO piece, right? The single sign on, multifactor authentication, identity and access management. IAM is something that you often see critical in cloud security. Let's say the closed data center networks have kind of evolved into a virtual private cloud in the cloud. It's the concept of this network, even virtually, that you don't want others to gain access to. Even things like firewalls, which you're going to see on prem, are translated into security groups on AWS. So there is a huge amount of importance in network security. 
You definitely have to be tackling your network security, thinking about this piece, which is really a lot more than the network security. It's also the identity and access management security. But it's still not going to be 100% enough, because I sometimes see systems where, let's say there's mutual TLS, right, and there's mutual authentication and using the latest protocol, but then when you actually start analyzing the system, you're saying, okay, but this TLS, right, is using a certificate with a key pair. How are you protecting your private key? Can a malicious user actually come and steal your private key and kind of spoof the TLS? There are all these kinds of points where network security alone isn't enough. And like we're going to see, we're going to need other aspects like cryptography too. So when you're putting together the security of your product, maybe you're starting with compliance, you're speaking about the network security, but we're going to go on and see other domains that matter. Often people who are experts in network security may be coming here with a security background or a development background. They may be coming here with an IT background, which is incredibly useful here. So there are really a lot of different ways to kind of develop in the network security field. Now I'm going to speak about monitoring. The idea of monitoring is this automation of looking at the system and seeing when someone is perhaps an intruder, right? You want to detect the intruders. Ideally you'd like to prevent the intruders, and it's not going to be the static analysis of, okay, are you valid or are you not? You're going to need a learning piece, because you want to first see what is typical behavior, and then you're going to be able to identify anomalies, what's unusual behavior? Maybe this is a threat, right? Maybe this is a risk. It doesn't mean it is, but let's start looking at it better. Let's start analyzing it. 
And what I find interesting about the monitoring domain is it's an anomaly within itself. Or in other words, most people who are experts in developing and designing monitoring tools are not necessarily going to be people with a security background, but rather with an AI background. Really useful nowadays: data science, machine learning, because those are really the key skills you need in order to develop these systems. Now, yeah, they're going to be developing security monitoring systems, and definitely there's a lot of collaboration with security experts, but often the expertise here is actually more from the machine learning field. And monitoring is seeing a ton of growth in the last few years, I would say, because of cloud security. Just in general, like the scale of our deployments on the cloud and the fast pace means that really the static security review is not enough. You want to have tools that are constantly monitoring as well. You don't want to rely on a single human being or even a few human beings. And because of that, you need that automation, you need those capabilities and you need that monitoring. So that's really developing. And if you look at cloud security, by the way, a lot of what you're going to be seeing that's kind of called cloud security is going to be these monitoring tools developed for the cloud, right, like CNAPP and CSPM and CWPP, the cloud workload protection. It's all about developing your systems the same way, not the same, but similar to how you would on prem with kind of slightly different cloud constructs. But then on top of that, adding in these cloud monitoring tools to give you that extra level of protection. So this is like a whole cool new developing domain with a lot of potential, where if you're interested in security and perhaps you're coming with a different background like data science or AI or ML, this could be a great way for you to kind of enter the security world. Now I'm going to speak about cryptography. 
Cryptography is what initially kind of drew me into security. I did a regular computer science degree. I didn't even do a cryptography course. I didn't do a security course. I'm kind of embarrassed to say that, but I really knew nothing about security when I started off my career as a software developer. And then I started developing smart cards. And through that I needed to understand what these smart cards were doing. And I started to study cryptography. And I discovered that, from my point of view, I thought it was like a fascinating field, because you're taking maths, and it's not particularly complex maths. As quantum cryptography evolves and elliptic curves and stuff, it's getting more complex, but in general, you're taking these maths concepts that really anyone with some kind of maths background can understand, and you're using those to protect the security of the whole world wide web. Right. I thought that was amazing. And I just started learning more and more about cryptography and liking it. So if you have a math background, it doesn't need to be a very advanced math background, but just if you maybe like maths, a great way to kind of work in the field of security is cryptography. You're often going to see advanced mathematicians with pretty advanced maths backgrounds working in the field of cryptography. And something I want to say to all of you is, if you're interested in security or you're already working in security and you don't have this crypto background, I think it's a really great thing to have. Like, there are a lot of courses available online for free. I'm going to link to some at the end. And just understanding about private keys and public keys and asymmetric cryptography, what asymmetric cryptography is, what symmetric cryptography is, what's the difference between encryption and decryption versus signing and verification? 
Just kind of those basics are going to help you so much, because then when you look at protocols, security protocols like TLS and network security, you're going to understand them much better, much more in depth. You're going to be able to have a much more in depth conversation, and I think that's really invaluable. So my recommendation to everyone who's interested in security is to look at cryptography just a little bit to get the introductory concepts. Within cryptography, there are niche fields. And I called out here embedded security, because embedded security is its own field. It really looks at the security of chips. Nowadays, we have trusted execution environments. For instance, if you have bring your own device, so you're going to have your smartphone, right, with all your photos and everything. And you want to be able to install whatever app you want there, and then you're going to have maybe your employer's email account there, and your employer wants to make sure their email is safe. So then in those cases, maybe your employer is going to be utilizing, for instance, a trusted execution environment in your device to make sure that that specific area is running in a secure mode. So there's a lot of work about the security of chips, the security of runtime environments on chips, secure boot, which means validating every single stage of your software to make sure it's trusted, because security is a lot about trust here. Can you trust this application that's running? Can you make sure it's not created by someone malicious? And embedded security, often people go there with a background in electrical engineering, and then within electrical engineering, you can start getting into embedded security, or you could come to it from a different security background, but it's a really cool domain. 
And cryptanalysis is actually, I find, the fun part of cryptography, because it's kind of trying to attack the cryptography and trying to figure out where the flaws are, where you're going to break it. And there's that kind of cat and mouse game there that there is in general in security, which is another reason I love security. Right. It's never going to be static. There's always going to be, okay, this is the system we're designing now. Let's try and attack it and let's try and improve it. And security and cryptography kind of go together because, like I said before, if you're using a security protocol, you do need to be thinking about things like how do you protect your keys? How do you protect the cryptography that's using those keys? And putting in the effort to think about those is going to help you develop this more holistically secure system. Now, security architecture is the field that I love because it kind of pulls a lot of what we discussed before together, right. You want to be thinking about a lot of different aspects and thinking, okay, how do I create a secure system? Many people, when they hear security architect, they think of the security review process, because many products have the security process where you analyze the whole system, perhaps you do threat modeling, and you try and think where are the flaws, where are the vulnerabilities? How can I improve the security of the system? And what I want to say there is, if you're doing, and I really hope you are, this security review process, please do it as early as possible in the process so it can have the maximum impact, because what often happens is a company is going to come and do the security review at the end, and at that point, maybe someone's going to come along with this whole list of flaws, but the company is going to be like, okay, we need to release it, right? We need to get this product to market. We're going to postpone this list. 
Like, thanks for finding all this out, maybe in the next release, but it's not something we're able to tackle now. And often the whole thing's been developed, so it's a lot more effort to change it versus if you did the security review right at the beginning of the process. It's also going to be less effort to make changes before development is complete, and it's also going to give you more time to be able to make these changes. So the same review with the same amount of effort invested in the review is just going to improve the security of your product and have more impact if you move that to earlier in the development cycle. But the other thing I wanted to add here was security architecture could also be not necessarily just reviewing a product, but developing a security product. What's a security product? It could be a monitoring tool like we spoke about. It could be a new protocol for a new industry. Sometimes security architects, security engineers are actually looking at new products. How do you, from the bottom up, design them securely? And that's a really interesting field. And what you're going to usually do for that is use these building blocks. Like we mentioned before, you're going to use the network security available when possible. You're going to use the cryptography available when possible. There's always this idea of don't spin your own crypto, which is like, don't rely... It's always better to rely on cryptography that's been tried and tested and validated rather than trying to reinvent the wheel. But taking those building blocks together and then building something secure and making sure that it's not vulnerable to attack is something that is a really interesting aspect and domain. Now, I hope I've shown you that there are so many different domains in security, and we haven't even touched on hacking and reverse engineering yet. So if any of those domains interested you, maybe you have a background I mentioned, maybe you're just interested and want to learn. 
I just want to start by wishing you good luck, because you see, it is possible to become a security expert without necessarily knowing hacking. Now, when I say hacking here, I'm obviously speaking about white hat hacking, which is legal hacking, when the company is actually hiring those hackers to develop the vulnerabilities in their system because they'd rather they find out and not malicious attackers. There's also pen testing, which kind of ties in with the security review I mentioned before, where you're looking at the system and trying to analyze it kind of theoretically to find the vulnerabilities. But I also want to speak about reverse engineering, because, like I said, when you see these films of, like, okay, tap, tap, and you're in a system, and you're not able to do that, it can cause imposter syndrome. So I personally was already kind of in the security field for a few years, and I felt, okay, I want to know how to do reverse engineering. And I did actually study a bit. And what I discovered then was quite interesting, if you want to study it. First of all, there are, like, great resources, for instance, on Cybrary on how to do reverse engineering. There are tools like IDA and OllyDbg that can really help you look at binaries, find passwords there, find places where there are vulnerabilities. But what I discovered is there's a huge amount of time and patience involved. It's really not that tap tap on the keyboard that you may be seeing. And I'd like to compare it to Sherlock, if anyone has read or seen it, where Sherlock needs to take this shredded stack of papers and piece it together very painstakingly to find out the message. So it shows him with this huge stack of shredded papers. It shows him sitting for, like, two minutes. It actually shows him sitting with the papers. In practice, he does it for, like, a week, and then at the end, he has this message put together, and it's too boring to watch that whole thing. 
So just kind of pulling that into here. There's a huge amount of effort, time, and patience involved in hacking. So if you do see someone just run something in one, two minutes and crack into a system, they're usually building off work that someone else did in order to put that script together and actually find the vulnerabilities. So you shouldn't think that if you're not able to do that, you're not able to be a security expert. So, to summarize, we spoke about these different domains. You could divide them differently. I hope I was able to convince you that security is more than one field. There are many subdomains there. They're all interesting. Within your career, if you're interested in security, you could continuously build your expertise in different domains, and that means you're going to be able to, at the end, provide a much more holistic security for your system. But it's really okay just to start with one or two of the domains and develop your expertise in those. I'm going to provide now some resources. Like I mentioned, cryptography. There's a great introduction to cryptography course on Coursera available for free. There's a software security course which is more focused on applied cryptography. We have here Cybrary, which is a great resource if you are interested in ethical white hat hacking and penetration testing. These are things that you can learn. And there are some really interesting blogs on Medium. I personally really like Cloud Security Guy's blog on Medium, because he really writes about what's developing in the cloud security field. And Professor Bill Buchanan speaks about cryptography in a very interesting and relatable way. I'd just love it if you follow my blog on Medium, Miss Architect, where I speak about cloud security and zero trust security and software architecture and developing your career as a software architect. So I hope we can stay in touch, and thank you. And thank you to Conf42 for this lecture.
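The two cryptography points the talk makes in passing, the difference between symmetric encryption/decryption and asymmetric signing/verification, and secure boot as "validating every single stage of your software", are easiest to see side by side in code. The following is an added example written for this page, not code from the talk or from any Dell product, and it uses only the Go standard library. The Stage structure, the bootloader/kernel/app image bytes and the demo AES key are all made up for the example; on real hardware the root public key lives in ROM or fuses and the signing keys never leave an HSM or offline signer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newGCM wraps a 16/24/32-byte AES key in an authenticated (AEAD) mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAESGCM is symmetric cryptography: the same secret key encrypts and decrypts.
// A fresh random nonce is prepended to the output; GCM appends an authentication tag,
// so any change to the ciphertext is detected on decryption instead of yielding garbage.
func EncryptAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// DecryptAESGCM reverses EncryptAESGCM and fails if the key is wrong or the data was tampered with.
func DecryptAESGCM(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// Stage is one link of a simplified secure-boot chain (a hypothetical layout for this example).
// Asymmetric cryptography: the private key signs at build time, the public key verifies at boot.
type Stage struct {
	Name      string
	Image     []byte
	NextPub   ed25519.PublicKey // key that must verify the following stage; nil for the last one
	Signature []byte            // Ed25519 signature over stageDigest(Image, NextPub)
}

// stageDigest binds the image and the next-stage key under one signature, so an attacker
// cannot keep a validly signed image but swap in a key they control for the stage after it.
func stageDigest(image []byte, nextPub ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write(image)
	h.Write(nextPub)
	return h.Sum(nil)
}

// SignStage is what the holder of the (offline, well-protected) signing key does at build time.
func SignStage(priv ed25519.PrivateKey, name string, image []byte, nextPub ed25519.PublicKey) Stage {
	return Stage{Name: name, Image: image, NextPub: nextPub,
		Signature: ed25519.Sign(priv, stageDigest(image, nextPub))}
}

// VerifyChain is what the device does at boot. rootPub is the only key trusted a priori;
// each stage is verified before it would run, and only a verified stage may nominate the key
// for the next one. Returns the name of the first stage that fails, or "" if all are trusted.
func VerifyChain(rootPub ed25519.PublicKey, chain []Stage) string {
	pub := rootPub
	for _, s := range chain {
		if !ed25519.Verify(pub, stageDigest(s.Image, s.NextPub), s.Signature) {
			return s.Name
		}
		pub = s.NextPub
	}
	return ""
}

// BuildDemoChain generates three key pairs and signs a bootloader -> kernel -> app chain.
// The image bytes are constructed sample data, not real firmware.
func BuildDemoChain() (ed25519.PublicKey, []Stage, error) {
	var pubs [3]ed25519.PublicKey
	var privs [3]ed25519.PrivateKey
	for i := range pubs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		pubs[i], privs[i] = pub, priv
	}
	chain := []Stage{
		SignStage(privs[0], "bootloader", []byte("bootloader-image-v1"), pubs[1]),
		SignStage(privs[1], "kernel", []byte("kernel-image-v1"), pubs[2]),
		SignStage(privs[2], "app", []byte("app-image-v1"), nil),
	}
	return pubs[0], chain, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // demo key only; real keys come from a KMS or HSM
	ct, _ := EncryptAESGCM(key, []byte("hello"))
	pt, _ := DecryptAESGCM(key, ct)
	_, wrongErr := DecryptAESGCM(bytes.Repeat([]byte{0x43}, 32), ct)
	fmt.Printf("symmetric: decrypted %q; wrong key -> %v\n", pt, wrongErr)

	rootPub, chain, _ := BuildDemoChain()
	fmt.Printf("intact chain, first failure: %q\n", VerifyChain(rootPub, chain))
	chain[1].Image[0] ^= 0xff // tamper with the kernel image after it was signed
	fmt.Printf("after tampering, first failure: %q\n", VerifyChain(rootPub, chain))
}
```

The symmetric half shows why "encrypt" and "decrypt" share one secret: whoever can decrypt can also forge, which is exactly why the talk's question about protecting the TLS private key matters. The asymmetric half shows the other shape: the device only ever holds public keys, so stealing the device reveals nothing that lets an attacker sign a new kernel, and flipping a single byte of a signed image breaks the chain at that stage and nowhere earlier.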

Michal Davidson

Software & Security Architect @ Dell Technologies

