Yesterday I spoke at the 5th annual NIST Security Content Automation conference in Baltimore. A few years ago I spoke at the 2nd or 3rd SCAP conference, which was then a much smaller event held at NIST headquarters in Gaithersburg. The conference attendees then were mostly government security staff and managers, with a few small tabletop exhibits for vendors. This year’s event was much more a vendor show – at least half the attendees were from vendors and a very large proportion of the sessions were basically vendor pitches.
Now, this may sound like the pot calling the kettle mercenary – Gartner has lots of conferences where lots of vendors pay Gartner lots of money. But, I dunno – I sort of expect a government-run security conference to be different from one run by private industry. I miss the old National Information Systems Security Conference (NISSC) that NIST and NSA used to hold.
That goes especially for a conference focused on the Security Content Automation Protocol. SCAP is a great idea – anything that lets security information be more easily accessed, exchanged and correlated is a good thing. Being able to feed vulnerability information from any vendor’s assessment product into any other vendor’s mitigation or intrusion prevention product can be a very good thing.
However, the end goal always has to be to increase security by reducing damage – not to have more spending on more security products that will do nothing but send vulnerability and threat information back and forth in the name of “situation awareness” or “risk management.” There was way too little of the former and way too much of the latter being discussed.

John Pescatore