Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/11/2018
05:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Window Snyder Shares Her Plans for Intel Security

The security leader, known for her role in securing Microsoft, Apple, and Mozilla, discusses her new gig and what she's working on now.

It has been less than four months since Intel appointed Window Snyder as its chief software security officer and vice president and general manager of its Intel Platform Security Division. But Snyder, it seems, has been preparing to take on this position for years.

"This role ties into everything I've been working on in my career until now," she says. "By the time I learned more … there was no way I was going to say no."

Snyder is an industry veteran best known for her work in advancing security efforts at Apple, Microsoft, and Mozilla. She started her career as a software engineer, and later shifted to consulting before joining Microsoft as senior security strategist in 2002. It was a difficult time for businesses, which were grappling with an onslaught of cyberattacks.

"It wasn't just Microsoft," she recalls. "A lot of the industry was looking at vulnerabilities, viruses, worms, and trying to figure out how to get ahead of this set of threats that were causing a lot of pain."

The way the systems were organized, they "really had to be rearchitected to a significant degree," she says, and this meant starting from scratch – it wasn't just one vulnerability they had to address. There were hundreds. From 2002 through 2005, Snyder worked at Microsoft creating methods for addressing security at every stage of the development lifecycle.

"We were not just developing mitigations for specific threats, but securing the platform altogether," she explains. The attack surface was designed to be open and interoperable. Her team had to create categories of mitigation to address industry changes and evolving threats.

In 2010, after holding security leadership roles at Matasano Security and Mozilla, Snyder joined Apple's privacy division. It was a shift from her previous focus at Microsoft; now, she was working with consumers in mind. "I was excited about making security usable," she says.

During her time at Apple, Snyder took responsibility for privacy and security features in iOS and OS X. Her goal was to design security features people could understand, and it was hard at first to demonstrate there could be value in security protections. Simple things made people feel like they were in control: "Can we have access to your photos" alerts, for example.

"A growing awareness made folks more willing to make those choices, and then happy to make these choices, because they recognized they were in control," she explains.

(Image: Window Snyder)

(Image: Window Snyder)

While modern users have greater awareness of security and privacy, Snyder believes there is more work to be done. "Security features were not built for people to use," she points out. The security industry often puts blame on users, which she says isn't fair. Usually it means something wasn't properly designed and could have been built in a more accessible way.

Bringing it Back to the Business

Snyder now has brought her skills from earlier roles to Intel, where she's the strategic lead of the product roadmap for its security portfolio. She's evaluating and understanding the kinds of problems Intel customers are facing, what their priorities are, and how they want to use tech.

"It's so broad in scope," she says of her new role. "But it's still people at the end of the day."

Whether the person using a tool is a CIO, CISO, or business executive, they still want security to be robust and easy to deploy. Access control is a problem for many, she notes, as is complexity. Employees want to simplify problems so they can make decisions more easily.

When asked about her future plans for Intel, Snyder says three categories come to mind.

The first is protection technologies with mitigations designed to make systems more resilient. There are security components every system needs to consider, she explains, and one of her plans is to create mechanisms that support the foundational security of each platform.

Second is understanding how the system is running. "Everything from key signing to code signing to validation to updates, anything that helps understand the state of the system." She wants to create ways to expose this information to industry tools so they can evaluate security.

Snyder's third priority is enablement. A lot of technologies may not specifically be security systems but they use security technology to protect data, onboard users, or authenticate. There are ways we can leverage those technologies to deploy security onto systems.

It has been a rough year for Intel, which has been in the spotlight for major flaws in its microprocessor products, namely the Meltdown and Spectre vulnerabilities exposed earlier this year. Hardware is tough to patch, and Snyder says Intel is working on tools that enable administrators for easily “getting back to a known good state.”

When you go to update low-level components, you have to be sure the update is highly resilient, she explains. Developing that sort of capability for all of Intel's partners, and throughout the industry, is what is needed to support this robust ecosystem, she explains.

We're at a point, Snyder adds, where organizations must operate with the expectation they are compromised. "Designing for compromise, designing for vulnerability, is a different approach," Snyder explains. You may have to operate without confidence that you know everything on your network, but knowing if one thing was affected, not everything was affected.

"We're building systems designed to be resilient against future threats," she says.

Related Content:

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
mejarkonsaj
50%
50%
mejarkonsaj,
User Rank: Apprentice
10/30/2018 | 6:20:49 AM
Having error 0xe8000015
Appreciated
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17424
PUBLISHED: 2019-10-22
A stack-based buffer overflow in the processPrivilage() function in IOS/process-general.c in nipper-ng 0.11.10 allows remote attackers (serving firewall configuration files) to achieve Remote Code Execution or Denial Of Service via a crafted file.
CVE-2019-16404
PUBLISHED: 2019-10-21
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
CVE-2019-17400
PUBLISHED: 2019-10-21
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
CVE-2019-17498
PUBLISHED: 2019-10-21
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a ...
CVE-2019-16969
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.