Berkeley CISO/CSO study & Cornell Scalable Data Distribution Research - Plus April 10 reminder

Dear Security SCOM members and W3C Colleagues - we have two requests from Universities (Cornell and Berkeley) regarding studies they are conducting.  Please let me know if you have any interest:

The Berkeley CISO/CSO study is described in the attachment and the Cornell research is described below.

Please remember to dial in for our monthly meeting this coming Thursday, April 10 at 1pm -
512-225-3050, pc 272373#.  (details at the bottom of this email)

Regards,

Roger 

Cornell research on scalable data distribution

Goal: We would like to develop a new generation of powerful, scalable
platform technologies for data distribution and event notification in
settings such as large financial installations.  Cornell is one of the
research groups in this area, but we're working with an IBM research group
from Haifa and with the folks that did the ACE/TAO and DDS platforms at
Vanderbilt.  Others worldwide are interested in similar topics.  So the goal
is really a broad one.

Benefit to the banks: They need these technologies to keep up with the
tsunami of data and the soaring event rates seen in modern trading systems.
Existing solutions are known to be unstable under stress.  By catalyzing
research they benefit when solutions find their way into products, companies
are launched, etc.  They also hire the students who worked on and with the
research prototype systems.

Risk to the banks: instrumentation from their trading systems could create a
competitive risk -- their competitors are all looking for ways to gain a
small edge, for example in arbitrage situations.  

Proposed solution: FSTC works as a neutral third party, collecting the data
sets, designing and executing protocols to anonymize the data, and providing
multiple data sets.  End users see data from five banks, not just one, and
have no idea which data corresponds to which bank, not to mention when the
data was collected or other specifics.  

The proposed trace: The data set of greatest interest to us at this time
would list groups (corresponding to equity symbols), subscribers
(corresponding to traders) and message rates (data rates, average message
sizes, for example at a minute by minute resolution).

The anonymity plan: we replace true group names with random symbols: IBM
becomes G571

We replace trader workstation IDs with random symbols: 123.75.68.1231 becomes
W1991

We report averages for statistics such as message size, rate, etc.

We remove any indication of the name of the bank from which the trace was
produced, and we eliminate any indication of when it was produced.

Other questions one could raise: Who owns the IP?  We are hoping that FSTC
would make these traces public domain and not assert any rights at all.  The
view here is that the members gain so much more by ending up with technology
advances that they can buy than they could possibly gain by fussing over
rights associated with access to the traces that the big win outweighs
anything else.  Moreover, they WANT to buy these technologies: they want
guarantees of support, help integrating them, etc.  A product from IBM or Red
Hat is far more appealing than a situation in which FSTC somehow ends up
"owning" all IP generated in connection with these trace data sets.

Precedent?  Yahoo and Google are both releasing all sorts of data sets, with
similar things in mind.  But none comes from a trading environment.

Biography: Professor Ken Birman (http://www.cs.cornell.edu/ken) is a
researcher at Cornell University, where he heads a team working to develop
new ways of programming distributed systems and new fault-tolerance tools.  A
long-time friend of the banking community, Professor Birman founded and led
three companies that sold technologies to Wall Street, and in particular,
developed communication solutions that ran the NYSE and SX systems for more
than a decade.  His team invented the first publish-subscribe system, and his
Isis Toolkit was widely used for financial systems fault-tolerance during an
extended period. He has a long record of consulting for major banks, stock
exchanges, the US Dept. of the Treasury, and other government organizations.
With his academic hat on, Professor Birman has authored hundreds of papers,
written several widely used textbooks, and worked with some of the world's
best young researchers to create dozens of innovative software systems, many
of which entered into wide use. FSTC members saw a different element of
Professor Birman's recent work "in action" in a March teleconference call,
during which he ran a demo of his new Live Objects platform.  The demo was
captured on DVD, and can be seen at http://liveobjects.cs.cornell.edu.

______________________

Please join our Monthly FSTC Security Committee Meeting and our
excellent speakers this coming Thursday April 10th at 1pm.  The call-in
number is 512-225-3050; pass-code:  272373#    (See presentation
materials, attached.)

Our meeting will focus on Improving the Security of Our Applications.

Following an intro and overview by Dan Schutzer:

· Robin Bloor from Hurwitz Associates will speak about a paper
he wrote, and that we recently circulated: The Anti Virus is Dead --
The Advent of the Graylist Approach.  This generated a good deal of
discussion from our members, so we are pleased that Robin will
personally summarize his observations and the current state of these
technologies.

· Warren Axelrod, from Bank of America, will extend the
discussion to discuss his presentation, Meaningful Metrics for
Application Security.  (Warren's ideas are his own and do not represent
the official position of Bank of America.)

Remember to register for this year's FSTC Annual Conference in Sonoma,
California.  Details on our impressive list of speakers and interactive
panel discussions at www.fstc.org <http://www.fstc.org/>

-- 
Roger D. Lang
FSTC Security SCOM
(O) 201-389-3571
(C) 917-538-8041
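The anonymity plan in the Cornell section above (random symbols for groups and workstations, averages only, bank name and collection time stripped) is concrete enough to show as code. The block below is an added illustration for this list, not code from Cornell, FSTC or any bank; the input record layout, the G####/W#### symbol format, the minute-bucket aggregation and the sample rows are all assumptions made for the example.

```python
"""Trace pseudonymizer in the style of the anonymity plan described above.

Added illustration, not code from Cornell, FSTC or any bank. The input
record layout, the symbol format (G####/W####) and the sample rows are
assumptions made for this example.
"""
import random
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample trace (invented values, not real bank data). Each record:
# (bank name, ISO-8601 timestamp, equity symbol, trader workstation ID, message size in bytes)
SAMPLE_TRACE = [
    ("BankA", "2008-03-03T09:30:07", "IBM",  "123.75.68.1231", 412),
    ("BankA", "2008-03-03T09:30:19", "IBM",  "123.75.68.1231", 388),
    ("BankA", "2008-03-03T09:30:41", "IBM",  "123.75.68.1232", 420),
    ("BankA", "2008-03-03T09:30:55", "MSFT", "123.75.68.1232", 301),
    ("BankA", "2008-03-03T09:31:03", "IBM",  "123.75.68.1231", 399),
    ("BankA", "2008-03-03T09:31:48", "MSFT", "123.75.68.1233", 310),
]


class SymbolTable:
    """Hands out random, collision-free symbols and remembers the mapping.

    Random assignment (rather than a hash of the real name) means nobody can
    confirm a guess by recomputing the symbol; the table itself is the secret
    and stays with the neutral third party.
    """

    def __init__(self, rng):
        self._rng = rng
        self.groups = {}        # real equity symbol -> G####
        self.workstations = {}  # real workstation ID -> W####
        self._used = set()

    def _fresh(self, prefix):
        while True:
            sym = f"{prefix}{self._rng.randint(1000, 9999)}"
            if sym not in self._used:
                self._used.add(sym)
                return sym

    def group(self, name):
        if name not in self.groups:
            self.groups[name] = self._fresh("G")
        return self.groups[name]

    def workstation(self, wid):
        if wid not in self.workstations:
            self.workstations[wid] = self._fresh("W")
        return self.workstations[wid]


def pseudonymize(trace, seed=None):
    """Return (rows safe to publish, secret mapping to keep in-house).

    Steps mirror the plan: drop the bank name, replace absolute time with a
    minute index relative to the trace start, replace group and workstation
    names with random symbols, and report per-minute counts and averages only.
    seed=None uses the OS CSPRNG; a fixed seed is only for reproducible demos.
    """
    rng = random.SystemRandom() if seed is None else random.Random(seed)
    table = SymbolTable(rng)
    # Wall-clock origin is discarded: minute 0 is whatever minute the trace began.
    t0 = min(datetime.fromisoformat(ts) for _, ts, _, _, _ in trace)
    t0 = t0.replace(second=0, microsecond=0)
    buckets = defaultdict(list)
    for _bank, ts, symbol, wid, size in trace:   # the bank name is never used again
        minute = int((datetime.fromisoformat(ts) - t0).total_seconds() // 60)
        buckets[(table.group(symbol), minute)].append((table.workstation(wid), size))
    rows = []
    for (group, minute), msgs in sorted(buckets.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        rows.append({
            "group": group,
            "minute": minute,
            "messages": len(msgs),                          # message rate per minute
            "avg_size": round(mean([s for _, s in msgs]), 1),
            "subscribers": sorted({w for w, _ in msgs}),
        })
    mapping = {"groups": dict(table.groups), "workstations": dict(table.workstations)}
    return rows, mapping


def leak_check(rows, secrets):
    """Release gate: return any raw identifier that still appears in the output."""
    blob = repr(rows)
    return [s for s in secrets if s in blob]


if __name__ == "__main__":
    rows, mapping = pseudonymize(SAMPLE_TRACE, seed=7)
    for r in rows:
        print(r)
    print("leaks:", leak_check(rows, ["BankA", "IBM", "MSFT", "123.75.68", "2008-03-03"]))
```

Two points a practitioner would check before release: the mapping returned by `pseudonymize` is the only thing that links G#### back to a real symbol, so it must never ship with the data set, and because the pseudonyms are consistent within a trace the per-group message volumes are preserved, so the busiest groups remain distinguishable by volume alone even though their names are not. The `leak_check` gate only catches literal identifiers; it does not address that second, statistical form of disclosure.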

Forwarded message 1

  • From: Dan Schutzer <dan.schutzer@fstc.org>
  • Date: Fri, 28 Mar 2008 12:40:34 -0400
  • Subject: FW: CISO/CSO study
  • To: "'Roger Lang'" <roger.lang@fstc.org>
  • Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>
  • Message-ID: <01ac01c890f2$72ce0990$6400a8c0@dschutzer>
Roger,

Could you take this request and send it to the Security SCOM to see if there
is any interest on the part of our members to be willing to be interviewed
by Deirdre

Thanks

Dan

-----Original Message-----
From: Deirdre Mulligan [mailto:dmulligan@law.berkeley.edu] 
Sent: Wednesday, February 27, 2008 1:34 PM
To: dan.schutzer@fstc.org
Cc: Deirdre Mulligan
Subject: CISO/CSO study

Hi Dan --
Hope this email finds you well. Nice to speak with you on the TRUST call
last month.
I'm writing to ask for a bit of help.

I'm in the process of lining up interviews with CISO/CSOs within a set
of sectors (infrastructure, financial, retail, healthcare) for a
research project examining the role law plays in influencing decisions
about security.  I discussed this at the I3P mtg in Miami, so hopefully
it will ring a bell. I've attached a one pager on the project.

As you know, the project is funded by the Institute for Information
Infrastructure Protection and is part of a larger effort to consider the
business and legal forces shaping security investment, policy and
practice. Information about I3P, for additional context, can be found
here http://www.thei3p.org/

I was hoping that you might be able to connect me with CSO/CISO folks
within the financial services sector. I'm well on my way in several of
the other areas, but my connections in financial services are slimmer
since my time in the bay area. I am seeking folks who will be willing to
participate in a 1.5 to 2 hour interview. I would be happy to do
it by phone or come to them. Because of the financial services sector's extensive
background and relative maturity with respect to security relative to
some other sectors, I view its participation and representation as
essential to this work. I hope you might help persuade some of your
colleagues that I'm a worthwhile person to speak with and that this
research will be useful to them in their work.

My ideal list would be

0. An i-bank: GOLDMAN SACHS, CREDIT SUISSE, OR JP MORGAN

1. Citigroup
Reasons:  Major national bank, credit card issuer, etc. with online
services for banking, lending, investing.  Their operations cover all of
consumer/commercial banking, financing, equity, etc.

2. Bank of America
Reasons:  Analog to Citibank but has taken some notably different
approaches to both online security and financial product offerings.

3. VeriFone
Reasons:  They have provided a lot of the hardware and "virtual"
infrastructure for payment processing, and according to their company
overview and product directions seem to have a forward-looking view of
where the payment/authentication/exchange industry is going (e.g.,
RFID-based authentication, integrated multi-purpose authenticators, etc.)

4. e*Trade
Reasons:  One of the first-movers in the online-trading space; have
successfully maintained a presence in this arena post-dot-com bust,
likely a forward-thinking company.  Also conducts business almost
exclusively online.

5. PayPal
Reasons:  Alternate business model for payment exchange; extensive
integration with and exchange of information among other financial
institutions.  Another (prospering) survivor of the dot-com era.

6. Equifax
Reasons:  Credit-reporting agencies are responsible not only for the
back-end transaction of tremendous amounts of
personally-identifiable/sensitive financial information, but are now
also moving into the space of direct consumer-oriented sales of various
credit reporting, protection, monitoring, and other related products.



Many thanks in advance for any assistance you can provide.

Best,
Deirdre

Received on Monday, 7 April 2008 19:54:06 UTC