Skip to content ↓ | Skip to navigation ↓

RSA Conference USA, one of Tripwire’s top 11 information security conferences for 2016, is now well underway! With so many events planned for this week, you might miss a few keynotes and panels.

Don’t worry. We at The State of Security have prepared synopses of a few notable RSA presentations that have occurred thus far. We hope you enjoy them!

The Sleeper Awakes

Speaker: Amit Yoran (@ayoran), President, RSA

Amit Yoran, President of RSA, discussed the security industry’s “common experiences.” He spoke about prevention being a failed strategy and the movement of authentication and identity management back to the forefront of our discussions.

Mandy Huth, Director of Cyber Security at Belden, says what struck her the most about his presentation was his comment that “there is no magic that will save us all.”

“It resonates because as security practitioners, we have to adjust to ever changing rules and ‘counter move’ our adversaries,” Huth said.

We can do that by leveraging what Amit called our ‘hunters’ – the curious – problem solving analysts.

“I believe that fueling a culture of curiosity will drive us into an investigative spirit that can help propel us ahead of our adversaries,” Huth said.

Trust in the Cloud in Tumultuous Times

Speaker: Brad Smith (@bradsmi), President and Chief Legal Officer, Microsoft

President and Chief Legal Officer Brad Smith of Microsoft gave a compelling keynote on privacy rights and the importance of encryption – an issue receiving much attention recently in the wake of the Apple vs. FBI debate.

Smith made several strong statements reiterating the company’s full support of Apple, adding that Microsoft underwent a similar situation last November following the attacks in Paris. The company received 14 requests for information about at-large terrorist suspects. Ultimately, Microsoft determined that the requests were lawful. It therefore pulled the content on the suspected terrorists and turned it over to law enforcement in an average response time of less than 30 minutes.

Smith referenced these incidents as a way to echo the notion that today, “there is no national security without cybersecurity.” In the midst of this, he also stressed that encryption is vital to keeping people safe and our information secure.

“Whatever the intention, one thing is clear: the path to hell starts at the back door. We need to make sure encryption technology remains strong,” said Smith.

Furthermore, Smith noted that U.S. laws need to be significantly updated by stating, “The world is going to trust technology only if the law can catch up.”

Louder Than Words

Speaker: Christopher D. Young (@youngdchris), Senior Vice President and General Manager at Intel Security Group

Intel’s Senior Vice President and General Manager Christopher Young discussed two main issues in his keynote – the value of threat intelligence sharing and the cybersecurity talent shortage.

First, he noted the importance of companies focusing their efforts with a single mindedness that allows them depth and visibility that they might otherwise overlook when dealing with large volumes of data.

He went on to explain Intel’s collaboration with other major vendors in the security space, including Symantec, Palo Alto Networks, and Fortinet, to deeply analyze and research CryptoWall– a strain of ransomware that has caused more than $325M in global damages today.

“The value of threat intelligence is only as good as the counter measures it enables,” said Young. “Addressing threats is bigger than one person, one company – it’ll take a partnership,” stressing that collectively, we can bring more value to the industry and to the people we want to protect.

Secondly, Young addressed the growing issue of talent shortage in the industry.

Huth noted that he brought a powerful message by introducing Morgan, a freshman at Purdue who is participating in a joint internship program called “Pathmaker” hosted between his university and the state of Indiana.

“By enabling our youth to participate and engage in our cyber concerns, we are growing a community of hunters that will protect us as we journey through our ever-evolving cyberworld,” Huth said.

“We’re capable and confident, and we can dive into these problems with new ideas,” said the student.

Hot Topics in Privacy: A Conversation with Adobe, Google and Microsoft

Speakers:

  • Moderator: Trevor Hughes (@jtrevorhughes), President & CEO, IAPP
  • Panelist: Brendon Lynch (@brendonlynch), Chief Privacy Officer, Microsoft Corporation
  • Panelist: Keith Enright (@keith_enright), Legal Director, Privacy, Google
  • Panelist: MeMe Rasmussen (Meme Jacobs Rasmussen), VP, Chief Privacy Officer, Adobe Systems

With Microsoft’s keynote being so relevant and interesting, I thought it would be good to also hear from the privacy leaders of other major players in technology.

The panelists in this presentation answered questions around some of the most debated topics today. One of the issues discussed revolved around innovative data usage and dealing with product managers who may want do something that is not quite right.

Microsoft’s Brendon Lynch stated that this case is likely inevitable, as we are beginning to recognize that data is the key to innovation. The best way to turn these discussions into healthy tension is by focusing on what’s right for customers.

Meanwhile, Keith Enright from Google said their employees are encouraged to take risks and that it’s important to foster this notion in conversations. But this came with a caveat.

“Let’s remember the trust of our users is essential to Google’s success,” Enright said.

Another topic touched upon was the GDPR introduced in Europe. All of the panelists believed this is an issue that is still up in the air. Adobe’s MeMe Rasmussen said it’s clear the document was written by people who don’t run businesses, including numerous countries that all have their own agendas.

“A lot will be up to interpretation, and we’re waiting for guidance on what certain terms mean,” said Rasmussen. “We will have to wait until the dust settles, and that won’t be for a few years from now.”

Meanwhile, Enright added that he and other leaders around privacy practices need to negotiate and draw out rationality as much as they can.

“Ultimately, our interests are aligned. We want to protect users to the greatest extent – the GDPR gives us a framework to do so. We have to bring our programs to the next level of privacy and make them more robust in demonstrating compliance externally,” Enright said.

Converging IT and OT for Secure, Reliable, Resilient Industrial Networks

Speakers:

The security of critical infrastructure has been in the spotlight recently following a power outage in the Ukraine, which the U.S. government has confirmed was caused by a cyber attack. What David Meltzer and Jeff Caldwell stressed is that these incidents are a real issue – not FUD (fear, uncertainly and doubt).

However, the latter part of this problem that doesn’t receive as much attention is the fact that the overwhelming majority (80%) of incidents on ICS networks are unintentional – caused by human errors, software flaws, or an untargeted malware infection.

Meltzer and Caldwell discussed an approach to industrial cybersecurity and defending against ICS incidents, including how IT and OT teams can work together to secure industrial networks, PCs, and controls.

Responding to today’s threats requires improved communications between the two areas as well as cooperation on a consistent security strategy. Although OT engineers and IT security professionals bring different skill sets and perspectives to these cyber security challenges, it’s important to note that both teams can learn significantly from each other.

Lastly, the speakers outlined a few keys to successful convergence:

  • In the next week: commit to improving your ICS security skills, such as by reading a book or taking a course.
  • In the next three months: begin to build relationships with the IT staff or ask to get a tour of the plant.
  • In the next six months: drive or support a collaborative environment and metrics that both emphasize teamwork.

ConvergingIT&OT-web (1).png

Bro, Do You Even Cybercrime? Key 2016 Trends

Speaker: James Lyne (@jameslyne), Global Head of Security Research, Sophos & SANS

James Lyne gave a very entertaining yet informative presentation on key trends in cybercrime for 2016.

The main premise underpinning his presentation was how users tend to cling to the security truisms taught to them by the security industry – otherwise known as “user expectation.”

According to session attendee Lane Thames, Lyne pointed out that cybercriminals are good at making their techniques highly effective. He provided an example of an online cybercriminal system that markets and sells stolen data such as user names and credit card account information and described how the system uses techniques, such as reputation management to provide a “good” product in the form of exploits and keyloggers to customers.

Script kiddies are buying these tools and packaging them into their own brands, whereas more experienced criminals are both building their own products and purchasing them from the underground.

In both cases, Lyne stated, cybercriminals are able to succeed because they are very good at gauging the effectiveness of their approaches because of their “measure, learn, and repeat” loops.

Another trend identified by the presenter was cybercriminals’ ongoing use of security techniques to optimize their efforts. For example, bad actors commonly employ tools, such as encryption to trick users, and by extension, exploit user expectations based on security truisms they have learned.

As a result, if a user receives an email with an encrypted file containing instructions on how to decrypt the file, the user is more likely to be duped because they will say to themselves: “Surely, it must be safe if it is encrypted.”

Bruh! Do You Even Diff? – Diffing Microsoft Patches to Find Vulnerabilities

Speaker: Stephen Sims (@steph3nsims), Security Researcher, SANS Institute

Stephen Sims provided a very informative presentation on diffing files, which generally speaking, is the act of comparing the difference between a set of files.

Sims’ talk focused on binary diffing – a method of diffing which works with binary files in particular, such as executables and DLLs.

Thames noted that the purpose of his talk was to introduce the audience to binary diffing for the purpose of finding software bugs and vulnerabilities. He illustrated this technique using various software tools, such as IDA, BinDiff, and Diaphora.

He also discussed various aspects of Microsoft patching and patch distribution. Reverse engineers use binary diffing tools in order to develop exploits for systems after patches have been released.

“This is an important fact for IT administrators to understand because once a patch had been provided for a system, the clock starts ticking,” said Thames.

Good reverse engineers can analyze patches from vendors, such as Microsoft with binary diff tools and can sometimes deliver exploits to the underground cybercriminal market within a matter of hours.

According to Sims, the price for a one-day exploit (an exploit based on a vulnerability fixed by a recent patch) depends on the severity of the vulnerability, the number of users that are affected, and the amount of time since the associated patch has been released. He demonstrated these ideas using CVE-2016-0041, a DLL Loading vulnerability, and illustrated how the patches provided by MS16-014 and MS16-009 could be reversed engineered with binary diffing to deliver an exploit payload that targets Internet Explorer users.

The main point – and this is a very important point – is that time is of the essence when it comes to patching systems. Once vendors deliver patches, exploit developers and cybercriminals will work fast and hard to take advantage of the amount of time most users and organizations spend patching their systems.

Please click here to view Sims’ slides.

 

Are you attending RSA this year? If you are, please visit us at Booth #3301 to learn about all the exciting things Tripwire has planned for this year’s conference.

In the meantime, please stay tuned for more coverage of RSA Conference 2016!

Editor’s Note: This article was partially co-written by Lane Thames.