Infosecurity Europe 2014 was by all accounts a great success, drawing thousands of security pros from around Europe and the globe. Tripwire was there and active on multiple fronts: hosting unique events at our booth, providing several speakers for sessions at the show and at concurrent conferences, and taking home the Best Corporate Blog award from the European Security Bloggers Meetup.
What a fantastic week!
Attendees at Infosec14 who dropped by Tripwire’s booth had the opportunity to get themselves immortalized in the fashion of a true conference zombie. We are pleased that so many have shared their caricatures so widely, and many are even using them as their avatars on platforms like Twitter. Take a look at the gallery of ghouls below!
Many also joined us for our in-booth Happy Hour, where there were plenty of libations to go around. We gave away hundreds of customized t-shirts printed on the spot, as well as several Xbox Kinects, and much, much more!
Tripwire’s Chief Technology Officer Dwayne Melancon (@ThatDwayne) moderated a session at Infosec14 titled One Big Threat to Cyber Security: IT Geeks Can’t Talk to Management, with panelists Stephen Bonner (@StephenBonner) and Thom Langford (@ThomLangford).
This session drew from the experience of seasoned CISOs with proven track records in enabling core business objectives by influencing key stakeholders in the organization. These risk and information security leaders shared their advice on how to effectively create and demonstrate security’s value to the entire business while ensuring that security efforts are more visible to the rest of the organization.
Some of the wisdom shared included:
- Thom Langford: You need to understand your business and align to what motivates the business. You need to get out and compare yourself with the industry. It’s your job to translate it upwards, not management needing to understand it. We have a document with formulas where we put all that in. Check it with industry and peers, and also with our internal departments.
- Stephen Bonner: How do you quantify risks that may be too impactful, but very rare? One of the problems of IT risks is that they are intangible.
- Dwayne Melancon: You need to establish a risk and security oversight board to prioritize your risks and understand the perspective of other departments. Find people in your organization who already provide info to execs and learn
Melancon also presented a session titled Continuous Compliance Best Practices at the 4th Annual PCI-DSS European Roadshow, which examined how to create a continuous, automated approach to satisfying PCI compliance requirements, as well as techniques for achieving security and business value beyond compliance and for increasing an organization’s awareness of the suspicious activities often associated with data breaches.
Key takeaways from Melancon’s session included the following:
- Establish, document and communicate priorities and processes and key controls – and enforce separation of duties
- Define and deploy a continuous monitoring approach and create reports
- Implement preventive controls (roles and responsibilities; work out what is good and bad and capture it in your policies), detective controls (configuration assessment, change auditing; if you don’t have preventive controls in place, your detective controls are harder to operate) and corrective controls
- Don’t jump into automation too quickly, because you don’t want to automate bad processes
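To make the detective controls in the list above concrete (configuration assessment and change auditing), here is a small Python script written for this post as an added example; it is not Tripwire product code and not material from Melancon’s session. It baselines the SHA-256 digest and permission bits of every file under a directory, rescans to classify drift as added, removed or changed, and checks two sshd_config settings (PermitRootLogin and PasswordAuthentication) against an assumed rule set. All file names and contents are constructed in a temporary directory so the script runs offline.

```python
"""Change auditing and configuration assessment, minimal form.

Added example, not Tripwire code. The sample files, the rule set and the
simulated unauthorized changes are all constructed for the demo.
"""
import hashlib
import os
import re
import stat
import tempfile


def fingerprint(path):
    """Return (sha256 hex digest, permission bits) for one regular file.

    Including the mode means a chmod alone shows up as drift, which a
    content-only hash would miss.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), stat.S_IMODE(os.stat(path).st_mode)


def take_baseline(root):
    """Fingerprint every file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Detective control: classify drift between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


# Assumed configuration-assessment rules: setting -> regex its value must match.
SSHD_RULES = {
    "PermitRootLogin": r"^no$",
    "PasswordAuthentication": r"^no$",
}


def assess_sshd(text, rules=SSHD_RULES):
    """Return the names of rules that fail (setting missing or wrong value)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return sorted(k for k, pat in rules.items()
                  if not re.match(pat, settings.get(k, ""), re.IGNORECASE))


def demo():
    """Build constructed files, baseline them, introduce drift, report it."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, "etc", "ssh")
        cron_dir = os.path.join(root, "etc", "cron.d")
        os.makedirs(ssh_dir)
        os.makedirs(cron_dir)
        sshd = os.path.join(ssh_dir, "sshd_config")
        app = os.path.join(root, "etc", "app.conf")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\nPasswordAuthentication no\n")
        os.chmod(sshd, 0o600)
        with open(app, "w") as f:
            f.write("debug = false\n")
        os.chmod(app, 0o600)
        baseline = take_baseline(root)

        # Simulated unauthorized changes after the baseline was taken.
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
        os.chmod(app, 0o644)  # content unchanged, permissions loosened
        with open(os.path.join(cron_dir, "unexpected"), "w") as f:
            f.write("* * * * * root /tmp/x\n")

        drift = compare(baseline, take_baseline(root))
        with open(sshd) as f:
            failures = assess_sshd(f.read())
        return drift, failures


if __name__ == "__main__":
    drift, failures = demo()
    print("drift:", drift)
    print("failed sshd rules:", failures)
```

In practice the baseline would be stored off-host and signed, and the scan scheduled; that is the point of the "continuous" in continuous compliance. Note that the permission-only change to app.conf is reported as drift because the mode is part of the fingerprint.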
In addition to Melancon’s session, Craig Young (@CraigTweets), a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (@TripwireVERT), delivered a talk titled A Day In the Life (Of A Security Researcher) at the Security BSides London event.
The tools and methodology outlined by Young provided an excellent foundation for exposing security flaws by combining free software with security intuition. Vulnerabilities affecting both open source and proprietary products were presented, along with commentary on how the discoveries were made, how the issues may have been introduced, and what remediation steps resolved them.
The talk ranged from common and generally well understood web vulnerabilities to less obvious application logic errors, including a heap memory disclosure with some similarities to the OpenSSL Heartbleed vulnerability that has turned the Internet on its head.
Last but not least, we were thrilled to have been nominated for several awards at the European Security Bloggers Meetup, and even more so that we were voted Best Corporate Blog by our audience, peers and an expert panel. It is truly an honor, and a great follow-up to our winning Most Entertaining Blog at the U.S. awards held last February during the RSA Conference.
Thanks to all for your continued support!
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock