The RSA Conference for 2014 is wrapping up today, and the consensus is that we are all ready to get back home after a fantastic week here in San Francisco with our colleagues from around the world – always the best part of the trip.
The following are some more highlights from the sessions we attended, along with the artwork of Kelly Kingman, who sat in on some sessions to “visualize” the presentations in real time as the talks were being given, like this one for the first session reviewed below:
Disrupting the Progression of a Cyber Attack
Session Abstract: Before medieval marauders had any hope of capturing the castle, they first had to overcome a series of obstacles designed to keep them from reaching their goal. By analyzing your adversary’s steps, you are in a better position to segment, analyze and mitigate an attack. In addition, firms can build a fortress of proactive defense controls and provide the time to react decisively.
- Brian Honan, Owner and Chief Executive Officer, BH Consulting (@BrianHonan)
- Dwayne Melancon, Chief Technology Officer, Tripwire (@ThatDwayne)
Anthony M. Freed (attendee): “For all the full hour sessions at RSAC that had little to offer in the way of anything new, this session with Honan and Melancon – which was only twenty minutes – should definitely have been longer, as it had a lot of good information to offer. In a nutshell, the speakers presented a bullet list of strategies for making life hell for an attacker by throwing obstacle after obstacle in their path to not only slow the progress of their attack, but also to force the assailant to have to devote more resources to the operation and spend more time trying to get to their objective, which significantly increases the level of intelligence that can be gathered about their methods, intentions, and in some cases their identity. This would be a great subject for an entire day-long seminar.”
Security vs. Privacy: Who’s Winning (DSP-R01)
Session Abstract: What is more important, “Security” or “Privacy”? Surveillance, information sharing, website collection, merged media everywhere and then data breaches! Who wins? If security breaches are the main focus of privacy professionals then it may be. If the responsible use of information is the main focus then privacy is different. This lively discussion takes on items in the news.
- Christopher Pierson, Executive Vice President, Chief Security and Compliance Officer, Viewpost
- James Shreve, Attorney, BuckleySandler LLP
Tim Erlin (attendee): “James Shreve and Christopher Pierson presented a picture of tension between security and privacy, followed by a debate-style discussion of 4 scenarios of tension around government surveillance, personal monitoring, insider risks and anonymity. This polarized discussion gave way to a further discussion of how privacy and security can converge around common goals, as well. The overall message seemed to be that separate silos of privacy and security create unnecessary tension, and that more effective (over)communication can help bridge that gap towards convergence.”
Security Metrics: Can They Be Effectively Measured Across the Enterprise? (CISO-W01)
Session Abstract: Like every business function, security should be measured. The reality is that most have no idea how to measure it. What metrics matter to both security operations and the boardroom? Number of attacks detected and stopped before data was lost? Industry leaders from hospitality and financial services shared their experiences and pragmatic best practices that can be put to use immediately.
Moderator: Alan Shimel, Managing Partner, The CISO Group (@ashimmy)
- Andrew McCullough, ESS Expert Consultant, Hewlett-Packard Enterprise Security Services (@Rati0nal_0n3)
- Ivana Cojbasic, Vice President, FIS
- Jody Brazil, President and CTO, FireMon (@jodybrazil)
Kelly Hoeffner (attendee): “This bright and early session really attracted the crowds! The panel of security experts shared with us how to communicate effectively to the board in a way that is meaningful for them, as well as you. But that’s where it starts: you need to know what they want to know and understand or you’ll never be on the same page. The issue with reporting up to the C-level suite is that there is a ton of information that you can report up on, but choosing which information is relevant to them is the key to making you successful. There are a wide variety of groups that you have to share your information with, so knowing who owns who and what is important to them and their team is critical in your success. However, be careful and make sure you are truly reporting on what the company needs to know to improve, not just what looks good. Report on metrics, not on numbers. One main point that I thought was interesting is that they spoke about showing the metrics that may not look good; being in the security industry, it’s tough to show what you’re not doing well for fear you may be fired. But you should focus on trending these incidents and bad things—that’s the only way that they’re going to get better.”
Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy (KEY-W07)
Session Abstract: Organizations worldwide spent approximately $46B on cyber security in 2013, but successful breaches increased 20% and the cost of an individual breach increased 30%. While the security industry looks for silver bullets, criminals are investing more, sharing more and working harder. We can change the way we invest in and approach security—if we think like our adversaries.
Speaker: Art Gilliland, Senior Vice President, HP Software Enterprise Security Products, HP
Tim Erlin (attendee): “Gilliland created a presentation based on research that HP conducted with the Ponemon Institute since last year’s RSA conference. In essence, we are succeeding at information security, but we believe we’re failing because we’re chasing perfection as the measure of success. While I’m not sure that’s true, it also wasn’t particularly relevant to his conclusion. We spend too much money on technology that we believe will solve a problem, when the evidence points to a broader system of security intelligence as the most effective solution. We should do three things: invest in people and process, align security to the business, and build and share actionable intelligence. Those kinds of statements are hard to argue with.”
Operation Full Circle (KEY-W08)
Session Abstract: This session presented the findings of ongoing research into sophisticated never-before-seen Advanced Persistent Threat campaigns.
Speaker: Michael Fey, GM of Corporate Products and CTO, McAfee, an Intel Security company
Tim Erlin (attendee): “Michael Fey walked through what he called the ‘connected architecture,’ which can be summarized as a standards-based data exchange layer and central repository for querying real-time threat data. He then gave an example of a honeypot experiment (spoiler: the honeypot was compromised), followed by a walk-through of how the connected architecture would have prevented the successful compromise. This is, fundamentally, a threat-centric approach. That’s right at the top of the RSA Conference hype-cycle, but it ignores the security fundamentals evidenced by approaches like the Critical Security Controls. It’s hard to argue that an industry that does a relatively poor job of implementation with one set of technologies will somehow improve with more technology. It might have been far more interesting to see Fey argue with Gilliland instead of two separate keynotes.”
The Future of Security (KEY-W09)
Session Abstract: How do you stop a motivated attacker who has unlimited resources from compromising your enterprise’s most critical data and services? Not by deploying 50 stand-alone security products and hiring a stable of expensive experts to monitor each of them. That approach doesn’t scale, it has too many blind spots and it’s way too expensive. So what’s the solution? This session took a look into the future to see.
Speaker: Stephen Trilling, Senior Vice President of Security Intelligence and Technology, Symantec Corp.
Kelly Hoeffner (attendee): “This was a really cool session entertaining the idea of what security will look like 10 years from today. Trilling advocated that there would be no more managing of expensive security solutions, connecting the dots manually, or ‘being alone on an island of security.’ Security in the next 10 years has the potential to be so much more: a world where companies act as a community to share their potential attacks to help prevent them; dashboards that can show you how other companies like you have been attacked, so you don’t follow in their steps; shared integrated platforms that can manage the security solutions for you, so you don’t have to manually connect the dots; and complex attacks can be discovered within hours, instead of days or months. There are a multitude of ways the security industry can develop in the next 10 years, but it will take a new way of thinking between all of the security companies to get there. We have to think big.”