RSAC 2013 has finally come to an end. All in all, if you can look beyond the hype and rampant commercialism that is the trademark of this, the biggest security conference, there is still a lot of value in actually attending the show.
For some, it’s all about the chance to hear the best and brightest expound upon the latest and greatest in tracks that focus on their interests, and the chance to dialogue with peers in breakout sessions. For others, it’s an opportunity to catch up with colleagues, reestablish relationships, or discover new people of interest. And for some it’s just a chance to get away from the office and have a really good time with those who can best identify with the challenges they face during the other 51 weeks of the year.
For me, it’s all about the people – it’s about the chance to put faces to names, and transform those online friendships into flesh and blood relationships. It’s about getting to be in the presence of people who really matter to the industry – the folks who birthed infosec, built the tools, conceived the techniques, defined the concepts and terminology we use daily. It’s about the chance to potentially witness the unveiling of what may be the next ubiquitous archetype we will all later take for granted.
Sure, there are plenty of things to knock the RSA Conference for, but in the end they are not the things that really matter to our industry; they are just the things that are pretty much standard to any such event in any field. That’s just how big conferences and expos are. We should instead all try to focus on what makes RSA important to the field, whatever that may be as you see fit to define it. For me it’s all of you.
The following are a few brief session recaps from some of the Tripwire crew – we hope they provide a little insight and give you a good jumping off point to investigate the subject matter further.
Adam Montville (@adammontville)
The Secret to Effective Cyber Threat Intelligence and Information Sharing (DSP-R31)
This was a mildly attended session, but I was pleased to see about 80 people show up. STIX is the Structured Threat Information eXpression being developed by MITRE with funding from DHS. The presentation followed the STIX white paper posted on the project’s site, so reading that would be of benefit if you find this information interesting. Here are the highlights:
- Threats are diverse and evolving
- Holistic Threat Intelligence is not a single-player sport – information sharing is critical
- STIX is a language to specify, capture, characterize, and communicate threat information
STIX consists of a lot of different parts, but it’s separable – you don’t need to use every piece of the language. For example, if you’re not as interested in threat actors and attack campaigns, and would rather focus on indicators, incidents and actions, you can do that. In fact, smaller enterprises might only care about expressing that subset.
Criminal Education: Lessons from the Criminals and their Methods (KEY-R37)
This was an interesting presentation, but only because it gave some useful statistics, which, we must assume, are up-to-date (see below). The main perspective described the “attack chain” as: research, infiltration, discovery, capture, exfiltration. It might be academic, but I’d add one step where the attackers leverage whatever information has been exfiltrated. We were then told that more than 80% of our security spend goes to blocking at the infiltration stage. Well, given the following stats, that might not be the best place to spend:
- 94% of breaches informed by 3rd party
- 416 days average time to detect breach
- 71% – increase in breach remediation time since 2010
- 84% of breaches occur at the application layer
The Lifecycle of Cybercrime (KEY-R38)
This keynote didn’t sit well with me. It’s not that the content was wrong; it’s that the content was stale. You see, this content would have been great, say, five years ago, and it’s all still valid. But if people are going to RSA, they probably already know everything that was presented here: the top 9 countries that are attacked, the top 9 countries that do the attacking, methods of attack, the fact that criminal organizations are businesses, and so on. I hope that most people attending this conference would know this already. Give us more next time. The saving grace was the attack demonstration, which showed a Facebook phish used to drop an executable that stole files in less than a second, and then the same thing again using Java (no love for Java lately).
Mind Over Matter: Managing Risk with Psychology Instead of Brute Force (KEY-R39)
Andy Ellis (@csoandy) gave a very good presentation on managing risk with psychology. The premise is that organizations do not manage risk; people do. So we need to understand that people have goals, aspirations, and responsibilities. Consider the following about whether to build a widget: the CEO wants to know if it’s going to be profitable, sales wants to know if they’ll be able to make their quota, the CFO wants to know whether this investment is the best one to make, the business owner wants to know if the P/L will be good and market share will be gained. The security guy? …needs to know if the widget is “safe.” Addressing these questions is a psychological matter because risk is a perception that we (humans) have.
Managing Enterprise Risk: Y U NO HAZ METRICS? (GRC-W23)
By far the best session I’ve attended thus far. The panel was full of life and discourse, which I certainly appreciate. The room was so packed that they were turning people away in favor of holding an encore session later in the day. But, that’s not why you’re reading this, so let’s get down to business.
David Mortman (@mortman), Jack Jones (@JonesFAIRiq), @AlexHutton, and Caroline Wong (@CarolineWMWong) were the panelists and John Johnson (from John Deere) was the moderator. Some of the best things I heard:
- Our solution to Risk Management can’t be to build a $200 fence around every $5 asset
- Metrics are essential to ensure you’re practicing effective Risk Management – it’s a feedback loop where metrics are derived from your risk model, but your risk model is in turn informed by your metrics.
- You can’t simply “buy” Risk Management – it takes people using the right tools
- To get the most out of compliance, measure everything and you’ll keep your auditors happy (and be able to defend those “gray” areas in most control frameworks)
- Don’t present the details to executives – generalize. But, be able to back it up
Finally, the best advice I heard (probably because I’ve done this myself) is this: If you can’t hire a statistician, beg hours from someone who knows the field in the Finance Department!
Will They (EVER) Get Security (PROF-M02)
Jack Jones (of FAIR fame) gave an overview presentation titled “Will they ever get security?” The key things I took away from this presentation were as follows. Internalize information security’s value proposition, which is to contribute to the minimization of loss (i.e. be party to risk management). In recognizing this value proposition, we can speak in business terms to business people – don’t fear risk management, embrace it. If you feel that you can’t quantify, and therefore measure, “risk,” then pick up a copy of Douglas Hubbard’s book, “How to Measure Anything” (I’ve read this book – it’s worth the read). Remember that, as an information security professional communicating to the business, your job is to help the business make well-informed decisions, and that quantifying the “unquantifiable” need not be a huge undertaking – it may take just a couple of hours.
I was blind but now I see… (CISO-T17)
This panel was interesting. I thought it was going to be more about communicating up and out based on aggregate data from “big” sources. It wasn’t. It was far more technical than I expected, which is not to say that they were in the weeds. But, the panel (Carter Lee from Overstock.com, Alex Tosheff from X.commerce, Praveen Money from Data Shield, and Ramin Safai from Jeffries & Co, Inc.) all had excellent things to say about embracing big data as a source of correlation. The highlights:
- Big data doesn’t mean go higher and suck it all up, instead it means that you need to get closer to the right data (there’s simply too much of it out there to look at it all, and these guys were talking on the order of 5000-10000 events per second and anywhere from 25GB to nearly 1 PB of data captured – they didn’t give timeframes).
- Network segmentation is critical – don’t try to do big data analysis on a flat, unsegmented network, because you’re going to be conflating traffic types and mixing priorities, which will make your job more difficult.
- Threat Intelligence sources can be useful, but only when they’re provided in some actionable form.
- Use honeypots to learn how to tune what you’re looking for – two of the panelists, if I may, had a look on their face that conveyed: “well, duh…”
- Tool integration is critically important – your analytics engine needs to integrate with everything in your enterprise (at least everything from which you’re interested in gathering data).
The most interesting thing I heard, though, was something I did not expect: it takes two minutes to get data out of the enterprise, but 24 hours to respond to that incident on a SIEM-based architecture. There are assumptions being made on my part, but I’ve been thinking, based on Verizon data primarily, that the time period between hack and exfiltration was greater than two minutes.
Data Analysis and Visualization for Security Professionals (GRC-T18)
This was an outstanding session presented by two people I respect in the field of Security Metrics – Jay Jacobs (Verizon) and Bob Rudis (Liberty Mutual). I’ll steal the key learning points directly from them:
- Solutions come more from thinking than from buying – use the tools you already have at your disposal and think about solving your problem; the implication is that there’s no silver bullet in the security visualization space.
- Data helps us understand our environment – this is increasingly important when it comes to the increasing complexity of our infrastructure.
- Data visualization is not a natural skill, it must be learned – this is where it takes practice and, unfortunately, failure from time to time; don’t be afraid to try new methods to see what works in your organization.
- Be truthful – this one is near and dear to my heart and cannot be overstated. If you value your information security program in any way, then always tell the truth and match the message to your numbers.
- Simple tools can be, data scientist you need not be – this was (for me anyway) a rather confusing way to say: Tools can be simple enough for you to use and you don’t need to be a data scientist to get the job done.
In addition to the takeaways listed above, they provided a litany of excellent resources. They recommended reading Stephen Few’s book, Show Me The Numbers, and a boatload of tools: AfterGlow, MongoDB, crush-tools, ColorBrewer, and the programming language R. Great session, and I have more than enough to keep my wandering mind occupied!
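Both the big-data panel (get closer to the right data rather than sucking it all up) and the Jacobs/Rudis session (use the tools you already have; AfterGlow for link graphs) come down to the same preparatory step: reduce raw events to the handful of weighted relationships worth drawing. The script below is an added example, not code from the session or from the AfterGlow project. The log lines and their `ts action src=... dst=... dport=...` layout are constructed for illustration and are not any vendor’s format; the three-column `source,event,target` CSV it emits is, to my knowledge, AfterGlow’s default input layout, but treat that as an assumption and check the tool’s documentation before wiring it in.

```python
"""Reduce a firewall log to a weighted, top-N edge list for a link graph.

Added example. The log format below is constructed (assumption), and the
AfterGlow-style "source,event,target" CSV layout is assumed rather than
taken from the session.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample log: one malformed line is included on purpose so the
# parser's handling of junk is exercised.
SAMPLE_LOG = """\
2013-02-27T10:00:01 DENY src=203.0.113.5 dst=10.0.0.7 dport=22
2013-02-27T10:00:02 DENY src=203.0.113.5 dst=10.0.0.7 dport=22
2013-02-27T10:00:02 ALLOW src=10.0.0.12 dst=10.0.0.7 dport=443
2013-02-27T10:00:03 DENY src=203.0.113.5 dst=10.0.0.9 dport=22
2013-02-27T10:00:04 DENY src=198.51.100.8 dst=10.0.0.7 dport=3389
2013-02-27T10:00:05 ALLOW src=10.0.0.12 dst=10.0.0.7 dport=443
2013-02-27T10:00:06 DENY src=203.0.113.5 dst=10.0.0.7 dport=22
garbage line that should be skipped
"""

# Assumed field layout: timestamp, action, src=, dst=, dport=
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Parse log text into dicts; malformed lines are dropped, never guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def weighted_edges(events, action=None):
    """Collapse events into (src, dport, dst) edges with a hit count.

    Restricting to one action (e.g. DENY) is the "get closer to the right
    data" step: a graph of everything is a graph of nothing.
    """
    counts = Counter()
    for e in events:
        if action is None or e["action"] == action:
            counts[(e["src"], str(e["dport"]), e["dst"])] += 1
    return counts


def top_edges(counts, n):
    """Keep only the n busiest edges so the picture stays readable."""
    return counts.most_common(n)


def to_afterglow_csv(edges):
    """Emit three-column source,event,target rows (layout assumed)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    for (src, port, dst), _count in edges:
        writer.writerow([src, port, dst])
    return buf.getvalue()


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    denies = weighted_edges(evts, action="DENY")
    for edge, count in top_edges(denies, 3):
        print(count, edge)
    print(to_afterglow_csv(top_edges(denies, 3)), end="")
```

On a real feed you would stream lines instead of holding them all, and you would pick the action filter and `n` from the question you are trying to answer, not the other way round; that choice is what separates an honest chart from one that just looks busy.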
Getting to the Board Level: Evolving Security and RM in FSIs (CISO-T19)
This session was informative. On the panel were Oswin Deally (Liberty Mutual), John Schramm (Manulife), and Chauncy Holden (Fidelity), and they clearly represented a wide swath of CISO roles, from just reporting to the Board to answering to four Boards of Directors. Regardless of how long they had been communicating with the BOD, they all had similar advice:
- Be prepared with concise, meaningful, traceable information
- Understand your information and back it up with data when needed
- If your Board is “new” to information security, don’t talk down to them
- Hold pre-meetings with peers (i.e. the CFO, Legal Counsel, etc.) to socialize the material
The most interesting thing I found was that the panel indicated that the most common question they’re asked by the BOD is this: How do we compare? They want to know how they’re doing against others in their industry/vertical.
Dwayne Melancon (@ThatDwayne)
Managing Enterprise Risk: WHY U HAZ NO METRICS? (GRC-W23)
[Note: Updated 28-Feb to correct an error in attributing “calibrated experts.” This term was coined by Doug Hubbard, and the name and link below have been corrected.]
Moderator: John D. Johnson, John Deere
Alex Hutton, Zions Bank
David Mortman, enStratus
Jack Jones, CXOWare
Caroline Wong, Symantec
This was a panel discussion, and some good discussion ensued. Some key takeaways and quotes:
- Jack Jones: “You can’t manage what you can’t measure, but you can’t measure what you haven’t defined.”
- “The alternative to risk management is not ‘no risk management’ – it’s ‘bad risk management.’”
- “Governance without metrics is dogma. Governance with metrics is risk management.”
- When you present a metric, your audience will automatically apply a risk model, whether they recognize it or not. The moment you begin to envision bad outcomes, worst-case scenarios, etc., you are assessing risk.
- In small organizations, you can use a ‘calibrated expert’ (i.e. an experienced person) vs. a quantitative approach – this is something that Doug Hubbard has written extensively about.
- Gut feel is always a part of risk management, but that doesn’t mean you can’t enumerate the assumptions behind your gut feel.
- Find a way to express and test your “gut feel” with a model, and it can help you frame your assertions in a defensible way.
- “Risk is not about management – it is about making informed decisions.”
- Don’t seek a “mathematically correct” answer – it isn’t there. Numbers can help you evaluate the relative priority of different risks, but the numbers aren’t inherently precise.
- Alex Hutton advised us to “Find ways to represent the health of your risk management program – don’t focus only on its diseases.”
- Jack Jones said, “If I abdicate my decisions to a compliance framework, I lose my ability to protect my organization.”
- David Mortman countered, “I don’t mind compliance. It’s easy to measure against and provides a framework for discussion with the exec team.”
- Caroline Wong recommended we “Start with a conversation about goals, then build metrics that enable you to defend those goals.”
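Several of the notes above, and Adam’s notes on the same panel and on Jack Jones’s “Will they ever get security?” talk, make the same point: a calibrated expert’s range estimate can be turned into numbers that are useful for prioritizing even though they are not precise, and a couple of hours of quantification is enough to show whether a control is a $200 fence around a $5 asset. The script below is an added example of that kind of quick quantification; it is not from the panel, from FAIR, or from Hubbard’s book. It assumes each loss scenario is described by an annual probability of occurrence and a calibrated 90% confidence interval on the loss, maps that interval onto a lognormal distribution (the common choice for skewed, non-negative losses), and runs a simple Monte Carlo over simulated years. The scenario figures are constructed and the function names are mine.

```python
"""Quick risk quantification from calibrated 90% confidence intervals.

Added example. Scenario figures are constructed; the model (Bernoulli
occurrence per year, lognormal loss given occurrence) is an assumption
chosen for illustration, not the panel's or any framework's prescription.
"""
import math
import random

# Constructed scenarios: (name, annual probability, 90% CI on loss in dollars)
SCENARIOS = [
    ("Customer database breach", 0.10, (250_000, 5_000_000)),
    ("Ransomware on file servers", 0.25, (50_000, 800_000)),
    ("Lost or stolen laptop", 0.60, (2_000, 60_000)),
]

Z90 = 1.645  # z-score at the edge of a two-sided 90% interval


def lognormal_params(lo, hi):
    """Map a calibrated 90% CI [lo, hi] to (mu, sigma) of ln(loss).

    The interval's midpoint in log space is the median; its width spans
    2 * Z90 standard deviations.
    """
    if not 0 < lo < hi:
        raise ValueError("interval must satisfy 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


def analytic_expected_loss(scenarios):
    """Closed-form expected annual loss: sum of p * E[lognormal]."""
    total = 0.0
    for _name, p, (lo, hi) in scenarios:
        mu, sigma = lognormal_params(lo, hi)
        total += p * math.exp(mu + sigma ** 2 / 2)
    return total


def simulate_annual_losses(scenarios, years=20_000, seed=7):
    """Return a sorted list of simulated total loss per year."""
    rng = random.Random(seed)
    params = [(p, *lognormal_params(lo, hi)) for _n, p, (lo, hi) in scenarios]
    annual = []
    for _ in range(years):
        loss = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:          # did the scenario occur this year?
                loss += rng.lognormvariate(mu, sigma)
        annual.append(loss)
    annual.sort()
    return annual


def summarize(annual):
    """Mean, median and 90th percentile of simulated annual loss."""
    n = len(annual)
    return {
        "mean": sum(annual) / n,
        "median": annual[n // 2],
        "p90": annual[int(0.9 * n)],
    }


def loss_exceedance(annual, threshold):
    """Probability that a year's total loss exceeds the threshold."""
    return sum(1 for x in annual if x > threshold) / len(annual)


def net_benefit(expected_loss_before, expected_loss_after, annual_control_cost):
    """Expected loss avoided minus what the control costs; negative means
    you are building the $200 fence around the $5 asset."""
    return (expected_loss_before - expected_loss_after) - annual_control_cost


if __name__ == "__main__":
    years = simulate_annual_losses(SCENARIOS)
    print("analytic expected loss:", round(analytic_expected_loss(SCENARIOS)))
    print("simulated:", {k: round(v) for k, v in summarize(years).items()})
    print("P(loss > $1M):", loss_exceedance(years, 1_000_000))
```

The number that matters to an executive is usually the exceedance probability ("how likely is a year worse than X?") rather than the mean, and the comparison that matters for a budget request is `net_benefit` with the same model run before and after a proposed control. Neither output is precise, exactly as the panel said; what they give you is a defensible ordering and an explicit list of the assumptions behind your gut feel.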
Special Forum on Cybersecurity: New Directions from the White House (FRM-T16)
This was a good discussion of the expected impact of the Executive Order that Pres. Obama signed this month. The panel was moderated by Jim Lewis, the Program Director of CSIS; panelists (both wearing yellow ties) were former DHS Secretary Michael Chertoff, and Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator.
The key take-away was that this order is geared to facilitate / encourage information sharing (threats, etc.), and seeks to help us better prepare all to deal with attacks on critical infrastructure and sensitive elements of our economy. One of the challenges is that it makes it easier for the government to share information with private companies, but doesn’t add any significant new tools to help private companies share information in a streamlined fashion. There was also discussion about how it will be difficult to get everyone moving in the same direction without some specific guidelines and standards to focus the effort. One concerning notion was that we may end up with a kind of “TSA for the Internet,” which doesn’t sound too appealing.
There was some good discussion about problems with keeping the talent pool flowing when it comes to cyber security and related skills. For example, how can we leverage students, or people who don’t have the psychological profile to thrive in a conventional corporate setting? They often have skills that can help, but will not be successful if they are forced into a normal corporate mold.
Lindsey Smith (@turbodog)
Improving Your Chances in the Eternal Quest for Security Funding (P2P1-T17)
An engaged group of security leaders, CISOs and Security Architects discussed their experiences in obtaining and maintaining budgets for their teams. Key points from the discussion were:
- Buying products is easy, but finding qualified and skilled personnel is a challenge. Get creative in finding candidates: LinkedIn, social media, looking in other areas
- When discussing budget, explicitly state what the business WON’T get in addition to what the business will get
- Focusing on compliance is a budgetary dead end: with compliance you pass and then you’re done. Frame the conversation in terms of security and risk
- There’s always an investment pool, if you can find it. But expect to answer ROI questions to get it.
Lead with a long-term roadmap about the direction you want to take the business instead of focusing on specific projects or tools. Use the roadmap as an umbrella over individual initiatives.
Getting to the Board Level: Evolving Security and Risk Management in FSIs (CISO-T19)
A panel of three CISOs from large financial services firms discussed their challenges working with their boards of directors. All agreed that it is increasingly important to get in front of the board and that you should not wait to be summoned. They can tell attitudes toward security are changing from the increased number of emails coming directly from the CEO and from changes in reporting structure (from the CIO to the CFO or CRO). Key tips for working successfully with your board of directors included: know the composition of the board; stress security awareness at all levels, including theirs; educate them that closing audit findings isn’t the same as reducing real risk.
Cindy Valladares (@CindyV)
I was blind, but now I see: CISOs discuss visibility with big data security (CISO-T17)
- Carter Lee of Overstock.com
- Praveen Money of Data Shield
- Ramin Safai of Jeffries & Company
- Alex Tosheff of X.Commerce, an eBay company
- Richard Stiennon of IT Harvest (moderator)
Most of the CISOs are having problems with the complexity of their environments and with filtering out the most relevant information, especially when talking about big data. They see threat intelligence as a complement to their existing solutions, and see the need to apply more discipline in order to get more reliable sources of information. Carter Lee from Overstock.com mentioned that having threat intelligence you can’t act upon is useless. My take is that you need to add the necessary context to make it more actionable. Praveen Money made a good point, saying that collecting data is easy, since it can be solved with money, but the hard part is the analysis of the data. Alex Tosheff said that not responding to attacks is sometimes advantageous because we can see the attackers in action.
Data Analysis and Visualization for Security Professionals (GRC-T18)
- Jay Jacobs, Verizon Business
- Bob Rudis, Liberty Mutual Insurance
Excellent point that most solutions in data visualization and analysis come from thinking, NOT buying. Many people use data to make their point, but some abuse it and use the data to lie or misrepresent the truth. Really good examples were given to showcase bad uses of charts and graphs that misrepresent the data. Several good tools were mentioned to help with data visualization: ColorBrewer, JSON and MongoDB.
Making Rugged DevOps and Infosec Work (ASEC-T19)
- Josh Corman
- Nick Galbreath
- Gene Kim
- David Mortman
- Dwayne Melancon
I didn’t take many notes, but I have some notable quotes and links. Josh Corman: “Complexity is the enemy of stability.” They talked about the wicked Chaos Monkey project from Amazon/Netflix (ht.ly/1SQ9ka). Gene also mentioned a really good way to do secure DevOps processes and how Twitter is using it. The Twitter infosec talk is here: http://itrevolution.com/heres-how-the-amazing-twitter-infosec-team-helps-devops/