It’s odd, given the large number of security conferences I attend, how few sessions I get to see. I am always meeting with clients around events, but I rarely get to see the sessions. Secure360 is an exception, and that’s one of the reasons I like to go. I figured I’d share some of better ones – at least sessions where I not only learned something but got to laugh along the way:
Marcus Ranum had an excellent presentation on “Directions in system log analysis”, effectively offering a superior architecture and design for log parsing – encouraging the audience anyone to build their own log analysis engines. What he sketched out will perform and scale as well as any existing commercial product. The analysis tree approach to making quick evaluations of log entries – which is successfully used in SQL statement analysis – can quickly isolate bad statements from good and spotlight previously unseen entries. I have a small quibble with Marcus’s assertion that you don’t need “big data” – especially given that he recommended Splunk several times, because Splunk is a flavor of NoSQL, and also because many NoSQL platforms are open source (meaning inexpensive), can store logs longer, and provide infrastructure for forensic analysis. Parsing at the edge may work great for alerting, but once you have detected something you are likely to need the raw logs for forensic analysis – at which point you can be looking for stuff that you threw away. Regardless, a great preso, and I encourage you to get the slides if you can.
One of my favorite presentations the second day was Terenece Spies’ talk on “Defending the future” of payment security, talking about things like PoS security, P2P encryption, tokenization – all interwoven in a brief crypto history – and ending up with Bitcoin technology. The perspective he offered on how we got where we are today with payment security was excellent – you can see the natural progression of both payment and security technologies, and the points at which they intersect. This highlights how business and technology each occasionally overrun their dance partner to make the other look silly. Sure, I disagree with his assertion that tokenization means encryption – it doesn’t – but it was a very educational presentation on why specific security approaches are used in payment security.
David Mortman did “Oh, the PaaS-abilities: Is PaaS Securable?”, offering a realistic assessment of where you can implement security controls and – just as importantly – where you can’t. David worked his way through each layer of the PaaS stack, contrasting what people normally handle with traditional IT against what they should do in the cloud, and what needs to be done vs. what can be performed. The audience was small but they stayed throughout, despite the advanced subject matter. Well, advanced in the sense that not many people are using PaaS yet, but many of us here at Securosis expect the cloud to end up there in the long run. With PaaS security thus, David’s security concepts are right at the cutting edge. David could probably keep doing this presentation for the next couple years – it’s right on the mark. If you are looking at PaaS find a copy of his presentation.
Finally I had to choose between Rothman’s NGFUFW talk and Gunnar’s Mobile AppSec talk. Even though I work with Mike every day, I don’t get to see him present very often, so I watched Mike. You can read all his blogs and download his papers but it’s just not the same as seeing him present the material live – replete with stories decidedly unsuitable for print about some colorful pros. Good stuff!
We are all traveling again this week, so we are light on links and news, and had no comment of the week. On to the Summary!
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Adrian Lane: Firestarter: 3 for 5 – McAfee, XP, and CEOs. The well groomed edition.
Other Securosis Posts
Favorite Outside Posts
- Mike Rothman: Undocumented Vulnerability In Enterprise Security. Look who’s now a Forbes contributor… Our own Dave Lewis. Nice post on the importance of documentation.
- Adrian Lane: The Mad, Mad Dash to Update Flash. The adoption charts are worth the read.
Research Reports and Presentations
- Defending Against Network-based Distributed Denial of Service Attacks.
- Reducing Attack Surface with Application Control.
- Leveraging Threat Intelligence in Security Monitoring.
- The Future of Security: The Trends and Technologies Transforming Security.
- Security Analytics with Big Data.
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7.
- Eliminate Surprises with Security Assurance and Testing.
- What CISOs Need to Know about Cloud Computing.
- Defending Against Application Denial of Service Attacks.
Reader interactions
2 Replies to “Friday Summary: May 16, 2014”
Thanks for the thoughtful words about my talk at 360 — it’s encouraging to see how many people are interested in the technology fundamentals at play here.
(And on the tokenization thing, it may be time to start using a different word given how the EMVCo and TCH efforts have started taking over the mental real estate here. I’ve tried to use the term “de-identification” to refer to the generic process of building a valueless replacement for data, as opposed to the limited PANs that will soon be the default meaning of “token”.)
I attended Sec360 and found both Marcus and Mike entertaining and informative. Maybe it’s the webcams, but Mike looks thinner in person 😉
Marcus’s advice was awesome, but I had to wonder why he doesn’t have Tenable just BUILD the tools he’s talking about and sell them. Devise an architecture, pre-load the LEX library with common stuff, generate some (prettier) charts — seems like they could make some real money.
ESPECIALLY if they include the “Big Red Line o’ WTF” detector — my favorite quote of the show.