Incite 3/9/2010 - Ten Reasons I Love the RSAC
By Mike Rothman
To stir the pot a bit before the RSA Conference, I did a FireStarter wondering out loud if social media would ever replace big industry conferences. Between the comments and my experiences last week, I’d say no. Though I can say social media provides the opportunity to make business acquaintances into friends and let loudmouths like Rich, Adrian and myself make a living having an opinion (often 3 or 4 between us).
So I figured this week, I’d do a Top 10 list of things I can’t do on Twitter, which will keep me going to the RSA Conference as long as they keep letting me in.
- This is your life – Where else can I see 3 CEOs who fired me in one room (the AGC conference)? Thankfully I left my ice pick in the hotel room that morning.
- Everybody knows your name – Walk into the W Hotel after 9pm, and if you’ve been in the business more than a week, odds are you’ll see plenty of people you know.
- Trend spotting – As we expected, there was lots of APT puffery at the show, but I also saw lots of activity on wireless security – that was mildly surprising. And group conversations provided additional unexpected perspectives. Can’t do that on Twitter.
- Evasive maneuvers – To save some coin, I don’t stay in the fancy hotels. But that means you have to run the panhandler gauntlet between the parties and the hotel. I was a bit out of practice, but escaped largely unscathed.
- Renaissance security folks – It seems lots of security folks are pretty adept at some useful skills. Like procuring entire bottles of top shelf liquor at parties. Yes, very useful indeed.
- Seeing the sights – I know Shimmy doesn’t like booth babes, but that’s his problem. I thought I took a wrong turn when I got to the Barracuda party and ended up at the Gold Club, though I was happy I had a stack of $1s in my pocket.
- Making new friends – The fine folks at SafeNet held a book signing for The Pragmatic CSO at the show. I got to meet lots of folks and they even got to take home copies. Can’t do that on Twitter either.
- Splinter conferences – Given the centralization of people that go to RSA, a lot of alternative gatherings happen during RSA week. Whether it’s BSides, Cloud Security Alliance, Metricon, AGC, or others, most folks have alternatives to RSA Conference panel staples.
- Recovery Breakfast – Once again, we held our Disaster Recovery Breakfast and it was the place to be on Thursday morning. A who’s who of security royalty passed through to enjoy the coffee, bloody marys, and hot tasty breakfast. Thanks to Threatpost for co-sponsoring with us.
- Elfin underwear – Where else can your business partner pull down his pants in front of 500 people and not get put in the slammer? That’s right, RSA. Check it out – it was really funny.
So in a nutshell, from an educational standpoint I’m not sure spending a week at the RSA Conference makes sense for most practitioners. But from a networking and fun perspective, it remains the best week of the year. And thankfully I have 12 months to dry out and rest my liver for next year’s show.
Photo credit: “Frank Chu Bsides SF” originally uploaded by my pal St0rmz
Incite 4 U
Ah, digging out from under the RSA mayhem is always fun. There was lots to see, many meaningless announcements, and plenty of shiny objects. Here is a little smattering of stuff that happened at the show, as well as a few goodies not there.
AP(ressure)T Explained – As Rich pointed out, APT was in full swing last week at RSA and Richard Bejtlich has been calling out folks with extreme malice for this kind of behavior – which we all think is awesome. But to really understand the idiocy, you need to relate it to something you can understand. Which is why I absolutely loved Richard’s analogy of how martial arts folks dealt with a new technique based on pressure points. Read this post a few times and it will click. Folks either jump on the bandwagon or say the bandwagon is stupid. Not many realize something new and novel is happening and act accordingly. – MR
Patch Tuesday, Exploit Monday – You have to feel for the guys in the Microsoft security center. They line up their latest patch set, and some bad guys blow it by attacking unpatched vulnerabilities before Microsoft can include them in the latest release. I’m a big fan of the Patch Tuesday cycle, but that means anything released on “Exploit Wednesday” or even close to Patch Tuesday potentially has a month to run before Microsoft can fix it. MS is pretty good at releasing out of band patches if something is being widely exploited, and they’re the ones providing the warning, but it makes me long for the days when an 0day was so rare as to be nearly mythical. This latest attack hits IE 6 and 7 on various platforms, and you can mitigate with a content filtering gateway or an alternative browser, or by following some suggestions in the linked article (setting IE security zone settings to High). – RM
Creating the Insecurity Index – If we know that your A/V and anti-malware only catch 20% of malicious code, or your firewall only blocks 20%, and your WAF only blocks 60% of application flaws, and so on, can we create some meaningful metrics on application security FAIL? Kind of a Mean Time Between Failure analysis for IT? I got to thinking about this when talking to Kelly Jackson Higgins at RSA about her post on Dark Reading regarding application testing, which found that 60% of applications they tested remained vulnerable. To me this is not a surprise at all, given that most adopt a security model to surround applications with add-on services and appliances to protect the application from the nasty attackers and viruses rather than fix the code itself. For most large organizations the amount of work necessary to fix their crappy code would be monumental, and a rewrite would mean years of development time. I have never fully bought into that idea, and given that most open source projects are very large and still manage to fix flaws within the code, Veracode’s report does support the idea that we should dedicate more resources to development. Survey results do expose how much organizations rely upon internally developed web-based applications and, quite frankly, how bad most of them are in terms of security. Still, I wonder how people will react to this data, and whether it will change the amount of in-house development, or how they develop. – AL
Finding Value in Site Certifications – We’ve all made fun of these $99 web site certifications that ‘prove’ security. Most aren’t any better than ScanlessPCI. But that isn’t stopping all sorts of folks from trying to get at the market that ScanAlert, now McAfee (through its HackerSafe offering), pioneered. You had Qualys, Dasient, and VeriSign talking about their new programs. But a word to the wise: make sure your lawyers are all over whatever claims of security go along with the marketing puffery of these services. ControlScan found this out the hard way. Good job by Raf digging into the settlement and what it means. – MR
Selling the Conference – One of the under-appreciated aspects of professional conferences is employee retention and motivation. We talk about the need for education, which can certainly be a benefit, but it’s secondary IMHO. As a VP of Engineering, getting budget to send employees to conferences, or finding local conferences that were free, was a priority. As opposed to this poor sap mentioned on the InfoSec Leaders blog, my folks never really had to make the case to go to a conference, since I’d make it for them. Whatever productivity was lost during the sessions was more than made up for in the subsequent days (yes, days) after the conference. My team members usually learned something – perhaps a new technology, or in some cases what not to do – from the lectures. And usually they learned about new technologies in the sessions, and met new peers outside. In all cases I saw enthusiasm and renewed interest in their careers. Maybe it is the change of scenery, maybe it is thinking about new things related to work but outside the office, that stirs creativity and interest. I am not sure exactly how it works, but productivity and retention were motivators enough to send people. I know times are tough, and we all know that some conferences are very expensive, but I have seen the benefits conferences provide above and beyond those ‘team building’ miniature golf events and the like that HR is so fond of organizing. Give it a try and see for yourself! – AL
Pr0n Stick Is on the Way – I realize that 90% of the time my mind is in the gutter. I’m not sure which gutter at any given time, but, well, you know… So when I see IronKey and TrueCrypt partnering up for a trusted OS on a stick, and then Check Point announcing something similar (with more enterprise control), my first thought is how this is a boon to all those folks trying to peruse sites they shouldn’t be from machines they don’t own. But that’s just me. The use case for this is pretty compelling, especially for folks who embrace desktop virtualization and have folks accessing sensitive data in sleazy places. Which kind of proves a hypothesis I’ve been playing with: security innovation will be driven by things that can be sold to the DoD or makes pr0n more accessible. That’s a lot different than the last 10 years. – MR
Numbers Good. Nom Nom Nom – I like numbers. I mean I really like good information security numbers, and they are few and far between. I’m not talking the risk/threat garbage that’s mostly imaginary, but hard data to help support our security decisions. That’s why I think it’s so great that Verizon is releasing their Incident Sharing Framework that I even joined their advisory board (a non-compensated, no-conflicts outside position). I’ve written and spoken about the Data Breach Investigations Report before, as well as Trustwave’s similar report and the Dataloss Database. We do a terrible job in security of sharing information, because we’re worried about the consequences of breaches becoming public. But without that sharing, we don’t have a chance of properly orienting our security controls. Tools like these reports and the Incident Sharing Framework help us gather real-world information without exposing individual organizations to the consequences of going public. – RM
The First SIEM Domino Falls – Finally it seems the long awaited consolidation in the SIEM and Log Management business is starting. Many of us have been calling for this for a while, but the only deals to date were a couple years ago (Cisco/Protego, RSA/Network Intelligence) or strictly technology deals (TripWire/ActiveWorx). But now TrustWave continues its bargain basement shopping spree by acquiring Intellitactics. At first glance you say, “Intellitactics? Really?” but then after looking at it, you realize TrustWave just needs “something” in the space. They do a lot of PCI work, so having Requirement 10 in a box (or packaged as a service) isn’t a bad thing. Truth be told, most companies aren’t pushing on these solutions more than gathering some logs and pumping out a report for the auditor. Good enough probably is. Also factor in the price tag (a reported $20 million in stock), and you don’t have to sell too much to make the deal pay. But let’s be clear: there will be a number of transactions in the space this year, at least if the conversations I had at RSA about potential targets were any indication. – MR
You Want Fries with That? – I am not quite clear on Anton’s motivation for “An Analyst in the box, Part II”. And it’s not clear who this rant is aimed at. Yeah, it’s tongue in cheek, but who in the vendor community has not gone through this before? I have seen customers ask for technologies that they knew we could not provide. Sometimes it was to see if we were really reading the RFP. Sometimes it was to see if we would lie to them. Sometimes it was to see if we would push back and tell them it was not important. Sometimes they would ask about technology purely because they had experience with it or were interested in it, yet it was completely unrelated to the project that motivated their research. Sometimes customers ask because they are whiny and want someone to commiserate with them on how hard their job is, and think every vendor is obliged to be a good listener in order to earn the business. I know when I evaluated products, for the prices some vendors charged I expected their appliances to keep me secure – but also to wash, fold, and iron my laundry as well. Whatever the reason may be, “Analyst in the box” is just part of the game. Suck it up and cash the check. – AL