RSA Day 5 – That’s a Wrap

Alec Baldwin at a Security Conference

Most conferences I go to tend to just fade away at the end; RSA ended with a bit of a bang. The theme for the show was “Change” and the last keynote was all about the impact of security. It began with a video interview of LulzSec founder and FBI informant Hector Monsegur talking about the mind of a hacker. We then heard from a professor on how the hacked person feels, and how you can prepare yourself not to become paralyzed with fear. And finally we heard from Alec Baldwin on how a public person feels when their private emails are made public, i.e. the Sony hack. It was a nice high note to end on… understand the impact of security – a nice touch.
In the morning I went to four breakout sessions:
The first one I walked out of and switched over to a different one. The initial one sounded like it was going to cover how to go from the hunted to the hunter in security. It ended up being a discussion on process… not what I wanted to hear on the final day, so instead I went to a detailed technical discussion on how the accelerometer can be used to identify a phone and generate your own unique identifier. The researchers also discussed how the accelerometer can be used to identify someone by their voice and potentially what they were saying. Cool science!
The second session was about building a CSOC for critical infrastructure. While the topic again sounded like it would be very interesting, it turned into how to build your business case. It wasn’t what I wanted to hear, but it was detailed.
The final session was on how the techniques used for building game consoles and mobile applications should be applied to the security issues in the development of Internet of Things devices. A very good presentation, and I hope to talk to the speaker, Matthew Clapham, again – go follow him on Twitter at @prodsec.

RSA Day 4 – Keynotes and Sessions

I had a great plan today to make my way through the south hall for chats with tons of companies. I also had a few interesting sessions I wanted to be at first thing in the morning. I had scheduled a quick customer meeting and a quick touch base with a team member I had not met yet. And then keynotes. Well, the plan went well, except the customer meeting was really good, so it went long, very long. A very good thing. The team member meeting was late, and by the time we were finished the show floor was closed. So I made it to the keynotes.

The sessions I went to were as follows:
1) The twenty books on security you should have read by now. The speaker – Rick Howard, Chief Security Officer for Palo Alto Networks – was a very engaging speaker. He’s been trying to build the canon of security books. This is not just technical books, but fiction books that get the tech right, and those non-fiction books about security events. By the time he was done talking I had bought three new books for my Kindle. I recommend that you check out his blog – Terebrate. Each year he is getting a panel together to vote on the books that deserve to be in the canon. I am looking forward to this project.

2) Security Data Science from Theory to Reality – was another great session on how to re-look at security data science. The two speakers from Verizon – Jay Jacobs and Bob Rudis – explained a few techniques that they use to analyze data. Their view of the IPv4 space: by visualizing it along a Hilbert curve you can lay out the IPv4 space according to the numerical relationships between IP addresses and see interesting patterns that you would not see if you plotted IPs on a world map. You can do your own visualization by looking at the ipv4 heatmap project on GitHub. Also, go check out the IPv4 Heatmaps project.
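The Hilbert-curve layout the speakers described is simple to reproduce. The block below is an added example, not the speakers’ code and not the ipv4-heatmap project’s code: it maps each IPv4 prefix to a grid cell along a Hilbert curve, verifies the locality property that makes such a map readable (numerically consecutive prefixes always land in neighbouring cells, and every cell is used exactly once), and renders a small ASCII map from a constructed address list. The grid order, the `ip_to_cell` helper and the sample addresses are my own assumptions.

```python
"""Place IPv4 prefixes on a Hilbert curve, the layout used by heatmap-style
views of the address space.

Assumptions (added example, not the speakers' or the ipv4-heatmap code):
the grid has side 2**order cells, each cell is one prefix of length
2*order bits, and cells are numbered along the curve by the leading
2*order bits of the address (order 8 gives a 256x256 grid of /16s)."""

import ipaddress
from typing import List, Tuple


def _rot(n: int, x: int, y: int, rx: int, ry: int) -> Tuple[int, int]:
    """Rotate/flip a quadrant so the sub-curve inside it is oriented correctly."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n: int, d: int) -> Tuple[int, int]:
    """Convert distance d along a Hilbert curve that fills an n x n grid
    (n a power of two) into (x, y) cell coordinates."""
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def ip_to_cell(ip: str, order: int = 8) -> Tuple[int, int]:
    """Place an IPv4 address on a 2**order square grid; the curve index is
    the top 2*order bits of the address, so with order=8 each cell is a /16."""
    n = 1 << order
    addr = int(ipaddress.IPv4Address(ip))
    d = addr >> (32 - 2 * order)
    return d2xy(n, d)


def consecutive_prefixes_adjacent(order: int = 8) -> bool:
    """The property that makes the map useful: prefixes that are numerically
    adjacent are grid neighbours (Manhattan distance 1), so a contiguous
    allocation shows up as a blob rather than a scatter of pixels.  Also
    confirms the mapping is a bijection: every cell is used exactly once."""
    n = 1 << order
    prev = d2xy(n, 0)
    seen = {prev}
    for d in range(1, n * n):
        cur = d2xy(n, d)
        if abs(cur[0] - prev[0]) + abs(cur[1] - prev[1]) != 1:
            return False
        seen.add(cur)
        prev = cur
    return len(seen) == n * n


def render(ips: List[str], order: int) -> List[str]:
    """ASCII heatmap: one character per cell, '#' where at least one address
    landed, '.' otherwise.  Row 0 (y == 0) is returned first."""
    n = 1 << order
    grid = [["." for _ in range(n)] for _ in range(n)]
    for ip in ips:
        x, y = ip_to_cell(ip, order)
        grid[y][x] = "#"
    return ["".join(row) for row in grid]


if __name__ == "__main__":
    # Constructed sample: eight consecutive /8s (10.0.0.0 .. 17.0.0.0) plus one
    # outlier.  With order 4 (16x16 grid, one cell per /8) the eight /8s form
    # one connected run of cells and the outlier sits on its own.
    sample = [f"{a}.0.0.1" for a in range(10, 18)] + ["192.168.1.1"]
    for line in render(sample, 4):
        print(line)
    print("locality holds for /16 grid:", consecutive_prefixes_adjacent(8))
```

Running the block prints the 16x16 map; the eight consecutive /8s appear as a connected path of `#` cells, which is exactly why address ranges owned by one organisation show up as blocks in the real visualization.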

The afternoon keynotes were a mix of interesting content and ads. I came in and heard a panel on Cyber Safety; the panel was a powerful reminder of how kids are targeted and exploited on the internet. The one problem I had was that the FBI panelist discussed how they leveraged the Patriot Act to cut the red tape and save one of the other panelists, who had been kidnapped and sexually tortured as a child. They did this within a month of passing the Patriot Act. To me, this act was done by a depraved individual, not a terrorist, and as such it shows how the Act was being used beyond its remit.

Both Cisco and CA did presentations; unfortunately I missed most of the Cisco presentation, but what I did see of it seemed appropriate to the conference. The CA presentation, unfortunately, seemed a bit too much like a marketing presentation. The final speaker was Doris Kearns Goodwin. She talked about Lincoln, Teddy Roosevelt, and Franklin D. Roosevelt. I’ve seen her on both the Daily Show and the Colbert Report, and have always enjoyed hearing her. It was a great presentation on the leadership styles of these three presidents. She then signed copies of her book. I was glad to pick one up for my wife.

RSA Day 3 – Time on the Floor

Today I sat through multiple interesting sessions, and one really bad one. Okay, that wasn’t fair, it wasn’t bad, it was just badly presented and managed. And one of the sessions I sat in was boring, until the Q&A period, at which point a full press attack occurred. I then spent the afternoon walking the show floor and talking to interesting security vendors. So let’s talk about the breakout sessions first.

1) Managing supply chain security, as presented by the CSO of Huawei US, was a very dry but informative presentation of how they manage the full supply chain from a security perspective: the processes they were implementing in order to improve security from their suppliers, and how they were responding to security audits, etc. from their customers. Overall the session was informative, but not very exciting – until the Q&A. At this point two different people questioned the speaker on the Chinese government’s policy related to geographic and localization security concerns. Net-net was a position of state security over corporate security. While I think this is an important discussion that needs to be had in a public forum, the CSO of Huawei US could only respond by pointing to a comment of the CSO of Huawei global (based in China). This confrontational discussion by the questioner could not be resolved in this session, and I felt the speaker did a good job of keeping his cool.

2) Insurance and assurance, as it relates to security, was the second session I sat in. The presentation was led by a professor and an industry person. They did a good job of describing how the insurance industry, corporations, and government need to work together to address this. I was a bit dismayed by the obvious political bent of the one industry speaker, but felt the content was very helpful.

3) The final presentation was with a speaker from HP – discussing their POC efforts in helping a hunt team to address cyber vulnerabilities in HP. At first I was very excited for this talk. The charts looked great, and the visualization aspect for advanced threat analysis was promising. However, the speaker began with a disclaimer that the 18 billion records (roughly 1 week of data) that they ran against their production environment had been replaced for this talk with synthetic data. At this point 10% of the room left. Next, his dry talking to the chart caused another 10–20% of the people to leave before he got to the questions slide. He did a wrap-up that implied he was not going to take questions. A mad exodus occurred before he finally got the room under control and indicated he would open the floor for questions. With less than 10% of the room left, we finally got to metrics on how the data was captured and processed. While much of this was a commercial for an HP product, we learned that they forked the data in production and were able to start doing detailed threat analysis within hours of data capture. Changing from weeks to hours would have a very positive impact on reducing the problems of cyber attacks.

The afternoon I spent talking with the IBM, HP, Microsoft, Infineon, Intel, Akamai, FireEye, and RSA booths. I was particularly amazed by the way FireEye processes information. By decompiling unknown executables and basically dynamically testing them in VMs they are able to identify malicious code in an environment. Really cool.

RSA Day 2 – Hacking the sessions

As day two of RSA started I was in customer meetings until after lunchtime, and then a long (LONG) drive back to the conference. The cool thing about RSA is that the content is seriously overwhelming. I missed a few items in Monday’s post, so I want to start by talking about a few startups that were in the Sandbox. The Sandbox is a mini-show area where 10 companies show their new innovations and you can vote on the best of show via text messaging. At the end of the day on Monday an award was given… I’ve not seen the outcome, but I did get a chance to briefly listen to each of the 10 startups talk about their innovation.

Innovation Sandbox Agenda
BugCrowd – A crowdsourcing platform for pen testing. They provide both private (small group of select security analysts) and public security testing of your applications. These can be your actual website, or other code provided in VM images. A former TopCoder guy was there asking a ton of good questions on vetting the crowd, and any liability that may be implied by this approach. The speaker did not fully understand the questions; however, I do agree that the public crowd approach is no different from people just trying to hack your site today.

Cybereason – A machine learning and algorithms platform to prioritize and identify incidents in real time. It helps your analysts to not only understand that an attack is happening, but what is being impacted, etc.

Fortscale – A cyber incident analytics system. Their tools help identify those events in your SOC that analysts should focus on. They indicated that you don’t need “predefined” rules, as their algorithms will help you focus on those events that are critical.

NexDefense – Security for ICS (Industrial Control Systems); their Sophia system provides a (patent pending) set of anomaly detection algorithms for SCADA and other ICS.

SecurityDo – They are using a term I’ve not heard before (maybe it’s just marketing) – BIEM (Breach Information Event Management) system. An oversimplification is that they provide a dashboard, search, and reports on breach events, identifying where you need to focus due to an event getting past your defenses.

SentinelOne – Endpoint protection with algorithms for threat identification, prediction (what will it do), and prevention (stop that predicted activity).

TicTo – An interesting way of addressing physical access with additional audit and controls. The company provides a security badge with an e-ink display to show the level of authority an individual has based on geolocation information. There’s also a red, yellow, green light on the badge to provide a second way of identifying that you are allowed to be where you are.

TrustInSoft – Source code analysis to identify potential security problems. This space is interesting to me; I was a long-time user of PC-Lint back in the day.

Vectra – An APT analytics platform which uses machine learning and correlation to identify, prioritize and provide attack information in context.  They claim multiple patents (pending) in this space.

WaraTek – Developing and maintaining security for Java apps. This company not only provides CloudVMs for Java apps, they provide a JVM that addresses the security aspects necessary for Java apps. WaraTek puts the security in the JVM itself, so you can protect legacy Java applications without rewriting, etc.

I spent the afternoon on Tuesday in a few sessions… The two most interesting were a session on mobile security and one on IoT attack vectors. The first was done by a company out of Israel (Skycure) which went through how a security bug in iOS could create an iOS-free zone by causing a constant reboot of your iOS device. Cool discussion, and as responsible researchers they have already provided information to Apple on this flaw. The second session was a principal at HP talking about their OWASP project on IoT security vulnerabilities. Go check it out at the OWASP site.

RSA Day 1 – The Mini-IoT Conference sessions

So I am at the RSA Conference this week, and it is huge! I had been warned that this is one of the biggest conferences that hits San Francisco each year, but I didn’t believe it. Having said that, I am amazed at how small the mini-conference is. It is being run by the Trusted Computing Group and is showcasing about 20 vendors. The primary message is that the TPM can be used by IoT devices. Intel was showing off a set of geofenced capabilities for both VM images and data images on OpenStack. The image capabilities are already in the OpenStack standard you can get today, but the data services are still in early development.

  • Microsoft and Fraunhofer and many others showed off how they can inline the TPM to allow for more “correct” security in IoT devices. Each was showing their own full-stack solution, which to me is still the biggest problem for mainstream IoT adoption. Enterprises and consumers do not have full-stack lives. We live in an ecosystem of devices, platforms, operating systems, and things. Until we get that working across our development stacks too, we will have a hodgepodge of IoT solutions that don’t play well together.
  • Green Hills Software showed their development lifecycle of trust for embedded systems. Their approach is to enable libraries for various embedded device platforms and languages, so that you have a way of managing updates and certificates. They have various footprints so that you can deploy to smaller sensors and edge devices.
  • Fujitsu showed their work with Toyota on enabling over-the-air and remote updates for connected vehicles. By leveraging a TPM in the vehicle they were able to provide secure updates. This will be enabled in vehicles soon.

I then spent some quality time at displays for security programs for kids. This was cool, and I’m hoping to get a few speakers for my podcast over at Games At Work. A key function of this area was to showcase various programs to help kids understand security and privacy on the internet. HacKid was there promoting their conference on STE(A)M – Science, Technology, Engineering, (Arts), and Mathematics. One volunteer from Hacker High School was showing off very inexpensive devices for getting kids into programming and security with cool hardware. The Tech – Museum of Innovation – was showing off a game, coming up in their San Jose museum, to teach kids about cyber forensics. I got a chance to talk to their developer, and this simple game mechanic is awesome in explaining how to do packet inspection etc. in order to improve your network health. They are hoping to make this available online. They also showed off their Spam and Scam training. I know a ton of people who could use this one :). And finally, the CyberPatriot program talked about how their competition works. They had 2200 teams last year and the final 20 or so get an all-expenses-paid trip to the finals. They are about to launch an elementary school program that I hope to have on my podcast soon.

This afternoon I am in a detailed session that I will not blog about… What do you think it is about??