The SOURCE Conference held in Boston last week was a terrific opportunity to meet a lot of fascinating industry folks while sharing great ideas about the intersection of business, technology, and security. I attended some outstanding presentations, which I’ve highlighted below, and also gave my own talk, “How Security Changes In the Cloud and Why You Care,” which I’ll summarize in a later post.
Richard Thieme opened the conference by delivering “Play Through the Pain? The Impact of Forbidden Knowledge on Security and Intelligence Professionals.” Using his unique background as a former priest as well as his diverse experience in the technology world, he discussed a variety of ethical dilemmas, focusing on the human element of keeping secrets, and the secondary trauma that occurs when dealing with secrets. While this keynote mostly targeted intelligence professionals, I found it more applicable to the extra-curricular parts of my life. But it definitely made me think!
Information Security industry veteran Chris Nickerson gave my favorite presentation: “Nightmares of a Pentester.” This hilarious talk was full of great information, but I’ll condense it to a few thought-provoking quotes along with his Seven Rules:
“Talks are like blog posts: they may or may not be true; it’s up to you and how you consume them.”
“Security is quite literally the worst investment in the history of humanity.”
“Good security programs are built in and not bolt on.”
Seven Rules for Defending your Network
- Don’t talk to strangers.
- If you are going to talk, be sure you know who it is.
- Your internal network is a HOSTILE environment. Treat it as such.
- Users have the ability to use the company’s resources.
- Servers have a specific purpose.
- Awareness > Knowledge.
- In order to say you have an information security program, you need to have an Incident Response Plan.
In “Defending the Cloud from the Full Stack Hack,” Erik Peterson painted a very scary picture of how API access in the cloud is roughly equivalent to physical access on premises, which means we must absolutely protect our API keys. In light of this, Erik emphasized two takeaways: First, we need to turn on CloudTrail in order to track all API activity, and second, we need to think of the cloud — not as a series of discrete entities — but as an integrated operating system. He ended his presentation with a luck dragon, and it’s always a good thing when one of those shows up.
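To make Erik's two takeaways concrete, here is a small added example (my own illustration, not code from his talk) that reads CloudTrail-style records and flags long-term IAM user keys that make sensitive control-plane calls or show up from more than one source address. It assumes CloudTrail's JSON record layout (eventName, sourceIPAddress, userIdentity.accessKeyId) and the AWS convention that long-term access keys start with AKIA and temporary credentials with ASIA; the records and key ids themselves are constructed.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (not real logs); only the fields the
# check below needs are included.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2015-06-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2015-06-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole",
                      "accessKeyId": "ASIAEXAMPLETEMP00001"}},
]})

# IAM and logging changes that a long-lived key should rarely need to make;
# the list is an assumption for this example, tune it to your environment.
SENSITIVE_CALLS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
                   "PutUserPolicy", "StopLogging", "DeleteTrail"}


def is_long_term_key(identity):
    """True for an IAM user's permanent access key (AKIA prefix)."""
    return (identity.get("type") == "IAMUser"
            and identity.get("accessKeyId", "").startswith("AKIA"))


def audit_trail(raw_json):
    """Return (finding, accessKeyId, detail) tuples for suspicious key use."""
    records = json.loads(raw_json)["Records"]
    findings = []
    ips_by_key = defaultdict(set)
    for rec in records:
        ident = rec["userIdentity"]
        key = ident.get("accessKeyId", "")
        ips_by_key[key].add(rec["sourceIPAddress"])
        if is_long_term_key(ident) and rec["eventName"] in SENSITIVE_CALLS:
            findings.append(("sensitive-call-with-long-term-key", key,
                             rec["eventName"]))
    # A permanent key seen from several addresses in one window is worth a look
    for key, ips in ips_by_key.items():
        if key.startswith("AKIA") and len(ips) > 1:
            findings.append(("long-term-key-used-from-multiple-ips", key,
                             ",".join(sorted(ips))))
    return findings
```

Against the constructed trail, the deploy user's permanent key is flagged twice (an IAM CreateAccessKey call, and use from two addresses) while the temporary ASIA credential is not.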
In his talk, “DGA Antivenom: Stopping New Configuration Before Analysis,” security researcher Chip McSweeny described how he can automatically block domains generated from a DGA (domain generation algorithm) without needing the seed. The numbers he touted when dealing with TINBA and BANJORI variants simply blew my mind: 51,000 unique edges and 35,000 blocked domains.
Having done some limited threat modeling before, I looked forward to “Developing a Threat Modeling Mindset” by security consultant Robert Hurlbut. I enjoy any situation that can legitimately use the Kobayashi Maru scenario, and that’s how this session started. He reminded us that, as with most issues in security, there’s no silver bullet. However, he did suggest Cornucopia and EoP as a couple of games that might facilitate adoption of a security risk management program. He also recommended Evan Wheeler’s book Security Risk Management as an excellent place to start learning about this subject.
In “Upstream Without A Paddle: Lessons Learnt,” Matt Coles and Tania Ward asserted that introducing improved security is similar to trying to go upstream without a paddle. The trick is to find joy in the journey, your own paddle, and good navigational techniques.
In “Emerald City of Cyber Security,” Ben Herzberg used the metaphor of the Emerald City from The Wonderful Wizard of Oz to illustrate the pitfalls of walking around with tinted glasses. (For at least part of his talk the attendees actually wore red-filtering glasses.) For lessons on how to escape the Emerald City, Ben visited each member of Dorothy’s group, advising the following:
- Embedding security is better than added security.
- Don’t filter criticism; embrace it.
- Balance your defenses.
- Don’t be afraid to fail. Fail forward.
I got fairly worked up (for me) by the discussion that surrounded “The CyberSecurity Education Gap – What We Do Now?” Roy Wattanasin and Ming Chow led the room in an interesting discussion about what needs to be done to improve the teaching of security in computer science education. I found myself both frustrated and sympathetic. Too often, this conversation ends up as a collision between two groups with strongly opposing views: those who have an idealistic and wishful point of view divorced from business imperatives, and those who see a need to address the problem with a practical, real-world solution. The passion generated during the talk kept the discussion going after the formal session ended and spilled over into lunch.
I only caught the tail end of “Talk Security to Me: Case Studies for Communicating Security Issues” where Sandra Carielli and Rick Cleary explained how presenting at the board level is really a social engineering challenge whose end goal is speaking each other’s language. The key points were basic but valuable: Don’t be adversarial and do assume competence.
Matthew Morency presented “Delivering Effective Business Impact Through Comprehensive Security Assessments.” He pointed out that we often see a huge gap between where our organization is and where we want to go, but cautioned that we must resist the urge for revolution and instead opt for evolution. He also emphasized that security is always competing with other revenue-generating features, and a good strategy is to find and develop champions who can further our cause.
The SOURCE Conference in Boston was exceptionally well-planned, with great speakers and a multi-faceted program that touched on a broad spectrum of topics that ranged from complex technical issues, to human factors, to ethics, education, and more. I’m definitely looking forward to my next SOURCE event.