Welcome to the RSA Wrapup show. Except it’s not a wrapup where we talk about the things we saw and did so much as a discussion of our very different views of what the RSA experience was for us. This was Zach’s first RSA, Martin has been to half a dozen and Rich has been coming to the show since he was a young pup. And just as the three of us come at many news stories from different directions, we also view the RSA Convention very differently from one another.
As long-time veterans of the event, Martin and Rich see a lot of the behind-the-scenes action and spend a considerable amount of time in meetings with vendors and other security professionals, especially Rich, who spends almost every waking moment either in a meeting or running to the next meeting. For Martin, it was the first time he’s attended RSA as a vendor in addition to his blogging and podcasting duties. And Zach’s experience as a delegate is close to what the average RSA attendee is going to see. Which frustrated him greatly.
If you’re already tired of hearing about RSA and everything that goes on there, you may want to skip this podcast. But if you’re curious to hear a little bit about what it’s like to attend the single biggest convention in the security industry, you’ll want to listen. We actually believe this is one of the better podcasts we’ve done recently.
If you’ve been anywhere near security during the last 18 months, you probably have a nervous twitch every time you hear someone mention the term Advanced Persistent Threat. Much like Cloud is the big term of this year’s RSA Conference, APT was last year’s buzzword. But that doesn’t mean that APT isn’t still a real issue and isn’t important; it just means marketing teams burnt out the industry on an important issue. Dave Merkel from Mandiant took a few minutes to talk to me about the panel he was on yesterday, as well as the PCI Council’s new PCI Forensic Investigator program. And yes, the two are more closely connected than is immediately obvious.
NSP Microcast, RSA 2011: Dave Merkel, Mandiant
There’s almost no one here at RSA who’s going to argue against the idea that Cloud is overhyped this year. Every other talk seems to be about some aspect of the Cloud, even the talk I’m doing with Mike Dahn tomorrow. But I seem to be a bit of a contrarian: I think the hype is good, because it’s one of the few times that the security concerns around a technology are taking a bigger role than the push by the business to use the technology. In other words, I believe the fact that it’s being overhyped now may mean we actually have a more secure solution over the next couple of years. Or maybe I’m just naive.
David Spark caught up with me yesterday and asked about the hype behind the Cloud. David had been told by a lot of people about the overhype, but I seem to be one of the few who see it as good. Time will tell.
PCI compliance in the cloud is real, and Amazon is the first major cloud service provider to claim a PCI Compliant Cloud Solution. Robert Zigweid, the Principal Compliance Consultant at IOActive, was the QSA who performed the assessment on Amazon’s environment. We talk about what exactly Amazon is claiming is compliant in their PaaS solution, what this means for a merchant, and the difficulties of scoping and carving up such a complex environment so you can assess it.
Today’s interview turned out to be rather fortuitous: Dr. Mike Lloyd from RedSeal gave one of the opening talks at this year’s Security BSides San Francisco, and through a series of unfortunate events there was no stream of his talk, nor did it get recorded. But since I was scheduled to talk to him today anyway, here’s a small taste of what his talk was like. There’s a chance his talk may get re-recorded; we’ll let you know.
We all know that firewalls are very complex beasts when you have to start figuring out what the resultant rule set is across several layers of systems. Even dealing with one firewall can be hard when you realize the difference a zero in the wrong part of a subnet can cause. People aren’t good at dealing with this complex relationship between devices, while machines are. Machines can’t make the strategic decisions, though; they need the backing of human intelligence to decide which dataflows are appropriate. So why are both so important?
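To make the two points above concrete, here is a small added example (not code from the podcast or from RedSeal) that models layered first-match ACLs: a flow crossing several devices is only permitted if every device permits it, and a single misplaced zero in a destination prefix quietly widens a perimeter rule from one /24 to a whole /16. The addresses, rules and the mistyped prefix are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample ACLs (not from the podcast). Each rule is
# (action, src_net, dst_net, dst_port); dst_port None matches any port.
# Rules are evaluated first-match; no match means implicit deny.
OUTER = [  # perimeter firewall: only the web tier is reachable from outside
    ("allow", "0.0.0.0/0", "10.1.10.0/24", 443),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
INNER = [  # internal firewall: only the web tier may reach the database
    ("allow", "10.1.10.0/24", "10.1.20.0/24", 5432),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
# Same perimeter policy with a mistyped destination: 10.1.0.0/16 instead of
# 10.1.10.0/24 (constructed to show how a stray zero widens the rule's scope).
OUTER_TYPO = [
    ("allow", "0.0.0.0/0", "10.1.0.0/16", 443),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def layer_decision(rules, src, dst, port):
    """Decision of one device: first matching rule wins, else implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ip_network(src_net) and d in ip_network(dst_net)
                and (rule_port is None or rule_port == port)):
            return action
    return "deny"


def resultant(path, src, dst, port):
    """Resultant decision for a flow that crosses every device in `path`:
    allowed only if each layer allows it, so any single deny wins."""
    decisions = [layer_decision(rules, src, dst, port) for rules in path]
    return "allow" if all(x == "allow" for x in decisions) else "deny"


def scope_change(intended, actual):
    """How many more destination addresses the mistyped prefix matches."""
    return ip_network(actual).num_addresses - ip_network(intended).num_addresses


if __name__ == "__main__":
    print(resultant([OUTER], "203.0.113.7", "10.1.10.5", 443))          # allow
    print(resultant([INNER], "10.1.10.5", "10.1.20.8", 5432))          # allow
    print(resultant([OUTER, INNER], "203.0.113.7", "10.1.20.8", 5432))  # deny
    print(layer_decision(OUTER, "203.0.113.7", "10.1.20.8", 443))       # deny
    print(layer_decision(OUTER_TYPO, "203.0.113.7", "10.1.20.8", 443))  # allow
    print(scope_change("10.1.10.0/24", "10.1.0.0/16"))                  # 65280
```

The last two lines are the "zero in the wrong part of the subnet" case: the database host is suddenly matched by the perimeter allow rule, and the rule covers 65,280 more addresses than intended, which is exactly the kind of difference a tool can compute and a human then has to judge.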
Day one of RSA and BSides SF is over, more microcasts to come soon.
Where in the world is Rich Mogull? Our secret network of spy satellites (are they really that secret?) suggests that he’s somewhere in Ukraine, though he may have hacked them to throw us off. So, while Rich is continuing his duties as NSP’s resident International Man of Mystery, Zach “I’m Still Sick” Lanier and Martin “Captain Acronym” McKeay run the show (it’s probably safer that way… fewer disgruntled ex-KGB agents coming after us).