Archive for February, 2012

Feb 26 2012

My todo list for RSAC

Published by under Blogging,Podcast

The RSA Conference is one of the most stressful times of year for me, as well as for thousands of other security professionals who descend on the Moscone Center every year.  It’s great to see all the friends that you may only see at RSAC because your paths don’t cross otherwise, as well as the friends you haven’t seen since some other event.  But to make that possible, there are thousands of moving parts that have to all align properly or chaos ensues.  In my own case, I’m wearing three hats this year (press, speaker and vendor) and making them all work together has been difficult.  I think I’ve spent more time in the last month preparing for RSAC than I’ll actually spend at RSAC.

I’m glad to say that my employer, Akamai, agrees that the work I do podcasting is important enough that it takes first priority on my time at the convention, followed closely by my speaking engagements.  I still have work responsibilities and it’s possible you’ll find me in booth #851 from time to time, but mostly my co-workers will be taking care of booth duty for me.  Thursday morning I’ll be doing an Akamai webinar with Andy Ellis (@csoandy) live from RSAC, where we’ll, among other things, rate some of the tchotchkes we find at the show.  If you see some really interesting giveaways, stop by the booth.  I think we’ll be giving away coffee.

I’m speaking 3 times this week, twice on panels, once by myself at BSidesSF.  We’ve got a lot of new data for the stress panel, which I’m sure preparations for RSAC will leave people empathizing with.  The Data Mining panel should be interesting, because I fully admit I’m the new kid on the block, with the least experience with data mining of anyone on the panel; I’m there primarily to learn.  And my Fundamental Flaws talk seems to be resonating with a lot of people, so I’ll be giving that at BSides on Tuesday.

RSAC 2012: Stress and Burnout in the Information Security Community

Data Mining Methods for Enterprise Level Security

Fundamental Flaws in Security Thinking

Then there are the interviews I have scheduled.  This is not an exhaustive list, but I think it’ll cover most of my interviews:  Good Harbor, Abaca, Dell Secureworks, Sophos, Adam Shostack from New School of Security, VSS, Checkpoint, and a few others.  In fact, I should probably add double-checking my calendar to the to-do list for today.  I’ll be getting a couple of these out Monday-Thursday, with any stragglers coming the week after RSAC.  The microcasts I do at RSAC are a lot of fun and introduce me to some interesting people and companies.

Finally, there are the parties.  I’m helping put on the Security Bloggers Meetup again this year, though Jennifer Leggio does most of the real work.  I’ve been nominated for a couple of Social Security Awards as well, for Best Podcast and Best Blog Post, so wish me luck on those.  Akamai has a small party, then there are the dozens of other parties that are going on, primarily on Tuesday and Wednesday nights.  And we can’t forget the Securosis Recovery Breakfast on Thursday morning.  I will be attempting to drink lightly this week, since I’m going as a company representative for once, rather than having to take time off to attend.

So it’ll be a busy week.  Somewhere amongst the chaos, I need to find a little time to walk the showroom floor as well as socialize.  Looking at the slim gaps in my calendar, that’s going to be catch as catch can.  By Friday, you’ll see thousands of very tired security professionals streaming out of San Francisco and SFO.  I’m lucky, I get to drive home Friday night, though I’m hopping on a plane again the Monday after.


Feb 21 2012

Network Security Podcast, Episode 268

Published by under Podcast

With the 2012 RSA Conference less than a week away, we decided to try to record a short podcast focused on the event this week.  Of course, since Rich and Martin are involved, things ran away and the show ended up being the same length it normally is.  Zach won’t be at the RSA Conference this year and offers a counterbalance to Martin and Rich’s opinions.

Network Security Podcast, Episode 268, February 21, 2012

Time:  28:51

Show Notes:


Feb 15 2012

Why are we talking philosophy instead of technology?

Published by under General,Risk,Simple Security

A friend of mine recently complained on Twitter that, according to his count, nearly 80% of all talks given at the security conferences he’d looked at recently were now non-technical.  It might be in part because he’s @ramblinpeck on Twitter, aka Daniel Peck, Research Scientist or something like that at Barracuda Networks.  Which is my way of saying his idea of a technical talk might be a little more technical than many people’s.  But whether you’re at his level of technical expertise or mine, I think he’s got a valid point in saying that at most security conferences, the majority of the talks are less about the technical aspects of security and more about the philosophy or generalities of security.  And that’s probably the way it should be.

Why should most talks be more about principles of security and less about the technical aspects of security?  The first reason is that, with a few exceptions, the whole reason that conferences exist is to get butts in seats and to a place where vendors can get at them.  Even community-led events like the BSides movement are about getting people to attend and mingle; the goal is still to create an atmosphere that draws people into the event and around other like-minded individuals.  And many technical talks are counter to that goal, not in their content, but in who they pull in.  For example, a talk about a bug in a compiler on an OS X box is great for the few individuals in the crowd of attendees who a) work on Apple, b) are worried about bugs in compilers and c) have enough technical knowledge and interest to travel the distance to attend an event.  But the other 98% of the people interested in security who might be willing to travel to an event will take a look at the subject matter and decide it’s not for them.  Finding the right audience for any deeply technical talk is an art form at best and in most cases is more closely akin to guesswork than anything resembling a science.

A second reason it’s hard to have technical talks at security conferences is the wide variety in skill levels attained by security professionals.  I’m fairly smart, I’ve been in security for a long time and I understand at least the basics behind most of the technologies that make the Internet tick.  There are even one or two aspects of security where I can do the deep geek dive with almost anyone.  But when a talk is given that assumes a level of expertise that may not exist in more than a dozen people worldwide, I’m going to be left out and leave the talk annoyed and confused.  Or worse, if a talk was advertised as being technical but I find out when I attend that it’s a primer level of technical and I already know most of what’s being presented, I’m going to be annoyed, probably vocally so, and tell people that the talk was mislabeled.  It’s very hard, if not impossible, to create a presentation that captures multiple levels of technical background, and it’s even harder to look at an abstract for a talk and decide what level of technical expertise it’s appropriate for.  Which, again, makes it less likely that the talk will be selected for a conference.

The third, and possibly most important, reason we’re talking about the philosophy behind security more than the technology is that so many of the assumptions that have gone into building the technology are wrong!  Security isn’t something that was designed into the Internet and corporate networks from the start; it was bolted on after, the cracks were spackled over, huge loads of duct tape were wrapped around the whole thing and it was called ‘secure’.  Or, more often, security has simply been ignored as a cost center until a compromise happens and data is lost.  Instead of building a cohesive, multilayered approach, we’ve built a collection of point solutions, few of which actually deliver on their promises and even fewer of which are properly configured to fully deliver what they’re capable of.  Given some of the compromises we’ve seen over the last year, we have every reason to believe what we’re doing isn’t working.

We’re at a point where we need to re-examine the fundamental thinking that underlies how security works.  It’s not an issue of flipping the evil bit off in a packet; it’s an issue of engineering a new set of solutions from the ground up.  The technical aspects of these solutions will be vitally important, but unless we can understand the underlying assumptions we’ve made, we’re going to make the same mistakes again on an even larger scale.

Security professionals come in all levels of technical expertise, but all of us benefit from a better understanding of the philosophy that underlies our decision-making processes.  I think that understanding where your decisions are coming from is even more important than the technical details of how those decisions are implemented.  I’ve seen many technical decisions made that looked good in the short term, but led to dead ends both in terms of the technology and in terms of the opportunities that the decisions limited.

This is all my way of saying that I believe an 80/20 split of non-technical to technical talks is probably appropriate for most security conferences.  The majority of people aren’t going to care about a specific technology because it simply doesn’t affect them directly.  But so many of us want to understand the underlying foundations of our chosen field.  It’s great to dig into the deeply geeky details of a protocol, but the vast majority of professionals will never need to do that for fun or for profit.  But every person who works in the security field needs to understand the philosophy that goes into making security decisions at all levels.

PS.  I’ll be giving a related talk, ‘Fundamental Flaws in Security Thinking’ at BSidesSF on Tuesday, February 28th at 1pm.  Come tell me how I’m wrong.


Feb 14 2012

Network Security Podcast, Episode 267

Published by under Podcast

On this wonderful (?) Valentine’s Day, we are joined by guest-host and friend-to-the-show Michelle Klinger, while Rich is overcoming some throat-in-tube type illness (feel better, Rich!).

Network Security Podcast, Episode 267, February 14, 2012

Time:  34:41

Show Notes:


Feb 01 2012

Network Security Podcast, Episode 266

Published by under Podcast,Privacy,Risk

We’re a day late, but we still managed to get this week’s show recorded! Rich is soaking up sun (or “teaching”, as he claims) in Cancún, Mexico, so we decided to rope in the illustrious Mike “Rybolov” Smith to discuss, surprise-surprise, privacy and monitoring.

Network Security Podcast, Episode 266, February 1, 2012

Time:  42:36

Show Notes:
