Sunday, February 12, 2012

Read this…

You know those posts where I just phone it in and suggest you go read something?  This is one of those.  Take a few minutes and head over to the Idoneous Security Blog and read Insecure at any speed, it is a great post from someone who knows what she’s talking about.  You’ll probably want to read the rest of what you find over there, too.

Now, back to digesting the Trustwave report.  Where’s my coffee?



Tuesday, February 7, 2012

Speaking at RSA

I’ll be moderating a panel at RSA on Monday, Feb 27 between 12:30 and 1:40, session PROF-001.  The topic is a continuation of the work we have done in the past year on Stress and Burnout in the Information Security Community.  Although the ongoing “attitudes in infosec careers” survey covers a much broader range of topics than stress and burnout, some of the relevant data collected from that survey will be discussed in the panel.  A reminder: the Career Attitudes in InfoSec survey is open for another week, please see this blog post for details and I would appreciate it if you consider taking the survey.  And thanks to everyone who took the survey and helped to spread the word about it.


I’ll also be leading a peer-to-peer session on “What works in log analysis”.  The session is P2P-205C on Wednesday Feb. 29, from 2:10 to 3:00.  I really want this to be a peer-to-peer discussion and exchange of ideas, so if you are interested please come ready to share your thoughts and experiences.  We gather a lot of information in logs, but we don’t always gather the right information, or use it wisely.  The Verizon DBIRs show that log analysis hasn’t led to incident detection in the cases they have worked, but that over 60% of the time there was relevant information in the logs.  Does that mean we aren’t using the data properly (or at all)?  Or does that mean that the folks who do log management and analysis properly don’t end up having to call Verizon for incident response services?  Hmm.

The rest of the week you can find me at BSides San Francisco, wandering the floor and talks at RSA, at the Tenable booth at RSA, and of course, at the Tonga Room (and probably Jack’s Cannery Bar).



Friday, February 3, 2012

How much sharing is too much?

We always hear calls for more information sharing in InfoSec, but is it really needed or helpful?  What is the point of me telling you I was compromised by spear phishing, SQL injection, cross site scripting, cross site request forgery, default credentials, or anything else we’ve known about for years?  If you are ignoring all of the well-known risks, it is a waste of my time preparing the data and sharing it, and it is a waste of your time reading it.  This isn’t as disturbing as some of the oversharing we see on the internet, but it may be more distracting.


Maybe you should just do what you already know needs to be done.  Don’t give me that look, you know exactly what I mean.  We need to talk about security sometimes, but more often we need to shut up and DO security.

On the other hand, if you are taking things seriously and are at least making a good faith effort- then knowing the specifics of what attacks are in the wild, who they are targeting, and details of the compromise timeline could be very valuable in prioritizing your defenses and focusing your monitoring.  The New School folks are much more eloquent in explaining the value of information sharing done properly, so I’ll refer you to them for more on that.

Oh, and if you do choose to share information, the more RAW DATA you share, the better.  Add context and color, share observations, theories, and maybe even a conclusion or two- but give us the data whenever possible.  And go easy on the images, a good infographic is a thing of beauty (probably because of their scarcity), but overthought and underdelivered graphics seem to be the norm. Don’t do that.



Wednesday, February 1, 2012

Put away the pitchforks…

It looks like all is well, or at least functional.  The folks at the RSA Conference are issuing waivers for RSA sponsors and exhibitors to participate in BSides San Francisco.  I’ve swapped messages with one of our friends at RSA- I do not know how things got as tense as they did as quickly as they did, but it seems that it has been resolved almost as quickly.


Let’s be honest, there will be tension in situations like this- the events are adjacent, occur on overlapping days, and people cannot be two places at once.  The RSA Conference is an enormous undertaking and the people who put it on are protective of their enterprise- and those of us in the BSides community are even more protective of our community.  BSiders are all volunteers, busy with jobs, modern life, and the challenges of running events on tight budgets- the folks at RSA are in their crunch time: thousands of attendees, hundreds of exhibitor companies, hundreds of speakers, and many others are bearing down on them, the pressures must be significant.  In light of that, it is easy to see how what should be a constructive conversation could end up being, well, not constructive.  But that is behind us.  (If you are reading this, you’ve seen the BSides perspective, here is RSA’s post on this)

There will be frustrations with each other again, but hopefully we can minimize those- I still see more mutual benefits than challenges, but the critical thing for now is that BSidesSF will happen as planned, and the sponsors of that event will not be placed in an uncomfortable position.  BSides organizers have worked, or at least communicated, with almost every “A-Side” event in recent times.  The relationships generally range from outstanding to at least understanding, and that is our goal.  (Note: There is one parallel event where things really are competitive… but I can’t even think about it now.  Some day I will have to send a peace dove over to them and see if they return it, or cook and eat it; that day is not today).

I’ve learned a little more about event management and conflict resolution this week.  In retrospect I should have picked up the phone and made a call or two to try to sort things out directly.

I do want to thank all of the sponsors of BSides San Francisco for working through this, and thank those who stepped in with sponsorship when things looked questionable.  Among those, Lee Kushner of InfoSec Leaders deserves special thanks for his significant moral and financial support of Security BSides San Francisco.

I am looking forward to both RSA and BSides later this month.  I’ll be speaking at RSA for the first time this year, and I am also leading a peer to peer session for the first time (more on that in another post).

For those who are surprised at my conciliatory tone, and disappointed by my lack of vitriol, I apologize- I just don’t see any value in dwelling on past frustrations in this case.

Thank you to everyone who showed their support for BSides, the event and the community.