
I’ve just completed one of the most difficult pre-RSA tasks… narrowing down the list of talks to attend at RSA SF 2015. I was able to nail mine down to the 10 that I found not only most beneficial, but also most engaging.

I tried spreading them over the week as much as possible, to also fit in meetings and walking the expo floor. Hopefully this list helps you too if you’re deliberating between the nearly 300(!) talks.

I’m also really looking forward to catching up with old colleagues and new acquaintances. If you’d like to catch up at any time during this week, shoot me out a note at “roy at ensilo.com”.

#1: The Long and Winding Road: Building an InfoSec Career from Techie to CISO

Date & Time: Monday, April 20, 3:30-4:20pm
Location: Moscone West, Room 3022
Abstract: Almost 20 years ago, they began their careers as part of one of the forerunners in security consulting services. From the world of war dialing and early attack-and-pen engagements, they emerged as security leaders in their organizations. Using real-world war stories as foundations, the panel will discuss the different and divergent paths to understanding security and building CISO skills.
Who:

  • Steve Schlarman, GRC Strategist, RSA (Moderator)
  • Justin Somaini, Chief Trust Officer, Box (Panelist)
  • Les Stoltenberg, Executive Director and Chief Information Security Officer, MD Anderson Cancer Center (Panelist)
  • Robert Buchheit, Global Head of IT Governance, Risk & Compliance – Group Information Security, Zurich Insurance Group (Panelist)

Why:

  • As one CISO once told me: “My passion? Bits&Bytes. My day job? CISO”. With most CISOs coming from a hands-on technical background, you’ll likely identify with much of what the panel has to say.

What I’d like to see:

  • How do you continuously keep updated when the threat landscape, practices and technologies change at lightspeed?
  • Once communication skills shift towards management and outbound, does the CISO even need to continue honing their technical skills? If so, how does the CISO avoid losing their technical edge while shifting towards business speech?

Get the slidedeck:

https://www.rsaconference.com/writable/presentations/file_upload/prof-m06_the-long-and-winding-road-building-an-infosec-career-from-techie-to-ciso.pdf

#2: What Does Responsible Vulnerability Disclosure Look Like?

Date & Time: Tuesday, April 21, 1:10-2:00pm
Location: Moscone West, Room 3002
Abstract: What do we expect from researchers who find security vulnerabilities? How should software firms respond to vulnerability disclosures? What do users want? Be part of the conversation, as we wrestle with the ethical, moral, technical, and practical issues from the perspectives of these three constituencies: researchers, vendors, and users. Bring your questions, concerns, and experiences to share.
Who:

  • Paco Hope, Principal Consultant, Facilitator

Why:

  • The Google vs. Microsoft vulnerability disclosure wars from a few months ago are still fresh in everyone’s mind.
  • I’m taking this talk a bit personally, as at enSilo we’ve worked with vendors on vulnerability disclosures, from a 0-day affecting all Windows OS versions to a critical AVG vulnerability. I have to admit that we have only had positive experiences on this front, which, based on earlier experiences, signifies a change in the air.

What I’d like to see:

  • End-users that chime in and share their experiences on this topic – from the day they learn about a vulnerability to the day they actually deploy a fix across the organization. That is the greatest feedback the industry can receive in order to improve technologies and processes.

#3: Android Security: Data from the Front Lines

Date & Time:

  • Tuesday, April 21, 1:10-2:00pm
  • Friday, April 24, 10:10-11:00am

Location:

  • Tuesday: Moscone West, Room 2001
  • Friday: Moscone West, Room 2020

Abstract: The world of security is riddled with myths, assumptions, and FUD. Most of this is well-intentioned, but it can create a constant sense that you can never do enough. In some instances, it can lead to behavior that makes you even less secure. Using data collected from hundreds of millions of Android devices, we’ll explore myths and assumptions and the state of security in the mobile ecosystem.
Who:

  • Adrian Ludwig, Android Security – Lead Engineer, Google

Why:

  • Gartner calls mobile one of the Nexus of Forces, and security must take this into account. However, mobile security solutions and their adoption are still in their budding stages. It’s an interesting arena to tap into and to watch mature.
  • Google’s Android security lead engineer is giving the talk. Hats off to Google for putting their security team in the forefront to demonstrate their security commitment.

What I’d like to see:

  • Research built on data collected from devices makes this talk all the more relevant amid elevated privacy concerns and regulations; I hope that discussion gets raised.
  • A talk by Google demystifying Android threats is bound to carry some self-promotion, which in turn invites hecklers. I’d love to see how Adrian wards them off.

#4: Network Security and Operations When the Network Is Already Compromised

Date & Time:

  • Tuesday, April 21, 1:10-2:00pm
  • Friday, April 24, 9:00-9:50am

Location:

  • Tuesday: Moscone West, Room 2018
  • Friday: Moscone West, Room 2020

Abstract: This talk focuses on how an organization should think about managing a network with the fundamental assumption that Internet-facing networks (business networks) are already compromised. This is a talk about how to drive that assumption into decision making. For example, how to best architect access, credential management, rule libraries, and access control.
Who:

  • Eric Cole, Cyber Defense Curriculum Lead/ Fellow Instructor, SANS

Why:

  • Call it being practical. Companies have started to register that being compromised is not an if. It’s a when.
  • The talk discusses both prevention and detection, and the strict correlation between the two.

What I’d like to see:

  • How can we effectively leverage multiple proposed solutions so that each compensates for the shortcomings of the others, without doubling the maintenance and incident-handling effort?

Get the slidedeck:

https://www.rsaconference.com/writable/presentations/file_upload/tech-t07r_network-security-and-operations..._rnd2b.pdf

#5: Detecting Unknown Malware: Security Analytics & Memory Forensics

Date & Time: Tuesday, April 21, 3:30-4:20pm
Location: Moscone West, Room 2009
Abstract: This presentation will show how open source tools can be used to detect "unknown" malware using Memory Forensics and Security Analytics. It will showcase how to build a security analytics engine that can be automated to perform memory forensics on thousands of on-hosts in near real time and to identify malware that is not detected by today's security tools like sandboxing tools, IDS, AV, HIPS etc.
Who:

  • Fahad Ehsan, Security Research and Analytics, UBS AG

Why:

  • Tackles head-on the problem of “unknown malware”, i.e. malware that bypasses signature- and rule-based solutions (AV, sandboxing, Indicators of Compromise, etc.).
  • This one is for the technical folks. Expect mentions of memory dumps, code injections and process layouts.

What I’d like to see:

  • Heuristics for setting a better baseline, in order to reduce false positives.
  • Success stories: real-life numbers and stats on detection improvement rates and detection timeframes.

Get the slidedeck:

https://www.rsaconference.com/writable/presentations/file_upload/anf-t09_detecting-unknown-malware-security-analytics-_-memory-forensics.pdf
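One analytics technique that fits the abstract’s “thousands of hosts” framing is frequency-of-occurrence stacking: index what each host’s memory image shows and flag whatever only a handful of hosts exhibit. The script below is an added example, not code from the talk or from UBS. It assumes a collector has already reduced each host’s memory image to (process name, image path, loaded module names) records, for instance from a Volatility pslist/dlllist pass; the fleet records it runs on are constructed.

```python
"""Frequency-of-occurrence ("stacking") over per-host memory-forensics output.

Added example; not code from the talk or from UBS. It assumes a collector has
already reduced each host's memory image to (process name, image path, loaded
module names) records, e.g. from a Volatility pslist/dlllist pass. The
records below are constructed for illustration.
"""
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"


def _clean_host():
    # What a healthy workstation looks like in this toy fleet.
    return [
        ("svchost.exe", SYSTEM32 + r"\svchost.exe", ["ntdll.dll", "rpcrt4.dll"]),
        ("explorer.exe", r"c:\windows\explorer.exe", ["ntdll.dll", "shell32.dll"]),
    ]


# Constructed fleet: five clean hosts, two of which also load a legitimate but
# less common module, and one host (ws06) where svchost.exe runs from a user
# profile and has loaded a DLL no other host has ever seen.
HOST_REPORTS = {f"ws0{i}": _clean_host() for i in range(1, 6)}
HOST_REPORTS["ws02"][1][2].append("wininet.dll")
HOST_REPORTS["ws04"][1][2].append("wininet.dll")
HOST_REPORTS["ws06"] = [
    ("svchost.exe", r"c:\users\bob\appdata\roaming\svchost.exe",
     ["ntdll.dll", "rpcrt4.dll", "upd8r.dll"]),
    ("explorer.exe", r"c:\windows\explorer.exe", ["ntdll.dll", "shell32.dll"]),
]


def _norm(path):
    return path.lower().replace("/", "\\")


def stack(host_reports):
    """Index each (process, image path) pair and each module name by the hosts it was seen on."""
    proc_hosts = defaultdict(set)
    mod_hosts = defaultdict(set)
    for host, records in host_reports.items():
        for name, path, modules in records:
            proc_hosts[(name.lower(), _norm(path))].add(host)
            for mod in modules:
                mod_hosts[mod.lower()].add(host)
    return proc_hosts, mod_hosts


def rare_items(index, fleet_size, max_fraction=0.05):
    """Items seen on at most max_fraction of the fleet (never fewer than one host).

    The fraction is the baseline knob: raise it on a heterogeneous fleet to cut
    false positives, lower it on a tightly imaged one.
    """
    threshold = max(1, int(fleet_size * max_fraction))
    return sorted((key, sorted(hosts)) for key, hosts in index.items()
                  if len(hosts) <= threshold)


def masquerading(proc_hosts):
    """Same process name under different image paths: the minority path is the suspect."""
    by_name = defaultdict(dict)
    for (name, path), hosts in proc_hosts.items():
        by_name[name][path] = hosts
    findings = []
    for name, paths in by_name.items():
        if len(paths) < 2:
            continue
        common = max(paths, key=lambda p: len(paths[p]))
        findings.extend((name, path, sorted(hosts))
                        for path, hosts in paths.items() if path != common)
    return sorted(findings)


def analyse(host_reports, max_fraction=0.05):
    proc_hosts, mod_hosts = stack(host_reports)
    fleet = len(host_reports)
    return {
        "rare_processes": rare_items(proc_hosts, fleet, max_fraction),
        "rare_modules": rare_items(mod_hosts, fleet, max_fraction),
        "masquerading": masquerading(proc_hosts),
    }


if __name__ == "__main__":
    for kind, items in analyse(HOST_REPORTS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed fleet the only hits are the user-profile svchost.exe, its never-before-seen upd8r.dll, and the path masquerade; wininet.dll on two hosts stays below the default threshold but surfaces if the fraction is raised, which is exactly the baseline trade-off the talk’s false-positive question is about. None of this needs a signature, which is the point against “unknown” malware, but it also assumes the fleet is not already uniformly infected.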

#6: Dissecting Office Malware for Fun and Espionage

Date & Time: Wednesday, April 22, 8:00-8:50am
Location: Moscone West, Room 3018
Abstract: Microsoft Office documents are becoming the attack vector of choice for nation-state cyber espionage, like Stuxnet and Duqu. It’s no wonder, given that they have a 6546 page spec so complicated that Google estimated it would take 18 years to study it properly. Learn Office’s internals and how attackers use it to deliver malware, steal IP, and perform long distance espionage.

Who:

  • Jonathan Grier, Principal, Grier Forensics

Why:

  • Stories about exploiting Office documents abound. This is the deep dive into the technicalities behind the news.

What I’d like to see:

  • Not just the details, but also the start-to-end attack campaign.
  • While much of the focus is on the victim’s system, it would be interesting to see the attack from the attacker’s perspective as well, i.e. the actual tools used to control and manipulate the victim’s machine.

#7: Watt, Me Worry? Analyzing AC Power to Find Malware

Date & Time: Wednesday, April 22, 10:20-11:10am
Location: Moscone West, Room 2002
Abstract: Side channels have been widely used to spy on users. What if we spied on malware instead? It turns out that execution on the CPU creates observable patterns on the AC power line. We use this side channel to detect malware and other anomalies from a single measurement point at the wall. We’ll describe the research that drives our work and explain how to use power side channels for good.
Who:

  • Benjamin Ransford, Chief Technology Officer, Virta Laboratories, Inc.
  • Denis Foo Kune, Chief Executive Officer, Virta Laboratories, Inc.

Why:

  • A breath of fresh air: out-of-the-box thinking to combat malware.
  • Side-channel attacks have an “Aha” moment to them, like solving a good logic riddle.

What I’d like to see:

  • Nothing makes a side-channel story land like a good analogy.
  • Future development and applicability of these types of side-channel attacks and defenses.

#8: Patching Exploits with Duct Tape: Bypassing Mitigations and Backwards Steps

Date & Time: Thursday, April 23, 8:00-8:50am
Location: Moscone West, Room 3014
Abstract: The sale of exploits and bug bounty programs are at an all-time high, as is their use by cyber criminals. OS vendors, such as Microsoft have progressively implemented a gigantic number of controls to stem the bleeding. Learn how attackers side step mitigations in accessible live demonstrations. New to exploitation or want to learn about the latest mitigations? Come along and learn more!
Who:

  • James Lyne, Global Head of Security Research, Sophos
  • Stephen Sims, Security Research and Instructor, SANS Institute

Why:

  • Zero days and built-in software bugs are inevitable.
  • Attackers side-stepping mitigations should not surprise anyone. It’s time to see how we can remain productive and secure even on an already-compromised network.
  • The promise of live demos wins us over.

What I’d like to see:

  • Individual mitigations fail to detect attackers exploiting these vulnerabilities, which is what drives the compensating “defense-in-depth” model. That, in turn, floods operators with alerts from multiple products that all need handling. Can we expect these folks to propose a more efficient model?

#9: Securing Active Directory Correctly

Date & Time: Friday, April 24, 10:10-11:00am
Location: Moscone West, Room 2018
Abstract: Even after 15 years of Active Directory being released, administrators and security professionals still don't understand the key points of Active Directory security. In this session, MVP Derek Melber will go over the top incorrectly secured and configured settings related to Active Directory. When you leave this session you will have immediate tasks to perform on your Active Directory environment.
Who:

  • Derek Melber, Technical Evangelist, ManageEngine

Why:

  • Active Directory (AD) has garnered much focus in the past couple of years, and rightfully so. It has been a security blind spot for far too long.
  • Microsoft has recently acknowledged the need to secure and protect AD with its November 2014 acquisition of Aorato, an AD-security startup, for a reported $200M.

What I’d like to see:

  • With attackers leveraging AD’s functionality to propagate within the enterprise network or externally to its cloud services, it would be interesting to see what type of tell-tale attack signs they leave within AD.
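The abstract promises a list of incorrectly secured settings; several of the usual suspects live in attributes that an LDAP export already contains. The script below is an added example, not code from the talk or from ManageEngine, and its checks are a generic set rather than Derek Melber’s list. It assumes accounts have been exported from LDAP into dicts carrying userAccountControl, memberOf (simplified here to group names instead of DNs), servicePrincipalName and adminCount; the records it audits are constructed.

```python
"""Offline audit of common Active Directory account misconfigurations.

Added example; not code from the talk or from ManageEngine, and the checks
are a generic set, not Derek Melber's list. It assumes the accounts have
already been exported from LDAP as dicts with userAccountControl,
memberOf (simplified to group names), servicePrincipalName and adminCount;
the records below are constructed.
"""

# userAccountControl bits, as documented by Microsoft for the attribute.
UAC_PASSWD_NOTREQD = 0x0020
UAC_SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
UAC_DONT_REQ_PREAUTH = 0x400000

# Groups whose members are protected by AdminSDHolder (and should be treated as privileged).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators", "Server Operators", "Print Operators",
}

# Constructed sample export.
ACCOUNTS = [
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200,
     "memberOf": ["Domain Users"], "servicePrincipalName": [], "adminCount": 0},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": 0x200 | UAC_DONT_EXPIRE_PASSWORD | UAC_DONT_REQ_PREAUTH,
     "memberOf": ["Domain Admins"],
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"], "adminCount": 1},
    {"sAMAccountName": "appsrv01$", "userAccountControl": 0x1000 | UAC_TRUSTED_FOR_DELEGATION,
     "memberOf": ["Domain Computers"], "servicePrincipalName": ["HOST/appsrv01"], "adminCount": 0},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | UAC_TRUSTED_FOR_DELEGATION,
     "memberOf": ["Domain Controllers"], "servicePrincipalName": ["HOST/dc01"], "adminCount": 0},
    {"sAMAccountName": "olddba", "userAccountControl": 0x200,
     "memberOf": ["Domain Users"], "servicePrincipalName": [], "adminCount": 1},
    {"sAMAccountName": "tempuser", "userAccountControl": 0x200 | UAC_PASSWD_NOTREQD,
     "memberOf": ["Domain Users"], "servicePrincipalName": [], "adminCount": 0},
]


def audit_account(acct):
    """Return the list of finding tags for one account (empty if nothing is wrong)."""
    uac = acct.get("userAccountControl", 0)
    privileged = bool(set(acct.get("memberOf", [])) & PRIVILEGED_GROUPS)
    has_spn = bool(acct.get("servicePrincipalName"))
    is_dc = bool(uac & UAC_SERVER_TRUST_ACCOUNT)
    findings = []
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("preauth-disabled")            # AS-REP roastable
    if uac & UAC_PASSWD_NOTREQD:
        findings.append("password-not-required")       # blank password is allowed
    if uac & UAC_TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append("unconstrained-delegation")    # host can impersonate anyone who connects
    if privileged and has_spn:
        findings.append("privileged-spn")              # Kerberoastable admin credential
    if privileged and uac & UAC_DONT_EXPIRE_PASSWORD:
        findings.append("privileged-password-never-expires")
    if acct.get("adminCount") == 1 and not privileged:
        findings.append("stale-admincount")            # left over after removal from a protected group
    return findings


def audit(accounts):
    """Map sAMAccountName -> findings for every account that has at least one."""
    results = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            results[acct["sAMAccountName"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Against the sample, the service account in Domain Admins with an SPN and pre-authentication disabled collects three findings, the application server with unconstrained delegation one, and the domain controller none, since DCs are expected to carry that flag. In a real run, memberOf must be expanded through nested groups before the privileged test means anything, and the same export can feed the attack-trace question above: a sudden change in these attributes on an account is a tell-tale sign in its own right.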

#10: Are You Giving Firmware Attackers a Free Pass?

Date & Time: Friday, April 24, 10:10-11:00am
Location: Moscone West, Room 3018
Abstract: Despite numerous conference publications and revelations in the past year showing attackers’ interest in and capability for BIOS-level attacks, most enterprises are content to leave their firmware uninspected. This talk shows concrete strategies to check for BIOS vulnerabilities and to integrity-check firmware, to minimize the attacker’s ability to sit on your network undetected for years at a time.
Who:

  • Corey Kallenberg, Chief Technology Officer, Co-Founder, LegbaCore
  • Xeno Kovah, Co-Founder & Chief Executive Officer, LegbaCore

Why:

  • Highly relevant. Reports from just a couple of months ago showed hard-drive firmware from vendors such as Western Digital being backdoored, and news of Superfish, an OEM-bundled software component shipped with certain Lenovo machines, followed soon after.
  • Enterprise infiltration is typically thought of as something performed methodically over time. This talk shows that it can also arrive “out of the box”.

What I’d like to see:

  • These attacks arrive through the supply chain, so detecting the mere existence of the threat is nearly impossible. At what point in time can we start detecting the threat while making sure we don’t suffer its consequences?
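Two of the “concrete strategies” the abstract alludes to can be shown with very little code: reading the chipset’s BIOS write-protection bits, and diffing a flash dump against a known-good baseline region by region. The script below is an added example, not code from the talk or from LegbaCore. It assumes the platform exposes Intel’s BIOS_CNTL register (bit layout taken from Intel PCH datasheets: BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and that the register value and SPI flash dump have already been read out with a tool such as chipsec; here both are passed in as values, and the flash image, its region layout and the golden hashes are constructed.

```python
"""BIOS write-protection and flash-image integrity checks.

Added example; not code from the talk or from LegbaCore. It assumes the
platform's BIOS_CNTL register (bit layout from Intel PCH datasheets: BIOSWE
bit 0, BLE bit 1, SMM_BWP bit 5) and an SPI flash dump have already been
read out with a tool such as chipsec; both are passed in as values here and
the flash image and its region layout are constructed.
"""
import hashlib

BIOSWE = 1 << 0    # BIOS Write Enable: flash is writable right now
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes allowed only while in SMM


def bios_write_protection(bios_cntl):
    """Return (protected, reason) for a BIOS_CNTL register value."""
    if bios_cntl & BIOSWE:
        return False, "BIOSWE set: flash is writable from the OS"
    if not bios_cntl & BLE:
        return False, "BLE clear: kernel code can set BIOSWE and write flash"
    if not bios_cntl & SMM_BWP:
        return False, "SMM_BWP clear: BLE alone is raceable from a second core"
    return True, "BLE and SMM_BWP both set"


# Constructed layout of a toy 4 KiB flash dump; on real hardware the region
# table comes from the flash descriptor, it is not guessed.
REGIONS = {
    "descriptor": (0x000, 0x100),
    "me": (0x100, 0x800),
    "bios": (0x800, 0xF00),
    "nvram": (0xF00, 0x1000),
}
MUTABLE = {"nvram"}   # UEFI variables change legitimately; diffing them is noise


def hash_regions(image, regions=REGIONS):
    """SHA-256 of every region of the dump, keyed by region name."""
    return {name: hashlib.sha256(image[start:end]).hexdigest()
            for name, (start, end) in regions.items()}


def changed_regions(baseline, image, regions=REGIONS, mutable=MUTABLE):
    """Region names whose hash no longer matches the baseline, ignoring mutable ones."""
    current = hash_regions(image, regions)
    return sorted(name for name in baseline
                  if name not in mutable and baseline[name] != current.get(name))


# Constructed golden image and the hashes that would be recorded at deployment.
GOLDEN = bytes(range(256)) * 16
GOLDEN_HASHES = hash_regions(GOLDEN)


def sample_tampered_image():
    """Golden image with one byte patched in the BIOS region and one NVRAM change."""
    img = bytearray(GOLDEN)
    img[0x900] ^= 0xFF   # implant-style modification inside the BIOS region
    img[0xF10] ^= 0xFF   # a variable write, the kind of change that is expected
    return bytes(img)


if __name__ == "__main__":
    for value in (0x00, 0x01, 0x02, 0x22):
        print(f"BIOS_CNTL=0x{value:02x}: {bios_write_protection(value)}")
    print("changed:", changed_regions(GOLDEN_HASHES, sample_tampered_image()))
```

A register value of 0x22 passes; 0x02 (BLE without SMM_BWP) is reported as weak because that is the configuration the race published by Kallenberg and Wojtczuk as Speed Racer exploits. Two caveats a practitioner would add: BIOS_CNTL is only one of the controls (the SPI protected-range registers and FLOCKDN matter just as much), and a region diff is only as good as its baseline, which is precisely the supply-chain problem raised above: if the first dump was taken from an already-implanted machine, the implant is the baseline.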