I went to BSides Cleveland last Friday. We put the word out to the #misec mailing list, and took a couple of carloads of Michigan IT/InfoSec pros down to Ohio. The conference was well run, the swag bags were well stocked, and everyone I spoke with enjoyed themselves. Below are some of the highlights.
Dave Kennedy (Rel1k) kicked off the conference. Dave has recently made the transition from Diebold’s CSO to CEO at TrustedSec. Dave demoed some advanced pentesting techniques using the Social-Engineer Toolkit (SET). Of note, did you see the news on the new scary attack that knows your OS? Yeah. That was Dave’s code being re-used. Whoops.
Next up was Bill Mathews (@billford) on cloud security. I have a reasonably sound understanding of cloud computing and cloud security. I went to Bill’s talk to get ideas on how to talk with non-infosec people about cloud concepts. Bill did not disappoint. He had a good talk, kept my interest, and provided a one page cheat sheet at the end. (These sheets are on their way to my team already.) You can see Bill’s slides and cheat sheet at Hurricane Labs.
I attended Jeff Kirsch’s talk next (@ghostnomad). As a haiku fan and long-time reader of Jeff’s blog, I really wanted to meet Jeff. He is also a hard guy to meet because I rarely see him at other conferences. Finally I had my chance! Moreover, I identified end-user training as a weakness in my security program and I am on the lookout for ways to improve. The “<? $People ?> Process Technology” talk was informative and helped steer me in the right direction.
Jeff joined us for lunch at the Winking Lizard Tavern. We got to talk secbiz, rail against auditors who don’t get it, rail against IT managers who don’t get it, and basically geek out on the business side of infosec. I rarely get to scratch the business itch and so this was a real treat.
After lunch, I gave an updated version of my Naked Boulder Rolling talk. How did this compare to the one I gave in June? Detroit was more fun and Cleveland was more satisfying. That is to say, I enjoyed the audience participation and humor while presenting in Detroit. The only problem was that it meant a good quarter of my talk was cut due to time. In Cleveland, I was able to present the material in full. I felt the overall message of the talk was conveyed more clearly. I fielded some good questions afterwards that have me thinking of making a new ITGRC deck.
With Matt Johnson’s incident talk fresh in my mind, I joined Mick Douglas’s talk on Automating Incident Response. Mick’s metaphor was building a sprinkler system to respond to the burning building that is the security breach. Add to that the research that shows how exponentially expensive a breach gets the longer it goes undetected, and Mick has a powerful argument. He wrapped up by demonstrating Python scripts that respond to incidents using network segmentation and throttling. Mick gave me a few ideas that I am going to try on my own network gear this coming week.
I sat in on a talk by James Siegel (@WolfFlight) next. James has been thinking about moving the security conversation beyond the echo chamber for some time. At BSides Detroit, he brought a hallway con discussion around the topic that led up to a podcast. It was decent for a first time presenter. James employed some humorous visuals featuring Looney Toons to provide a clear call to action: let’s educate non-technical folks.
I walked into the next session chanting “.net! .net! .net!” Some might argue that was because of all the free Bawls drinks. But, no, I was excited to see Bill Sempf‘s perspectives on application security. Bill walked us thru ASP.NET controls for the OWASP top ten, and touched upon using Back|Track for validation. The key insight from this talk was using Back|Track scripts to validate code as part of the build process. This dove-tails nicely with my philosophy of baking infosec into the work, and I am looking to explore the concept further in the next few months.
The conference wrapped up with a two hour after party, and then a three hour drive back home. I had a number of great conversations over those five hours, and spent yesterday collecting notes and pulling down content. BSides always leave me fired up to do more, learn more, and see more. BSides Cleveland once again proved why community conferences are so inspiring. All I can say is, when do we get to do it again?
Kudos Dave DeSimone and the Cleveland organizers, and thank you to sponsors: Diebold, Accuvant, FireEye, f5, Bit9, DerbyCon, Hurricane Labs, Neoisf, SecureState, Rapid7, and McAfee.
Update: The videos for all BSides Cleveland talks are now online: http://www.irongeek.com/i.php?page=videos/bsidescleveland2012/mainlist