As I write this, the first full day of the 2015 UNITED Security Summit is nearing its end -- many of our attendees are still out at our Wednesday evening party (or, reading this the next morning... but hopefully no worse for wear).
This seems like a good time to give a quick recap of today's packed agenda. Below are just a few select highlights from the day with video clips where possible.
Welcome & Kickoff
Our CEO Corey Thomas set the stage for the conference with an exploration of this year's theme -- Confidence in a Chaotic World -- by having us examine the concept of chaos itself. Our industry can seem chaotic, and the attackers can certainly impart a feeling of utter chaos -- but there is a framework for greater understanding that can help us regain confidence. One framework Corey mentioned was that of piracy, a crime that goes back to time immemorial, and how it bears striking parallels and resemblance to the world of cybersecurity today. In that way, we can even look to successful methods to combat piracy for cues to help us gain a foothold in our world. Now, piracy is a notoriously difficult crime to understand, let alone combat, so what has worked? Changing the economics. Making piracy less lucrative makes it a less attractive employ. And if we work to shift the economics of cybercrime back in the favor of those of us who fight it, with organization, intelligence and technology, Corey believes we'll see the tides turn.
Giving a bit of detail on the economics and methods of cybercrime today were Nicolas Christin (@nc2y) of Carnegie Mellon and Matt Noyes of the US Secret Service. Nicolas walked us through some common search engine hijacking methods many attackers use in order to conduct compromises at scale. These attacks aren't sophisticated, but they allow attackers to compromise and nab a lot of websites very quickly and easily, and employ those websites for their own gain. It's a method that's been around for years, but is still so prevalent because it simply works.
Both Nicolas and Matt emphasized that most attackers -- usually members of transnational criminal organizations -- are simply looking for readily monetizable data. Money is what motivates them above all; we're no longer worried about skiddies. These criminal organizations often work with distributed groups who specialize in different parts of the attack chain. That means that while these organizations are very distributed, they themselves lack expertise and sophistication, and they're quite reliant on the commoditization of attack methods. They want and need the easiest attack for the greatest ROI. Both Nicolas and Matt advise never being the low-hanging fruit, but also minimizing potential damages by reducing the assets in your organization that could potentially be monetized. If what you have can't be easily turned into cash, the attackers will find a more appealing target.
And for the defender's point of view? Mike Murray (@mmurray) of GE Healthcare emphasized that we need to be asking better questions. The reasoning that we don't have enough data to know what's going on no longer applies -- nowadays we're overloaded with data, but we don't know what to make of it: "It used to be what gets measured gets managed -- now it's what gets analyzed gets done." Matt had a lot of great quotes on making sure we're being smart with the data we're collecting and that we actually know what to make of it all, but I thought he put it perfectly with this: "Bad guys win on exploits, good guys win on analytics and getting intelligence quickly."
Creating a Robust Incident Response Program
I sat in on Wade Woolwine's (@wadew) panel "Seven Things To Do If You've Been Breached," and really appreciated how much of Wade's advice emphasized preparation and communication. The human element can't be under-emphasized here -- whether it comes from successfully negotiating for time and resources to respond to an incident, or in communicating to executives and legal departments when the worst happens. Another key point was that one size does not fit all when it comes to incident response, so again, preparation is key to success here. Your organization is unique, your environment is unique, and the only way to know what unique factors your IR team will need to navigate will be from direct experience and applying lessons learned. A few hours for a tabletop exercise one day could save a lot of churn time when it's a real emergency -- people will know who and what needs to mobilize and how. The cliche about an ounce of prevention is so true here, and of course it's incredibly difficult to implement in practicality (...otherwise we'd all be doing it, right?), but it's worth repeating.
The Battle of the Analysts
Rick Holland (@rickhholland), Rich Mogull (@rmogull) & Wendy Nather (@451wendy) sat down with Trey Ford (@treyford) for a no-holds-barred panel on a variety of infosec topics. There was a lot of consensus around a few areas -- the current state of threat intelligence is poor, analysis of cybersecurity events in the mainstream news is extremely lacking, there's far too much ambulance-chasing happening after a breach -- but it was interesting to hear opinions strongly diverge, especially on the topic of cloud: specifically, the wisdom of moving a lot of your operations to a cloud environment. Rich was admittedly "optimistic on cloud," and sees huge opportunity for organizations who might be stuck with legacy tech or lack of resourcing for upkeep, whereas Wendy described herself as more of a "cloud survivor." She recounted her experiences on projects to virtualize "ancient" technology and, while the intentions may have been good to help catch up on technical debt, the practicalities can be daunting-to-impossible for many other organizations.
One piece of advice Rick Holland had for the audience was to think of security's role as a service and not as a control. While this might go against some instincts about what security "should" be, Rick strongly believes that when positioned as a service, security reaps real benefits -- like better intelligence sharing from colleagues and better response from management.
Even MORE video clips
I've embedded a few video clips above from the day's events, but we have more on the way! I'll embed day 1 videos below, and you can access all the videos from this year's UNITED Security Summit via the Rapid7 YouTube channel on this playlist: https://www.youtube.com/playlist?list=PLMrgKzfE1aIOZmnT1xBEXcNaY-CryQEYg
Excerpt from "Breaches? Security Issues? It's All In Your Head" with Rapid7 CISO-in-Residence Bob Lord (@boblord):
Hope everyone had a great day today -- see you bright-eyed and bushy-tailed at UNITED Day 2 first thing tomorrow!