Rapid7 Blog

Caitlin Condon  


UNITED Summit: Day 2


After a jam-packed day one of Rapid7’s UNITED Summit, the UNITED running club started the day bright and early yet again. The rest of us opened UNITED day two with a fireside chat hosted by Jen Ellis, Rapid7 VP of Community and Public Affairs, and a slew of prominent security commentators: Lares founder Chris Nickerson, Mach37 Cyber’s managing director Mary Beth Borgwing, Veracode CTO Chris Wysopal, and Josh Corman of the Atlantic Council and I Am The Cavalry. We skipped last year's on-stage drinking but kept the lively debate, which started with automation and moved swiftly through machine learning, theories on the future of software and security policy, and time frames for integrating security into teams organization-wide.

There was little wholesale agreement (that’d make for a boring debate, after all!) but much overlap in the group’s opinions and predictions: Yes, automation is important, and automating what everyone can do frees us as a community to focus on what we, uniquely, can do; machine learning isn’t magic and requires focus on the right problems and the right incentives; there’s plenty of need, and hope, for input and engagement on policy, even and especially when getting it right is difficult; reducing complexity and making it possible for everyone in organizations to do the everyday work of security is key. The panel wrapped up with a lighthearted question: What’s your #1 prediction for the future of infosec? Click through for the respective answers from Chris Nickerson, Josh Corman, Chris Wysopal, and Mary Beth Borgwing.

There’s nothing like a fast-talking panel of smart people to get conference-goers geared up for a bunch of action-packed sessions, and that’s exactly what we had in store for UNITED attendees after our fireside chat concluded. Rapid7’s data science team talked about how Rapid7 builds and maintains internet-scale active and passive telemetry platforms (and what we learn from them) in the Research & Collaborate track. Folks listening to talks in the Assess & Remediate track got insight into how to talk to their boards about information security. Phish, Pwn, & Pivot attendees learned how to keep pen testers (and attackers!) out of their networks. And Rapid7’s transportation security director Craig Smith led a brilliant session on self-driving vehicles and their relationship to security.

The afternoon was no less bountiful in information and engagement opportunities: the Detect & Respond track revealed the hidden value in log management, we dug into how organizations around the world can prepare for GDPR, and Rapid7 Threat Intelligence Lead Rebekah Brown and the DoJ’s Leonard Bailey discussed information exchange with the government. Research Director Tod Beardsley closed out the Research & Collaborate track with a succinct-yet-cheerful statement: “You’ve got 0-day! Here’s how to deal with it.”

Before our phenomenal closing keynote, the Metasploit team awarded prizes for the first-ever UNITED CTF. Congrats to the persistent and talented winners!

As the end of 2017’s UNITED Summit drew near, Chief Marketing Officer Carol Meyers took the stage to deliver thanks to Rapid7’s partners, speakers, and, of course, our incredible customers and community attendees. She then introduced Dan Geer, CISO of In-Q-Tel, iconic security futurist and commentator, and undeniable facial hair inspiration (though there’s no defeating Rapid7’s Deral Heiland). Geer invoked a litany of philosophers, scientists, public servants, and writers as he drove home some beautifully, impactfully delivered points: The attack surface in the world is expanding, and it’s doing so faster than the security skill umbrella can match. What we do here, in this field and everything that touches it, isn’t so much a ‘profession’ as it is an occupation, or as some might have put it, a vocation.

Geer referenced the lessons he’s learned in engineering and biostatistics, respectively: First, that getting the problem statement right is essential, and second, that correcting for data bias in an imperfect world will be, necessarily, imperfect. “My principal challenge,” he told the audience, “has been the balance between getting the problem statement right and choosing tolerable failure modes based on the data available...This hasn’t changed: You have to know what problem you’re trying to solve and which data you need to solve it.”

This theme kept resurfacing as Geer took the UNITED audience through some of security and technology’s fundamental tensions, particularly when building models and thinking about the future: causality vs. control, optimization vs. resiliency, automation vs. sentience. Our problem statement, he said, is not cybersecurity itself, but rather the side effects of the pursuit of it. If the future is data-rich and the technologies acting upon all that data are dual-use, how do we ensure the integrity of that data and of the supply chain that underpins it? What, as an industry, are our ‘tolerable failure modes’? Do we trust the data we have? Do we make and keep algorithms interrogatable? Do we keep humans in the loop as we move further and further toward automation? And is it a good thing when we do?

Big questions deserve deeply considered answers; your engagement at UNITED and beyond is critical to helping us at Rapid7 and the industry as a whole understand and address our proverbial problem statements. Rapid7 thanks all of you at UNITED for your much-valued participation and your continued attention to the big questions and the big problems that drive us. As Dan said in closing: “There’s never enough time. I thank you for yours.”

You can find the full transcript of Geer's speech here. For a limited time, you can watch both UNITED’s fireside chat and Dan Geer’s closing keynote on-demand here. For more UNITED blog content, check out these posts.

UNITED Summit: Day 1


Day one of Rapid7’s UNITED Summit is almost over! We kicked off this morning with welcome remarks from CEO Corey Thomas (after a very, ahem, colorful performance by the Blue Man Group!), who spoke on the need to de-silo data and teams in the interest of driving innovation and solving big problems. He made a point of calling out the cybersecurity industry’s tendency to believe that security teams can be successful independently of IT, a shackle, as Corey put it, that holds us back, often unnecessarily.

One of Corey’s most powerful attributes as a speaker is the way he constantly evokes forward motion; at UNITED, he asked key questions for the security industry as a whole and for Rapid7 as a company: How can we harness our collective imagination to create a sense of optimism in our field and beyond? Are the organizational models of the past really serving us today? What areas of expertise will ensure our continued relevance and success in a changing world? Looking ahead with clarity and focus is a talent our CEO has in spades. We’re thrilled to be able to share Corey’s vision so intimately with our customers and the community!

We chose a formidable speaker and technologist as UNITED’s opening keynote: Nicholas Negroponte spoke eloquently on everything from the breakdown of barriers between the natural and manmade worlds to the need for innovation and the inevitability of change. UNITED’s thematic notes resonated in the MIT Media Lab co-founder’s words: we in technology are both witness to and driver of the crumbling walls of old models and distinctions, whether those borders lie between nation-states or between IT and security teams. As we look to package and deliver information in new ways (a car from a seed!), it’s urgent that we ask whether we’re developing new approaches to big problems. “When I wake up in the morning, I ask myself a question,” Negroponte told the UNITED audience. “‘Will normal market forces do what I’m doing today?’ If the answer is yes, I stop. They don’t need me.”

Rapid7 Chief Product Officer Lee Weiner and Customer Success SVP Stephanie Furfaro offered smart, actionable answers to the morning’s big questions on the future of technology with a powerhouse presentation on customer-centered innovation. UNITED attendees got a close-up look at how the vision for Rapid7’s Insight platform informs and enhances individual product improvements, from fresh container security assessment functionality in InsightVM to uniting UBA and SIEM capabilities in InsightIDR. Much as Corey Thomas recognizes the pressing need for collaboration between IT and security teams, Lee and Stephanie put strong emphasis on synergy between product and customer success teams. As Stephanie said right off the bat, “Our customers are heroes….We want to be there when you need us.”

A rousing round of applause for our three Rapid7 Customer Award winners marked the end of the morning presentations and the beginning of an afternoon that included talks on everything from automation and container security to the evolution of the CVE and cybersecurity for trade agreements. The Metasploit crew kicked off their exclusive UNITED CTF, Deral Heiland and Craig Smith led an IoT lab complete with hands-on demos, and a slew of different Rapid7 teams gave 1:1 expert consultations (at no cost!) for attendees. This afternoon we’ll host a series of industry roundtables so UNITED guests can share challenges and solutions with others in their industry.

Want to gear up for tomorrow? Plan your day with the full agenda, and if you’re extra motivated, get up early to join the UNITED running club for a 5K jogging tour of Boston! Not here in person? Follow the #R7UNITED hashtag on Twitter and take advantage of the UNITED live stream showing tomorrow’s fireside chat and Dan Geer’s closing keynote. Thanks to everyone who made the trip out to Boston to join us this week, and to those of you watching at home! You’re all our heroes.

The Next Generation of the Rapid7 Community


Welcome to the new and improved place for Rapid7 blogs! Rapid7’s blogs aim to provide readers with pragmatic, down-to-earth information and advice to help you navigate the complexity and noise of the security landscape. We rely on, and greatly appreciate, the feedback and input of our community to help us identify what kinds of content and topics are most valuable. Thank you!

We’re constantly looking for ways we can improve the quality of our content and the experience for our users. To that end, in August 2017 we launched two new resources to provide a richer, more seamless experience across Rapid7’s web assets and information sources:

- blog.rapid7.com is our platform for news, issues response and commentary, and research
- help.rapid7.com offers a rich and constantly-updated knowledgebase, and a forum where you can ask questions

How can you get involved? We value community perspectives, so we hope you’ll continue to offer frank, insightful comments in response to our blog posts. We use Disqus to facilitate commenting and discussion on blog.rapid7.com articles. You won’t need your old community login to share your opinion: Disqus allows users to log in using email or major social platforms. Please note: logins for the old Rapid7 Community site (pre-August 31st 2017) are no longer valid.

From deep-dive research to ad-hoc feedback, the community is our lifeblood. The entire Rapid7 team is excited (one might even say “pumped”) to share this next generation of community resources with you! If you have any questions or concerns about the future of our blog and help site, please contact community [at] Rapid7 [dot] com.

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.


Upcoming Event

UNITED 2017

Rapid7's annual security summit is taking place September 12-14, 2017 in Boston, MA. Join industry peers for candid talks, focused trainings, and roundtable discussions that accelerate innovation, reduce risk, and advance your business.


Podcast

Security Nation

Security Nation is a podcast dedicated to covering all things infosec, from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee-deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.
