3 Days, 3 Talks, 3 Conferences, and 3 Reports

I’ve been on the road speaking at various conferences over the last two weeks. This past week, however, I found myself with a very busy schedule that included flights to both Boston, MA and Washington, D.C. (and back again to Boston) to present 3 different talks, at 3 different conferences over the course of 3 days.

The first conference on this junket was SOURCE Boston 2016 in Boston, MA. Though I missed the morning of the first day, I arrived just in time to spill coffee on my good friend Chris Nickerson, CEO of Lares Consulting, before he took the stage for his afternoon keynote presentation entitled Nightmares of a Pentester. It was a great presentation that discussed the technologies and techniques that have turned traditional paths to root from minutes to months based on his more than 15 years as a professional penetration tester.

On the second day I kicked off the Security & Metrics track with my Bootstrapping A Security Research Project talk. The talk was well received and it dovetailed nicely into fellow data nerds Suchin Gururangan and Bob Rudis’ talk on the Topology of Malicious IPv4 Activity and Michael Roytman’s Mr. Human – Vulnerability Management from a Hacker’s Perspective talk.

Unfortunately I had to leave mid-day, missing several talks, to catch my flight to the second event on my junket, the (ISC)² CyberSecureGov 2016 conference in Washington, D.C. The second day of the conference kicked off with a keynote on Positive Change Agents in Our Exponential Era by Dr. David Bray, CIO for the Federal Communications Commission (FCC). He had several very quotable messages during his presentation including:

Following Dr. Bray’s talk was a panel session entitled The FedRAMP Transformation Through the Eyes of the FedRAMP Team with Matt Goodrich, William (John) Hamilton, Claudio Belloi, and Ashley Mahan. The session discussed the program’s history, customer feedback, case for change, and transformation efforts currently underway. It was no surprise to me, however, that many individuals left the room as soon as they heard the phrase “The FedRAMP team is up next.”  I’m not sure if this was because they were not embracing cloud, they felt they already knew everything they needed to know about cloud, or they were disillusioned with FedRAMP or the speed at which the team was moving. Needless to say:

My talk, 15 Years Later – Data Awareness in a Post Robert Hanssen World, followed the panel. This session asked the question “have we learned anything about protecting our sensitive data since the arrest of disgraced FBI agent Robert Hanssen?”  The short answer is “sort of” but the longer answer is that we, as security professionals, are having an unsurprisingly hard time keeping pace with technology.

When I polled the room asking individuals to self-identify as working for a “three letter agency” roughly 6 attendees raised their hands. Ironically, when I asked if anyone was working with the Federal Security Service of the Russian Federation (a.k.a. the FSB) nobody raised their hands. Either they had very good operations security (OPSEC) or were just flat out lying to me.

I also presented real-world tips, tricks, and proven methodologies for detecting, disseminating, and defending the sensitive data used within an organization’s environment. Seeing people furiously scribbling notes and taking pictures of slides as I presented is always a good feeling.

Hopefully some of the content has changed the way the attendees will approach security upon returning to their respective offices and agencies.

After my talk I headed back to the airport for my return flight to Boston in order to take part in the (mostly) annual BSides Boston 2016 conference held at the Microsoft New England Research and Development (NERD) Center in Cambridge, MA.

As my talk wasn’t until the afternoon of the event I volunteered with Roy Wattanasin, Ming Chow, Steve Coley, Rob Cheyne, and others, to review resumes of students looking to break into security as well as experienced professionals looking to improve existing resumes.

My good friend Bill Brenner grabbed a quick picture of us hard at work poring over the resumes.

There were two very noteworthy keynotes at the conference. The first was from cultural anthropologist Gabriella Coleman, current holder of the Wolfe Chair in Scientific and Technological Literacy at McGill University, on her studies around Anonymous and the hacker mindset in general.

Peiter “Mudge” Zatko, of L0pht and DARPA fame, was up after lunch where he highlighted some of his experience in working with DARPA and the Department of Defense (DoD). It wasn’t, however, a tell all:

One of the slides from Mudge’s talk highlighted the fact that one third of vulnerabilities in government systems are the result of vulnerabilities in the software itself – not in their configuration.

After another round of resume reviews I presented my Facilitating Fluffy Forensics 2.0 talk to a packed room with a great cross-section of forensics and incident response (IR) practitioners, IT and security managers, and security generalists. The session covered the forensic and IR challenges of investigating servers and applications in cloud environments in addition to the opportunities that cloud presents to help expedite forensic investigations. At the networking event after the conference I had several individuals come and thank me for my talk and for the suggestions (and suggested tools) highlighted therein.

All three conferences come highly recommended by me and a number of others that I spoke with at each event, respectively.  As I awoke in my hotel room on Monday it felt strange knowing that I would not be boarding a plane in a matter of hours. Perhaps I’ll find something to present this week at our HQ in Nashua, NH if I begin to get the shakes.

Next up, RVAsec 2016 in Richmond, VA in June. Hopefully I’ll see you there!

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.