RSA Conference: Last Day

Hallelujah, it’s the last day!

As it was the last day, the morning sessions were remarkably well attended, and the afternoon brought some really great keynotes designed to keep people in their seats.  Nicely done, RSA conference organizers.

So, in the morning, it was metrics, metrics, metrics (and measurements). Here are the themes:

– Metrics measure services, and link to the organizational mission

– They measure the underlying pieces of services:  People, information, technologies, and facilities

– For security, metrics at some level measure “How Secure Am I?”  “Am I Secure Enough?”  “How Secure Do I Need to Be?”  “What Would Change if I Was More Secure?”  “What Is the Business Value of Being More Secure?”  and most importantly, “SO WHAT?”

– Metrics are only valuable if they inform decisions, affect behavior/actions, and determine improvements

– Metrics should:  guide decision making, guide variance (aka compliance) measurement, guide loss exposure

– Benchmarks against peers may also be known as the “Lemming approach” or “Regression to the Mean” – in other words, benchmarking works if you are starting from scratch, but can sometimes be used to replace critical thinking about what is important to an individual business.

So, that was it for the really Security focused sessions.  Which brings us to the last Keynotes of the conference.

The first session was “Hugh Thompson and Friends”, discussing the intersection between predictive analytics and the implications for privacy.  The first “Friend” was Dr. Angela Duckworth from UPenn, who has worked out a 10 question measurement of “Grit”, used to predict success and to measure passion and perseverance.  It is used at West Point to determine who will stick with the program (25% of entrants drop out), and who will last.  If you will, this measures “Top Talent”.  I won’t tell you what my score was, but the good news is you can learn to model your behavior after people with “Grit”:

– Be Specific about the skills you want to sharpen

– Work on fixing your weaknesses, not improving your strengths

– Work in your discomfort zone

– Get feedback often and early

– Be loyal and steadfast to your goals

Then, Dan Geer came on to discuss more of the predictive analytics in a security sphere.  Most interesting assertion:  that de-identification (anonymizing data) can be reversed – always.  The implications for big data research are significant.  Here was another zinger:  Knowledge is power.  We are creating knowledge.  Where does the knowledge/power go?  Here’s another thought:  it is cheaper to keep data forever than to selectively delete it (which is what our current records retention policies require).  Private industry keeps data long enough to work out that the data cannot be monetized; government keeps data as long as it can afford to store it.  “The right to be forgotten” is not achievable.  (Ominous music plays in the background).

Lastly, and by far my favorite, Stephen Colbert was the final speaker, and was predictably hilarious.  He noted that he has created a new company called “CloudFog” – look for it in a store near you.  I leave you with his thought:

“There is no greater threat to our security than not knowing where the money goes, and not voting.”

Stay warm!

RSA Conference: Day 4

Will this conference never end???  Actually, although my brain is almost at saturation point, it was quite an enjoyable day.

My first session was titled “Public Cloud Security: Surviving in a Hostile MultiTenant Environment”.  Certainly not for the faint of Security heart.  The presenter (an architect from Microsoft Azure) defined 3 computing eras: mainframe, client/server, and mobile/cloud.  Obviously, we are in the relatively early stages of the 3rd phase.  The number one concern of IT leaders related to cloud is, not surprisingly, Security.

The Cloud Security Alliance has defined the “notorious nine” security concerns about the cloud.  You can read more at Here’s the main thing about cloud:  in order to be scalable, cloud vendors have to architect their systems in a very homogeneous way – same hardware, same o/s, same hypervisor, etc.  This introduces a LOT of concentration risk (if you have one vulnerability, you have LOTS of them).  It also means that you cannot assume that you can trust the hardware/software of the providers, and that attackers are anonymous and diverse.  So, the session focused on what can be done, both by providers and customers, to mitigate these risks.  I won’t focus on these mitigants now, but here’s the thing:  IT groups (and security) have made assumptions that off-premises cloud providers are inherently less secure than on-premises in house architecture – but are they really??

The second session blew my mind.  It was a presentation titled “Practical Attacks Against MDM Solutions”.  In this session, the presenter did a live demo of how to hack an iPhone, how to hack a Container solution on that iPhone, and how to hack an Android.  In each case, he was able to hack the phones in about 3 minutes, gather so-called encrypted email, and take control of the microphone and camera of the iPhone.  All with publicly available commercial software.  Guess what, they’re cloud services, known as TaaS:  Trojans as a Service.  Now, in all cases the phone had to be infected via a Phish in order to get the software installed, but he wouldn’t eliminate the possibility that the malware could be inserted remotely, either.  There are no commercially viable solutions available to prevent these kinds of attacks – we’re dependent on PEOPLE to NOT respond to a Phish.  You know those QR codes used by companies to so easily direct you to their website??  Be careful with those…

So I stumbled from that session to a session about implementing security in Agile/Scrum software development practices.  There were some key takeaways from this session, mostly to do with having a secure code baseline, doing dynamic testing, and training developers how to hack their own code.  To be honest I would have paid more attention if I wasn’t concerned that someone was hijacking my iPhone camera…

I then went to a session called “Privacy Reboot”.  Here’s the nickel tour:  Privacy is not dead (if it is dead, think of it like a cat who has not yet exhausted all nine lives), it is simply being reworked and has not yet stabilized in the latest technology environment (aka Social Media). 

Now, I know that at this point you are feeling sorry for me for having to sit through all this stuff…  so I will remind you that I spent lunchtime sitting in the SUN (I couldn’t resist rubbing that in).

The keynotes seem to be getting (mostly) better as the week progresses.  This afternoon, we started with Peter Sims, who has written a book called “Little Bets”.  This is a book about innovation (not security) and about how we should take lots of small, low risk actions rather than waiting for a Big Bang success.  Beethoven did it, Pixar did it, and even comedians do it.  We have to allow for, and be comfortable with, failure – to go “from suck to non-suck”.  At Pixar, they avoid the HIPPO effect (the Highest Paid Person’s Opinion counts) by implementing “Plussing”.  That is, you don’t immediately dismiss an idea; instead, you say “Yes, and…” and then “What if…?”  I know, that is as clear as mud.  Get the book.

Two VPs (one was a woman even!!) from Cisco then did a presentation about the “Internet of Things” (IoT – see my post about your fridge attacking you for more info on this).  Here’s the gist of the presentation – all these “things” are now internet-connected, and internet-aware.  This connects people, process and data in new and interesting ways (think of how OnStar works in your car, for example).  The IoT will PERSONALIZE the internet.  So, for Security, we need to get visibility to all these devices and networks and data and identities, we need to have real-time threat analysis, and we need the ability to act on that analysis in real time.  Not surprisingly, the industry is a bit short on talent right now…  They also suggested that we have to ASSUME COMPROMISE, and have things PROVE THEY ARE TRUSTWORTHY.

Kevin Mandia, of Mandiant-the-Chinese-are-attacking-us fame, presented his 2014 report.  In summary:

– There are no risks or repercussions to cyber-actors

– Future conflicts will have a cyber component

– Cyber-actors target people as an attack surface – this makes Security a decentralized problem

– The “theatre of war” is asymmetrical – offense develops faster than defense, and defenders have to defend EVERYTHING

– Cyber crime is the only crime where the victim has to apologize for being a victim

– The risk of disclosure of a breach is very high (more than the risk of the breach itself)

– Security awareness erodes in an organization over time after a breach (“vigilance fatigue”) and the bad guys adjust

– The goal of Security, then, is to eliminate the impact of a breach, and shorten the time from alert to when it is fixed.


Lastly, Scott Harrison did a fabulous presentation on the creation of Charity: Water.  He is not a Security dude; he runs this non-profit with a goal of getting clean water to communities world-wide.  More explicitly, to get access to clean water to 100 million people in the next 10 years.  Did you know that for every $1 spent on clean water, it returns $4 to $12 in economic benefit?  You can check it out at  – really, really amazing stuff.

Tomorrow is the last day of the conference.  I hope there isn’t anything else new to scare me.


RSA Conference: Day 3

Today began with a discussion on Boomers, Gen Xers, Millennials and Gen-Zers.  You know who you are. 

The point was, if we’re going to reach them in training and awareness for security, we have to know how they think, and how they consume information, and tailor our stuff appropriately.  It was a fun session, with a lot of your usual psychology stuff

– Boomers = Kennedy, Vietnam, Moon Landing, etc

– Gen Xers = Challenger disaster, MTV, End of Cold War, Latchkey kids

– Millennials = Columbine, 9/11, and Facebook

Here was the funny thing – Millennials think they know security really well – better than the Boomers rate themselves.  But, they are 15% more likely to have been breached.  Overconfident?  Perhaps.  As a university CISO, I was interested in knowing how to get Millennials to care about security and privacy – but in general they just don’t.  So, focusing on the fact that the UNIVERSITY cares about the data they manage is where we have to focus our training efforts.  For everyone else, we can just tell them what they have to do. (OK, not really).

From there I listened in on a presentation about Insider Threats, and how to programmatically address this.  In this sense, Insiders are malicious, not accidentally careless.  HR, Legal – we’re coming for you  🙂  Actually, we need great partnership with HR and Legal to identify likely scenarios and triggers for “insider” behavior, so we can QUICKLY triage incidents.  Note the golden 30 day window – insiders are disproportionately more likely to do something nefarious between the time they resign and the time they actually leave.  Of course, most people DON’T do something creepy – but should the university keep an eye out for this?
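One way to turn the HR partnership and the notice-period trigger into something triage-able, as an added example that is not from the session or this post: join an HR feed of resignation and last-working-day dates against file-access logs, and surface only the days where a user inside that window downloads well above their own baseline or shares data externally. The HR records, the baseline figures, the log format and the 3x-baseline threshold are all constructed assumptions for illustration.

```python
"""Triage file-access activity for users in their resignation notice period.

Added example, not from the RSA session or the blog post. The HR feed, the
per-user baselines, the log line format and the threshold factor are
constructed assumptions, not data from the page.
"""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR feed: user -> (resignation date, last working day).
HR_NOTICES = {
    "jdoe": (date(2014, 2, 3), date(2014, 3, 4)),
}

# Constructed per-user daily download baseline in MB (assumed to be derived
# from the preceding weeks of normal activity; here it is simply given).
BASELINE_MB = {"jdoe": 40.0, "asmith": 40.0}

# Constructed access log: timestamp|user|action|resource|megabytes
LOG = """\
2014-02-10T09:12:00|jdoe|download|research/grant-data.xlsx|12.5
2014-02-10T18:40:00|jdoe|download|research/all-subjects.zip|180.0
2014-02-10T18:42:00|jdoe|share_external|research/all-subjects.zip|0
2014-02-11T10:05:00|asmith|download|research/all-subjects.zip|180.0
2014-01-20T11:00:00|jdoe|download|research/old-notes.pdf|150.0
"""


def parse(line):
    """Split one pipe-delimited log line into typed fields."""
    ts, user, action, resource, mb = line.split("|")
    return datetime.fromisoformat(ts), user, action, resource, float(mb)


def in_notice_period(user, when):
    """True only between resignation and last working day (inclusive)."""
    window = HR_NOTICES.get(user)
    return window is not None and window[0] <= when.date() <= window[1]


def triage(log_text, baseline_factor=3.0):
    """Return [(user, day, [reasons])] for notice-period users whose daily
    activity warrants a quick look. Everyone outside the window is ignored
    here; that is the 'elevated scrutiny only during notice' design choice."""
    daily_mb = defaultdict(float)       # (user, day) -> MB downloaded
    external = defaultdict(list)        # (user, day) -> resources shared out
    for line in log_text.splitlines():
        ts, user, action, resource, mb = parse(line)
        if not in_notice_period(user, ts):
            continue
        key = (user, ts.date())
        if action == "download":
            daily_mb[key] += mb
        elif action == "share_external":
            external[key].append(resource)

    findings = []
    for user, day in sorted(set(daily_mb) | set(external)):
        reasons = []
        total = daily_mb.get((user, day), 0.0)
        baseline = BASELINE_MB.get(user, float("inf"))  # unknown baseline: never flag on volume
        if total > baseline_factor * baseline:
            reasons.append(f"downloaded {total:.1f} MB vs baseline {baseline:.1f} MB/day")
        for res in external.get((user, day), []):
            reasons.append(f"shared {res} externally")
        if reasons:
            findings.append((user, day, reasons))
    return findings


if __name__ == "__main__":
    for user, day, reasons in triage(LOG):
        print(f"{day} {user}: " + "; ".join(reasons))
```

In the constructed data, asmith's identical large download is not flagged because asmith is not in a notice window, and jdoe's January download predates the resignation; only jdoe's 10 February activity comes out, with two reasons attached so the analyst knows why it surfaced.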

I then dragged my tired mind over to a panel discussion on letting users “go rogue” using cloud services.  No real new stuff there.  No surprise, folks are using cloud services (the average company uses 395 vendors today – I can only imagine the exponential OSU numbers).  The goal here is to enable secure cloud usage, not to prevent it from happening.  We also need to orchestrate HOW we use cloud services – we can get pretty inefficient pretty quickly without some air traffic control.  Even for all the support of people using cloud, none of the panelists want “Crown Jewels” to be there – some things (like the Coke recipe – yes, really) don’t belong in the cloud.

Of the five keynote speakers today, only some are worth mentioning.

First, James Comey, our new FBI Director, spoke about the need for the FBI and private industry to support one another.  We need to share information quickly and routinely, at the speed of computers, not the speed of humans.  His presentation was well received, and he comes from private industry where he ran Security teams (he’s a lawyer, actually), so he’s been on both sides of the political fence.

Art Gilliland from HP threw out some interesting statistics:

– We collectively, as an industry, spend $46B (yes, Billion) a year on Security. 

– We’re seeing 20% increases in breaches year over year

– A single breach costs 30% more this year than last year, on average (pity the Universities of Maryland and Indiana…)

– Statistically, we’ll get better bang for our buck if we focus on people (training, analysis) and process (intelligence gathering), than on “silver bullet” tools.  No argument from me on this one.

The most interesting speaker of the day was 19-year-old Taylor Wilson.  He’s a nuclear scientist, and from the age of 10 (when he built a nuclear reactor in his garage) to now he has created nuclear material scanning devices and medical isotope scan tools, and is currently working on cheaper, safer nuclear reactors.  It is not a stretch to say that he is a Genius in Action, and he absolutely gives me hope for our future.  If I thought the Cryptographers were above my IQ paygrade, they’ve got NOTHING on this kid.  Yes, kid.  Millennial, actually.

Apart from the speakers, we also cruised the vendor halls today.  Some of our own vendors were there, of course, but there were also PLENTY of new vendors.  It was a bit like running the gauntlet to make it down an aisle without being accosted for our contact information.  I would also say that my unscientific poll shows more Michigan fans than Ohio ones at this particular event!

2 days left to go.  Let’s hope I’m still standing when it’s all over.

RSA Conference: Day 2

William Shatner beamed down to the Keynote session and sang (sort of) a really bad version of “Lucy In The Sky With Diamonds”.   Then, mercifully, he left.

Art Coviello, the Executive Chairman of RSA, gave the keynote speech, spending a lot of time discussing hacking, trust and morality.  With a lot of quoting of President Kennedy, he called on governments everywhere to renounce Cyber Weapons, Cooperate on International investigations and prosecutions of cyber criminals, ensure Internet Economics are “unfettered” and IP Rights are protected, and ensure privacy of Citizens.  A call to action, so to speak.

Scott Charney of Microsoft then reinforced this by suggesting that one of the reasons Security is such a tough field to work in is that there are no “norms” around acceptable internet/security use.  He called for the equivalent of the Geneva Convention, or the Hippocratic Oath, for the Government and other practitioners – to establish a “sense of proportionality”.

Nawaf Bitar from Juniper Networks then followed, urging all to “Be Truly Outraged” (“Liking a Cause on Facebook is not outrage”).  He insisted that we are complicit in the apathy around how governments, industry and users are allowing the Internet to be handled.  He urged us to take an Active defence to disrupt the economics of hacking.

Lastly, there was a cryptographer’s panel.  Four really really smart guys discussing the past, present and future of Cryptography.  Nothing new here, I didn’t think.  Of course, my ability to actually understand what was discussed was proportional to how far I could collectively throw the panel. 

Overall, an interesting morning.  The afternoon got better.

In a session titled “Securing the Big Data Ecosystem”, we were urged to take an IKEA model of security – Identify “sick” assets, Keep adequate records of asset problems, Evaluate assets daily, and Adapt until we see noted improvements.  Essentially, in big data, we will have too many things to take care of at once, so a high touch approach is not scalable or practical.  Instead, we should look for areas of leaks, tampering or loss events in “data lakes”, and focus on that until things improve, or we “kill it”.  We will need a lot of Intelligence Analysis to do this (good thing OSU does this well!).  The analogy was to treat the assets like “Cows, not Pets”.  hmmm…

In a session titled “Measuring Change in Human Behavior”, Lance Spitzner from SANS reminded us that we should focus on a few key behaviors we want to change, instead of boiling the metrics ocean, and our training/awareness efforts should be measurable, repeatable and actionable. is a place to start.  Yup.

Then there was a panel discussing “How to Sleep Soundly with your data in the Cloud”.  In short, they suggested we “bring our own security to the cloud”.  Okay….  not helping me sleep soundly, guys.   The elephant in the room was named as “okay, so you get comfortable with your cloud vendor – but what about the vendors THEY use?”  Frankly, I’ve already lost enough sleep to worry about that right now!

To take away something more personal, I attended the session titled “Monitoring and Filtering your Child’s Web Use”.  Comforting to know (not) that kids today have so many connections to the Internet that there is no real effective way to monitor kids use unless you’re a highly techy security geek who applies work controls to your own house (who would do that!!).  Ethics of monitoring kids use to this degree was not discussed.  Oh, and there isn’t much out there to review Chat and Peer-to-peer sessions (one lady suggested using a keystroke logger).  The session should have been titled “There are no Parental Controls”.

Running from session to session is starting to make my head hurt.  But, there are useful snippets in each session to make it worth it.  Hard to believe it’s only Tuesday….



RSA Conference: Day 1

This conference is enormous!  That doesn’t make it great (not yet, anyway), but there is certainly a lot to see and do.

Getting my feet wet, I spent the morning in a 3 hour session titled “Surviving As A Security Leader”:

We discussed “making Regulations and Audits work for you”.  Key takeaway:  don’t expect an auditor to know more about your space than you do (if so, you should consider a different career…) – so in the Audit planning process you should partner with Audit to help them understand the technology and the control/risk environment you work in.  RISK-RELEVANT FINDINGS SHOULD BE THE MUTUAL GOAL of an audit – they are partners to help us do our jobs better!

We then discussed Security/Risk leadership – we need to lead participatively, to get buy in and reduce resistance.  We also need to develop others in the organization to be security leaders – even when they are not in the business of security.  Motherhood and apple pie, right?

Then, there was a panel of ex-CISOs talking about being a CISO.  The main skill?  Influencing without direct authority.  The primary focus?  Basic IT blocking and tackling – configuration management, change management, asset management, etc. etc.  Think ITIL…   The most valuable thing?  Understanding the business: goals, objectives, motivations, stressors.  To know how security supports the business is to make Security relevant and useful.  The most depressing thing?  Not one of the ex-CISOs on the panel wants to be a CISO anymore.  The function was self-described as a “high burn-out position”.  Hmmm….

Lastly, in the morning session we discussed Boardroom presentations.  Not necessarily Security-specific, but interesting nonetheless.  Fun fact:  ROI can also mean “Risk of Incarceration”.

In the afternoon, the session turned to Risk Management and Operational Resiliency Frameworks.  Really bad topics for the “first after lunch” spot.  Key takeaway?  Most Risk Managers are really bad at estimating risk…  how to fix this?  Get Risk Calibration training for Risk Analysts.  Oh, and scrap ratings of High, Medium and Low and use real numbers to quantify orders of magnitude when evaluating risk.  You can check out the Society of Information Risk Analysts. 
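To show what “real numbers to quantify orders of magnitude” looks like in practice, here is an added example that is not from the session or this post: each risk gets a frequency range (events per year) and a loss range (dollars per event) instead of a label, and the annualized loss exposure is reported as a low/point/high band, with the point estimate taken as the geometric mean (the midpoint on a log scale). The three risks, their ranges and the original High/Medium labels are constructed sample values.

```python
"""Order-of-magnitude risk quantification in place of High/Medium/Low.

Added example, not from the RSA session or the blog post. The risks, ranges
and qualitative labels below are constructed sample values for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    qualitative: str    # the label an analyst would have given before calibration
    freq_low: float     # events per year, low end of the calibrated range
    freq_high: float    # events per year, high end
    loss_low: float     # dollars per event, low end
    loss_high: float    # dollars per event, high end


def geo_mean(low, high):
    """Midpoint of a range on a log scale; the natural 'point' for an
    order-of-magnitude estimate (the arithmetic mean is dragged to the top)."""
    if low <= 0 or high < low:
        raise ValueError("range must be positive and ordered")
    return math.sqrt(low * high)


def exposure(r):
    """Annualized loss exposure band (low, point, high) in dollars per year."""
    low = r.freq_low * r.loss_low
    high = r.freq_high * r.loss_high
    return low, geo_mean(low, high), high


def order_of_magnitude(dollars):
    """Exponent of 10 for a dollar figure, e.g. 250,000 -> 5."""
    return int(math.floor(math.log10(dollars)))


def rank(risks):
    """Highest point-estimate exposure first; this is the order a budget
    discussion should follow, whatever the old labels said."""
    return sorted(risks, key=lambda r: exposure(r)[1], reverse=True)


def summarize(risks):
    """One row per risk: (name, old label, low, point, high, magnitude)."""
    rows = []
    for r in rank(risks):
        low, point, high = exposure(r)
        rows.append((r.name, r.qualitative, low, point, high, order_of_magnitude(point)))
    return rows


# Constructed sample register (values are illustrative, not from the page).
SAMPLE = [
    Risk("phishing-led account takeover", "High", 1, 10, 2_000, 20_000),
    Risk("research data server breach", "High", 0.1, 1, 500_000, 5_000_000),
    Risk("lost unencrypted laptop", "Medium", 1, 10, 10_000, 100_000),
]


if __name__ == "__main__":
    for name, label, low, point, high, oom in summarize(SAMPLE):
        print(f"{name:32} {label:6} ${low:>12,.0f} ${point:>12,.0f} ${high:>12,.0f}  10^{oom}")
```

Run on the sample register, the two risks both labelled “High” sit more than an order of magnitude apart, and the “Medium” laptop risk comes out ahead of the “High” phishing risk. That mis-ordering is exactly what the labels hide and the calibrated ranges expose.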

For Operational Resiliency, we heard from Carnegie Mellon and, and how being operationally resilient means you’re like a Slinky – you can snap back into shape during and after an incident.  Another fun fact:  The average age of a Script Kiddie (you can google the term) is 10.  Ten!  (Editorial:  It’s time for our elementary and high schools to be teaching software coding so we can teach them how to do things well…)

So, as you can see, the topics are varied, broad, and for geeks like me, interesting.  Tomorrow is the real kickoff of the conference, so I’m looking forward to sharing more then. 

Sleep Well!



RSA Conference – the Big, the Bad, and (quite possibly) the Ugly

This week marks the 2014 RSA Security Conference – for those not immersed in all things Security, this conference is probably the biggest in the world, with 300+ sessions and 21 learning tracks and 350 exhibitors, etc, etc.

It will be my first time attending this conference, so I’ll be sharing my insights and reflections as the week progresses.  It promises to be interesting:

– The Keynote speakers range from the Head of the FBI, to Stephen Colbert (Security = “truthiness”)

– Some regular presenters are boycotting the conference because EMC, the parent company of RSA, works with the NSA on various cyber intelligence initiatives, which some people are quite upset about

– The Chief Information Security Officer track offers classes titled with alarming adjectives like “survival”, “get no respect” and other things that indicate a lot of doubt and frustration…

– Being Security, topics tend towards the militaristic “Cyber Battlefield: The future of Conflict” or “Foreign Spies and Facebook: The Undeniable Truth” (no one said we weren’t a bit dramatic)

This is a 5 day conference – so I fully expect my head to explode before the week is out.  I will share all this, this week.

Wish me luck…