Tag Archives: rsa

Post RSA musings

So it finally happened – I’ve had my first RSA in 9 years.

And what an experience. Suffice to say that I ended that week with no voice, a bad back, and minimally functioning knees, but given the premise of the show I’d peg is as a huge success.

First – having BSides to catch up with friends and colleagues was a perfect beginning to the week (not to mention the weekend in Napa right before – thanks for having me, Tenable!). There still is a huge value that I see in BSides, and BSidesSF specifically. Albeit the great venue (thanks OpenDNS), some more hallway-con was sorely missed. Be it the way the venue is laid out (preventing from more active/vocal discussions from happening other than outside), or the decision to run a dry venue (not even bring your own alcohol), I’d want to see how peer-engagement gets more focus there.

Second – the ability to “hack” RSA from a technical person’s perspective, and yes, I still consider myself somewhat technical, regardless of my ability to don on a suite and behave like a business guy. Which is sort of what hacking RSA is… It was intriguing having interactions with people outside of the echo-chamber (aka infosec) who deal with security and having them take a preconceived notion of me as a sales person. Or with those who gravitated to me as “I needed to talk to someone who is technical” – probably after snooping around a bit and choosing their approach based on existing conversations 😉

Last (and I saved the downer for here) – the show floor. After getting over the sheer size of the convention (no worries – BlackHat has a way to go until it becomes an RSA), I had my expectations adjusted a bit. Walking through the halls, you get into a realization that a lot of the companies showing there (especially the south hall) should probably have no reason to exist. The same regurgitation of “threat intelligence”, “endpoint protection” (i.e. APT, 0day, etc…), and your usual “trust me, I’m an engineer” approaches, were becoming comical to a point where I’d need to keep my gaze pointed far away and ignore the noise while walking around. I truly expected to see some new innovative approaches to security, and companies who would break out of the circle-jerk of security vendors. Unfortunately I didn’t see many, the reason for which I can’t really put my finger on (maybe the cost of entry to RSA?).

Overall, a great experience (and yes – lots of new business too), so yes, I believe my #notatrsa streak has come to an end. Or maybe I’m just getting old 😉

2015-04-21 15.57.44

Yes – you can engage with other evangelists at RSA! (and what seemed like a weird obsession – collect truckloads of branded t-shirts and vendor giveaways).

Defense through Offense, and how APT fits there

I’m guessing that having “APT” in anything that goes outside for public consumption these days is mandatory, but this post actually has a good reason to do so. If you look back just one post in the past, we were discussing the new initiative to define “Penetration Testing”. The post, and the proposed standard itself really take a good look at what organizations need, and how to address such needs from a practical point of view, rather than from a compliance or a “check-box ticking” perspective.

For me this is one of the things that the security industry has done a great disservice to. It is exactly why companies are announcing that for every time they get breached, it was an advanced attack. An attack so sophisticated, that managed to stay persistent in their network and exfiltrate lots of sensitive information, that no reasonable control could have prevented or detected it. The all dreaded “APT”.

However, if you take a look at how organizations prepare themselves for such attacks you may find yourself staring at a blank page. Since regulatory compliance dictates a very basic “box checking” methodology for a very narrow and specific aspect of information security, and the product vendors on the other hand provide solutions that are “compliance oriented”, organizations are left with a very weak defense mechanisms. This is without even mentioning the biggest security gap in most organizations – the employees.

The lack of self-testing, of a real-world simulation of what an attack would look like, and how the organization would cope with, hinders most organizations from putting reasonable defenses in place. The lack of proper training, awareness campaigns, and exercises that stress out the human factor as well are leading us to a situation where even simple attacks that utilize off-the-shelf (and even FREE) attack tools, manage to go through an organizations control mechanisms with aggravating ease.

I’m looking back at what the penetration testing execution standard defines for its basic testing methodology, and I can clearly see how every element of the recent “APT” attacks would have been simulated, and probably in a more rigorous scenario. Such a test would have clearly left the tested organization with a roadmap that would bring it to a much higher security standard. And that’s the power of testing – of understanding the adversary’s techniques and strategies, and running exercises that reflect them in order to identify security gaps and close them as efficiently as possible. And yes – that also (and perhaps mainly) applies to human related processes and policies rather than just to technology.

So to sum things up – you may be compliant, but do not think for a moment that this compliance has anything to do with the security of your information. Until regulatory compliance does not mandate proper security testing in order to protect the data in question, such compliance is only going to hinder your “security vision”. Get proper testing, set up an internal team that would be responsible for understanding the threat communities you are dealing with (or hire an external one ), and make sure you set yourself a goal to have an unbiased understanding of what your gaps are and how well you can face a standard attack (yes – the same standard attack that you are going to call an “APT” if it would hit you unprepared).