Wednesday, April 18, 2018

SF Cybertalks


Monday (16 Apr, 2018) a co-worker and I attended Cyberscoop's "SF Cybertalks", one of many events associated with the RSA conference week down in San Francisco.  I was attending to take my rightful place among the cybersecurity elite after passing my GPEN exam and to hobnob with the bigwigs.  I'm not sure why my co-worker was there; probably because it was free and they were giving us breakfast and lunch.

The talks began at 0830, after a delicious FREE breakfast of bacon and pineapple, with a keynote by Jeanette Manfra of DHS.  Her talk was called "How (Cyber)Defense Can Win Championships."  The basic points of the talk were:

a) We need to increase baseline security by better understanding systemic risk, identifying national critical functions, and using that information to disrupt threat actors' ability to operate and degrade their operations.  This narrows the attack space in which threats can operate.
b) We need to start pushing vendors toward more secure solutions through purchasing power and procurement practices.
c) Organizations need to stop chasing phantom threats.  For most organizations nation-state hackers are not a real concern; use data to identify what is.
d) Information sharing among peers needs to become a priority (e.g. ISACs).

Next, after a delicious cup of coffee (not the recycled pig water we get at work), Amit Yoran, CEO of Tenable, talked about "Making Cybersecurity Suck Less".  The basic takeaway here was that IoT is going to force major changes on the enterprise, which security is not embracing.  This is causing security to be viewed as an impediment, not a partner.  The way to deal with this is not by standing in the way but by:

a) doing the basics well (CIS Top 5) (pay attention, this stuff comes up again),
b) PATCHING,
c) MFA ("if you aren't doing MFA you aren't doing security"), and
d) continuous monitoring / incident response.

At this point I think I insulted the venture capitalist I was sitting next to by saying that VCs needed to stop investing in new products, we have enough of those, and start investing in innovative workforce development.  He took it in pretty good humor though and invited my co-worker and me to a cocktail party later that evening.  We had to decline because of our flight back to Portland.

Next there was a fireside chat regarding North Korea's Hack Mindset.  The gist: North Korea isn't crazy, despite what we may think.  Their cyber-operations and nuclear programs are designed to level the playing field against the greater powers and to serve as revenue generators / sanction evasion tools, as well as to keep the Kim regime in power.

Adam Hickey of DOJ talked about "Privacy and National Security" next, basically a rehash of the 2016 election interference issues.

Galina Antova of Claroty, Lesley Carhart of Dragos, and Edgard Capdevielle of Nozomi talked about "The Growing Need to Protect the Grid".  This was another recap: yes, we are under attack, but active monitoring / active defense can help mitigate.  This was the talk I was most interested in, so I was hoping for a little bit more.  (Don't get me wrong, it was a good talk and I enjoyed it; I was just hoping for a little more new information / perspective.)

Another fireside chat, this time with Marianne Bailey of NSA and Essye Miller, CISO / SISO for DoD.  This centered around DoD's growing bug bounty programs and efforts to get more women into cybersecurity.

Networking break: I spent 15 minutes talking to the Chief Marketing Officer for Nozomi Networks, mainly about the general direction of cybersecurity and about the demo of Nozomi products I had seen while at the SANS ICS Summit.

"Cyber View from the White House" was canceled after Rob Joyce's sudden decision to resign as Homeland Security Adviser and return to the NSA.

Election Security panel: honestly I kind of tuned out and was talking to one of the journalists next to me.  (I should have mentioned that my co-worker and I got there early and grabbed seats at what I think was a VIP table.)

GDPR panel: this was more a discussion of how GDPR would affect Google and Facebook than an actual discussion of the regulation.  Lisa Hawke, the lawyer on the panel, kicked butt.  If I ever need representation I am calling her.  "'Too big to comply' is not acceptable to regulators."

Donna Dodson of NIST and Stina Ehrensvard of Yubico discussed the difficulties in driving MFA acceptance in a panel called "10 percent is too little: Time to pay attention to two-factor authentication".  The consensus seemed to be that a lack of open standards, a lack of incentives, and a lack of ease of use are hindering adoption.  I would add poor vendor support and always having to have my phone with me.

Last talk of the day: Scott Smith, Asst. Director of the FBI Cyber Division, on the Cyber Threat Landscape, the FBI's perspective:

a) 80% of breaches can be prevented by regular, verified PATCHING
b) MFA is critical
c) Do the Top 5 of the CIS Top 20 Controls (told you this stuff would make a reappearance)
d) Develop a top-down security culture

Cyber 9/11 is ongoing, with an increase in the frequency and sophistication of attacks.
