
RSA Conference 2015 Highlights

The RSA conference kicked butt, although the word on the street is that Blackhat and DEF CON are actually ten times cooler...we shall see...

BUT...having said that-an infosec conference is an infosec conference and hey-I'm just glad to be there :)

I went all five days, all day each day and it was definitely worth the time and effort to get there. Some highlights:

Day 1-Monday April 20: I went to the CSA Summit on Cloud Security in the morning, and the IAPP's seminar on Privacy in the afternoon. The CSA Summit was pretty good. I took a lot of notes and got some good insights. If I had to do it over, I still would have picked it. The Privacy Seminar was also very good, although Sagi Leizerov's talk blew all the other ones out of the water! (He was imploring the industry to automate privacy controls, and as someone who finds automation the only cool thing about DevOps, I was definitely interested in that.)

Day 2-Tuesday April 21: The unwashed masses (read: us Explorer Expo badge holders ;) weren't allowed into anything that started before 11am, so I got to sleep in and have a nicer commute that morning. I went to a lot of lectures, but the good ones were:

-"Hacking the CEO: Ninja Mind Tricks to Get More Security $$$$s" I went to this because IMO, IT (and by extension, InfoSec) has become such an integral part of the business that as an IT professional, you can't afford NOT to know how to speak the language of the business, maybe talk to a Board, and otherwise align your IT/InfoSec goals with the goals of the business. (The end was funny-based on the questions I asked, someone later came up to me thinking I was a C-level exec and trying to pitch their product. I had to gently correct the misunderstanding :)

-"Evasive Malware Exposed and Deconstructed" This talk was excellent-at first, he was speaking kinda vaguely, and I was worried maybe the talk was going to be over my head, but then he went into the nitty-gritty of how malware inserts itself into the kernel and spawns threads, and then I was able to follow him fine. Phew :)

-"How to Become A World-Class CISO" I have no plans to become a CISO anytime soon, but I thought having a look at how CISOs approach things would only help me. I also am currently job-hunting, and the blurb on the talk mentioned that it would discuss career strategies for CISOs and I thought "Hey, whatever they're doing must be pretty high-octane, so imagine how much better it'd probably work for me." I was not disappointed.

Day 3-Wednesday, April 22: The good stuff was:

-"State of CyberSecurity: 2015 Findings and Implications" This was good and the biggest eye-opener for me was how few companies have confidence in their security people. That to me is kinda sad, and makes me wonder where the expectation mismatch is happening.

-"Major Cybercrime Innovations of the Last 12 Months" This was pretty interesting. I waited to meet the speaker afterward and thanked him for a great talk.

-At about 1-2ish, I spent the rest of the day at the Expo areas. I had some schedule conflicts and I had to decide whether I was going to spend time at the expo area networking with companies looking to hire or do the SANS NetWars. I opted to go with the networking, even though it felt really weird to go to an InfoSec conference and not do any CTF-type stuff.

Day 4-Thursday, April 23: At this point, the early commute was definitely catching up with me (I was getting up at 4:15am to beat the traffic) so things were starting to blur together...but the biggest thing on Thursday:

-"Active Response: Automated Risk Reduction or Manual Action?" IMO, this was easily one of the best talks at the conference. Among other things, Monzy Merza outlined when it's best to have a person do a task, and when it's best to have it automated. Really good stuff. I noticed he doesn't have much of a Twitter account, which is a shame, because he had a clarity about the security industry that I felt was missing from the vast majority of the other speakers.

Day 5-Friday, April 24

This day was just the ISC2's teaser trainings and Alec Baldwin's keynote. I went to the secure coding training, but it was..okaaayy... because we seemed to talk more about the idea of "secure coding", instead of how to securely code. So in other words, it was kinda like, "let's talk about the problem" instead of "let's talk about concrete ways to solve said problem". I kinda regretted not going to the other training, the one that was more focused towards InfoSec management, but oh well. Live and learn.

As for my initial plans for the conference: I got to visit Cisco's booth and ended up meeting a guy that apparently was pretty high up in the development for Snort, I believe (I'm actually not sure who he was exactly, but he was a bigshot of some sort :), so I talked to him a bit about my background and asked for tips on what companies are looking for and what I'd need to learn and do to be a good InfoSec professional. (I already had my own plans and ideas, but it's always best to get advice from others more experienced than you). I also had a lot of fun doing the CSI Digital Crime Lab Sandbox and networked with a lot of people. I didn't get to go to any Bruce Schneier talks or meet him, but that's ok (I also found out that Brian Krebs at one point was there signing books-he would have been another cool person to meet, but oh well...) I also played a really fun game at the Synercomm booth-basically you had a brief amount of time (something like 2-4 minutes) to open a case, find and use the correct key to open a box, listen to a phone play a marketing jingle, then use that to decode and open a device that contained a scroll. The scroll had numbers on it, and you had to figure out what the numerical pattern was and predict the next few numbers in the sequence to get to the next level. I thought it was in binary, but it wasn't, so that's where I had to stop, as the timer kept running out. (I actually played this game about 3-4 times...no kidding >_<)

So all in all, it was my first security conference, so how could it not be good? It was great to be there, I took a ton of notes and learned a lot and I met a lot of great people. :D

© 2015 Gloria Silveira.