Wednesday, April 28, 2010

Source Boston 2010 Conference Notes

Here is my delayed account of the awesomeness of Source Boston 2010. Did I mention the event was awesome? Yup, it was indeed. Awesome.
So, here is Source 2010 conference day by day.
Day 1 started with the Andy Purdy keynote, which was ...shall we say... “not bad.” Since keynotes at security conferences usually suck (with a few notable exceptions), “not bad” is actually a pretty good rating. For example, he complained about how many meetings in DC are about “the need for data sharing” and then called for more data sharing himself :-) Ooops!
The next very fun thing was a start-up panel with two parts, one with startup entrepreneurs (including Loggly) and the second with VCs. It is quite hard to summarize since the discussion floated from subject to subject; watch the video when it comes out. “Secure cloud enablement” was mentioned as something they would fund, while “mobile security” produced a passionate “forget it.” Better endpoint protection was also mentioned, as “AV is in crisis.” Other hot (fundable?) topics mentioned were “data-focused security,” cloud (surprise!), the next wave of privacy for consumers (an actual surprise for me), “secure data anywhere,” etc.
I asked a question about SMBs: will VCs favor a security solution that is aimed at enterprises over one for SMBs? They did say that while “SMBs are harder to reach,” “‘SMB security’ is largely a green field.” They also said that the “SMB game” is more business model innovation than technology innovation, and the winner is determined by “who owns the channel” and who does more “creative selling” rather than by who is more “hard core” technically.
At one point in the panel, Josh tossed his favorite curveball about PCI DSS and “compliance culture.” The esteemed VC panel members were actually negative on PCI. The panelists blamed PCI for the “PCI as a ceiling” mindset, saying that many organizations “achieve PCI” and then do no more security, which results in a “false sense of security.” They only praised PCI for raising awareness of information security. My guess is that VCs would like people to buy shiny new toys, while PCI DSS prescribes the use of “boring” but effective “old toys,” aka security basics. PCI’s focus on the basics is definitely abhorred by a lot of “discretionary purchase” security vendors as well.
The end of the day was a mentor panel. I somehow thought that more people would show up there, even if just to watch @SecBarbie perform :-). The topics discussed were related to security career development, certifications, written goals, finding mentors in security, building your personal brand, the importance of hands-on work, etc. I wish Source would somehow make this mentorship idea permanent and ongoing...

UPDATE: I don't know how, but I missed Andrew's “Failagain's Island - The Perils of Banking in an Island Nation” talk, which was fun as well, even though it suffered from a lack of details. In any case, it makes sense to be on the lookout for some island bank 0wnage...

During Day 2, I loved Alex Stamos’s presentation on cloud security architecture, “Securely Moving Your Business into the Cloud.” I will just not do it justice by retelling it here; try to get the slides or even the video if/when they get posted. He spoke, for example, about how cloud deployment makes a flat architecture superior to a traditional on-prem 3-tier architecture in terms of both security and performance.
Obviously, the “Too Many Cooks Spoil The Broth: How Compliance Regulations Get Made” compliance panel was impressive as well. And the huge-but-cute face hanging over the entire audience made me even more skeptical about ISO ever producing a vulnerability disclosure standard :-)
Max Kilger from the Honeynet Project did an awesome presentation called “Motivations and Objectives That Are Shaping Emerging and Future Information Security Threats.” On top of a few gems like “Russia steals our money, China steals our future” and “For the first time in history a single individual can affect the entire country” [by using the Internet for attacks], the presentation was insightful since it connected the technical world of attacks with the cultural profiles of the attackers. More highlights of his talk are here.
Finally, our PCI presentation (slides) and the subsequent PCI book signing went really well. We did get praise for managing to “make PCI compliance ... fun,” which totally made my day :-)
Among the other highlights of the day, I liked Rich’s “Involuntary Case Studies in Data Breaches” (even though I missed a piece of it). As is typical for Rich, he was very insightful, and again reminded everybody that incident response is the only thing that you can ever hope to “get right” (likely, you’d screw up both prevention and detection, but please don’t screw up the response!).
On Day 3, somehow I had high hopes for the keynote by Sam Currey, but it was again “not bad.” A lot of his stuff was well-known facts packaged together in an interesting way, and I liked the bit about how regulations evolve and more than a few others. Skim the video when it comes out; it is worth it.
The biggest disappointment was that Amit Yoran’s “Security Sucks” speech was cancelled. I cannot believe he “got volcanoed” while flying from DC to Boston :-)
Among the usually great hallway conversations, there was one curious discussion about the level of diligence in PCI assessments. Is the diligence of a routine QSA assessment any different from that of the “replacement QSA” assessment after a massive breach (e.g. was Heartland’s first QSA less diligent than the second)? This debate had to do with the claim that “no breached company was compliant during the breach” [so far], which I find reasonable and most people find offensive [since they equate this with retroactive PCI pulling... which it is not!].
The usual “security con rumor central” produced such gems as “after you travel to China with your mobile device, company X mandates that you toss the device into a nice bucket of cold water” and “no less than 10% of all iPhone apps are 0wned.” Rumors come... rumors go.
Grab the conference slides here (more are being added as we speak). Grab ours (Branden’s and mine) here.
For live coverage, as usual, check hashtag #sourceboston. BTW, other accounts of the event can be found here and here.
BTW, I have started highlighting the key points to make this blog even more useful for even busier people. Let me know if you like it or not!

Dr Anton Chuvakin