Skip to main content

Posts

FIRST Conference 2018 - Review (Kuala Lumpur Edition)

As apart of my new job, my employer is seeking to gain FIRST membership later this year. To support that goal, I was asked to attend the 30th FIRST Conference in Kuala Lumpur. For the travel weary, this is not a trip to take lightly. For me it was 3 flights and 28 hours total of travel just to arrive. I do have to say, the conference venue, the Shangri-La hotel is absolutely fabulous. Very nice, clean, and ultra courteous staff. The swag bag I was given at registration was also very nice, including 3 shirts, challenge coin, notebook, mini first aid kit, and a pretty decent backpack. I also have to say the lunch options for the conference are vastly superior to anything I have ever experienced. SANS and Blackhat could learn a few things. For a 5 day conference, you get a much greater value here.


If you are interested in jumping straight the slides you can visit here.
OpeningThe conference was kicked off on Day 1 by Thomas Schreck (@shrekts) who gave out some interesting attendance statis…
Recent posts

Top 10 InfoSec Mistakes

This is my Top 10 list based on what common mistakes I am seeing, which may be completely different from what others are observing. Please share your experiences to see where there is overlap or uniqueness.


1) No CISO Left Behind Having a low performing CISO is in almost all cases a program killer. Not only is it bad for morale, it typically derails efforts to reduce risk and puts budget dollars on projects with very low ROI. One thing I have noticed is that C-levels and most BoDs are unable to adequately assess CISO performance. Its often only measured on personality and the pure luck of avoiding a public security breach. Conversely, many high performing CISOs get a raw deal when they experience a breach, yet have advanced the program further than any of their predecessors.
Recommend: Hold quarterly KPI reviews, including discussion of new KPIs at least annually. Maintain accountability of a CISO's time, specifically around time spent building their personal brand or with vendors…

The saga of Norse and an industry indictment

I first interacted with Norse and Sam Glines in 2013, when they were making the rounds in St. Louis pitching their product. They showed up to our office with 3 people and another person on the phone. They couldn't really answer any of my technical questions, but were pleasant enough. I knew right away though, they had nothing to offer me as leader of an IT security program at a then Fortune 500 energy company. Because they had an office in St. Louis and I was keen to see them succeed, I gave Sam advice to the effect that in their current form they were only replicating what Damballa had already done years earlier and much better. I told him they were too early and needed to establish an actual threat intelligence team with experienced, industry recognized analysts. I also recommended they focus on nation state versus the commodity type data they were collecting in the "deep, dark, web". No idea what he actually thought of this, but I'm going to go out on a limb and …

The People Problem - Part 1

Every new year begins with the best of intentions, and I am going to try to blog at least once a month in 2016. There was an absolutely fabulous post by Scott Roberts in January called Introduction to DFIR (http://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/) that I highly recommend reading. That along with my steadfast belief that being good at infosec is primarily dependent on people and not technology, has inspired my first blog post of the year.
More than anything, infosec is a problem caused by people that can only be effectively addressed by people. Whether it is coders introducing bugs, business leaders taking excessive cyber risks to accomplish near term business goals, or oblivious users clicking on links and attachments in phishing emails, it a people problem. To drive home this point, lets make an example. Based on the following organizational descriptions, which ones do you think are most secure and alternately which one would you want to work for.
Sta…

SANS DFIRSummit 2015

I was fortunate to have been able to attend both the DFIR Summit and the Forensic 508 course this year. It's been forever since I've been able to pick a training course, not tied to purchase of a product. I have always wanted to go to the summit, but it never worked out. Having heard good things about it, my expectations were high.



The Hilton venue itself was top notch. The rooms were updated and the conference space was very spacious, so it never felt crowded. It cost me $18 for an Uber, so it wasn't too far from the airport. The location 2 blocks from 6th street (aka Dirty 6th) was perfect. Every night there was tons of live music happening and lots of bars and restaurants to check out.

James Dunn from Sony kicked off the conference and unfortunately did not talk about the breach. He did however point out some great things about how orgs need to move beyond the Kill Chain. Most of what matters in crisis management happens after actions on objectives by the attacker. For …

The Growing Divide: InfoSec Practitioners vs. Climbers