Archive for the ‘Conferences’ Category

There’s been quite a bit of drama with regards to whether or not to boycott the RSA conference over a deal that the RSA security vendor had made with the NSA. I will not be rehashing it here.

What I will say is that I can respect individual decisions for principled reasons.

My own choice is also based on a calculus of my principles; I hope those who made a different choice can respect that.

I will be speaking at RSA – for a number of very nuanced reasons.

Of these, the clearest in my mind was simply this…

I research security to help people better defend themselves and things that matter.

Love or hate the RSA Conference, it is the annual heartbeat of the security industry and for many mainstream security professionals, this is their best chance to learn, challenge themselves and interact with the industry’s leading minds. I thought long and hard about all of the sides of this issue and decided that those most likely to be hurt by me boycotting were the very people I do this for.

Trust has been damaged on many fronts over the last year. I believe these issues cut to the core of the industry and our “community”. They will need hard discussion and debate – and I will be there to make sure that happens.

My Speaking Slots:

Both Sunday and Monday, February 23/24, 2:00 – 6:00 PM — BsidesSF at DNA Lounge 

“I am The Cavalry” @ #BSidesSF DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103

Our dependence on technology is growing faster than our ability to defend it. The Cavalry isn’t coming. It falls to us… While its roots come from many places, a key moment for the @iamthecavalry movement was my #BSidesSF closing keynote last year. One year later, we have a large and growing movement of security professionals focussed on having impact on security of consequence. As our focus converges on technologies with the potential to impact human life and public safety, come hear what we’re doing regarding Auto, Medical, Home Electronics, and Public Infrastructure. The full agenda for our 2 days of working session is posted at the BSidesSF Website.

I am The Cavalry

Tuesday, February 25, 8:00 AM PM – RSA USA – South “Viewing Point” in Gateway Halls – Keynote Commentary

“Expert” Commentary for Day 1 Keynotes

RSA is always experimenting. This year in the “Viewing Point” in Moscone South, folks can watch the Tuesday  keynotes with some running commentary and play by play analysis. I’ll be joined by Hugh Thompson and Wendy Nather for what should be a bit of fun and analysis, but will hopefully help to frame the discussions and the rest of the week.

Tuesday, February 25, 3:00 – 3:30 PM – RSA USA – North Room 134 – Speaker

Call in the Cavalry – WHY We Need The Cavalry and Why It Falls to Us

Our dependence on IT has grown faster than our ability to protect it. What was once our hobby became our profession, and now permeates every aspect of our lives. In this swarming internet of things, vulnerable, connected technologies now permeate every aspect of our lives. While our best and brightest struggle to defend our enterprises, no one is even thinking about our growing dependence and exposure. The sad news is… the cavalry isn’t coming – it falls to us. We must be the adults in the room. We must ready ourselves to be ambassadors of technical literacy and the voice of reason. We have to be better… and we will be… starting now.

Much of RSA Conference is about protecting your enterprise. We are very pleased that RSA acknowledged the need also focus our best and brightest on security for the internet of things. My Tuesday “WHY the Cavalry” talk is the first of three 30 minute Cavalry talks at RSA. On Wednesday, Nicholas Percoco will explain WHAT the Cavalry must lead. On Thursday Katie Moussouris will outline HOW the Cavalry will affect change. All three #RSAC Cavalry talks are listed here.  Also, come talk about the mission at out booth in the Sandbox:

  • Tuesday 1:00-5:00pm
  • Wednesday 8:30am – 1:00pm
  • Thursday 8:30am – 1:00pm
Wednesday, February 26, 10:40 – 11:40 AM – RSA USA – West Room 2014 – Panelist

ASEC-W03 – DevOps/Security Myths Debunked

As DevOps has become more popular a lot of myths have arisen with regards to security and many opponents claiming that you can’t do security in a DevOps environment. This panel will address a number of those myths and demonstrate how you can embrace DevOps and maintain the appropriate security profile for your organization.

Dwayne Melancon will once again moderate myself and fellow Rugged DevOps trailblazers: Gene KimDavid Mortman, and Nick Galbreath. The great news is that the ranks of security DevOps boundary spanners is growing to include folks like Neil MacDonald, Rich Mogull, Dan Kaminsky and others. If this is a new or threatening subject, my 30m RSA Europe 2013 Keynote was a good introduction:

Thursday, February 27, 8:00 – 9:00 AM – RSA USA – West Room 2020 – Co-Presenter

STR-R01 – Not Go Quietly: Surprising Strategies and Teammates to Adapt and Overcome

Nearly every aspect of our job as defenders has gotten more difficult and more complex—escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s now time to fight back. This session will provide new approaches to finding financial and operational support for information security across the organization.

I’ll ride once more with David Etue for Part 3 of our “Modern Security Strategy Trilogy” based on work we’ve together over several years.
NOTE: The slides and visuals came out WELL BEYOND my expectations. You do not want to miss this.
Friday, February 28, 9:00 – 10:00 AM – RSA USA – West Room 2014 – Co-Presenter

ASEC-F01 – Software Liability?: The Worst Possible Idea (Except for all Others)

Nearly While many had hoped that market competition would influence security improvements, customers are forced to accept software as is with no alternatives. Software is responsible for our critical infrastructure, cars, medical devices and is a part of our daily lives including our well-being. Will we be able to achieve better software security without vendors facing financial consequences?

I’ve not yet worked with Jake before but we have had spirited exchanges in the past. We have come into the topic of Software Liability from very different paths, but it has been a good complement and I really hope this advances what is often a thought terminating debate. Jake knows a ton about how the Insurance industry has been looking at the issues. He also has an interesting vantage point through his work with the Open Source Vulnerability Database (OSVDB).
I hope to meet new people and new teammates.

Q: Are you going to RSA?

A: Of course. RSA is mandatory punishment for people like me.

Like I said just before RSA USA 2012, each year at RSA I want to quit security.

At the end of the day, like with most things…

…it is what you make of it. Make it matter this year. Demand better. I will be.

My suggestions on are worth re-reading :

  • People Value
  • Non-RSA Venue
  • The Bizarre Bazaar of the Exhibit Floor

Anticipated Buzz-Words:

Remember: Just because a buzzword is abused and/or nausiating, doesn’t mean all uses or the ideas/facts behind them are nonsense. The trick is to ask people to define their use, defend their use, and provide specifics.

  • Big Data: This will be the least clear and most abused. It isn’t just having a hadoop cluster or *B or *flops of useless data.
  • Actionable Intelligence: Done right, this is becoming table stakes. Done wrong, this is a marketing retread. Ask for specifics. Most are offering a data feed. Good programs are combining and enriching from OSINT, HUMINT, SIGINT, pay-for feeds of various types, information sharing communities/pilots. This topic is worth sifting out Signal from Noise.
  • Offensive Security: For some, the term itself is “offensive”. This often is heard as “Hack Back”. Which is for most, a really, really bad idea. Aside from the legal or attribution debates… if you can’t consistently change default passwds or basic access control, why do you think you’ll win an escalating fisticuffs with your attacker? My Wed 1pm panel (END-W25) will try to clarify this.
  • Active DefenseThis is a less offensive spin on “Offense”, but definitions vary tremendously. It often means beginning to use deception, deterrence, increased work effort/work factor, increasing the entropy of the attack/er, etc. Again, my Wed 1pm panel (END-W25) will try to clarify this.
  • APT or APT1: Yes folks. The Kitten-Killing, Thought-Terminating Cliche’ is back. Given the one two punch of the Executive Order and the hotly debated APT1 materials put out by Mandiant; China, China, China will be discussed. Not all espionage is out of China. Lots is. Get past the groaning and try to get to substance.
  • Adversary: This is a good one I am pleased to see entering the lexicon. While many “thought leaders” dogmatically fight the inclusion of adversary analysis, they are wrong 😉 . The programs that are modernizing are trying to weave in the chaining of Adversaries -> Motivation Structures -> Preferred Assets Types -> Their Common/Range of TTPs (Tactics, Techniques & Procedures). Much like this artifact from our Adversary talk from RSA last year (slideshare here).


My Speaking Slots:

Monday, February 25, 3:30 PM – RSA USA – Innovators Sandbox – Room 134 – Facilitator

ISB-001 – Do You Know Your Enemy Enemies?: WHO & WHY do matter…

Much of RSA Conference will focus on WHAT & HOW; at Innovation Sandbox we will focus on WHO & WHY. From script kiddies to nation states (or chaotic actor/hacktivists to citizen soldier militias)… gone are the days where our adversaries are only financially driven. We now face a pantheon of adversaries – each with varying motivational structures, preferred asset type(s), capabilities and levels of skill/determination. This facilitated white boarding session will discuss the characteristics of modern adversaries and hopefully raise questions (and answers) on their implications to our risk management priorities.

This White Boarding session should be both fun and challenging – given the innovative crowd.

Monday, February 25, 4:00 – 5:30 PM — BsidesSF at DNA Lounge 

Closing Keynote: Joshua Corman

DNA Lounge is at 375 Eleventh Street San Francisco, CA 94103
I will be “taking the gloves off” in this audience of fellow digerati. We are not getting better (enough), fast enough. We are part of the problem. We need to level-up and we need to entertain some uncomfortable ideas. The pot will be stirred. If there is anything you’ve wished you could say to them, you have a few more days to load me up…It will be followed immediately by: “We Quit” – A Roast of the Infosec Business hosted by Jack Daniel, JadedSecurity, and Javvad Malik.

Tuesday, February 26, 3:50 – 4:50 PM – RSA USA – Room 132 – Panelist

ASEC-T19 – Making Rugged DevOps and Infosec Work

Because of widespread cloud adoption and the DevOps movement, information security has never been at more risk of being completely marginalized by development and the business. This panel will discuss how information security can integrate into these value streams, where agile businesses routinely conjure thousands of compute instances doing over 1000 deploys per day.

Dwayne Melancon will moderate myself and fellow Rugged DevOps trailblazers: Gene Kim, David Mortman, and Nick Galbreath.

Wednesday, February 27, 1:00 – 2:00 PM – RSA USA – Room 309 – Moderator

END-W25 – Offensive Security: Hope or Hype?

With the threat environment dramatically changing, there is a new consensus that it is almost impossible to keep targeted attackers out of any large-scale network. This panel will discuss new thinking around “Active Defense,” or what some would term “Offensive Activities.” We will explore the pros/cons of enacting an offensive security position in defending a company’s networks.

This one is going to be feisty. Born out of some hot offline debates, this clash of the titans needed to happen. I will have my hands full moderating, but I am up for the challenge – and for challenging them. Come watch George Kurtz (CEO of CrowdStrike), Chris Hoff (Juniper), Adam O’Donnell (Sourcefire) and Andrew Woods (Stanford) duke it out. Got anything you want asked?

Thursday, February 28, 8:00 – 9:00 AM – RSA USA – Room 135 – Panelist

HT-R31 – Mayans, Mayhem and Malware

This panel focuses on the persistent gaps and perennial conditions confronting organizations today, notably in areas of compliance and governance related to threat mitigation, education and awareness. Also, we examine the resurgence of advanced, malicious code & content intelligent enough to obfuscate, assess, re-assess and execute against a programmatic strategy.

Will Gragido, Brian Honan and I tried this at RSA Europe and it was surprisingly good – realistic and griity and honest… This time we’re adding two other dynamic characters.

Friday, March 01, 9:00 – 10:00 AM – RSA USA – Room 133 – Co-Presenter

GRC-F41 – Control Quotient: Adaptive Strategies for Gracefully Losing Control

Cloud, virtualization, mobility and consumerization have greatly changed how IT assets are owned and operated. Rather than focusing on loss of security control, the path forward is cultural change that finds serenity and harnesses the control we’ve kept. The Control Quotient is a model based on control and trust, allowing proper application of security controls, even in challenging environments.

I’m teaming up again with David Etue and we’ve been maturing this idea/approach over several years. A lot of my best concepts/models are born near the end of final content creation. This happened again this year with this talk. One of our new models has been sanity checked with a few of you and we’re excited that it will pack a real punch.

I regret this is so early on the last day but this is not one to miss.

The 6 minute RSA Podcast pre-interview of our talk is posted here.

The security challenges have REALLY stepped it up… it’s time we do.

DEF CON 19 Whoever Fights Monsters Q&A

DEF CON 19 Whoever Fights Monsters Q&A [No. Josh is not a member of Anonymous]

Will you be headed out to Vegas for this year’s MegaHackerWeek ? If so, I’d love to meet you.

I know some people get fatigued with the scene and some of these conferences, but I personally find the week incredibly valuable. Like with most things, you get out what you put in. Much like the RSA Conference does for the corporate/commercial side of the industry, this week in the desert is the heartbeat of the research and hacker community for the year.

While our challenges in security are tremendous, the intellectual potential in the hallways and bars of Vegas is humbling and inspiring. I look at this week as an asymmetric window of opportunity to:

    • determine the thrust and Zeitgeist of our demographic (in the now)
    • help to frame and set the tone for the next 12 months
    • challenge my various colleagues and teammates (and myself) out of respective ruts and comfort zones
    • meet new people and get to know people better in meat space
    • find new collaborators
    • stimulate new research topics and insights
    • eat bacon wrapped, almond stuffed dates (#BWASD) with red wine reduction and bleu cheese crumble
Bacon-Wrapped, Almond Stuffed Dates with Red Wine Reduction and Bleu Cheese Crumble

Bacon-Wrapped, Almond Stuffed Dates with Red Wine Reduction and Bleu Cheese Crumble

Highlights of Last Year

Here are a few of the things I fondly remember from last year:


At #BsidesLV in 2011, a few of us launched the beginning of acknowledging and studying the levels of fatigue and burnout in our industry and demographic. The room was honest and cathartic and intense. Seeing we had clearly struck a nerve, we later invested in the formal Maslach Burnout Inventory and presented more data at the RSA 2012 conference this spring. While there is much more to do, we’ve brought some of the challenges and support gaps to the surface and have started something needed. You can follow @SecBurnOut on twitter and the expanded IT Burnout Project. Many thanks to Jack Daniel, Dr. Stacy Thayer, KC Yerrid, Martin McKeay, and Gal Shpantzer who helped to kick-start the initiative.

Confronting Anonymous:

At DEF CON 19, we braved our “Whoever Fights Monsters” panel where we tackled the rise of Anonymous in a substantive way – perhaps for the first time. After Aaron Barr was legal-threatened off the panel and another quit fearing retaliation, we pulled together:

    • Joshua Corman (@joshcorman) <- me
    • Brian Martin / Jericho (@attritionorg)
    • “Baron von Arrrr” / Scot Terban (@krypt3ia)
    • Paul Roberts (@paulfroberts) <- As Moderator

The video of our panel and the more intense and meaningful audio of our Q&A room are both posted in the conclusion of our Building a Better Anonymous Series – which Jericho and I researched and wrote over this past year. The exchanges were so intense – and the press/industry/community knowledge was so poor – that we felt we had to drive this dialectic forward.

Winning Hacker Pyramid:

Somehow I went from watching 10,000 cent Hacker Pyramid to joining Dan Kaminsky in defending the crown. While Rogue Clown and Jayson Street were impressive and fought admirably in the final round, Dan and I squeaked out the win. This year, they are “in it to win it” and all manner of smack talk has already begun.

DEFCON19_HackerPyramid_WINNERS via CoolAcid

DEFCON19 HackerPyramid WINNERS via CoolAcid

HDMoore’s Law:

While technically born during Metricon 6 in San Francisco the Tuesday after DEF CON 19… a concept like HDMoore’s Law can really only be born after spending a week in Vegas, surrounded by brilliant hackers and pentesters, getting the bartender at the 303 party to pour HD Moore some stiffer cocktails while listening to nerdcore and then turning your brain inside out with a bunch of statisticians and risk professionals at a Metrics conference. While my brain felt as if it had been through an unnatural act, HDMoore’s Law turns out to have been a pretty useful concept – and many a practitioner is putting it into action in their environments.

Casual Attacker power grows at the rate of Metasploit

My Speaking Slots:

Tuesday, July 24 – 4:00 PM – Black Hat Executive Briefings (Caesars Palace)

Closing Panel – Analytical Response and Discussion

    • Joshua Corman
    • Rob Joyce
    • Rich Mogull
    • Kevin Overcash

After a full day of CISO briefings and discussions on this year’s Black Hat presentation themes, we’ll provide some broader context,  framing and friendly debate – to help enhance the CISOs’ experiences through out the rest of the week.

Tuesday, July 24 – 6:00 PM – CodenomiCON 2012 (Bellagio)

Unconventional Adversaries vs Conventional Wisdom

I’ll give give a short but hitting look at how two adversary classes have shattered a lot of security “conventional wisdom”.

Wednesday and Thursday, July 25 & 26 – #BSidesLV (The Artisan)

Interviews and Honey Badgers

Martin McKeay and I will be interviewing speakers and attendees on and off for most of the two days. I’ll also be giving away Honey Badger T-Shirts. There are far too few of you wearing Honey Badger T-Shirts. Find me or Martin.

Friday, July 27 – 8:00 PM (pretty sure) – Track 3 – DEFCON 20 (Rio)

25,000 cent Hacker Pyramid

Dan Kaminsky and I will attempt to retain the title.

Saturday, July 28 – 10:00 AM – Track 2 – DEFCON 20 (Rio)

World War 3.0 – Chaos, Control & The Battle for the Net

    • Michael J Gross – Moderator and author of World War 3.0 piece in Vanity Fair May 2012
    • Jeff Moss (The Dark Tangent)
    • Joshua Corman
    • Dan Kaminsky
    • Rod Beckstrom (playing the part of Vint Cerf)

This panel (FULL ABSTRACT) will build upon the Vanity Fair piece profiling these panelists and the escalating tension/conflict between forces of chaos and control – threatening a free and open internet. The December meetings of the ITU will likely bring these issues to a head. What role will the DEF CON community play in the coming months as this story and the fallout unfold?

Saturday, July 28 – 9:00 PM – Track 2 – DEFCON 20 (Rio)

FILM SCREENING and Q&A: We Are Legion by Brian Knappenberger

We’ll screen Brian’s documentary on Anonymous. I’ve seen an early cut and it was excellent. The film features several DEF CON speakers who will also do a Q&A after the film: Richard Theime, Chris Wysopal (WeldPond), Jericho, myself, Biella Coleman and loads of Anonymous members. Here is the Trailer.


Be sure to:

    • hydrate
    • pace yourself
    • hydrate
    • meet NEW people
    • hydrate
    • see NEW speakers
    • hydrate
    • be diligent about “how you can I bring this back with me and apply it?”

Hope to see you in Vegas!

RSA 2012 Preamble

Posted: 2012/02/15 in Conferences
RSA 2012

RSA 2012

RSA 2012 is close upon us (Feb 27th – Mar 2nd) – for better or worse.

Love it or hate it, RSA is the single largest security conference of the year – and if the security industry has a rhythm and a cadence, then it is the RSA Conference sets it.

Though I sometimes quip that:

RSA is mandatory punishment


Every year at RSA I want to quit security

…there is no denying the importance of the event on framing the upcoming year’s buzz words, topics, trends, etc.

Below are:

  • a few quick thoughts on how to make the most of the conference week
  • a few topics/times I’ll be speaking in case you’d like to catch me

People Value:

The best parts of the RSA conference aren’t the actual conference. Be sure you embrace the Hallway-Con, the Bar-Con, the Lobby-Con, and nearby eateries… People are what drive the progress of our industry more than any vendor or sponsored keynote. We are blessed with some very creative minds and dynamic personalities. Network as ferociously as you can. My best collaborators have been born from happenstance chats in some hallway or lobby.

Non-RSA Venue:

Some of the best talks and debates are at adjacent events to RSA. BSides and BSidesSF has become a force (despite its growing pains). I get a ton of value out of the AGC Security Conference (America’s Growth Capital) which brings great content to a high octane audience of the investment community, the founders of innovative start-ups, and potential acquirers. Mini-MetriCon 6.5 continues to push the rock up the hill to drive us from faith based security to evidence based models. There are a myriad of other events and working groups which converge that week. While many are closed or filled up by now, do some digging – as they are well worth it.

The Exhibit Floor:

While the exhibit floor is a bit of a Bizarre Bazaar (Hat Tip to Neil Gaiman), you must try to walk the floor. Embrace the horror. Treat it as a Tour de Force of what matters and what doesn’t. Of who is a source of SIGNAL and who is a source of NOISE. In fact, develop a justified, righteous indignation against hyperbole, FUD, and vendor B.S. Vendors do this because they can, because we let them, and because there are seldom consequences for doing so. Provide the feedback loop that alters that equation for them.

Last year I walked the floor with Paul Roberts and we gave this a try. We knew just about ever vendor, who had the goods, who was full of [insert your favorite here], etc. We saw maybe a dozen vendors making credible claims about emerging security challenges and offering valuable products/services in response. We asked each vendor who was thumping APT to define it – with nearly none of them even close to real substance. Asking for specifics will quickly reveal the snake-oil from the substance. We even quipped a safe rule of thumb (at least last year):

The frequency of the phrase “APT” by a vendor is inversely proportional to their actual expertise or comprehension of it

Put the vendors to the test. Ask for specifics. Maybe take some dramamine 1st.

My Speaking Slots:

Monday, February 27, 12:30 PM – RSA – Room 302

PROF-001 – Stress and Burnout in the Information Security Community

Jack DanielStacy Thayer,  Gal ShpantzerMartin McKeay, Joshua Corman (and @kcyerrid shhh!)

We’ve done real survey work with proven non-security-models and this is an important topic. We did a less formal version at BSidesLV 2011 with great feedback, validating the need for this.

Monday, February 27, 3:00 PM – AGC’s Security Conference – Main Stage at Westin Market St

PM Keynote: Apocalypse Now: Adapting to Espionage and Chaotic Actors

Joshua Corman

I’m excited to confront the VC and Investment community to actually rise to substantive changes in the space – versus repackaging old “kit” into the latest compliance or FUD buzzwords. This industry used to innovate, and it is time to again. What’s really cool about this, is my keynote is followed by two child panels: one on adapting to Espionage developments – one on implications of Chaotic Actors. With the money and the innovators in the room, confronting these topics, perhaps we can catalyze some action.

Tuesday, February 28, 1:10 PM – RSA – Room 305

CLD-106 – Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed

Gene Kim & Joshua Corman

Gene and I have been collaborating for a little over a year and a half on this topic. I’m most excited about this one. **BONUS POINTS if you can name the movie reference in the title

Here is a short podcast teaser we did with RSA

Wednesday, February 29, 9:30 AM – RSA – Room 309

GRC-202 – Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M?

Joshua Corman & David Etue

David and I have been working this idea for several years. After last year’s pantheon of adversaries and pervasive failures became clearer, more practitioners may be ready for this concept. HDMoore’s Law will be discussed.

Here is a short podcast teaser we did with RSA

If you need/want to reach me while there, hit me on twitter: @joshcorman

RSA is what you make of it…

  • What are you expecting?
  • What are you dreading?
  • Which people/talks are you eager to see?