Friday, February 28, 2014

RSA Conference 2014: Thursday

I woke up and it was absolutely pouring out; I thought it was going to be a repeat of yesterday.  Fortunately, by the time I started walking down the hill towards the Moscone Center, it had stopped raining.  And, while eating breakfast, I noticed the sun coming out, a welcome addition.  Breakfast is served 7-8 in the morning.  The first session I had scheduled was 9:20, but I thought to myself, I don't want to waste the time, so I decided on an 8:00 talk.  I'm glad I did.  Here are the talks I went to today:
  • Cloud Ninja: Catch Me If You Can - by Rob Ragan and Oscar Salazar.  Initially, I had this time slot open, but at the last minute I decided to pick a talk and go.  I'm glad I did.  This talk was awesome.  Initially, I thought it might be neat to hear a session with a little offense to it, seeing as how I mostly focus on defensive security.  But, as the talk focused on (ab)using free trials of companies' software to build a botnet, I realized that there were dire implications for the company where I work.  This was a great talk that gave me information to go home and battle the developers.
  • Keeping Up with the Joneses: How Does Your Insider Threat Program Stack Up - by Dawn Cappelli and Randall Trzeciak.  Probably of all the talks I scheduled myself to see, this was number one.  I have their book, so it was great to hear Dawn and Randall talk.  Of course they backed up their research with plenty of numbers and examples.  They gave great advice on building and working an Insider Threat program.
  • The Future of Exploits, Developing Hidden C&C and Kittens by James Lyne. I picked this talk as I wanted to hear a talk by one of our company's vendors and I suspected it might get a little deep.  It didn't get too deep, and I'll tell you, I've never laughed so hard in a conference talk.  A great talk, kept light, with lots of great information.  And, now I've learned a great little story to explain buffer overflows.
I did not attend the Keynote talks today, instead I took a walk up to Fisherman's Wharf to see the Rock, seals, and a tour of the USS Pampanito.

I did attend the Codebreakers Bash, which was really well done.  They gave out these blinking LEDs, and now my hotel room has become a disco.  I'll have to cover them before going to sleep.

I fly out tomorrow, in the afternoon.  So, I'm on the fence about going to a talk tomorrow.  I'm tempted to go see one more.  Probably the decision will be made by what time I get up.  I will miss the keynotes tomorrow, and that means missing Stephen Colbert.  But I think I'll be ready to get on a plane.

Wednesday, February 26, 2014

RSA Conference 2014: Wednesday

In getting yesterday's post up, there are a couple of things I forgot to include: a couple of general thoughts on the conference.  First, there is usually twenty minutes (or more) between sessions.  So far, I've found this to be ample time to get from one track to another...and that includes going between West and one of the other buildings, like North.  That even held true for today, when it rained.  I noticed today that in all talks you can hear the jingling of the badge holders - it reminds me of the clacking of poker chips in a poker room - and ultimately, it's white noise.  Pro Tip:  If you are sitting in the front of a session, be careful with what you are surfing on your laptop.  Screens project more than you think.  Finally, one thing that irks me is the session attendees who have to take a picture of EVERY slide with their iPad.  Really?  In one talk yesterday, I noticed a presenter spotted someone doing that, and I got the feeling he varied his pace just to throw the person taking pictures off.

Today was another busy day.  Here are the talks I went to:
  • Hacking Exposed: Day of Destruction by the CrowdStrike guys, George Kurtz and Dmitri Alperovitch.  This was an awesome talk, where they literally destroyed some computers.  Yes, I think a couple were VMs, but they bricked at least one laptop.  And they showed how malware could literally fry a machine.  The question I didn't get to ask was:  could you do that on an airplane, or in a hospital?  The consequences would be dire.
  • Gumshoes - Security Investigative Journalists Speak Out - Dan Hubbard from OpenDNS moderated a panel of Brian Krebs, Nicole Perlroth, and Kevin Poulsen.  Again, this was another really great talk that I selected because I follow Brian Krebs' and Kevin Poulsen's blogs religiously.  I hadn't heard of Nicole's work before, but I just added it to my feed reader.  Lots of great stuff was discussed.
  • Using Data Breadcrumbs to ID Targeted Attacks - Dan Hubbard.  This was only a twenty minute talk, and I enjoyed it.  It gave me some ideas to take back to the mother ship.
In the afternoon I went to the keynote talks.  Already, I look forward to tomorrow's talks.

RSA Conference 2014: Tuesday

I didn't get a post up yesterday, and for that, I apologize.  Take my comments with a grain of salt, this is the first security conference I've been to.  And to be sure, I'm having a blast and learning a lot.  Already, I've written plenty of notes from some of the talks I've heard that I will take back to work with me.  To be sure, there's going to be work for someone, and much depends on some of the output of what I bring back.

On Monday, I registered.  The schedule seemed light, so I went to the Leadership talks.  They were ok, but nothing to really write home about.  I used the afternoon to catch up on work.  But, I returned to the show for the welcome reception, really - free beer and food.  This was the first time I walked around the expo floor.  It is definitely a sight to be seen; I liken it to a country carnival, where the various exhibits are competing for your attention.  I actually have an agenda of exhibitors I need/want to see for various reasons.

Today, though, was my first full day at the conference.  I got there early for the "continental breakfast," but to me it seemed more like a lunch.  Then, I got in the line for the keynotes.  My impression of the keynotes was that I was at a concert, what with the lights and sounds.  William Shatner's intro was very well done.  I would have liked to have heard an emphatic denial regarding RSA's activity and the NSA; the other talks were well done.  I had a meeting with one of our corporate vendors at noon, then it was a full afternoon of talks:
  • Establishing Trust After A Breach - I really thought this was how you work with your customers and the community-at-large after suffering a breach.  It wasn't.  To me, it was DFIR 101 and what to do.
  • NSA Surveillance: What We Know and What to Do About it - this was my first time hearing Bruce Schneier talk and it was all I expected.  It was very good, but I follow his blog, so there wasn't TOO much new here.
  • The Seven Most Dangerous New Attack Techniques and What's Coming Next - By far and away, this has been the most popular talk I've been to.  The room was packed.  Period.  And with good reason.  Especially if you are a fan of the SANS guys.  I am.  More importantly, Ed Skoudis taught my SEC 504 class.  I learned more from his office hours than the actual class.  He's engaging, crazy smart, and gets his points across in a manner that's easy to digest.  This was definitely a great talk.
  • Use Anomalies to Detect Advanced Attacks Before Bad Guys Use It Against You - there were a bunch of talks that I wanted to attend in this time slot, but I picked this one.  This was a great talk, a little in depth, but I took from it some nuggets of practical information that I will bring back to the company to implement.
After dinner, my co-worker and I went to the party given by OneLogin.  A good time was had.  And now, I'm beat, especially after all the walking (and climbing Nob Hill AGAIN).  Sleep will be easy tonight.  I know I have a packed morning tomorrow, and I believe the keynotes are after lunch.  Plus, I have to make time for the exhibits.

Monday, February 10, 2014

Too Much Zeus, Need Recommendations

It's been a little over three months since I started the new job.  To be certain, I love it.  I'm really starting to get my arms around all that goes on (or doesn't) around here.  And while I know I have a daunting task to help guide this place towards becoming more secure, I know I have already taken great strides in moving forward.

I fully admit that there are some pretty basic controls that are not implemented.  If I were an auditor from my previous contracting job, my head would probably explode with some of the findings here.  Some of them are THAT basic.  But, these decisions have been made way in the past, and for the most part fall into the politics/culture category.  It will take a while to get movement on those controls.  Or a decent-sized breach.

All of that said, I was looking through my incident notes for the past month (or so).  And looking at the fires I put out on a daily basis, I see that I work to eradicate at least one Zeus-infected host a day.  That's an average.  I've given up on remediating the hosts.  I send the IP to our helpdesk and let them get it off the network and reimaged.

In light of the controls that need grassroots work, I'm looking for a solution that I can dump on the client hosts to help combat zero-days, attachments, etc.

One recommendation I have received so far is Invincea.

Are there any potential solutions I should be aware of?