Where are the “Actionable Defense” talks?

September 4th, 2017

This year, for the first time, I did not make it to DEF CON, B-Sides Las Vegas, Black Hat, etc. I was bummed, because this has been a yearly pilgrimage for me for a really long time, but there was too much work sandwiched on both sides of it.

Naturally, I was thinking, “What did I miss?” Aside from seeing friends and getting up to shenanigans, of course. As for talks, I went looking for some that had a few criteria:

  1. Focused mostly on defense
  2. Tools and tactics that can be put to use immediately

That’s it. Nothing fluffy there. I asked people on Twitter about their experiences, too, and got a few good responses:

  • @sarapeters pointed me to the InSecurity conference lineup from Dark Reading…which looks very defense-oriented (if you can stay awake through the compliance talks): http://www.schedule.insecurity.com/list
  • @oh3px pointed out two talks that were “actionable” (not all defense, but good examples). One was on attacking a DevOps CI/CD pipeline by @spaceB0xx: https://t.co/u8SFc4W9yZ and a DFIR DC workshop by @AlanOrlikoski: https://t.co/76zUyCo02g
  • @cyphermike mentioned “Lee Holmes (@Lee_Holmes) talks at DEF CON and blue team stuff in packet hacking villages”.

And that, folks, was about it. Here’s the full list of DEF CON talks: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/

I don’t have the time to go through them all, but a huge number are all about attacks, exploits, “weaponizing” this or that, “owning” this or that, “offensive” such and such. Nice.

I’m not trying to pick on DEF CON – far from it. I’ve always had a great time there, and it’s one of my favorites. Given that I think most cons are a massive waste of time, that’s saying something. But if I am your employer, and you ask me to send you to something that I am paying for, what do I get out of it? What can you come back to work and actually DO?

Can we be honest for a minute? Most of y’all aren’t pen testers. You’re not exploit writers. You’re not “weaponizing” a fucking thing. Hacking is cool. It’s sexy. Apparently, defense in depth, innovative security architectures, improving on the classic blocking and tackling stuff…none of that is worthy. You hate hearing that horrible cliché about how “we’re losing”? Well, this may be a factor. We all get so excited about the latest exploit or hacking technique, but very few of us are actually in positions that use any of that shit. So folks go out to the desert, get drunk, nerd out with friends for a few days, and have almost nothing to really show for it in terms of true impact on their respective organizations. Does that make it bad? Intrinsically, no. But out of all the talks I see, especially at BH/DC, very little tells anyone how to defend something.

We *DO* need some stunt hacking, future thinking stuff. The latest info on pacemakers needing firmware updates confirms this. But we really need a lot more emphasis at some of the biggest cons on defense, and people being able to walk away with real, actionable skills and ideas for improving DEFENDING. No, this is not a thinly-veiled argument for training – that’s different. This is basically me just ranting about how most of the con talks these days are offense, and while that whole “offense informs defense” thing has some merit, it’s really not applied often.

If y’all have been to some good talks about defense that left you with tons of notes, ideas, and specific tactics you could immediately use back at the ranch, I would LOVE to hear about them in the comments.

/out

UPDATE: Got a response from Lee Holmes (and updated his Twitter handle above). Good to hear re: Derby.
