Back in February I received an email alerting me to a conference put on by OSU for business leaders and IT personnel. I decided the attend as the fee wasn’t too high, and I had some questions I wanted answered for my own business planning. Also, I just wanted to see what the speakers would talk about.
I had no particular expectation that this would be a conference targeted at penetration testers or anyone in “offensive” security. Only one of the listed speakers seemed to have any particular background in offensive security techniques. What I did expect was a lot of non-technical talking points about scary hooded figures with laptops gunning for your corporate crown jewels.
To be fair, there was some of that.
However, after attending most of the day, I came away with a pleasantly more nuanced impression.
The truism in infosec is that the attacker has the advantage, always. Being the offensive force is also more glamorous. Whether it’s publishing new 0-days with fancy logos and theme songs, gloating in the underground about your latest escapades, or giving talks at Defcon that are remembered for years, attackers get the glory.
I think defense is more interesting though. Certainly, the cycle of planning, testing (what we do at 0meta) and remediation involves scheduled verification of your posture, i.e., offense. But offense is just a data point in the broader picture of ‘security’ as a process. Far more important is what a business does with the results of a penetration test, and how that informs ongoing efforts to keep a system safe. Defense is the harder computer science problem, and I want to be part of that solution.
The notion of defense in depth was pretty much the most prominent idea from the talks given. Putting aside the (admittedly subtle) salesmanship on display, the basic idea of “here’s what your threats do, what they look for, and how you can adapt” was pretty much what everyone talked about.
What surprised me more than the focus on defense was that the information wasn’t as technically out of date as I expected. My estimate was about 9-12 months behind what a BlackHat or Defcon attendee would probably consider “current news.” I expected much worse.
I also expected inaccuracy and a certain blasé attitude towards technical minutia. And honestly, I didn’t see really any of that. Where a slide did dip into hard information (which wasn’t often, as this was a conference for c-class execs and MBAs for the most part) it seemed all on the level to my eyes. The speakers balanced being specific about technologies and techniques with broader language that was easy to understand.
It wasn’t all great, of course. Since everyone was essentially talking about the same things, with the same defensive focus, information was repeated several times, and by later in the day it was really beginning to wear on me. Some of the speakers also seemed to be delivering a more generalized message, or one that had multiple broad points that didn’t really come together into a cohesive whole to me. Sabine Schilg’s was the worst in this regard. The idea of AI driving detection of threats is legitimately cool. Selling me your cloud control product wasn’t nearly as interesting.
The most glaring omission from a corporate perspective was the nearly complete lack of discussion about cyber “breach” insurance. Terry Jost mentioned it at the very end of a short QA after his presentation. It’s actually a Really Big Deal, and has been growing at an enormous rate in the last 2 years. I expected it to come up multiple times. Crickets.
I also have to point out that having someone up on stage to talk about offensive security is a part of every defensive conference. Penetration testing is a cog in the machine of your system’s defense. Without it, verification that your defenses work and that your staff is trained is impossible to verify. But it didn’t get a single mention, break-out or acknowledgement. Disappointing.
Overall, I’m glad I went. Seeing the kinds of local businesses that attended and the types of questions they asked was instructive to me in figuring out how to best frame security in a way that matters the most to each customer.
The chairs in the conference room were an atrocity against posterior comfort though, and the combination of fatigue and material that wasn’t really aimed at my professional class combined in me leaving the event early.
I think next year though, I will attend the Infosec Southwest event instead, since it is aimed at folks like me, and I’ll send my business development guy to this event.