BSidesSF 2018 Recap

Posted by HomeBrewedSec on April 19, 2018 · 9 mins read

If you follow me on Twitter, you've already seen my recap (I sent around 100 live tweets during sessions). You'll probably notice that I chose Blue Team talks wherever possible. I was tempted to go to more Red Team sessions since those were the hyped sessions; however, I am Blue Team, so I chose to focus on talks that can help me grow (boring, I know).

Starting a Security Program: Thrills and Spills

Poorna Udupi (@poornaudupi)

This talk reminded me quite a bit of "InfoSec Rockstar" by @teddemop (if you haven't read it, you really should). It's refreshing to hear voices in tech take emotional intelligence, self-awareness, and personal growth seriously. All of our peers have technical skills and "geek"; what sets us apart is our soft skills.

Quite a bit of emphasis was placed on getting organizational buy-in. One of the key ways mentioned was to "demonstrate presence in a way that the security team is part of every function". Don't just be the team in the corner that makes life more difficult for other teams; prove how you already are a value-add.

Overcoming obstacles in operationalizing security: A tale from the trenches

Rafae Bhatti (@privacyphd)

Another great talk that put an emphasis on proving InfoSec's worth to the organization. Rafae made great points about placing more importance on security awareness training, and prioritizing the right things. For example, it might be easy to succumb to the temptation to start red teaming early on, but what good is that if you already know that you don't have operational controls in place? There's no sense Red Teaming to discover something that you already know you aren't doing well.

So you think you can patch: The game show that questions your security assumptions

John Banghart (@jbanghart5), Allan Friedman (@allanfriedman), Kent Landfield (@bitwatcher), Wendy Nather (@wendynather)

Definitely the most entertaining session. Worth it even if just to see @allanfriedman dressed as a game show host. The game show really highlighted some of our misconceptions around patching, and really encouraged us to "treat patching like the complex problem it is".

Blue Team Fundamentals

Benjamin Hering (@bitwatcher)

After this talk, my new decision tree is "Can I see it? Can I throw it away? Can I make it more expensive [for attackers]?". He also turned the usual "users are stupid" on its head, encouraging us to make it safe to click everything. Why trust our users to be Security Administrators? That's our job.

Speeding up Windows Security Assessments with Ancient Math

Cole Thompson

Wow. I am admittedly not a quant, but this made me want to be one (although it did make my head hurt). Cole went through how to use Euclidean distance + logarithms to assist with security assessments.

I immediately saw the possible applications of this approach. I want to try to use this technique to highlight anomalies in our baselining, to identify potential compromises and prevent them from entering our baseline.
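As an added illustration of the idea above (my own sketch, not code from Cole's talk), the following scores each host by its Euclidean distance from the fleet's baseline centroid after log-transforming the collected counts, so that one large feature (services) does not drown out small but telling ones (local admins). Host names, counts, the chosen features, and the modified z-score cutoff of 3.5 are all assumptions for the example.

```python
import math

# Constructed sample: per-host counts of Windows artifacts gathered during a baseline
# (hypothetical hosts and values, not data from the talk).
BASELINE = {
    "ws01": {"services": 112, "listening_ports": 9, "scheduled_tasks": 41, "local_admins": 2},
    "ws02": {"services": 118, "listening_ports": 10, "scheduled_tasks": 44, "local_admins": 2},
    "ws03": {"services": 109, "listening_ports": 8, "scheduled_tasks": 39, "local_admins": 1},
    "ws04": {"services": 115, "listening_ports": 9, "scheduled_tasks": 42, "local_admins": 2},
    "ws05": {"services": 121, "listening_ports": 31, "scheduled_tasks": 97, "local_admins": 6},
}
FEATURES = ("services", "listening_ports", "scheduled_tasks", "local_admins")


def log_vector(counts):
    # log1p compresses the range (and handles zero counts) so every feature
    # contributes on a comparable scale to the distance below.
    return [math.log1p(counts[f]) for f in FEATURES]


def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def score_hosts(hosts):
    """Return {host: Euclidean distance from the fleet centroid in log space}."""
    vecs = {h: log_vector(c) for h, c in hosts.items()}
    n = len(vecs)
    center = [sum(v[i] for v in vecs.values()) / n for i in range(len(FEATURES))]
    return {h: euclidean(v, center) for h, v in vecs.items()}


def outliers(hosts, cutoff=3.5):
    """Hosts whose distance is an outlier by the modified z-score (median/MAD) rule.

    The median-based rule is used instead of mean/stddev because with a handful of
    hosts a single anomalous machine inflates the stddev enough to hide itself.
    """
    dist = score_hosts(hosts)
    vals = sorted(dist.values())
    median = vals[len(vals) // 2]
    mad = sorted(abs(d - median) for d in vals)[len(vals) // 2]
    if mad == 0:  # all hosts identical: nothing to flag
        return []
    flagged = [h for h, d in dist.items() if 0.6745 * (d - median) / mad > cutoff]
    return sorted(flagged)
```

A host flagged here is a candidate to investigate before it is accepted into the baseline, which is the use I had in mind above.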

Six degrees of infiltration: Using graph to understand your infrastructure and optimize security decision making

Sacha Faust (@sachafaust)

"If everything is urgent, nothing is urgent. How do we prioritize?" One potential answer was to use CVSS score and device risk rating to determine priority. Seems simple enough; why aren't more of us doing it?

I am going to attempt to aggregate CVSS score, device risk rating, remediation time, and external facing/not to determine risk and priority using tools like vulnwhisperer and ELK.
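To make the aggregation concrete, here is an added example (my own sketch, not from the talk or from vulnwhisperer/ELK) that combines exactly those four inputs into one priority score and sorts findings by it. The weighting (severity times asset value, a 1.5x bump for internet-facing hosts, up to +30% for age) and the sample findings with placeholder IDs are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0-10
    device_risk: int        # asset risk rating 1 (low) .. 5 (critical)
    external: bool          # reachable from the internet?
    remediation_days: int   # how long the finding has been open


def priority_score(f: Finding) -> float:
    """Assumed scoring: severity x asset value, scaled for exposure and age."""
    base = f.cvss * f.device_risk                     # 0 .. 50
    exposure = 1.5 if f.external else 1.0             # external hosts jump the queue
    # each 30 days open adds 10%, capped at +30% so age never outweighs severity
    age = 1.0 + min(f.remediation_days / 30, 3) * 0.10
    return round(base * exposure * age, 2)


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings (hypothetical hosts, scores and IDs).
SAMPLE = [
    Finding("lab-vm-07", "EXAMPLE-0001", cvss=9.8, device_risk=1, external=False, remediation_days=5),
    Finding("web-edge-01", "EXAMPLE-0002", cvss=7.5, device_risk=5, external=True, remediation_days=60),
    Finding("fileshare-03", "EXAMPLE-0003", cvss=5.3, device_risk=4, external=False, remediation_days=120),
    Finding("vpn-gw-02", "EXAMPLE-0004", cvss=9.0, device_risk=3, external=True, remediation_days=0),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):6.2f}  {f.host:14}  {f.vuln_id}  cvss={f.cvss}")
```

Note how the CVSS 9.8 on the low-value internal lab box lands last: on its own, CVSS is not the priority.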

Ask the EFF

Nate Cardozo, Andrew Crocker, Gennie Gebhart, Stephanie Lacambra, Sydney Li, Kurt Opsahl

Way too many take-aways to list them all here. One of the most interesting things to me was contrasting the cultural landscapes of the US and EU in how they relate to security. They discussed that the right to be forgotten / right to erasure wouldn't work because of the First Amendment, and that GDPR in general is in contrast to our views on privacy. And there's this about Net Neutrality:

Fix All The Things: Rapid-fire Stories of Creative Solutions to InfoSec Problems

Katie Ledoux (@kledoux)

Simple. Open. Mobile: A Look at the Future of Strong Authentication

Jerrod Chong

Heard about FIDO2, got a free Yubikey. That was cool.

Bring in the $$ : Moving Security from Cost Center to Revenue Generator

Arianna Willett (@AriannaWillet)

I end up serving a sales role quite often. Even though this talk was focused on convincing internal departments the worth of cybersecurity, it applies to third parties as well. Great ideas proposed here, definitely things that I'll use on a regular basis.

You want to step outside? What we can learn from Google’s fight with phishing

Neal Mueller (@nealmueller)

Tons of great statistics in this one, without any of the FUD. Once again, heard the idea that it's "a bad idea to count on a human to inspect every URL bar", and that we should be doing more to protect users.

Great Tip: Call your cell provider and ask them to put a port block on your number.