Now that Black Hat USA and DEF CON are over, there is time for some reflection on conferences and speaking engagements. I’ve been involved in the conference review and submission process for quite some time. In that time, there have been multiple instances where someone submits a good talk, it gets accepted, and then their company makes them pull it. This situation is frustrating not only for the conference staff but also for the individual who submitted the talk in the first place.
Less extreme, but more common, are the talks I’ve seen given by people who aren’t allowed to say where they work. They also had to take vacation time and pay their own expenses. That’s pretty humiliating.
Why does this happen? The reason isn’t always apparent, but often it reflects an antiquated view of the risk of presenting at a security conference, mixed with a healthy dose of not understanding the benefits.
Through a few highlights, I hope to lay out the benefits and dispel some myths. My aim is to give you solid talking points for these conversations with your organization.
Benefits of Speaking
If you are a security leader who finds conferences valuable, then you already understand the value of presenting. Some companies, however, don’t see the benefits, though these are most likely not security companies. If you have any doubts, consider this: your people speaking at conferences gives you a leg up on your competition from both a perception and a recruiting perspective.
Here are just a few of the benefits:
- Employee Retention / Morale / Quality of Life
Employees are more likely to stick around at companies that support them, and saying no to speaking engagements could mean you lose good people. Working on something bigger than your everyday job is fulfilling.
- Recruiting Tool / Differentiator
Future employees want to work with smart people and do “cool” work, and one of the best ways they find out about that is through conference activities. We all know not everything we do is glamorous, but knowing there are opportunities to engage and present research can be a real differentiator for prospective employees.
Customers also get a sense that you have experienced people and that you take security seriously. Even if the research points out something you weren’t doing well in the past, it builds confidence that you continue to be proactive and make improvements.
- Information Sharing / Greater Good / Community Support
You send a strong signal to the industry and peers that you’re willing to be a part of the community by sharing knowledge. This makes it much more likely that other organizations will share as well. Lead by example.
- Demonstration of Expertise
Speaking and sharing your experience at conferences can be incredibly rewarding. Not only is it a notch in the belt professionally, it just feels good to share with peers. Show the industry, peers, and customers that you are proactive.
Fear of the Unknown
Given the benefits, why do some companies not allow their people to speak? In my opinion, it comes down to fear. Let me break this into three main areas.
- Unnecessary Attention
Over the years, unnecessary attention has been the excuse I’ve heard most often. Companies feel that if their people speak at conferences, it puts a target on them and invites attackers to try to show them up. I’ve got some news for you: your company is most likely already a target.
Vulnerabilities these days are worth money. So if an attacker is sitting on a 0day, they aren’t likely to burn it to make a point about you having someone speak at a conference.
If you are worried about elevating your position on an attacker’s radar because of public speaking, a lot of this comes down to how the speaker presents the content. If the presenter is claiming to be the smartest person around and says their organization is “unbreakable” then that can undoubtedly invite some negative attention. If the presenter is merely sharing some experiences and trying to further the conversation, then it’s rarely an issue.
- Disclosure of Sensitive Information
In some cases, there may be a fear of disclosing sensitive internal information or internal processes, perhaps because the company feels an attacker could use it to craft more targeted attacks.
Your people should be smart enough to know what content is sensitive and not disclose it. After all, don’t you have an awareness program for that? If there are any doubts, you can always review the content before it is submitted rather than issuing a blanket denial.
On the disclosure front, I think there is also a bit of not wanting to look “stupid.” Security problems can be tough to solve (even simple ones, in some cases), and many of us are just trying to figure it out. Some may worry about customers thinking they don’t have it together, but one thing I’ve learned in my career is that customers appreciate due diligence.
We have real problems with information sharing in the security community as it is, without adding further restrictions. Lessons learned, information on attacks and intelligence, and approaches to mitigating risk could all help the community as a whole. The more we share, the better off we’ll be.
On the other side of disclosure, the pressure may come from a vendor over a responsible disclosure process. I’ve seen a few companies push deadlines to try to stop people from presenting their findings at a conference.
Healthy responsible disclosure pushes vendors to perform due diligence on their side. If you’ve given a vendor 60 to 90 days (Google’s Project Zero uses a 90-day deadline; CERT/CC’s default is 45 days), that is more than fair. At that point you have fulfilled your obligation under responsible disclosure, and you should support the continuation of the process by disclosing.
- Outdated Policy
Somewhere, buried deep inside your organization, is an ancient policy stating that people can’t speak at conferences. It hasn’t been updated since its creation because everything else in the company is more important.
I think we can all agree that policy for the sake of policy is bad. The intent of that policy is probably lost (or relates to the previous two points), and the default answer when you ask about it is, “well, that’s just the way it’s always been.”
Don’t treat that policy as a fixed object. Maybe the reason it has never changed is that nobody has championed fixing it. If a policy is necessary, update it with a process that includes a reasonable amount of review (hopefully not painful or lengthy).
Times when you can’t speak
In this post I’ve covered why you should let people speak. You may be wondering whether there are situations in which you shouldn’t support a conference presentation. Unfortunately, the answer is yes.
The first situation that comes to mind is an NDA or terms and conditions that prohibit disclosure. This should be obvious: if you have an NDA that prohibits disclosure of details, you have to abide by it. Keep in mind that some companies use T&Cs to try to discourage disclosure; see “Adventures in Vulnerability Disclosure” from Google’s Project Zero.
There may be other situations as well, such as revealing your intellectual property or damaging a business relationship. Each of these is highly situational and should be fairly obvious. None of them is a good reason for a blanket statement that people may not present.
Call to Action
If you are a security leader, hopefully this has softened your position on speaking at security conferences. If you are in favor but someone above you objects or a policy issue exists, start now to add some clarity on the topic. Lead with the benefits and do your best to dispel any myths or old beliefs. It may not be easy, but in the long run it will be worth it. Be the change agent your company needs you to be.
If you found this article interesting, you may also be interested in this article ‘Keys to a Successful Infosec Conference Submission’
As Black Hat draws closer, we wanted to take a moment to highlight some talks we are excited about. There is a lot of great content, so picking just a few was difficult, but these are the presentations that my colleagues and I are looking forward to attending.
AI & ML in Cyber Security – Why Algorithms are Dangerous
By Raffael Marty
AI is a topic I spend quite a bit of time talking about myself. It seems you can’t turn anywhere these days without encountering a product claiming to use some subset of AI in an “advanced” way. A healthy dose of real-world challenges helps cut through the marketing hype and get to the core issues. This talk is a much-welcomed reality check.
Blockchain Autopsies – Analyzing Ethereum Smart Contract Deaths
By Jay Little
Blockchain technologies aren’t just for cryptocurrencies. They are gaining acceptance in the business world and are being used or evaluated to solve a range of business challenges. Blockchain applications that are aligned with real business challenges, such as Ethereum smart contracts, have a better chance of success and longevity. Understanding how these contracts work, how they fail, and the risks they present is critical.
Applied Self-Driving Car Security
By Charlie Miller, Chris Valasek
Come on, who doesn’t love the thought of hacking self-driving cars? Even better is getting this information from the experts on the subject. In the not-too-distant future, we will share the road with people taking a nap, eating lunch, and texting. Okay, we do that now, but in the future people may not have control of their cars the way they do today. Highlighting these risks now helps us avoid running into them tomorrow. This presentation promises to be informative and entertaining.
Understanding and Exploiting Implanted Medical Devices
By Billy Rios, Jonathan Butts
Self-driving cars are one thing, but IoT gets scarier when it’s inside your body. The attack surface of a device implanted in your body is the stuff of nightmares and Hollywood movies. This presentation promises to shed light on these risks.
WebAssembly: A New World of Native Exploits on the Browser
By Justin Engler, Tyler Lukasiewicz
WebAssembly is a binary instruction format supported by all major browsers that lets code written in languages like C, C++, and Rust run on the web. It promises better performance and increased security, but is that promise hot air? The sandbox isolates a module from the host, but a memory-safety bug in the C or C++ source compiles into a memory-safety bug in the module’s own linear memory, so native exploitation techniques don’t simply disappear. This talk examines the technology and the security risks it introduces.
Squeezing a Key Through a Carry Bit
By Filippo Valsorda
Although this presentation isn’t about a destruction-of-the-Internet-style vulnerability, it is a great example of why no small bug should be ignored. In an impressive feat of crypto engineering, the presenter shows how a single-bit bug turns into a cryptographer’s worst nightmare: secret keys recovered in about 500 submissions on average. Don’t miss this highly technical talk on the cryptography track, which shows that a small bug can yield a big result.
Kudelski Security Events
We also have a few events happening while we are out in Vegas.
Join us for our Kudelski Security Bash party Tuesday night from 6-9pm in the Foundation Room at Mandalay Bay.
We are also doing a couple of breakout debriefs from 4:30-6pm on Wednesday, August 8th, and Thursday, August 9th. Wednesday’s session is on IoT and Operational Technology security. Thursday’s session is on Blockchain. Use the following link to RSVP for these sessions.
If you are hanging out for DEF CON as well, check out our presentation:
Reaping and Breaking Keys at Scale: When Crypto Meets Big Data
Presented by Yolan Romailler and Nils Amiet.
In this talk, we show how we collected over 300 million public keys leveraging our scanning infrastructure and our open source fingerprinting tool, Scannerl, and tested them for vulnerabilities such as the recent ROCA vulnerability or factorization using batch-GCD. We performed this analysis on a 280 vCPU cluster and are able to test new keys against our dataset in just a few minutes thanks to a novel in-house distributed implementation of the algorithm. As a result of our research, we could have impersonated hundreds of people, mimicked thousands of servers and performed MitM attacks on over 200k websites. Fun stuff.
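As an added illustration of the batch-GCD step mentioned in the abstract (this is not the presenters’ code, nor part of Scannerl, and the distributed implementation they describe is not reproduced here), the following Python shows Bernstein’s product-tree/remainder-tree method: for every modulus N_i it computes gcd(N_i, product of all other N_j) in quasi-linear time instead of n(n-1)/2 pairwise gcds, and factors any key that shares a prime with another key in the set. The five moduli are a constructed toy keyset built from small, well-known primes; real RSA moduli are 2048 bits, but the algorithm does not care about size.

```python
"""Batch-GCD over a set of RSA moduli (product-tree / remainder-tree method).

Given moduli N_1..N_n, compute g_i = gcd(N_i, prod_{j != i} N_j) for every i.
Any g_i > 1 means N_i shares a prime with some other key in the set and can be
factored immediately; that is the failure mode batch-GCD hunts for at scale.
"""
from math import gcd


def product_tree(leaves):
    """Levels of a binary product tree; level 0 is the leaves, the last level is [product]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        nxt = [prev[i] * prev[i + 1] for i in range(0, len(prev) - 1, 2)]
        if len(prev) % 2:          # odd count: carry the last node up unchanged
            nxt.append(prev[-1])
        levels.append(nxt)
    return levels


def batch_gcd(moduli):
    """Return [gcd(N_i, product of all other N_j)] for every modulus in the list."""
    if not moduli:
        return []
    levels = product_tree(moduli)
    # Remainder tree: start with P = prod(N_j) at the root and, level by level,
    # reduce the parent's remainder modulo the square of each child node.
    rems = levels[-1]
    for level in reversed(levels[:-1]):
        rems = [rems[i // 2] % (node * node) for i, node in enumerate(level)]
    # At the leaves rems[i] = P mod N_i^2 = N_i * ((P / N_i) mod N_i), so dividing
    # by N_i leaves (P / N_i) mod N_i, whose gcd with N_i is the wanted g_i.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def factor_weak_keys(moduli):
    """Map index -> (p, q) for every modulus that shares a factor with another key."""
    found = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue                       # no prime shared with the rest of the set
        if g == n:
            # Both primes of N_i appear elsewhere (possibly in different keys), so
            # the batch gcd is N_i itself. Fall back to a pairwise scan for this key.
            g = next(gcd(n, m) for j, m in enumerate(moduli)
                     if j != i and 1 < gcd(n, m) < n)
        found[i] = tuple(sorted((g, n // g)))
    return found


# Constructed toy keyset (not real scan data): small known primes stand in for
# the 1024-bit primes of a real RSA key.
P1, P2, P3 = 1000000007, 1000000009, 998244353
P4, P5 = 2147483647, 2305843009213693951             # 2^31-1, 2^61-1
P6, P7, P8 = 4294967291, 67280421310721, 274177       # 2^64+1 = 274177 * 67280421310721
TOY_MODULI = [
    P1 * P2,   # 0: unique primes, unaffected
    P3 * P4,   # 1: shares P3 with key 4 and P4 with key 2 (batch gcd equals N itself)
    P4 * P5,   # 2: shares P4 with key 1
    P6 * P7,   # 3: unique primes, unaffected
    P3 * P8,   # 4: shares P3 with key 1
]

if __name__ == "__main__":
    for idx, (p, q) in factor_weak_keys(TOY_MODULI).items():
        print(f"key {idx}: N = {p} * {q}")
```

Two things worth noting from the code: the remainder tree must reduce modulo N_i squared, not N_i, or the quotient step would lose the factor; and a key whose batch gcd equals the modulus itself (key 1 above) is not an error but a key that shares both of its primes with the rest of the set, which is why the pairwise fallback exists.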
If you see any of us around the week after next, say hello. See you at Black Hat and DEF CON!
One year ago, we sat around a big table at the House of Blues Foundation Room in Mandalay Bay, Las Vegas, meeting with potential clients and partners and telling them the Kudelski Security story. In the United States it’s quite a short story, but the reality is that we’re just a new chapter in the decades-long saga of the Kudelski Group in Switzerland. Founded 65+ years ago by the Polish inventor Stefan Kudelski, Nagra (which means “record” in Polish) would go on to set the de facto standard in analog sound recording. Inventing one of the world’s first high-fidelity recording devices was not enough for Stefan; it had to be the most precise, true-to-sound, and reliable recording device on the market. His hard work, alongside that of his team, led to numerous industry awards, including three Academy Awards and two Emmy Awards. Yes, our trophy case has three Oscars and two Emmys in it.
The Kudelski Group has a knack for recognizing shifts in the market. Understanding that digital was rapidly overtaking analog, the Group shifted its business model accordingly. Digital content created new challenges for producers and distributors, one of which is how to protect it from piracy and theft. Kudelski began to create technology and converged systems that provided security and encryption for content and media. While the shift from analog was a major step, the core of the Kudelski Group remained the same: an engineering company.
Since then we have added physical access security and a lot of engineering and encryption technology, and in 2012, leveraging decades of experience gained from defending, monitoring, and protecting nearly 400 million devices against digital piracy, Kudelski Security was born.
Kudelski Security and the Cyber Fusion Center
Our Cyber Fusion Center (CFC) is at the heart of our cybersecurity offering. The CFC takes business intelligence, threat intelligence, and security content and merges them to produce interesting, relevant, and contextualized threat information to our clients.
The next step in our evolution was to take on the largest security market in the world, the United States. In early 2016, we started planning our new approach and how to organize our services. We looked at the state of the MSSP vertical and realized that after more than 10 years it hadn’t changed much. MSSPs were still content just trying to prevent breaches, and while that is a noble goal, it wasn’t working. Organizations were still getting breached and the rate was accelerating; something had to be done differently and with a new perspective.
A New Perspective to Deliver Different Results
We built our services around the way an attacker operates. We organized into pre-breach, breach, and post-breach pillars, each with its own set of services. We recognized that with a strong post-breach offering we might be able to become predictive in our analysis, strengthening our pre-breach and breach detection, including our Threat Monitoring and Hunting, which spans all three pillars of our strategy. We included Threat Hunting in our Monitoring at no additional cost because it’s our perspective (and the Kudelski mantra) that a shift is necessary: the MSSP world needs to be prepared for the new challenges presented by advanced adversaries.
We pay special attention to the post-breach pillar because that is where attackers spend most of their time. We added Endpoint Detection and Response and Attacker Deception to complement the business and threat intelligence we gather from our clients, and it’s working. We’ve been recognized by Gartner in their recent Market Guide for Managed Detection and Response. You might be saying “So what?”, but you should give us a look: we are one of the few pure-play MSSPs included, and the only representative vendor that provides hunting, deception, prevention, detection, and response as part of an overall post-breach strategy. We assume breach, which can be a tough pill to swallow, but it is necessary if we want to reduce the time it takes to contextualize a threat, detect a breach, and limit its impact.
For More of the Story…
There’s much more to this story that I’d love to share, but let’s do that at Black Hat, DEF CON, and BSides in Las Vegas. We’re back at the House of Blues Mandalay Bay again. I’m bringing some of the best minds in modern security with me, including Francisco Donoso, and we would enjoy talking with you about what our Cyber Fusion Center is all about and how our EDR strategy and partners can prepare your organization to face today’s most difficult threats. So, let’s meet up, either for a one-on-one meeting or at our debrief session at the Four Seasons Hotel on Monday, July 24th.
See you there!