What Happens in Vegas: Highlights from a week of Infosec Presentations and Conversations

Summer means only one thing for those of us in the security industry – a week spent in the heat and general chaos of Vegas as four infosec conferences run in parallel and tens of thousands of infosec people descend on Sin City. For the third year in a row I was one of them, and here I’ll share the highlights of the trip.

BSidesLV (Tuesday and Wednesday)

Panaseer’s presence in Vegas tends to focus on BSidesLV, which began as a BlackHat alternative focusing on tech, not vendor pitches, and attracts a large crowd in its own right. This is the perfect conference for us because of the Ground Truth track. It’s a whole track dedicated to data science in security embedded in a general infosec conference, which is a pretty rare occurrence!

Since I first spoke on this track 3 years ago, the number of attendees and variety of talk topics has grown immensely, to the point where people from big names such as Microsoft make an appearance and the room is often full, with standing room only. It’s great to see the impact and perceived importance of this field in the security industry growing.

One of the most valuable aspects of BSidesLV is the random conversations I have with other attendees. Sometimes this is people who I’ve met previously who I reconnect with specifically to get their thoughts on something as I know they’ll have a great perspective…or it might be the person next to me in the lunch queue who turns out to be an expert in identity and access management, or securing Hadoop, or any number of fascinating topics.

It’s a conference where everyone wants you to feel welcome. The amount of effort the team went to to sort out vegan food for me (and chase it down when it disappeared somewhere!) was amazing. And there was non-dairy milk for the coffee! It’s a small detail but it really makes a difference.

We need to talk about PAM

On the second day of BSidesLV I gave a talk on Privileged Access Management (PAM). PAM is climbing the security charts, coming in at no. 4 in the latest CIS controls, up from no. 5 in the previous version. It has also piqued the interest of the Board: the concept of a superuser with the potential to wreak havoc on critical business systems because you’ve given them the keys to your front door is easy to grasp.

Security teams now find themselves thrust into the spotlight, with the C-suite demanding answers while they grapple with this seemingly intractable problem. If you want to learn more about how we can reframe PAM as a data science problem, you can find me speaking at 4:05.

Takeaways

Some of the main themes that emerged from the talks I attended and conversations I had were:

  • Growing appreciation that getting data is hard and that getting this right is fundamental for a good security analytics programme.
  • An increased willingness to share the challenges with machine learning – how it’s hard to transfer to production and how it can be subverted. A refreshing antidote to the marketing hype around these techniques!
  • Interest in analysing event logs and Active Directory to look for malicious logons, lateral movement and excess permissions.

There were many, many fascinating talks, but if you only have time to watch a few I recommend the following which touch on the themes above.

  • “101 ways to fail at getting value out of your investments in security analytics, and how not to do that” – Cx0Sidekick, Ground Truth
  • “Tracking Malicious Logons: Visualise and analyse Active Directory Event Logs” – Shusei Tomonaga & Tomoaki Tani, Ground Truth
  • “Another one bites the dust: Failed experiments in infrastructure security analytics and lessons learned from fixing them” – Ram Shankar Siva Kumar, Ground Truth
  • “The current state of adversarial machine learning” – infosecanon, Proving Ground

The Diana Initiative (Thursday and Friday)

Growth is the headline at the Diana Initiative too. This event aimed at women in infosec and their allies started small last year with a borrowed suite and an afternoon of talks focusing on issues for women in security. I spoke about how we’d created Panawomen, our internal women’s group.

This year it was a full suite and two days with two tracks (as well as lock-picking, soldering and careers workshops) and the agenda expanded to include technical talks. I was pleased to return to speak about “Demystifying data science in security”. While this talk wasn’t recorded, you can see me talking along similar lines about the principles of data science in security in my previous talks at BSidesLV here and here.

It was great to see lots of Defcon attendees coming over hoping to get into talks (the Diana Initiative is an independent event and has separate registration) and kudos to the organisers who managed to issue temporary badges to meet some of the extra demand where possible. There was particular demand for my data science talk, so it’s great to see this aspect catching on even at Defcon, which is usually considered to be more focused on offensive techniques.

Some of my favourite technical talks were:

  • “IoT 4n6: The Growing Impact of the Internet of Things on Digital Forensics” – Jessica Hyde
  • “Threat Modeling Everything” – Anne Oikarinen
  • “Are you ready for the worst? Application security incident response” – Tanya Janca

I also enjoyed some quiet time by signing up for the Lock Re-pinning class with Lockpick Extreme. I learnt lockpicking with them last year, so this was the next step. It was literally the most relaxing hour of my entire trip. I also took 20 minutes out of my day on the Friday to solder a Diana Initiative badge – so satisfying! I definitely recommend finding a few activities like these to get some downtime from screens and the hectic pace of the conferences.

Defcon and departure (Saturday)

I wasn’t really planning to attend Defcon this year as, while it’s fun, when I attended previously I didn’t find it directly relevant to my work at Panaseer. However, I heard about the AI village and it seemed all the data scientists from BSidesLV were congregating there. After stopping by the Pinball Hall of Fame (best meetup location ever?!) to catch up with the Many Hats Club, I went over to Caesar’s and managed to catch a panel on the ethics of AI and a talk on how we can assess AI algorithms before it was time to head out to the airport. This is definitely one to watch for next year!

In a dramatic end to my trip, my already delayed flight was pushed back further due to a crazy dust storm that actually took out the power in the city.

Vegas – it doesn’t do things by halves!

Despite the various controversies and issues that seem to plague this week every year, I’ve always found the time in Vegas to be invaluable in terms of connecting with peers, getting new perspectives on my work and learning about emerging topics.

Are you thinking of going next year? For me, BSidesLV is still a firm favourite, but it’s now joined by newer events, the Diana Initiative and the AI village at Defcon, which are well worth a visit. I also recommend you take time to talk to speakers after their presentations, ask to have coffee with people whose work you’d like to discuss in more detail and generally chat to people (politely!) in queues, at lunch, in the elevator… There is a wealth of knowledge and, from my experience, a real desire to share it in the infosec community and Vegas seems to me to be one of the best places to join the conversation.