My Favorite Sessions at RSA Conference 2013

I attended the RSA Conference 2013 last week in San Francisco, and as usual, I saw many useful and interesting keynotes and sessions.  There were three presentations, though, that had some especially awesome content and I am excited about adding them to my toolbox. They were, in no particular order:

  • A clever innovation in malware hunting was described by Chris Larsen, from the Malware Research Lab at Blue Coat Systems. The intriguing title of his session was "Foolish Zebras: Log-tracking Your Riskiest Users to Find the Bad Guys."  "Foolish zebras" are the zebras that leave the safety of the herd to do things like explore the forest or race to be the first one to the river--where they are promptly attacked by lions or crocodiles.  In other words, foolish zebras are excellent threat locators for the other zebras. Chris noted the usual sysadmin response to web users of the same propensity is to continually build bigger and stronger fences to try to protect them.  The problem is, the foolish web-zebras keep breaking through the fence. So instead of cursing at the habitual clickers while he piled on yet another defensive layer, Chris instead recognized the value in them as highly effective malware finders. He described a process he developed to track the most foolish zebras in his network (who remain anonymous) to see where they go the most often, and it turns out they almost always encounter new malware as a result.  By "radio tagging" the most prolific malware finders he can quickly locate and characterize that malware, often ahead of more traditional locator methods.
  • I spend a lot of time trying to communicate risk, so the Structured Threat Information eXpression (STIX) project, presented by Sean Barnum, a Cyber Security Principal at The MITRE Corporation, was facinating. STIX is a relatively new collaborative community-driven effort to define and develop a standardized language--not a tool or framework--to represent structured cyber threat information. STIX address the main problem right now in cybersecurity information sharing: many constructs, taxonomies, and tools are currently used to describe pieces, such as the Common Vulnerability Scoring System (CVSS), but until recently no good way existed to consider all those pieces together, nor is there away to uniformly communicate your results.  Sean showed how STIX brings all that together with a common language, that is both human and machine readable, for all to share this information.  You can learn more about it and participate in the project by going to
  • The big risk picture was the subject of "Extreme Cyber Scenario Planning & Fault Tree Analysis," presented by Ian Green, Manager of Cybercrime and Intelligence at the Commonwealth Bank of Australia. Ian presented a very comprehensive system his team developed to represent the entire scope of risk in his org to better inform cyber risk management activities. The system uses carefully qualified measurements for each risk parameter, threat, consequence, vulnerabilities, and controls.  I was very happy (and surprised) to see they used Intel's very own Threat Agent Library for the threat analysis portion, but I was also very impressed with their taxonomy of control characteristics and how they use that to demonstrate which areas most need attention.  It very clearly shows the relative strength of each control and how well (or not) each asset is protected by those controls.  They have started an online project that will open shortly to encourage community collaboration to develop common attack trees to enhance and accelerate cyber risk assessments.  Hmm, wonder if that will fit into STIX?  Probably will.

Connect with me on twitter @timcaseycyber