Tuesday, March 27, 2007

SecureWorld Boston

I attended SecureWorld Boston this month. I'm a little late in posting about it, but here are my thoughts.

  • The conference in general was not particularly high-tech. I know it's not intended to be a Black-Hat-style cutting-edge techie event, but I still would like to see a presentation or two where I can learn something I don't already know from a technical standpoint.
  • The very first thing I did there was to drag an old co-worker over to see a demo of CORE Impact. I believe that is hands-down the coolest product going in the security space. It's hard for organizations that don't specialize in pen-testing to justify the price tag, but it sure is nifty. (I am 100% green with envy at the developers who get to write exploits for CORE Impact as a full-time job.)
  • I spent some time chatting with the Feds. I don't think they realize how in awe most of us IT folks are of their position. Their cybercrime people have a tough and thankless job, that's for sure.
  • In making the rounds of the vendor booths, I came across two products that I wasn't familiar with that impressed me.
    • BeyondTrust Privilege Manager allows you to granularly assign administrative rights to users. So, where previously you would need to give a user full admin rights to his PC to install or run certain applications, you can now set that account to run as a normal user with elevated privileges only for specific applications. You can manage rights from a central console, and you can assign privileges either by workstation or by username (a huge benefit in an environment where users log onto and share multiple workstations). I'm not sure how much of this you can do with Windows out of the box, not being much of a Windows guy myself, but it seems like something that any organization could benefit from.
    • LogLogic is a log management/SEM product, and the thing that really struck me about it was the interface. I've used Network Intelligence Envision, as well as Splunk, and I find them both difficult to get useful information out of because the interfaces are a pain to work with. LogLogic looks simple, attractive, and to the point. Every question I could come up with was met with "yes, we do that"; it seems like a full-featured, if pricey, solution.
  • I accidentally found myself in a panel on IP-based video surveillance. (I got the room number I was looking for wrong.) When I realized I was in the wrong room, I decided I would stay and possibly learn something about an area that I know little to nothing about. The major thing I took out of the panel was that there seems to be little to no thought given to the data security side of putting a bunch of new endpoints on the network (cameras, DVRs, etc.). It may just have been that there wasn't enough time to get into that... I found that the panels in general were too short to get any kind of depth on their subjects.
  • I also attended a panel on compliance, specifically about whether IT should own it or not. Again, there wasn't enough time allotted to get into any kind of depth on the subject, but I think the answer, as expected, was that nobody really knows. Certainly we don't WANT it, but where else is it going to go? More to the point, I think there are too many aspects to compliance to call it an "it." There are technological and procedural controls that need to be designed, implemented, tested, and validated, and I really believe it involves defining the steps involved in all of those in detail to find the best places to put them.
  • There were a couple of sessions that discussed things like business risk and asset value, basically "how do we justify the money that goes into security?" As IT people, we are still not used to tackling the question of value from a risk perspective. (At least, I'm not, and I don't think I'm alone.) A good, solid, simple methodology that allowed us to get in the ballpark without wasting hundreds of hours in meetings across the organization would go a long way.
  • And I got a new laptop backpack, thanks to Michael Ford's encyclopedic knowledge of geek movie trivia!