Quite frankly the keynote alone was worth the price of admission. However, I did see some other presentations. As I mentioned earlier, being more of a manager these days I focused less on some of the splashier briefings and drifted towards those on a more managerial track. The first I caught was by Patrick Reidy, formerly the CISO of the FBI. I was partial to this speech because I had worked with Patrick before and I was really curious what he had to say.
Patrick’s presentation centered on lessons learned at the FBI concerning how to combat and detect insider threats. Patrick homed in on some interesting points. He noted that you can’t use traditional IDS to track or detect an insider. He also noted that simple base lining and assigning equal value to all actions would fail to identify insider based anomalies. His solution was to analyze the history of insider breaches at the bureau and other organizations. He used that information to create a different baseline. Interestingly, he was very candid about the initial failures of the monitoring system the bureau initially setup. He stated that only when they clearly defined what insider threat was and the actions that an insider would take did they stand a chance of detecting them.
Even more interesting was his ultimate conclusion that detection was not the most effective approach. After a few years, Patrick finally settled on what he called “positive social engineering”. This basically consisted of a combination of training users and reinforcing positive behavior. The Data Loss Prevention (DLP) software installed on user’s computers was used to provide warning to users who were moving sensitive data. He noted a significant drop in incidents once the staff was forced to acknowledge the transfer of sensitive data through the DLP notification system.
One other interesting piece of information he provided was an Insider Threat Kill Chain. This model differs from the traditional model Lockheed Martin created. It covers Recruitment, Search & Recon, Acquisition and Exfiltration. Creation of this insider threat kill chain was necessary in the development of detection strategies. The most impressive part of the presentation was the admission of failure, rethinking of strategy and research that went into developing a successful insider threat program. On a side note there was an awesome moment of levity when Patrick showed a slide that said a kitten dies every time someone mentions BYOD. I’m not a fan of BYOD either.
I also sat in on “Practical Attacks against Mobile Device Management Solutions”. Like I said, I’m not a fan of BYOD. However, like just about every other security professional I have to deal with it a work. This talk identified some serious flaws with the majority of major device management solutions used for BYOD. If you use Airwatch or Good yes, they were talking about you. The vulnerability centers on the fact that despite having encrypted partitions, at some point the data needs to be decrypted and presented. At that point the data can be intercepted and extracted. Given the fact that just about every major smart phone platform has at least one vulnerability that can be exploited for root access. It’s not farfetched. The talk noted that after a phone had been rooted it was trivial to either extract the data from memory or from storage after it had been decrypted.