Monday, June 2, 2008

TechnoSecurity Day 2

Today was much more interesting, probably because I was a bit more alert.

I forgot to mention that I finally got to meet Christopher Brown of Pro-discover the night before. Chris is a great guy and if you haven't had a chance, pick up his book. We discussed the difficulty he had with publishers and how the book as a result has not received the marketing and advertising it deserves. If you don't own the book, buy it. It's a good read with a lot of fantastic information.

I had the pleasure of meeting and having dinner with Matt Shannon from F-response today. Matt is a real stand-up guy and if you're down at the con, stop by the booth and see the demo if you haven't checked out his videos. We chatted quite a bit today about a wide range of topics and while at the booth I thought it was very interesting to watch the reactions of people checking out F-response. You could literally see the lights turn on as investigators and consultants watched the tool at work. Some people just get it. I'll be back by the booth at various times tomorrow, and if you're at the con, stop by and say hi. I'm always interested in meeting people, especially anyone that reads this blog. Speaking of which I finally met Christine of E-evidence.

Conference talks:

I started off in Joe Stewart's presentation about analysis of the storm worm. Wow, this was a really geeky but interesting talk. Lots of hex, lots of details about the various protocols and encryption used by storm variants. Joe wins points in my book as being the ONLY presenter I've seen so far at the con using Zoomit to show fine print during a presentation. Word to the wise for other presenters, learn and use this tool if you're showing small font text in your talks. I can't tell you how frustrating it is as someone in the audience when you hear "You probably can't see this very well"... If the audience can't see it, then don't show it. No takeaways here other than geeky tech details and perhaps some research opportunities.

Next I scooted to a talk by Y12. I'd never heard of Y12 before this conference. They do some pretty interesting things which while interesting is just scary at the same time (think nuclear energy). The talk was interesting and I have one takeaway when it comes to operational testing of security technologies (presentation topic).

Government agencies need to share more information. If I am a corporate consumer of security technologies, specifically physical security and someone has done operational testing of the product, then I want to know about it, and the results before I purchase. Y12 stated that there are currently NO testing standards or even guidelines which I found alarming, especially coming from their group. When I asked, they suggested that they may release their own best practices for others to work with, but of course no promises of sharing information. I love the government.

Get your products to testers early on in the development process.

I next attended Anthony Reyes' presentation on international incident response challenges. This talk was interesting even though I skipped out early. He shared some good information on what to look out for in an international investigation, even if it's an internal corporate investigation.

two takeways:
Does your Incident Response Plan Consider international regulations?
Does your IR plan consider international geographic locations?

The talk I skipped out to see was poorly attended and more of a showcase for netwitness. So...I quickly jumped next door to a fantastic talk.

Michael Cahoon of Sandia Labs shared some warstories and wisdom from Sandia's experiences. Fantastic stuff. I can refer to the Counter Insurgency Field Manual as a basis for his talk. Consider if you will the Intelligence Planning of the Battlefield. This is absolutely vital when looking at your own environment, especially when analyzing all of the data and the operational environment. You can begin to identify your threats and the necessary actions required to deal with that threat. This talk was just great and I will likely have quite a bit to say about the contents at a later time.

Thoughts of the day:
Why did Vantos have a chixor dressed like a stripper cop at their booth? I may never understand this.
Don't make me come to a conference to hear your sales pitch disguised as a presentation. If I want a sales pitch, I'll stop by your booth or call your sales team. I look for useful information at talks, not sales pitches.
Fantastic crime scene photos at the ECTF booth. Very illuminating photos. The Paraben booth took a good approach of having a mock crime scene in which you had to identify all of the sources of potential evidence.

Accessdata...Wow what can I say? They've released a lackluster product in FTK 2.x, essentially called their customers morons in an email by shifting the blame to the customer for their own failures and they weren't exactly very friendly to many folks at the conference as far as I could tell. Not exactly the approach I would take from a business standpoint.

A lot of people have mocked them as overly expensive drill presses but this EDR product is impressive. They had a few of them at their booth doing live demonstrations. Some folks are required by various contracts to be present during drive destruction and this is one of those devices that I would ask to operate because it's fun to press the button on the remote. Check out the pile of destruction! I think I'll ask them for a destroyed drive as a souvenir tomorrow.

Tomorrow will be my final day at the conference. Should be another interesting day.


Keydet89 said...

If I am a corporate consumer of security technologies...

However, everything in the corporate world begins and ends with the bottom line. Why should I evaluate/test a product, spending money to do (and possibly consuming other resources) only to give it to you for free?

Come on, dude...guys like me who generate revenue for corporations don't get to attend conferences such as this one, b/c it takes away from the bottom line, without adding to it [note that this is the short-view...]

hogfly said...

True, however they [Y12] are a part of the Department of Energy. It would be like NIST not releasing the computer forensics tool testing reports.