Aug 28, 2013

Key Learnings From the UNITED 2013

In today's Whiteboard Wednesday, Patrick Hellen, our fearless community manager will discuss the key learnings from the UNITED 2013 conference. UNITED was our customer focused conference that took place in Boston last week. Learn about the major problems that security professionals have in their day to day jobs and learn about the new products that we have come out with to help solve these problems.

Read Video Transcript

Hi everyone. Welcome to Whiteboard Wednesday. My name is Patrick Helen; I am the community manager here at Rapid7. This week, we're going to be talking about the key takeaways from UNITED 2013. For those of you who don't know, UNITED is a security conference that we put on for our customers now. The UNITED itself stands for Using New Ideas to Empower Defenders. What we're going to go through this week is 4 points that we felt were excellent takeaways from the conference itself, both brought up by speakers of the conference, as well as general discussions that we had at the conference that we thought were pretty impactful to the everyday world of security.

Starting off, a paraphrase from our CEO, Corey Thomas: Security is something that must be practiced daily. It's no longer a situation where you've got a 'set it and forget it' mentality, we're not looking at your basic AV programs that your parents are running that you hope captures everything. Security and good security is something that you have to adapt and model against the attackers. Make sure it's something you're paying attention to, not on a yearly basis, but an every-single-day basis to make sure that you have the best tools in place and the best scenarios in place to protect yourself.

Number 2: One of our speakers, actually, our opening keynote speaker, Hugh Thompson, spoke about the fact that in reality, the average security practitioner, someone that is practicing every day, thinks differently than everybody else out there. The example he used, which I found actually hilarious, is that a flight he took from San Francisco to London. About a few minutes into the flight, they found that they had trapped a bird onboard the flight; a live bird fluttering around the cabin, scaring the living everything out of everybody onboard. What he put out there is there's two types of people, really, that reacted to this story when they first started telling it. The first type is generally the majority of people, in that telling them that there was a bird trapped on a transatlantic flight, their first reaction was "Oh, my God. Is the bird okay? Did the bird survive?" The second type was more of the security practitioner mindset, in which their response was generally, "If you can get something bird-sized onto a plane and no one notices it, then maybe you could create some robotic drone with a small payload of explosives." You generally see where I'm going here.

Thinking about it from a standpoint of the average security practitioner, it's always looking for the model that you have to protect against in the worst-case scenario. Having that conversation with the people that were at UNITED was incredibly eye-opening for a lot of people, in that they realized that the average security researcher is looking at things in a significantly different way than John Q. Public.

Number 3: This incredibly charming-looking fellow is actually me. I did a quick talk at UNITED about my own personal viewpoint on security, which is 'One of us is not nearly as smart as all of us.' As I said before, I'm the community manager here at Rapid7, so I do run a full community of people that help each other to be more secure. They help each other with questions, with scenarios, best practices, and various other things. That level of collaboration allows everyone to be more secure. If you're in a situation where answering someone's question, helping them with a scenario they're trying to plot out; even if it's someone who doesn't have a lot of security researcher experience or security front-line experience, they're in a position whereby helping them, you're making it that much harder for the average attacker to gain access to a system that might have connections to your system, everyone else's system, banking systems, or whatever it might be. That rising tide mentality; if we make the least skillful among us better, then the average least-skillful attacker has a lot more work to do before it can actually penetrate and work on a general network.

Finally, 'there's no silver bullet; mentality, which was one of the things that we heard over and over again, both from speakers and from attendees. This is a werewolf and this is the 'no silver bullet'. The discussion pretty much was "What's the most common tool that everybody uses for security"? The answer was Excel, which is not ideal for any security scenario that you're putting together, mostly because you're just parsing data. Our discussion was that the small 1-man security teams that are out there, all the way up to the huge multinational enterprise-level security teams that are working on huge government projects, whatever it might be. If they're using Excel as their common tool, that's fine. There's a lot more movement in the market right now that allows us to have things like a Mobilisafe product. If you're a multinational corporation and you have Blackberrys that you hand out to everybody, it's not as much of a big deal. If you're a tiny shop and you can't afford to buy those devices then guess what? Everyone is bringing in their own Smartphone. You have to worry about the latest Apple releases, you have to worry about everything that is going on with Android and how unlocked-down it is.

Then if you expand that to our 2 new products that we announced at UNITED, Controls Insight and User Insight, we're looking at this scenario to say, "You know what; there is no 'one size fits all' tool. It really is an individual corporation or person-by-person security stance that we have to look at? For one company, having something that looks at their controls and looks at what they're doing for that security side of the house, that might be the best solution for them, in addition to your average vulnerability and firewall, and whatever. For someone else, if someone's in a corporation that's doing a lot of travel to some nondescript Asian country that starts with a C; that person has a scenario, where if you have something like User Insight, you can check to see where they're logging in from. If you see them logging in from Brooklyn and then tomorrow they're logging in from Beijing, you know you might have a problem, considering they didn't on a flight yesterday.

Those are our Top 4 key takeaways from UNITED 2013. As I said, I'm Patrick Helen; the community manager. That's me. If you have any other questions or if you want to talk to us more, feel free to reach out.

New Product - ControlsInsight

Assess, harden, and monitor your security controls with ControlsInsight

Download Now