Tenable's Ron Gula, Paul Asadoorian, and Jack Daniel spoke at the recent BSides Rhode Island security conference. Here's a synopsis and videos of their talks.
My Bucket List
Some people create a bucket list, things they want to do in their lifetime, and fill it with activities such as travel and bungee jumping. One item on my bucket list was to organize and host a security conference in my home state of Rhode Island (RI). I've attended and spoken at several conferences in the past and had some ideas about how I might like to organize my own event. I knew I'd need help organizing the inaugural BSides Rhode Island conference, so I turned for help to a couple of folks here locally and to the Security B-Sides organization.
BSides is a collection of security conferences, the larger ones running alongside major security conferences and smaller events all over the world. Tenable Network Security supports many of the BSides conferences, and one of our own employees, Jack Daniel, is a co-founder and organizer of the BSides conferences.
Our approach was twofold: we wanted one day where anyone could submit a talk through an open call for papers, and one day where we, the conference organizers, hand-picked the speakers and influenced the topics. BSides RI was held June 14-15, 2013, and it was a resounding success.
Tenable Sponsorship and Talks
Tenable was a sponsor of the BSides RI event (kindly providing some free t-shirts sporting the new Tenable logo and a custom BSides logo, as well as tote bags for all attendees). Three Tenable employees, including myself, gave presentations.
Our very own CEO and CTO, Ron Gula, presented a talk entitled "Future Trends in IT Security." Ron discussed several of the new and exciting ideas surrounding security and vulnerability management in our field. Ron went through five major points: scanning daily, focusing on attack readiness, fixing daily, grading personally, and holding managers accountable. If you're looking to improve the security of your organization, and especially if you're frustrated on any level with your progress, Ron's talk is a must-watch.
On Saturday of the conference, I presented on security failures and potential solutions. Unfortunately, my presentation wasn’t recorded. However, I described three major problems we’re facing: 1) Embedded systems insecurity, 2) Data breaches, and 3) Patch and vulnerability management done incorrectly. Number three is an area where Ron, Jack, and I frequently overlap with our definitions of the problems and solutions.
Jumping right to the solutions portion, I provided people with a seven-step process to implement vulnerability management:
- Define your policies and procedures: Perhaps one of the most important steps is to outline how security will be implemented in your environment (policy) and then write a more detailed description of how that will be carried out day to day (procedures).
- Work with administrators to develop a plan to stay compliant, including change control: Working with developers and systems administrators is key as they will be the primary folks implementing security.
- Implement the plan to harden and control systems: The two most important things to accomplish are to create a hardening guideline for all of your systems and applications, and then back that up with a solid change control plan.
- Scan your environment: This is where tools, such as Tenable's Nessus, Nessus Perimeter Service, and PVS, come into play.
- Distribute the results to people who can fix the problems: I find this step missing in various organizations. While the security folks effectively use the available tools to find vulnerabilities, there are typically additional steps and procedures that must be created to get the results to the appropriate parties.
- Fix the problems: Once the responsible parties have the results, they must have their own procedures, and incentives (Ron spoke about providing incentives in his presentation), to fix the problems.
- Repeat steps 4-6 on a regular basis: This is the big one. You have to do steps 4 through 6 every day (as Ron suggested). Environmental changes happen constantly, especially in virtualized environments.
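Steps 5 through 7 are where the process usually breaks down, so here is an added example (not code from the post, from Tenable, or from any of the tools named above) of the glue that routes scan findings to the people who can fix them and flags what is overdue against the SLA set in step 1. The findings, the host-to-owner map, the SLA table and the run date are all constructed for illustration; a real version would read scanner export files and an asset inventory instead.

```python
"""Route scan findings to their owners and report what is overdue (steps 5-7).

Added example, not code from the post or from Tenable. The findings,
owner map, SLA table and run date below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed scan output, one finding per (host, plugin), shaped like what a
# scanner such as Nessus would produce after step 4.
FINDINGS = [
    {"host": "web01", "plugin": "Outdated OpenSSL", "severity": "Critical", "first_seen": date(2013, 6, 1)},
    {"host": "web01", "plugin": "HTTP TRACE enabled", "severity": "Medium", "first_seen": date(2013, 5, 20)},
    {"host": "db01", "plugin": "Unpatched kernel", "severity": "High", "first_seen": date(2013, 6, 10)},
    {"host": "cam07", "plugin": "Default credentials", "severity": "Critical", "first_seen": date(2013, 4, 2)},
]
# Assumed host-to-owner map, maintained under the change-control plan (step 2).
OWNERS = {"web01": "web-team", "db01": "dba-team"}
# Assumed remediation SLA in days per severity, set by policy (step 1).
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
# Constructed run date for the daily report (step 7).
TODAY = date(2013, 6, 15)


def route_findings(findings, owners):
    """Group findings by responsible owner. Hosts missing from the inventory go
    to 'unassigned' so inventory gaps are visible instead of silently dropped."""
    queues = defaultdict(list)
    for f in findings:
        queues[owners.get(f["host"], "unassigned")].append(f)
    return dict(queues)


def overdue(findings, today, sla_days=SLA_DAYS):
    """Return the findings still open past their severity's SLA on `today`."""
    return [f for f in findings
            if (today - f["first_seen"]).days > sla_days[f["severity"]]]


def daily_report(findings, owners, today):
    """Per-owner queue size plus the overdue items; meant to run every day."""
    queues = route_findings(findings, owners)
    return {owner: {"open": len(q), "overdue": [f["plugin"] for f in overdue(q, today)]}
            for owner, q in queues.items()}


if __name__ == "__main__":
    for owner, summary in daily_report(FINDINGS, OWNERS, TODAY).items():
        print(owner, summary)
```

The `unassigned` queue is the signal that the asset inventory from step 2 is incomplete; in this constructed data it is the embedded camera that has had default credentials for months, which is exactly the embedded-systems problem discussed above.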
Jack Daniel presented some tips, tricks, and techniques for giving better presentations. I believe this is important to all our audiences, whether you’re a seasoned conference speaker or working in the security field at any level. I've given several presentations in the past, and I learned some valuable tips and tricks about presenting. This is also a very informative presentation for those who are communicating security to upper management.
We are looking forward to putting on BSides Rhode Island next year. In the meantime, you can check the Security B-Sides website for a complete list of upcoming BSides conferences happening all over the world. This July, Tenable is sponsoring and will be in attendance at the largest security BSides conference, BSides Las Vegas. Come by and see us!