Posted November 21st, 2011 by rybolov
So while I was at some conferences over the past couple of months, I had an awesome idea while sitting in a panel about data breaches, especially notification. While streaming conferences is pretty awesome for most content, I keep thinking that as an industry we need the exact opposite: a track of the conference that is completely off-the-record.
Here in DC when we do smaller training sessions, we invoke the Chatham House Rule. That is, the discussion is for non-attribution. There are several reasons behind this:
- You don’t have to worry (too much, anyway) about vendors in attendance selling you something
- It won’t end up in the press
- It gets real information to people instead of things that are “fit for public consumption”
My local area has a hackers association (No linkie, if you have minimal skill you can find it) that meets to talk about mostly technical stuff and what folks are working on. I find that more and more often when I do a talk there I do it “Off the Record” for a wide variety of reasons:
- I don’t want the attackers to get more effective
- I have half-baked ideas where I want/need feedback on if they are completely off-base
- The subject matter is in a legal gray-area and I’m not a lawyer
- I talk “on the record” all day every day about the same things
- I can “test-drive” presentation material to see how it works
- I can show nuts and bolts
So, the point of all this is that maybe we need to start having more frank discussions about what the bad guys are doing “in the wild” if we want to stop them, and that involves talking with peers from other companies inside the same industry to see what they are getting hit with.
Chatham House Rule photo by markhillary.
Posted in Public Policy, Speaking, What Doesn't Work, What Works | 3 Comments »
Tags: government • infosec • infosharing • security • speaking
Posted December 16th, 2010 by rybolov
My DDoS presentation at DojoCon on Sunday. A big thanks to Marcus J Carey for organizing the con and Adrian Crenshaw for doing the recording.
Posted in Cyberwar, Speaking, Technical, What Doesn't Work, What Works | 2 Comments »
Tags: ddos • infosec • operationpayback • pwnage • scalability • security
Posted October 12th, 2010 by rybolov
I’ll be speaking at Akamai’s Government Symposium on November 10th on the security of our platform and incorporating us into a Government IT environment: risk management, regulation, compliance, and delineation of responsibilities. If you’re interested in Web Security, Government, FISMA, and/or Cloud Computing, it should be something of interest to you. Even if you’re working in State and Local Government, there will be something of interest.
Event page is here.
Disclaimer: obviously I work for Akamai. Nothing I blog about represents the official position of my employer. From time to time, Akamai even claims me. =)
Posted in Risk Management, Speaking | 1 Comment »
Posted September 29th, 2010 by rybolov
My talking schedule over the next couple of months:
October 25-27: SecTor in Toronto, talking on DDoS and a turbo talk on some of my barcode stuff.
November 8-11: AppSecDC in um… DC, talking on the internal security program for a cloud vendor.
And coming to you, if you give me a call. =)
Posted in Speaking | No Comments »
Tags: barcode • cloud • cloudcomputing • ddos • management • security • speaking
Posted August 13th, 2010 by rybolov
Metricon 5 was this week. It was a blast; you should have been there.
One of the things the program committee worked on was more of a practitioner focus. I think the whole event was a good mix between theory and application and the overall blend was really, really good. Talking to the speakers before the event was much awesome as I could give them feedback on their talk proposal and then see how that conversation led to an awe-inspiring presentation.
I brought a couple security manager folks I know along with me and their opinion was that the event was way awesome. If you’re one of my blog readers and didn’t hunt me down and say hi, then whatcha waitin’ for, drop me an email and we’ll chat.
You can go check out the slides and papers at the Security Metrics site.
My slides are below. I’m not sure if I was maybe a bit too far “out there” (I do that from time to time) but what I’m really looking for is a scorecard so that we can consciously build regulation and compliance frameworks instead of the way we’ve been doing it. This would help tremendously with public policy, industry self-regulation, and anybody who is trying to build their own framework.
Posted in Public Policy, Speaking | 1 Comment »
Tags: catalogofcontrols • certification • compliance • government • infosec • infosharing • law • legislation • management • publicpolicy • security • speaking
Posted May 17th, 2010 by rybolov
This was announced a couple of weeks ago (at least 9000 days ago in Internet time) so now it’s “old news” but have a look at Metricon 5.0 which will be in DC on the 10th of August.
It’s a small group (attendance is capped at 60), but if you’re managing security in Government, I want to encourage you to do 2 things:
- Submit a paper!
- Attend and learn.
I’ll be there doing a bit of hero-worship of my own with the Security Metrics folks.
Posted in Public Policy, Speaking | 1 Comment »
Tags: government • infosec • infosharing • management • metrics • publicpolicy • security • speaking