Ahmed ElAshmawy from Axenic recently attended the Australian Information Security Association (AISA) conference – in our latest blog post he shares his experience and key insights.
It was my first time this year to attend the AISA conference in the Melbourne convention center and I must admit that I loved it. I presented a half-day incident handling tabletop exercise on the 10th of October. The feedback was amazing, and the participants were among the best groups that I’ve ever had in such exercises.
The exhibition, alongside the conference, was full of vendors, service providers, etc. (almost 100 exhibitors), not my favourite part although it may be for some attendees. I really enjoyed some sessions and to follow is a short summary of some of the best talks I attended:
Brian Krebs session on popular misconceptions about security and cybercrime was music to my ears. In addition to his top 4 security tips, it really clicked when he said: “check your assumptions”. He noted that businesses should check their assumptions about being “secure” as the number of infiltrated organisations, that don’t know it, is staggering. He also added that if your organisation’s management does not believe that there is still a good chance that their environment is going to be infiltrated even though they spend millions annually on security, then go find another job.
He literally said: “BTW, if that describes your situation, seriously go find another job. This is a great time to be employed in cybersecurity, there is a lot of competition for people who know what they are doing”. My favourite among his top 4 security tips was the one about exercising data breach response; his direct quote was: “get lots of [breach response] exercise, you don’t want to do that for the first time when it’s the real deal! It is important for organisations to drill their breach response”.
Another highlight was the SANS session on exploring the DevSecOps Toolchain, where Eric Johnson provided his insights into the breakdown of DevSecOps phases and the security controls at each of the phases. It was reassuring to see that what the team at Axenic has been advising our clients around adopting an Agile approach, follows the same model Eric presented. His list of mostly open source tools was extremely useful. Here is a link to the SANS poster that summarises it all
The thing that I enjoyed most, for obvious reasons, was presentations that discussed incident response beyond being a technical problem. This is a topic that I am particularly passionate about. Stephen Moore, VP, and Chief Security Strategist at Exabeam, delivered an excellent talk titled “Pain and fortune on all sides; rapid leadership development and career management before, during and after an earth-shaking breach”. He had interesting lessons learned to share from his own experience after being through an incident where he was six levels below his organisation’s top management and how he was suddenly asked to report directly to the executives and board. In addition to his jokes about gaining authority as well as body weight, his most interesting advice in talking to executive and board level was to speak low and slow, and pause a lot. He said: “important people always pause”. Now visualise Obama speaking; voila. His advice got me interested and I started searching “the importance of the pause”.
VP and CISO of DocuSign, Vanessa Pegueros, also outlined in her talk about how we can no longer hope that we will prevent security incidents and that we should expect and plan for them. While it is important to have the right tools and technologies in place, it is equally important to be prepared as an organisation to deal with such events. Again, music to my ears, Vanessa reiterated the importance of practicing incident handling and strongly recommended doing that once every quarter. She also highlighted the importance of managing team stress and fatigue while responding to incidents. Her Fitbit graph showing heart rate before, during and after the incident was extremely interesting.
Overall a great few days in Melbourne and I am looking forward to #AISACYBERCON19.
For more information on the 2018 AISA conference or information security and privacy in general, feel free to get in touch.
Principal Consultant, Axenic