It's RSA Conference time again, and there are some interesting talks going on this year at Moscone Center and at BSides SF. These are the talks that I and the general MLSec Project community will be attending and commenting on during this very busy week in San Francisco.
Without further ado, here are our picks categorized by areas of interest. Please note we are purposefully excluding Panels and Sponsored Talks. I will probably attend some Panels so I can ask some tough questions, but I'd rather not give anyone the heads-up. :)
Anything we missed? Let me know on Twitter!
DNS Spikes, Strikes, and The Like - Thomas Mathew (OpenDNS) - BSides SF - Sunday, April 19 • 12:00pm - 1:00pm
I have not met Thomas yet, but the OpenDNS Labs folks usually put out interesting research on the data that they have (and it is a lot of data). At first glance, it looks like an intro piece on unsupervised learning and clustering for DNS data. However, the mention of "it's not all as it seems on spikes" will probably generate an anecdote or two that should inspire feature building for DNS classifiers.
No More Fudge Factors and Made-up Shit: Performance Numbers That Mean Something - Russell Thomas (Large Financial Firm) - BSides SF - Sunday, April 19 • 12:00pm - 1:00pm
Russell has been doing a lot of interesting work in taking the "witch doctoring" and "cargo culting" out of security metrics generation. This time, it seems he is presenting his TSS (Thomas Scoring System) with associated examples and code/tools in Excel and R to help you roll your own. I think Russell's work is great, but I don't really understand it all that well (math is hard), so maybe this is the one talk that helps me make his ideas actionable.
Analyze This! - Aaron Shelmire (E8 Security) - BSides SF - Sunday, April 19 • 4:00pm - 5:00pm
E8 Security is a "security analytics" vendor that is still partially in stealth (and by stealth I mean I have not figured out what exactly they are building yet). It should be interesting to peek at their interpretation of what these analytics should be. Aaron comes from a security background, not a "big data" background, so the insights he presents might actually be actionable and relevant. I am looking forward to attending this talk and meeting him.
How to Lie with Statistics, Information Security Edition - Tony Martin-Vegue (Large Global Retailer) - BSides SF - Monday, April 20 • 10:00am - 11:00am
Data misrepresentation talks are always fun. Everybody has a few of these when they do a data analysis talk, and going through a presentation with a lot of these examples should be a good way to start your RSAC week with a lighter tone. I haven't met Tony yet, but I am looking forward to watching his talk.
Structural Entropy Analysis for Automated Malware Classification - Glenn Chisholm and Mike Wojnowicz (Cylance) - RSAC - Tuesday, April 21, 2015 | 3:30 PM – 4:20 PM | West | Room: 3018
Wow, an actual Machine Learning talk; I can't contain my excitement. I hope they spend some time on more than just entropy as a feature for malware classification, because that has been a known technique for a while. It will be cool to get a glimpse under the hood of Cylance, because as far as I can tell, they have been legitimately trying to push the malware classification envelope.
Apologies to Sean for missing this on the first pass, but it looks like this will be a fun talk about the pitfalls of trying to automate too much security without really understanding what you are trying to do. It should be an interesting mix of anecdotes about failed miraculous products that Yahoo! has evaluated over the last year or so, sprinkled with some honest "human hunting" techniques, describing what the actual "anomalies" are that these vendors should be paying attention to. If they are smart and want to improve their products, they will be in the audience taking notes.
Lessons Learned from Building and Running MHN, the World's Largest Crowd-sourced Honeynet - Jason Trost (ThreatStream) - BSides SF - Monday, April 20 • 4:00pm - 5:00pm
MHN is arguably one of the easiest honeypot deployments out there, and Jason has been doing a great job assisting its community and getting more and more sensors out there. There should be a few interesting morsels about their analysis of the data they are collecting from the MHN users, as well as some good distributed systems architecture tidbits, which are sorely missing in security talks in general.
Vulnerability Management Nirvana: A Study in Predicting Exploitability - David Severski (Seattle Children's Hospital) / Kymberlee Price (Bugcrowd) / Michael Roytman (Risk I/O) - RSAC - Friday, April 24, 2015 | 9:00 AM – 9:50 AM | West | Room: 2018
This is a dream team of Security Data Science coming together to talk about some very interesting metrics on vulnerability scoring. They have all been doing interesting work on this subject independently for the last few years, and them getting together to build a predictive scoring model is really exciting.
Before and Beyond the Breach: New Research in the 2015 DBIR - Lots of Verizon People - RSAC - Tuesday, April 21, 2015 | 3:30 PM – 4:20 PM | West | Room: 2002
This is the obligatory DBIR talk of the year, with the brains behind the magic talking about it all. This also means they will probably release the DBIR before RSAC begins, so if anyone is participating in the DBIR Puzzle Contest, you had better set some time aside for it during the conference.
The great minds who brought us the "Data-Driven Security" book, blog and podcast (disclaimer: I am an occasional guest on the podcast) have put together a talk outlining examples and practical use cases for Data Science in security. If you can't make it on Tuesday, they also have a repeat session on Thursday. This either means this talk is very good, or that they used their DS powers to game the talk selection process.
We're Gonna Need a Bigger Boat - Alan Ross and Grant Babb (Intel) - RSAC - Friday, April 24, 2015 | 9:00 AM – 9:50 AM | West | Room: 2014
A Hadoop- and analytics-focused talk that sadly drew the short straw and got stuck in an early Friday slot. But I would get up for large-scale netflow analytics combined with other telemetry sources. Hopefully this will go beyond unsupervised methods.
Understanding Threats Using Big Data and Contextual Analytics - David Dufour (Webroot) - Friday, April 24, 2015 | 10:10 AM – 11:00 AM | West | Room: 3006
It looks sales-y at first glance; the "deep data correlation" gives it away, in case you are wondering. But they did tag it as Advanced, so I feel compelled to sit through it, if only to give it a bad rating when it becomes a sales pitch.
Most of the Threat Intelligence talks are either panels or read like the output of a Markov Chain generator that used the Information Security Platitude Handbook as source material, so I will probably skip most of those, but I would like to point out the one I will definitely attend.
Threat Intelligence is Like Three-Day Potty Training - Rick Holland (Forrester) - RSAC - Tuesday, April 21, 2015 | 2:20 PM – 3:10 PM | West | Room: 3005
Rick has a very complete understanding of the Threat Intelligence marketplace, and he will present a maturity model to help people understand how they should navigate this space. The threat intelligence market is highly unregulated right now (i.e., anything the vendors say goes), and Rick is one of the few who is actually trying to organize and set some structure around what customers should expect and request as they build or buy their TI capabilities.