BSides Orlando 2024: Insights, Innovations, and Security Adventures
Orlando, Florida, is one of the most visited places on Earth, partly because it is home to Disneyland, which is roughly the same size in land mass as San Francisco. It is also unique geographically, as it is made up of over 100 lakes. This same spirit of many travelers coming together, connecting many things into one, made it the perfect backdrop for a security event that brought together professionals and students with a wide range of backgrounds: BSides Orlando 2024.
Established in 2013, this year marked the most prominent BSides Orlando yet, with over 500 attendees attending two days of workshops and talks from industry experts. There were also multiple villages, helping people get a handle on progressing through the multiple avenues security can take you. Partnering with the host venue, Full Sail University, BSides Orlando was able to grant multiple $5,000 scholarships to students who participated in the event, making this a truly unique event helping people along their career paths.
Here are just a few highlights from this 11th year of BSides Orlando.
AI is, often, not going to get it right on the first try
In his updated keynote "Red/Blue/Purple AI," Jason Haddix, Former CIO of UbiSoft and CEO/Founder of Arcanum Security, took us through a history of AI use and laid out a path for all security professionals to better leverage this rapidly evolving technology. This new version of his talk compared 19 different AI tools he has experimented with over the last couple of years, talking through the strengths and weaknesses of each offering.
Jason also walked us through how he builds ChatGPT bots, such as his Arcanum Cyber Security Bot. This includes telling the AI how it should behave and what is at stake for them if they do well. He has actually built a private "SystemBot," which his wife refers to as "BotBot," that can take a general description of a new bot he wants to build and formulate the proper prompts and output structures.
While demoing from stage a new CVE analysis bot, created on the spot through SystemBot, it did not produce the results he had hoped for. He said it is essential to show these failures, as any AI is likely not going to deliver the results you want on the first try. The key to leveraging AI and LLMs in security is patience and persistence, but Jason argues it is worth it in the end, as it will enable teams to solve many issues faster.
Using Data Lakes to manage logs in a cost-effective way
Alexander Cote, Lead Engineer at Abbot Laboratories, in his session "Cheaply and efficiently manage security events using datalake architectures," walked us through the problems of trying to manage all our logged events directly in SIEM tooling. The largest issue for security teams ingesting an ever-increasing number of events is cost; the more logs you have, the higher the price for storage.
The answer Alexander has implemented recently in his career is to store the bulk of his logs in data lakes. As giant object stores, this is a much more cost-effective option. However, it does come with some technical overhead, as you will need to implement a way to effectively retrieve logs of events you want to investigate, which he showed as an example in his presentation.
This approach is ideal for any long-term data you want to keep, such as DNS logs, which are expensive to store in traditional analytics tools. In one instance, his storage bill shrank to around $80,000 vs. the $2 million it would have cost if they had stored these same logs in Splunk directly. He did warn this approach requires an economy of scale, meaning if you don't require storing thousands of gigabytes of logs a day, you might not see substantial savings. However, it is a good idea to review how you store logs and the associated costs, no matter how large your enterprise is, as there might be better alternatives than just paying your SEIM for more storage.
Attackers should actually need to be right all the time once they are inside
In his highly entertaining talk "One Arrow, One Breach: The Medieval Mindset in Cyber Defense," Kevin Johnson, CEO at Secure Ideas, challenged the notion that the blue team needs to be right all the time and that attackers only need to be right once. First, it is unrealistic to expect any professional never to make a mistake, regardless of focus. That is demoralizing and sets everyone up for failure and frustration.
Kevin said that getting into an environment in his work as a pentester should be the easiest part. Moving around undetected should be much harder to do. He said, "Once I am in, I have no idea how the system is laid out and what actions I do will trigger alarms."
We need to increase our security posture with this in mind, spending time building traps and early warning systems when something or someone does not seem right rather than continue to spend as much time trying to harden our perimeter. We also need to stop blaming the user for 'clicking the wrong link' when we have made their job dependent on clicking links. Blaming the user for failing security does not help us improve security. While we must work to raise awareness through security education, we need to understand users and what matters to them, which we can only do through listening to a lot more and thinking about how we can make the easy path the safest one.
Security assessments mean having a lot of conversations once you have done your homework
In his very practical session "Conducting Security Assessments–Lessons for those being assessed and those wanting to do it," Michael Brown, Security Compliance Director at Financial Recovery Group, walked us through what it means to conduct assessments from the perspective of someone who might want to do these professionally and from the viewpoint of an organization who is facing being assessed.
In the world of Information Security Management Systems (ISMS), assessors are brought in to give you a grade of "good" to "Oh my god, I can't believe how bad this is." Michael stressed that an assessment is not an audit, which is much more formal and costly to pass. While an assessment can certainly be useful in preparing for an audit, the real goal of these engagements is to perform a gap assessment, showing where you are now and where you need to improve.
At the start of any engagement, Michael said all assessors must fully study and evaluate a company's controls. A "control" is a function of management that helps check errors in order to take the appropriate corrective action. These include technical and non-technical policies and procedures. Once these controls are understood, the real work begins, requiring you to talk to every person involved with the controls to make sure they understand and implement them effectively. Where the team's understandings and actions do not align with documented controls are what you need to document and the management team needs to be made aware of in the final report.
Choosing our own security adventure
This year's event theme was "Choose your own security adventure." Just like the book series of the same name, it is up to all of us to pick our path ahead in security. As an event heavily focused on students and people new to working in cybersecurity, it was encouraging to see so many conversations and questions as people navigated what to focus on. As your author said at the end of my talk on understanding SCA, it is dangerous to go alone, but fortunately, we don't have to. BSides gives us a place to learn from one another and help each other find the area that suits us best.
You don't need to wait for next year's BSides Orlando to get together with other security practitioners; with over 200 chapters worldwide, there is likely a BSides event near you soon. We would also encourage you to think outside of just security events. After all, we can only really help secure systems if we understand the folks building and using those systems. They all have conferences, too, like DevOpsDays, Developer Days, and programming language-specific meetups. You are more than welcome to go and be part of the larger world of computer science conversations. Maybe you will even see GitGuardian there.