Birmingham’s tech scene keeps getting better! Yesterday was the second annual Alabama Cyber Now security conference hosted by TechBirmingham, the Central Alabama Chapter of the Information Systems Security Association (CAISSA) and the InfraGard Birmingham Members Alliance. This conference brings together security and other technology professionals from across the southeast for a day of engaging talks, panels and networking, along with a sizable vendor hall. Last year’s event was so successful that this year they had to move to a bigger venue.
I’m not a security specialist, but I do think that everybody who works in technology needs to have a working knowledge of core security concepts. In my day job I work with technology leaders in all sorts of organizations, from government agencies to brand marketing firms, from insurance and banking to healthcare. Security topics come up all the time. Single-day events like the Alabama Cyber Now conference provide a great chance to learn from experts in the field about new threat types and security best practices, and to get a glimpse into how they look at securing their systems and those of their customers. For those who need them, the Alabama Cyber Now conference also provided a chance to earn some CPE credits, a requirement for maintaining CISSP and other security certifications.
The conference was generally very well run, with a few exceptions. The check-in lines got pretty long, leading to some delays, and it looked like there were people still waiting to check in when the morning keynote was starting. Maybe next year it would be helpful to open check-in earlier or have more people staffing it. Coffee was hard to come by; I didn’t see any stations set up outside of the morning keynote and lunch. Conferences run on coffee. The badges had people’s names and organizations printed in a pretty small font, which made it hard to just glance at somebody’s badge to see who they were and what org they were with. But really, those are tiny little things that didn’t affect the overall conference experience. The conference team did an awesome job putting on the event, and I’m grateful we had the opportunity to have such a diverse group of speakers delivered right to our doorstep.
The highlight of any event is usually the keynote(s), and this event was no exception. Dave Shackleford was the morning keynote, talking about the challenges and opportunities in cloud security. Dave brought up some great points and provided some guidance for how to integrate security into the DevOps processes, which he is terming DevSecOps. Developers and ops won’t tolerate security slowing down their cycles, so security needs to find ways to automate and integrate with the cycles they are already executing. Velocity means everything today for competitiveness. If I recall correctly, Dave also declared the old idea of a “bullseye” security model with perimeters to be dead. This was a theme that was repeated in several other talks in varying ways.
The second keynote is the one that I was really looking forward to. Bruce Schneier is one of the best known and most respected voices in security. Bruce lived up to his reputation, delivering a riveting talk about IoT security and how the internet of things completely changes the way we should be looking at security. The stakes are much higher now; it’s not just data anymore. When everything has a computer in it, software security becomes the security of everything. We have essentially given the internet the ability to gather data from the physical world (sensors), to make decisions based on that data (compute / AI) and to affect the physical world (actuators). Bruce described it as humanity inadvertently building “a world-sized robot”. Essentially, his argument is that we aren’t intentionally building this world-sized thing; it’s an emergent property of hooking up billions of sensors and actuators to a global network. Bruce ended his talk with a call for regulation to help us avoid the worst consequences of poor IoT security (like the Dyn attack). This made several folks in the audience visibly uncomfortable and sparked a few questions during the Q&A session that followed the talk.
Speaking of the Dyn attack, another talk I really enjoyed was one in which we got to hear from Chris Baker at Dyn. He gave a detailed timeline of the attack, how it worked and what strategies his team and others used to map and mitigate the attack, and how they are preparing for the next one. The other talks I attended included how pen testers (and malicious actors) approach phishing, security analytics in a world where each device and user is its own “front” in a war between attackers and defenders, and a great talk on the role of privilege escalation and lateral movement in a breach. The last one I listed was delivered by Andy Givens from CyberArk, and was one of my favorite breakouts. I especially enjoyed the case studies where he walked through how the hackers got a foothold, and how they expanded from that initial landing.
Assuming this event happens again next year, there are a few things I would love to see added. A few “101” style talks would be great as an introduction to areas of security that one might not be familiar with. I’d also like to see some developer focused talks. Developers can always get better at building more secure applications, evaluating libraries for security concerns before they adopt them, etc. Maybe a talk could be added for DevOps folks that integrates parts of Dave Shackleford’s DevSecOps model.
All in all, it was a good event, and one that I hope continues next year. Thanks to all of the organizers, volunteers, sponsors and vendors that made it happen!