Staff from Deja vu Security and its partner company Peach Tech recently attended DefendCon, a nascent conference based in Seattle. DefendCon’s inaugural event was in 2017 and was developed, bankrolled, and hosted by Adobe. Now, in its second year, the conference bills itself as a forum that “provides the same technical content as a more traditional security event while providing a safe, collaborative space for women and non-binary individuals.”
Attendees possessed a wide variety of backgrounds and seniority levels, in both technical and non-technical cybersecurity roles including engineers, compliance professionals, security architects, employee relations staff, scientists, and activists. Speakers were just as varied—coming from engineering, research, and even marketing departments at powerhouse organizations like Google, Microsoft, Netflix, Lyft, and the Electronic Frontier Foundation.
We were thrilled to be able to see the event’s keynote talk by Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation (EFF). The EFF is arguably the largest and most influential nonprofit behind defenses of digital rights in the United States, lobbying against and bringing to court policies, laws, and issues that risk individuals’ and organizations’ digital civil liberties since its founding in 1990. Eva used her keynote opportunity to speak on cybersecurity training, with extensive tips on how to develop effective and ethical training programs within organizations. Notably, she cautioned trainers against using the common tactic of scaring their audience with the assumption that it will convince them to adopt secure practices. Eva encouraged trainers to instead help their learners feel empowered and hopeful, making them much more likely to take action to improve their security practices.
Also on the schedule was John Trammel of Adobe, who gave an in-depth presentation on Adobe’s process of building and scaling a centralized and efficient identity management system. John offered some excellent nuggets of advice, including:
- “Establish your support and escalation plan before you have an incident. Before you even launch your product.”
- “When you’re looking at your process post-incident, you’re always looking for fixes for that [specific] incident.” But instead, companies need to perform process reviews outside of incidents so they can improve their processes as a whole.
- “If your service isn’t important enough for anybody to care [about security being current], then take it offline.”
John also recommended several activities that served the identity system management team at Adobe well. One, run a simulated incident before a service goes live; that way you can verify whether or not your organization’s planned response is actually doable and effective. Two, take one of your team’s best programmers, give them the source code, and tell them to do their worst, causing as much (isolated) mayhem as possible. Then make the system resistant to the issues they uncover, such as one person within the organization being able to deploy new builds by themselves.
We were particularly happy to hear John stress the importance of external security audits (Deja vu Security’s forte): “We use outside pen testers and we love those. They give us fresh eyes. We give them the code and turn them loose. We want to be involved in what they find, because we want to fix it.”
If the ideas presented above are of interest to you, Deja is hosting its 3rd Cybersecurity Summit on the topic of scaling security within organizations of all sizes on September 20th 2018 at the Columbia Tower in Seattle. Click below to request an invite to attend or to submit a talk.
DefendCon hosted a number of other great talks on topics like malicious actors using core marketing principles to trick victims, and hardware security scoping issues. Deja was lucky to hear from this diverse group of cybersecurity industry leaders, and we’re hoping to see a third DefendCon in the works.