I like the regional Infosec conferences. For someone at a SMBiz, it's an opportunity to see how the rest of the world does things without sitting through hours of vendor talks pimping one product (and eventually their family of products) as the be-all end-all. Learning the hows is akin to crawling before walking before running. Once you learn what you can do and how to do it in efficient ways, you can then push to acquire tooling that supports the skill set.
I have become disillusioned with the conferences in my immediate area (MKE/CHI) in the last year or two. As a defender, I'd be thrilled if there was at least one talk that benefitted my side of the fence that wasn't a weird corner-case scenario. Usually, I'd see a talk that looks good, that would turn into 'I did crazy thing and I'm not going to have any serious detection or prevention strategy besides patch.' I want more in-depth talks that speak to a defender. So this year I pushed my regional boundaries out to Detroit (Convergeconference.org) and Indy (circlecitycon.com).
Circle City Con (hereafter CCC) turned out to be the con I wanted. Designed so local people only had to take a half day off of work, it ran from Friday afternoon to Sunday early afternoon. This gives people plenty of opportunities to come see what's going on. There were talks and trainings, a CTF, a modest vendor presence, and evening events Friday and Saturday.
The trainings looked to be solid. However, some of the better trainings, like @da_667's training on virtual labs, were all-day trainings on Saturday, meaning if you did the training, you did nothing else Saturday. Had I the power to make a recommendation, I would set the trainings in the morning and do talks in the afternoon on Saturday, with trainings part 2 Sunday morning for 8-hour trainings, to minimize the number of talks missed. The training was a huge time commitment. That would be some difficult juggling, but possible in the available space.
Check out @frankmcG's Twitter feed, as he live-tweeted several talks. This is a good way to check out core content and decide if you should watch the talk when it's published (almost always yes).
The opening ceremonies made it clear that over the five previous years, CCC had developed its own culture. This meant that for first-timers, there were a lot of references and in-jokes that went right over one's head. Whereas it was informative about the weekend to come, it also made it clear I could skip the closing ceremonies.
The opening keynote was a look at data rights and privacy laws around the world, and what an org had to honor in regards to a personal data request. Amber Welch did an excellent job going through the ins and outs of the laws and how to 'hack the system' with the legal framework in place. This was a solid talk, right up to the last five minutes when a blatantly political remark thrown in as a backhanded attempt at humor soured the whole thing for me. It would have been a B+/B, but the one remark, and everything it carried with it (especially in light of the talk) dropped it down to a C/C-.
Shecky (@siliconShecky) gave a talk on Saturday on hiring for Infosec roles titled 'Get off my lawn ... or are we looking for the right people?' He talked about addressing the core skillsets needed in Infosec beyond the technical (sysadmins, pentesters, coders, etc.) and looked more holistically at the background types we should bring in and nurture, as they will provide overall value to an Infosec team (e.g. librarians for research, thespians for social engineering, data scientists for analysis, etc.). He also showed the division between the field of security, the subfield of Infosec, and the sub-subfield of Cyber Security.
Alex Chalmers gave a talk titled 'Evicting the Password from the Digital Estate'. This was a talk on the weakness of passwords, proper password guidelines, where passwords exist in the cybersecurity space, and what an institution has to do to move past them. He addressed how NIST has written its framework to apply to the federal government, and what we can pull from that. He looked at the differences between single-factor, two-factor, and multifactor authentication, and how different authentication types are combined to get to a mature multifactor setup. The caveat to his talk is that in a mature institution, the idea of going passwordless is so popular (and misunderstood) that the mere mention that I saw a talk on this means I will have to present the idea to leadership. Thank you, Alex. Even still, watch the talk.
Steven Bernstein (@sciaticNerd) gave a talk titled 'Cons and Careers'. This is the talk that's perfect for anyone new to the industry or trying to break into Infosec. It looks at the non-technical, self-imposed stumbling blocks to personal and career growth, including tackling impostor syndrome. He uses his own path as an example of how he cleared the stumbling blocks, and what it takes for someone else to do the same, as well as why they need to. This was the A+ talk at CCC, and is one that should be spread far and wide. And his delivery was near flawless. He'd be a good speaker to have at any con.
Part two of my review will come tomorrow, looking at a few more good talks and highlighting some of the great people I met.