Wednesday 3 September 2014

Security B-Sides MSP 2014 - Automating Compliance

Last week, our team flew across the ocean, to Minneapolis to attend and present at Security B-Sides MSP 2014.

Security B-Sides is an information security event that follows an "unconference" format. It was set up by a few renowned security experts in 2012, after the large hacking conferences (BlackHat, DefCon) received a huge number of submissions to their CfP (Call for Papers) and simply ran out of space to accommodate them all.

Our team came to discuss Automating Compliance. Titania's founder, Ian Whiting, spoke about his background as a penetration tester, the concept behind creating the network security auditing and compliance tools Nipper Studio and Paws Studio, and why he thinks it is essential that software "should just work".


My background is as a penetration tester. I used to be one of those geeks, hackers, that would sit in the corner of the room and get the blame for everything that went wrong: "it must be the guy coming in doing the auditing that's causing all of these network problems today."

I used to have to run a wide variety of different kinds of tools to do those jobs, and it's very important to understand exactly what the software is doing, but also to understand the weaknesses of the software.


I was once given a job, many years ago, to audit some network switches and I think it's very important that auditors' time is best spent doing things that require a human to look at, while things that are fairly mundane and routine are excellent candidates for automation. I truly believe that. So I sat down and someone gave me 30 configs for different switches to go through manually. At this point I thought: "now is the time to start automating this kind of process. It's a very mundane task, computers are ideal at automating those very basic checks".

One of the things that being a penetration tester has led me very strongly to believe is that all software should be easy to use. I don't care if it takes the software developer an extra 6 months to code a bit of software. For the users it should be intuitive and easy to use. It should be there to help you and it should go hand in hand with the way you work, in order to reduce the amount of time that it takes you to audit. It should just work. I don't want a bit of software that I install on a system and then have to tweak for the next half an hour, using Google to try and work out what's going wrong and fix it along the way. It's one of the founding principles of the software that we develop.



We have a product called Nipper Studio, which automates the auditing of firewalls, routers, switches and your various network infrastructure devices, and another called Paws Studio, which does similar things for servers and workstations. Both products offer free evaluations, so that you can give it a go on your own platform. One of the things I think is very important is to be able to try these things for yourself. You shouldn't have to go and buy something blind, in the hope that what the sales person told you about the product is true and that it's going to do what they said it'd do. You have to try things out for yourself, and that's why we provide evaluations for our software.

Download your free evaluation license here

Although this was the first edition of the Minnesota chapter, the event was appreciated by the industry and praised by the media.

Aside from numerous talks from cyber security experts (an overview of the talks can be found in this previous post), the opening keynote was delivered by a legend in the Chinese cyber warfare arena: Lt. Col. (ret) William Hagestad (@RedDragon1949). It is a very worthwhile talk to listen to, and the Colonel is a very engaging presence on the scene. The talk can be found here; it is number 2 on the list, right after the Opening Ceremonies from Matthew J. Harmon, Bradley Ammerman and Tom O'Neill. You can also read the story in CSO Online: Why our lack of understanding on China may be the biggest risk.

An overview of all the talks can be found in our previous post, or viewed / downloaded off the Security B-Sides wiki.



Video and images courtesy of @mjharmon
