« Process Improvement: Overcomplicating the Simple | Main | Privileged Password Management: Cloakware & Cyber-Ark »

Reflections on the 2008 RSA Conference

Now that it's May and I've had a few weeks to recover, I've decided that it's time to finally post a thorough retrospective piece on my first attendance of the RSA Conference in San Francisco. Overall, I had a wonderful time, taking full advantage of the opportunity to meet lots of people. I approached the conference primarily as an opportunity to network with colleagues across the industry, secondarily to attend some training sessions, and thirdly to hit the vendor expo. As expected, none of the training sessions were overly technical. Conferences simply cannot have highly technical sessions because a certain portion of the presentation has to be spent on levelsetting with the audience.

You can see my day-of posts from the conference here, here, here, and here. Also, pictures from the week are available here.

The Good, the Bad, and the Ugly
I'd say that less than 50% of the keynote speeches were of any value whatsoever. Many of them were bought by headline sponsors of the conference, and thus could be almost thoroughly discarded. RSA, Symantec, IBM ISS, Microsoft, Oracle... none of them had much of anything to say... my previous posts (see above) talk about some of the high and low points of each day. As I look back now, it's interesting what stands out for me. For example, I remember the IBM ISS person saying that security was dead, but then she went on to talk about security in other terms and technologies. This was very similar to the RSA and Symantec talks. I walked out of the MS and Oracle keynotes as I couldn't bear to listen to the slow-paced monologuing that had no content at all.

The keynotes I greatly enjoyed were the Cryptographers Panel, Jeff Hawkins of Numenta, and Malcolm Gladwell. Al Gore was ok, but it was pretty much the SSDD story. The protesters were probably more interesting than his talk.

The Crypto Panel was just cool because it was comprised of Diffie, Hellman, Rivest, and Shamir (just missing Adleman to complete the set).

Hawkins was fascinating because of the research he's doing into AI. Numenta has implemented in software a cortex-like AI model that has managed to simulate learning and being able to get past signature-based identification. In other words, once the AI is trained on what a dog looks like, it will recognize dogs that it hasn't previously seen before.

Gladwell - author of Blink and The Tipping Point - was very entertaining, but also informative. He seems to have a very good handle on things, as evidenced recently in this discussion.

I did not attend the Chertoff keynote, though I heard it was ok. There were soooo many feds around in ugly black suits the first Tuesday, when he spoke, that it was laughable. It's hard to take anyone from DHS serious these days as it is that the cliche was really just too much.

Sessions, Workshops, etc.
My favorite presentations were from the Experts track, though I also enjoyed a couple of the Legal (ABA ISC) tracked offerings, too. Judge Facciola, Joe Burton, and Steve Teppler were very good, for example. Paul Kocher from Cryptography, Inc, was a good speaker, talking about security from the evolutionary perspective.

Overall, though, I didn't find most sessions to be terribly interesting. This was, again, due to the fact that you can't assume people attending have a thorough enough background to go into deep technical discussions.

I also attended a 1-day pre-conference workshop on identity and access management. I enjoyed the presenters very much (Dan Houser and Erik Heidt), but the full-day session suffered from the same problems as the other shorter presentations.

Overall, my only thoughts on improvement would be to add "advanced" sessions where you explicitly tell people that you will not be spending time on the basics, maybe including a "you must be this tall to ride" measure of some sort. Not an easy objective to accomplish, though.

The Expo and Interesting Vendors
I'm not going to spend a lot of time talking about the vendors because I plan to highlight a few in follow-on posts later. Overall, it was a very large expo, which I enjoyed. Lots of junk, of course, was to be had. The iPod Touch seemed to be the popular top prize. Maybe next year I'll figure out how to get my hands on one.

Many people have expressed disappointment over the Expo, but I have no real basis for comparison. I did notice that there were not very many technical astute people at the booths. If you tried to ask questions that were too technical, you would lose the sales people very quickly. I'm told this is in marked contrast to years past. I don't know if this is telling of the approach to RSA changing, or if it may simply be a matter that there are not enough technical security people to go around. It's probably a combination of the two.

Some of the interesting vendors that I ran into included AccessStick (SSL VPN w/ fingerprint reader on a USB pendrive), Sunbelt Software (excellent security research company), Beyond Trust (can abstract Windows apps away from direct administrator/system access), Ounce Labs (competition for Fortify in the static code analysis arena), and Visible Statement (great security awareness tools, including cartoons and animations for Windows logins).

One thing that I did not do was to write down notes on all the vendors I spoke with. Next year I plan to do this, possibly taking the Blogger Press approach. We'll see...

Networking: Of the People, By the People, Lots of People, People, People
My primary motivation in attending the RSA Conference was to meet lots of interesting people. This, I accomplished, and quite well, though next year I hope to meet more folks. The receptions on Wednesday and the Codebreakers Bash on Thursday were excellent for meeting people, and it certainly made for an enjoyable trip. My only mistake was in having an early morning flight on the Saturday after the conference because I was hurting from the late nights. I think next year I will plan to have a recovery day and a later flight home. We'll see what I can work out. Some day I hope to live not too far away such that I can simply hop the train home at the end and not have to worry about the effects of a pressurized cabin on my sinuses. :)

---
So, those are my thoughts at this late date. In the end, I greatly enjoyed the conference, and very much look forward to next year. In particular, I missed out on the ABA ISC meetings that led up to the conference, so hope to participate in those next year. I also plan on putting together a couple ideas for presentations and submitting them. It's hard to believe that the conference was a month ago already. I wish I could go to an event like that a couple times a year - it was so much fun! :)

TrackBack

TrackBack URL for this entry:
http://www.secureconsulting.net/MT/mt-tb.cgi/675

Post a comment

About

This page contains a single entry from the blog posted on May 9, 2008 3:45 PM.

The previous post in this blog was Process Improvement: Overcomplicating the Simple.

The next post in this blog is Privileged Password Management: Cloakware & Cyber-Ark.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.