The RSA Conference talks we’re looking forward to most

The RSA security conference is just about a week-and-a-half out, so, per tradition, I’ve been scouring the agenda in search of talks I might want to attend. Much to my dismay (although not to my surprise), there’s an overwhelming number of sessions. In fact, there’s 518 list items on the agenda as of right now. Most of them are talks but the agenda also includes receptions, learning labs, and other non-talk sessions of one sort or another.

Having looked through all of them, I can say with confidence that you’re going to have a good time if you enjoy software bills of material, the cloud, and/or (especially) artificial intelligence (AI). There’s more than 100 items on the docket that mention AI in their title (full disclosure: my own talk is one of them).

After sifting through, I wanted to highlight what look to be the most intriguing talks about threat intelligence, detection, incident response, cloud security, identity, writing, and much much more. Since there’s so many on my list (far more than any person could ever attend without one of those fancy time-turner doohickeys from Harry Potter and the Prisoner of Azkaban), I’ll limit myself to just one sentence explaining (read: speculating) what I think the talk is going to be about.

Before I start, know that Red Canary will be at the event in force, handing out t-shirts with our slick new logo, talking to folks in the community, and giving short booth talks—ranging from educational to product-centric to fun. We’ll be at booth #934 so stop by for a shirt, to sit in on one of our booth talks, or to chat about managed detection and response (MDR), Atomic Red Team, or whatever else is on your mind.

24 RSA talks worth your time

Permissions: Centralized or Decentralized? Both!

Monday, May 6  |  8:30 AM – 9:20 AM PT

Sarah Cecchetti of AWS and Pieter Kasselman of Microsoft will explain how organizations can balance the conflicting needs of managing permissions across applications in a way that is fast, flexible, reliable, and secure.

The Always-On Purple Team: An Automated CI/CD for Detection Engineering

Monday, May 6  |  10:50 AM – 11:40 AM PT

Stephen Sims and Erik Van Buggenhout will discuss an architecture for security operations centers (SOC) that incorporates security information and event management (SIEM), extended detection and response (XDR), security orchestration, automation, and response (SOAR), and breach attack simulation (BAS) technologies to create a CI/CD detection engineering pipeline that automatically creates, tests, and deploys detection analytics.

How to Keep Your Cool and Write Powerful Incident Response Reports

Monday, May 6  |  1:10 PM – 2:00 PM PT

Lenny Zeltser will show how you can write better incident response reports that people will actually want to read and that will drive action, including tips on structure, clarity, knowing what to include, and writing summaries for decision makers who might not have time for the full report.

Leveraging MacOS’s Networking Frameworks to Heuristically Detect Malware

Monday, May 6  |  1:10 PM – 2:00 PM PT

Patrick Wardle has been a leading expert on macOS security for years, so, if you care at all about macOS security, you’ll want to attend his talk on network-level detection approaches for catching sophisticated malware on macOS.

How AI Is Changing the Malware Landscape

Monday, May 6  |  2:20 PM – 3:10 PM PT

I’m extremely skeptical about claims that AI is changing the malware landscape, but I’ve been following Vicente Diaz’s work for more than a decade, I respect his work, and therefore I want to hear what he has to say about AI-generated malware and evasion techniques.

The Anatomy of Cloud Attacks

Monday, May 6  |  2:20 PM – 3:10 PM PT

Cloud services and systems are different from traditional endpoints and on-prem systems. The way adversaries interact with them is also different, and Ofek Itach and Assaf Morag’s talk promises to shine a light on common patterns of adversary behaviors in the cloud—and what defenders can do about it.

Advanced Discovery, Persistence and Privilege Escalation in AWS, GCP, Azure

Tuesday, May 7  |  8:30 AM – 10:30 AM PT

We’ve got a lot to learn about securing cloud systems and the ways that attacks unfold on them, so Colin Estep and Jenko Hwong’s learning lab should be a great opportunity to learn more about defense evasion, privilege escalation, and persistence across the big three cloud platforms.

Batloader or FakeBat? Unraveling Competing MaaS Operations

Tuesday, May 7  |  8:30 AM – 9:20 AM PT

This looks to be a classic threat intelligence talk from Spence Hutchinson and Ann Pham about malware-as-a-service (MaaS) operations, differentiating different operations, emerging delivery mechanisms, and how to detect them.

CloudSec Hero to Zero: Self-Obsolescing Through Prolific Efficiency

Tuesday, May 7  |  8:30 AM – 9:20 AM PT

More cloud security stuff from Rich Mogull (who is great and offers free weekly cloud security labs that you should definitely check out) and Chris Farris, who will offer tips on triage, remediation, and building a sustainable cloud security program.

Building a Cloud Security Flywheel: Lessons from the Field

Tuesday, May 7, 2024 | 9:40 AM – 10:30 AM PT

Shaun McCullough’s speaking about cloud security as well, focusing on a realistic scenario wherein security practitioners inherit a changing cloud environment and leverage security and technology frameworks to fortify and validate their defenses.

Unveiling the 2024 Data Breach Investigations Report (DBIR)

Tuesday, May 7  |  2:25 PM – 3:15 PM PT

In a lot of ways, the DBIR is the standard by which we judge the quality of all other annual infosec reports, so Chris Novak’s unveiling of the 2024 edition is a must-watch talk for all the longform report fans out there.

Backdoors & Breaches: Live Tabletop Exercise Demo

Tuesday, May 7  |  4:30 PM – 5:45 PM PT

Friends of Red Canary Jason Blanchard and John Strand are doing a live playthrough of their wildly popular incident response card game, which is not only fun but also an effective means of conducting incident response tabletop exercises.

Fun fact: Jason will also be dropping by the Red Canary booth (#934) on Tuesday, May 7 at 1:30pm to talk more about Backdoors & Breaches!

Don’t Be a Cloud Misconfiguration Statistic in AWS, Azure, or Google Cloud

Wednesday, May 8  |  8:30 AM – 10:30 AM PT

One of the first and most important lessons we learned from cloud migration as an industry is that misconfigurations can lead to a bad time, so consider attending Michael Ratemo’s learning lab to hear how things can go wrong when configuring services in Amazon Web Services (AWS), Microsoft Azure, and Google Cloud.

Dynamic Analysis of MacOS Malware Using SpriteTree

Wednesday, May 8  |  8:30 AM – 9:20 AM PT

Another well-known macOS threat researcher, Jaron Bradley, is giving a talk on a community tool called SpriteTree, which enables security practitioners to analyze data from Apple’s Endpoint Security Framework (ESF) and that’s been used to analyze macOS malware and develop corresponding detection strategies.

State of the Hack 2024 – NSA’s Perspectives

Wednesday, May 8  |  9:40 AM – 10:30 AM PT

Rob Joyce was the highly respected director of the NSA Cybersecurity Directorate until he retired earlier this year, and he’ll be joining his successor David Luber to discuss exploit trends, state-level adversaries, and the cybercrime threat landscape.

The First Decade of Corporate Ransomware

Wednesday, May 8  |  2:25 PM – 3:15 PM PT

There’s no way we were getting through this list without a ransomware talk, but I’m going to zag a bit from the super tactical, actionable talks and go with Mikko Hypponen’s keynote, a historical overview of ransomware’s now decade-long incursion into the corporate world.

Red vs. Bank: Surviving a Three Year Red Team

Wednesday, May 8  |  2:25 PM – 3:15 PM PT

Longtime friend of Red Canary Brenden Smith will explore his experiences running a staggeringly long, three-year red team exercise and how the intricacy and persistence of it better prepared his organization for modern, patient adversaries who are happy to spend months or years casing the joint.

You Can’t Measure Risk

Wednesday, May 8  |  2:25 PM – 3:15 PM PT

As much of a security luminary as anyone on this list (random fact: also something of an American football savant), Andy Ellis will discuss the elusiveness of measuring risk, how to talk about it, when to measure it, and, equally important, when risk measurement can become an exercise in futility.

A Blueprint for Detection Engineering: Tools, Processes, and Metrics

Thursday, May 9  |  9:40 AM – 10:30 AM PT

Atomic Red Team maintainer Jose Hernandez will join Eric McGinnis for a talk that’s directly in readers of this blog’s strikezone: an exploration of state-of-the-art detection engineering, including discussions of open source tools, metrics for success, and coverage strategies to help organizations defend against emerging threats and adversary techniques.

Applying Past Lessons for Intel-Driven Identity Threat Detection

Thursday, May 9  |  9:40 AM – 10:30 AM PT

Securing identities is fast becoming priority number one for increasingly distributed and cloud-centric organizations, so Nicole Hoffman and Michael Mariott’s session on lessons learned from historic identity attacks and how we can apply them to identity and access management (IAM), security operations, and threat intelligence promises to be a must-attend talk.

The Good, the Bad, and the Bounty: 10 Years of Buying Bugs at Microsoft

Thursday, May 9  |  9:40 AM – 10:30 AM PT

Katie Moussouris is the pioneer of bug bounty programs that fundamentally reshaped the infosec industry for good, so you’ll definitely want to check out her talk with Aanchal Gupta, telling the story of how she overcame deep institutional reluctance in her effort to convince Microsoft that paying researchers for vulnerability disclosures was a worthwhile endeavor that would make us all more secure.

The Moneyball Approach to Buying Down Risk, Not Superstars

Thursday, May 9  |  9:40 AM – 10:30 AM PT

The winners of my informal award for the most interesting talk title at RSA, Rick Howard and Simone Petrella plan to explain how emulating the early 2000’s Oakland Athletics’ roster building strategy of collecting skills in aggregate, instead of chasing superstars, can be applied to SOC hiring practices.

Malvertising 101: Setting Up a Lab and Hunting for Malicious Advertisements

Thursday, May 9  |  12:20 PM – 2:20 PM PT

Longtime malware researcher Jerome Segura’s learning lab will walk attendees through strategies for finding and analyzing malvertising schemes, which are as popular an initial access mechanism as ever.

The ART of Probable: Test with AI, Atomic Red Team, and Threat Metrics

Thursday, May 9  |  1:30 PM – 2:20 PM PT

Last but (hopefully) not least, Adam Mashinchi and I will discuss a custom GPT we built—and more importantly why and what we learned building it—that’s designed to help security practitioners prioritize and test their defensive efforts according to findings from a library of our favorite annual infosec reports.