The O’Reilly Security Conference: Teachable Moments and Envisioning Adversaries

As a Google product manager working to mitigate risks to end users, Allison Miller has a first-hand view of the constant — and ever-shifting — arsenal of security threats thrown at internet platforms and consumers. As chair of the O’Reilly Security Conference, coming up later this month in New York, Miller leverages her insight and experiences to help find, and present, the best in new technology and “honest lessons learned” from the defensive InfoSec world.
Allison Miller works in product management at Google, mitigating risks to Google and end-users. Prior to her current role, Allison held technical and leadership roles in security, risk analytics, and payments/commerce at Electronic Arts, Tagged.com, PayPal/eBay, and Visa International. Miller is a proven innovator in the security industry, and regularly presents research on risk analytics, cybersecurity, and economics. She is known for her expertise in designing and implementing real-time risk prevention and detection systems running at internet-scale.
The New Stack caught up with Miller for a sneak peek at what’s new and good this year, and the conference offerings she’s most excited about.
So tell us about the security conference.
This is an event set up specifically for defenders in technology, to recognize the people in the marathon. Most of the other conferences out there focus on the attack side — you get a lot of street cred if you name-drop a zero-day and can show that off. There is a lot less attention to the folks who work endlessly to make things better day in day out. So we tried to craft the agenda to talk about fixing things, and finding issues and what you need to do to defend information security before the attack ever happens.
It’s a crowded space, there are a lot of other security events out there, but we were able to put together an amazing agenda and our attendees are really excited about it. The organizers, too! This is our second year, but tapping into all that experience out there to create the most cutting-edge and relevant lineup is still fresh and compelling.
Any lessons learned from last year’s inaugural event?
What we found last year is that everybody brought their A game, and that was great. However, what we saw people truly respond to were the “war stories” — the actual experience folks have, especially in security, when they get things wrong and, ultimately, are able to learn from them. I think we called that “teachable moments” and this year we put out a specific request for people to share their experiences from the trenches.
Also, last year we picked fairly broad topics; this year, we were more focused and responsive to what attendees most need and want to see. So security user experience and data-driven security folks trying to secure big data, especially in machine learning, those get much deeper this year. Of course, there are always a lot of proposals around tools and technology, who doesn’t like good tools? We also actively sought presenters on organizational security, communicating with your stakeholders — basically, understanding the business side of putting together an entire security program or initiative.
Did “teachable moment” presenters step forward?
In security, nobody wants to admit they were hacked. There are legal ramifications to standing up on stage saying how you were breached, but there is such great value in talking about how to make things better. Last year we had Phil Stanhope from Dyn talk about the distributed denial of service attack the (Infrastructure-as-a-Service) company had just experienced. It had happened barely three weeks before we convened, and he got up on stage and talked about it. In many senses there was almost no need to keep secrets at that point, everyone had experienced it, so many businesses and consumers were impacted as result of the outage. So it was really inspiring to have someone stand up and explain what it was like to be on the receiving end of a virtual hurricane. The Dyn team learned a lot and they shared what they learned, which is exactly why we want to do this event for defenders. It’s such a good environment for sharing what we’ve learned, so we can ALL be better.
Which conference events are you particularly excited about?
I feel really great we have great coverage across a lot of interesting topics. Personally excited about on day two, Runa Sandvik from the New York Times is speaking. She is the director of information security, in charge of infosec for the newsroom and teaching reporters digital security.
Window Snyder’s keynote is another one I’m really excited about. She’s with Fastly, a very big network provider and edge cloud platform — being a service provider in this environment is very interesting and Window has got a lot of horsepower. She has previously been at Apple, at Mozilla, at Microsoft, and literally co-wrote the book on threat modeling. I’m very very interested in what she has to say.
Also, because we are going to be in NYC for Halloween, we are going to for sure leverage that. O’Reilly has this great Monday night conference eve ignite session, with a series of five-minute speed talks that are super high energy and hilarious. A pre-party for whatever trick or treating goes on. Trick or treat at a security conference? We will definitely be able to do something fun with that!
What do you hope Security Conference attendees get as their main takeaway from this year’s event?
That “defenders” means so much more than just the cybersecurity people at the table. It’s not just the security team you need to defend a system; you need managers, sysadmins, developers. Everyone who has the ability to make decisions to help defend your system, or who could make mistakes that create risk.
So I would like to both expand the group beyond the people who self-identify as defending a system, who say “I am in infosec” or “I do cybersecurity” — to create the sense of “I am a defender” to those who strictly speaking aren’t even in the security industry. While at the same time creating awareness inside the industry that these folks can be defenders, too. That this is a tool we can all use.
You mention developers. What ways might devs benefit from this year’s offerings?
The short version is, we have quite a few talks and training that would be useful for devs interested in learning to do more. Tutorials like secure coding practices, the web security analysis toolbox, and how to find vulnerabilities in your own code.
The longer version is, developers absolutely should be interested in security!
A classic model for trying to protect a system is the perimeter model. Imagine your company’s network and data, all the sensitive stuff, is within a well-protected perimeter of firewalls and hardened thou-shalt-not-pass systems. That approach worked for a long time, but now everything, all our systems, are interconnected — and it’s not just software and hardware connecting these things, but also people. Technology is good to solve tech probs, and it can help in many situations to solve people problems. But it can’t solve all people problems. And this is where developers come in.
The human interactions and system interactions that happen in software are an essential aspect of security, yet we don’t necessarily think of them that way. Yet. Currently, I think devs sometimes feel that factoring security creates friction for them. They just want to push their code. They think of security as a gate, because we haven’t yet figured out how to get it into the design. If we could join forces — figure out how to get it done more in the beginning, as an inherent part of the design process, built in rather than bolted on — this is why the security community would love to figure out how to get more engaged with the developer community.
Devs take great pride in their code and ability to architect useful software, useful systems. The diff with devs when thinking about security is there is a difference between a bug and an adversary. So I’d think they would enjoy learning threat modeling, which means taking the next step to think not just about your code but how it could potentially be used against you in some unexpected way. Building security into your code is so much more fun when you’re envisioning adversaries.
So looking straight at bringing developers into the security fold and security as a prominent part of the software development lifecycle, our opening keynote is a developer and former hacker, Chris Wysopal. Chris will be talking about how effective software architecture must consider security. And how we can enable developers to create secure software through coaching, shared code, and services. This is relevant to everyone, and if you are building systems this is relevant to you.
So, this conference is relevant anyone building systems?
There’s a whole world of people building things — how do we help the average product manager building an account creation flow or some kind of interface or UX, what are the things they should ask for? We don’t even necessarily give them some universal thing to add into their development lifecycle. It’s a nascent capability and why more discussion is needed. And this conference is an opportunity to have that discussion. Everyone is invited!
Google and Microsoft are sponsors of The New Stack.