[Dailydave] First RSAC 2015 Note

Dave Aitel dave at immunityinc.com
Tue Apr 28 11:10:58 EDT 2015


So as much as I malign RSAC, I occasionally attend it! I find that the
West Coast's corporate style is foreign to me, and learning about it is
probably important. For example, it took me forever to realize that what
was being sold on the Expo Floor at RSAC was not products and services,
but companies!  So let me brief those of you who didn't go, probably
because you had technical work to do, on what happened this year.

First of all, RSAC is "fashion forward" and you had to pretty much wear
a suit to it this year. A very expensive suit jacket and jeans was also
acceptable. But likewise, your small startup last year had to be mobile
and "BYOD" and this year it was all old-school endpoint security, with a
new frosting of "behavioral analysis". Literally every other booth had a
very El Jefe Style process tree as their main demo. Wait until they see
and copy El Jefe's other amazing features, like USB tracking. :)

Being small was a liability this year, in the way it hasn't been in
previous years. Having anything less than a triple-size booth made your
company seem hopelessly tiny and underfunded.

But I want to relate one of the technical talks I saw to demonstrate a
strategic hilarity. The basis of the talk was simple and cool. The
authors measured power draw on the AC line going into a desktop PC.
Literally, they just used a trojaned baseplate and an O-scope. Then they
ran that power data through some generic neural network/statistical
classifiers. They were able to determine (after training), based on the
power usage levels, which websites a user visited on the machine!
Likewise, they could detect execution of programs such as malware. TIME
TO BUILD A COMPANY AND PROFIT! You could feel their excitement over the
commercial applications from the back row of the poorly filled RSAC
auditorium. They answered every question with "Let's talk offline, since
we're not allowed to pitch our new company in this session!"

As an offensive technique, power analysis is quite useful (which is why
NSA boxes filter their power supplies). As a defensive technique it is
entirely useless. If all a malware writer has to do is add
sleep(rand()); into their code in a couple of places to defeat your
detection, then you probably shouldn't build a whole company based on
the hope that they won't someday do that. But our two intrepid speakers
WILL build this company, and they will get funding to do so, no doubt.

The strength of the West Coast system is basically the same as the talk.
The company churn over there is hugely noisy. But they've built a
process that survives on the gold rush of technical hopes - without
having to know anything about technology to predict what will work they
can just fund and try everything. From that Big Data the market becomes
a statistical classifier. Any East Coaster visiting RSAC looks around
and says "Wow, you guys have a TON of CRAP here." But a West Coaster
will smile and say "Exactly."
 
-dave