Network Security Podcast

Welcome to the RSA Wrapup show.  Except it's not a wrapup where we talk about the things we saw and did so much as a discussion of our very different views of what the RSA experience was for us.  This was Zach's first RSA, Martin has been to half a dozen and Rich has been coming to the show since he was a young pup.  And just as the three of us come at many news stories from different directions, we also view the RSA Convention very differently from one another.

As long time veterans of the event, Martin and Rich see a lot of the behind the scenes action and spend a considerable amount of time in meetings with vendors and other security professionals, especially Rich, who spends almost every waking moment either in a meeting or running to the next meeting.  For Martin, it was the first time he's attended RSA as a vendor in addiion to his blogging and podcasting duties.  And Zach's experience as delegate are close to on par with what the average RSA going is going to see.  Which frustrated him greatly.

If you're already tired of hearing about RSA and everything that goes on there, you may want to skip this podcast.  But if you're curious to hear a little bit about what it's like to attend the single biggest convention in the security industry, you'll want to listen.  We actually believe this is one of the better podcasts we've done recently.

If you've been anywhere near security during the last 18 months, you probably have a nervous twitch every time you hear someone mention the term Advanced Persistant Threat.  Much like Cloud is the big term of this year's RSA Conference, APT was last year's buzzword.  But that doesn't mean that APT isn't still a real issue and isn't important; it just means marketing teams burnt out the industry on an important issue.  Dave Merkel from Mandiant took a few minutes to talk to me about the panel he was on yesterday, as well as the PCI Council's new PCI Forensics Investigator program.  And yes, the two are more closely connected than is immediately obvious.

NSP Microcast, RSA 2011:  Dave Merkel, Mandiant

PCI compliance in the cloud is real, and Amazon is the first major cloud service provider to claim a PCI Compliant Cloud Solution.  Robert Zigweid, the Principal Compliance Consultant at IOActive, was the QSA who performed the assessment on Amazon's environment.  We talk about what exactly Amazon is claiming is compliant in their PaaS solution, what a merchant should know this means and the difficulties of scoping and cutting up such a complex environment so you can assess it. 

Network Security Podcast Microcast:  Robert Zigweid, IOActive - PCI Compliance in the cloud

Welcome to Day 2 of RSA

Today's interview turned out to be rather fortuitous; Dr. Mike Lloyd from RedSeal gave one of the opening talks at this year's Security BSides San Francisco and through a series of unfortunate events there was no stream of his talk nor did it get recorded.  But since I was scheduled to talk to him today anyway, heres a small taste of what his talk was like.  There's a chance his talk may get re-recorded, we'll let you know.

We all know that firewalls are very complex beasts when you have to start figuring what the resultant rule set is from several layers of systems.  Even dealing with one firewall can be hard when you realize the difference a zero in the wrong part of the subnet can cause.  People aren't good at dealing with this complex relationship between devices, while machines are.  Machines can't make the strategic decision, they need the backing of a human intellegence to decide which dataflows are appropriate.  So why is these both so important? 

Day one of RSA and BSides SF is over, more microcasts to come soon.