Takeaways from the SecTor 2024 conference
As attendees to the opening sessions of this year’s SecTor security conference took their seats in Toronto’s convention centre they were bombarded with ominous, rumbling introductory music.
Was it calculated to represent a year when infosec pros are seeing unprecedented levels of cyber attacks? That this is a SERIOUS conference? Maybe. Certainly the presentations weren’t uplifting – no sessions on ‘How my team slashed the number of security incidents to zero.’
I couldn’t get to all of the sessions, but here are a few things I came away with on Wednesday:
-- Keynote speaker Leigh Honeywell of Tall Poppy, which advises firms on dealing with online harassment of employees, said infosec pros have a role in helping protect democracy and elections. They can do it by warning friends and relatives about not trusting everything online.
“We can draw from our own field for some of the clues about how to deal with misinformation and disinformation,” she said. “As security people when we talk to users about avoiding phishing we tell them to watch out for emotional appeals, urgency, greed, FOMO (fear of missing out), a desire to be helpful to your boss who really needs some gift cards right now!
“With misinformation and disinformation, the emotion they [creators] are going after is usually rage, and rage directed against a specific person or group of people casting them as another. When you feel yourself reacting to an image, an article, to a piece of reporting with that kind of rage.”
So people should be told “to take a breath, to reconsider, to check your sources [of information]. You may still choose to act, but respond, don’t react. Check your sources, check the sources to the sources, and choose to act, don’t act in a reactive way that has the risk of being manipulated. In the same way, you tell users to stop and think before they click that link.”
-- I had a chat on the sidelines about the progress of Canadian federal cybersecurity legislation with Robert Gordon, strategic advisor to the Canadian Cyber Threat Exchange (CCTX). Bill C-26, which changes the Telecommunications Act and introduces the Critical Cyber Systems Protection Act, has passed the House of Commons and is about to start committee hearings in the Senate. Briefly, it allows the government to designate any service or system as a vital service, requiring designated operators to implement cyber security programs, mitigate supply chain and third-party risks and report cybersecurity incidents to appropriate regulators. The first sectors to be covered will be federally regulated telecom, interprovincial pipeline, interprovincial transportation and financial services companies.
Although it took two years, it was passed by the House in a relatively non-partisan way which should be celebrated by the Liberal government (although admittedly it isn’t law yet). Strange, Gordon and I both agreed, the government has been pretty silent. It reflects the fact that Canadians are more focused on economic issues.
True, even when C-26 passes the Senate and is signed by the Governor General it will likely be a year until this (or a future government) releases the regulations firms will have to follow to comply with the law.
Meanwhile, Gordon pointed out, firms likely to be covered by C-26 should now be telling their suppliers to tighten their cybersecurity so they will comply with what will likely be expected. The arm-twisting might go like this: “If you’re ready you will be a supplier of choice,” Gordon said.
As for the fate of C-27, the combined new federal privacy law covering the private sector, the Consumer Privacy Protection Act, and the Artificial Intelligence and Data Act (AIDA), who knows? Just over two years after it was introduced the legislation is still before the House industry committee. My advice to Canadian readers: Tell your MP to get moving on it. Tell them loudly.
-- I interviewed Zack Zeid, principal detection and response engineer at U.S.-based managed endpoint detection and response provider Expel, who gave a presentation on improving an IT department’s security metrics.
“It’s not enough to just measure, not enough just to track” numbers, he said. Too many organizations gather what he called “volumetric metrics” – for example, alert volume, false positive rates – and not what needs the most attention. A list of false positive and true positive rates doesn’t show if important incidents are being missed.
Metrics should tell the security team where to focus its resources and how to improve response, he said.
A security team should be able to set a specific goal, he said: for example, increase the SOC’s efficiency by raising detection precision from 70 per cent to 85 per cent, achieved by reducing false positives over the next three months. That is a specific, measurable goal with an achievable time frame.
Instead, he told me, “I have never seen metrics do things within security teams. More often than not I’ve seen them in weekly slide decks – ‘Our metrics are good! This is up, this is down.’ So what next?”
If a detection fires twice in a week but it takes the security team 12 minutes to triage, that’s 24 minutes of time chewed up, he pointed out. That, he said, doesn’t scale.
His advice to infosec leaders: “Measure what matters, and ensure what you measure drives action.”
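To make Zeid’s point concrete, here is an added example (mine, not code from Zeid or Expel) that turns a week of closed alerts into the kind of metric that drives action: it ranks detection rules by the analyst minutes their false positives consume and computes how many false positives each rule must shed to reach the 85 per cent precision target he describes. The rule names, verdicts and triage times are constructed sample data, chosen so that overall precision starts at exactly 70 per cent.

```python
"""Rank detection rules by wasted triage time and work out how many false
positives must be cut to reach a precision target (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from math import ceil


@dataclass(frozen=True)
class Alert:
    rule: str            # detection rule that fired
    true_positive: bool  # analyst verdict after triage
    triage_minutes: int  # time spent closing the alert


# Constructed sample: one week of closed alerts (not real data, rule names
# are hypothetical). Overall precision is 21 TP / 30 alerts = 0.70.
WEEK_ALERTS = (
    [Alert("suspicious_powershell", True, 10)] * 8
    + [Alert("suspicious_powershell", False, 10)] * 2
    + [Alert("new_admin_account", True, 5)] * 10
    + [Alert("rare_process_parent", True, 12)] * 3
    + [Alert("rare_process_parent", False, 12)] * 7
)


def precision(tp: int, fp: int) -> float:
    """Precision = TP / (TP + FP); 0.0 when the rule never fired."""
    return tp / (tp + fp) if tp + fp else 0.0


def fps_to_cut(tp: int, fp: int, target: float) -> int:
    """Smallest number of false positives to remove so that
    tp / (tp + fp') >= target, i.e. fp' <= tp * (1 - target) / target.
    Exact rational arithmetic avoids off-by-one errors at the boundary."""
    t = Fraction(target).limit_denominator(10_000)
    allowed_fp = tp * (1 - t) / t
    return max(0, ceil(fp - allowed_fp))


def rule_metrics(alerts):
    """Per-rule TP/FP counts, precision, and minutes spent on false positives."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fp_minutes": 0})
    for a in alerts:
        c = counts[a.rule]
        if a.true_positive:
            c["tp"] += 1
        else:
            c["fp"] += 1
            c["fp_minutes"] += a.triage_minutes
    return {rule: {**c, "precision": precision(c["tp"], c["fp"])}
            for rule, c in counts.items()}


def overall_precision(alerts) -> float:
    tp = sum(a.true_positive for a in alerts)
    return precision(tp, len(alerts) - tp)


def tuning_plan(alerts, target: float = 0.85):
    """Rules below the target precision, ordered by analyst time wasted on
    their false positives, each with the number of FPs it must shed.
    Returns a list of (rule, fp_minutes, fps_to_cut) tuples."""
    plan = []
    for rule, m in rule_metrics(alerts).items():
        if m["precision"] < target:
            plan.append((rule, m["fp_minutes"],
                         fps_to_cut(m["tp"], m["fp"], target)))
    return sorted(plan, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    tp = sum(a.true_positive for a in WEEK_ALERTS)
    print(f"overall precision now: {overall_precision(WEEK_ALERTS):.2f}")
    print("FPs to cut overall for 0.85:",
          fps_to_cut(tp, len(WEEK_ALERTS) - tp, 0.85))
    for rule, wasted, cut in tuning_plan(WEEK_ALERTS):
        print(f"{rule}: {wasted} min/week on false positives, cut {cut} FP(s)")
```

On the sample data the plan puts `rare_process_parent` first (84 analyst minutes a week on false positives, all seven of which must go) ahead of `suspicious_powershell` (20 minutes, one false positive to remove), while `new_admin_account` needs no work. That ordering, rather than a slide saying “precision is 70 per cent”, is what tells the team which rule to tune next and by how much.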