Saturday, June 04, 2011

Security Conference Recommendations

After my post Bejtlich Teaching at USENIX Security in San Francisco 8-9 Aug a reader asked the following:

Richard,

I was curious if you could suggest other security conferences that either you have attended or have heard are better than average?

It seems as though everyone and their brother sponsor some sort of security conference and it is difficult to tell how educational they will be just by reading the website.

Perhaps you could provide some insight into how you determine which conferences you would actually pay to attend? Thanks!


Great question. The answer that follows is just my opinion, and I'm sure others feel differently. For me, I like these conferences:

  • Black Hat offers the best combination of training plus briefings per unit time, on a consistent basis. In other words, I believe attendees will learn more in two days of Black Hat Training plus two days of Black Hat Briefings compared to any alternatives, every year. The content is uniformly high, regardless of whether you attend in DC, Barcelona, Las Vegas, Tokyo, or Abu Dhabi. This is why I will be teaching two TCP/IP Weapons School 3.0 classes this summer and staying for the two days of Briefings that follow.

  • My next favorite event is probably the SANS What Works in Forensics and Incident Response Summit organized each year by Rob Lee. His Summit connects me with the sorts of people who do the same work that I do. The event is a mix of panels and briefings by interesting people.

  • In terms of value per dollar spent, you can't beat Security B-Sides. Why is that? Well, your travel cost will likely be almost nothing, since B-Sides events happen all over the world. Registration is free. Content quality is mixed, but when you throw a lot of local security people into a room in a non-traditional format, the output is surprisingly good!

  • If you want more of an academic approach, I recommend any of the USENIX conferences. They are also a mix of training, "Refereed Papers" (see what I mean), and Invited Talks. I tend to see more college students talking about "solutions" more or less detached from the real world, but the diversity of specialized events means you're likely to find something of value that meets your direct needs, especially regarding system administration. After a multi-year break, I'm returning to teach TCP/IP Weapons School 3.0 in San Francisco at USENIX Security in August.

  • Returning to the incident response world, you might also like FIRST conferences. I think every CIRT should become a FIRST member, and attending a conference or other FIRST event every other year or so is a nice way to stay in touch with a very globalized security community.

  • If you qualify to attend, you might also enjoy the DoD Cybercrime or GFIRST conferences. As you can tell they cater to the .gov and .mil communities, but their focus tends to involve more interesting problem sets.

  • I should also give CanSecWest an honorable mention, although it's been years since I've attended. I could say the same for BSDCan and ShmooCon.

    Speaking of Shmoo, the logistics are the main reason I stopped going. At least with my old job, it was a hassle to commute to DC for only a Friday evening, then again for a full day Saturday, and again for only a few hours on Sunday morning. I don't like weekend events since I'd rather spend the time with my family, and the ratio of travel-to-conference for Friday evening and Sunday morning was just too high!


Regarding how I pick conferences, I primarily want to learn something and see people whom I may not have seen recently. I prefer to avoid any conferences where keynotes are given to sponsors based on their sponsorship alone. I also try to attend conferences where I expect new material to be presented.

What conferences do you like to attend, and why?

11 comments:

David Sharpe said...

The new Immunity Infiltrate conference was good (if you are are interested in red teaming, pentesting, and exploit development). Infiltrate is small and expensive, but it draws really great people. Anything Marcus Carey touches is good it seems (the former Dojosec monthly meetings were the best ever!), and now he has Dojocon yearly. Derbycon is new and it looks good on paper for cyer security folks. The Technoforensics conferences (Myrtle Beach, SC, USA the NIST one won't happen again) are good for forensics folks. -- @sharpesecurity

Eric Huber said...

Guidance Software does a nice job with their CEIC conference. It's well organized and well attended by people from all over the world. The presentations cover a broad variety of topics such as eDisco, incident response and the like. It's a conference that I'd like to attend more often in the future.

rezuma said...

What about certifications? which one would you recommend? I have been in IT for 14 years but I want to switch to the security fields (from the high performance computer and the general IT manager fields), is there a certification that you would recommend ?

tomas said...

CCC in Berlin between Christmas and the New Year. Covers everything what can fit into word "hacking" with some focus (at least interesting to me) to telephony. The positive side is that you don't have to attend it personally, all the conference is videorecorded and freely available to general public.

Anonymous said...

Dollars spent has to go to the king of InfoSec conferences... Defcon. Why pay 2000 plus for BlackHat when you get the same content/same speakers for a fraction of the price.

Pete Hewitt said...

If you're a denizen of North Carolina, the annual NC2600 CarolinaCon has 3 days of good topics and great speakers for all of $20. http://carolinacon.org/

Anonymous said...

I always enjoy Flocon and VizSec, though it can be a little specialised.

Anonymous said...

Definitely DEFCON! This year marks the first time I've been provided funding for BlackHat, so I'll be attending both this year. However, many of the BH speakers and attendees also attend DEFCON, the bang-for-buck ratio (DEFCON's a sky-high $150 this year) is pretty good. The atmosphere is much more laid back than other conferences, too, which I think helps a lot with under-the-table or over-a-beer information sharing between professionals.

Anonymous said...

DEFCON is $150 to get in the door, but the Defcon briefings ticket is still $2,000+, which is right in line with the BlackHat cost.

Scott Hazel said...

Not sure what "Defcon briefings" is. BlackHat has a 2 day section called Briefings that starts around $1200. Defcon has always been sub $150 for admission and it's only reached that high in the past 3 years.

The sheer volume of people attending both BH and Defcon can make it hard to get the most out of these conferences but I agree they generally have great content and Defon has an entire layer of other activities (contests, niche spaces for wireless, lock picking, hardware hacking, etc) that offer a potentially more educational experience through hands on access.

100% agree with Richard about Security BSides. This is the 3rd year for BSidesLV but the past 2 years has seen an explosion of localized BSides events throughout the US and now several other countries. You can't beat the cost of attendance (free, as in beer) and the format encourages audience participation via conversation. They also encourage speakers to present on topics too risky for the larger cons like BlackHat or RSA.

Another conference to consider this year is DerbyCon. It's their first year but the speaker line up is on par with other popular cons and they're also offering classes.

Shmoocon has been great the past 4-5 years. I find it's best to stay in the same hotel as the con though. I think the Shmoo group refused to pay a Norse god at some point and has earned epic snow the past 2 years.

I'm fortunate my company is paying for BH training this year so I'll be in Richard's Aug 1-2 class. Very much looking forward to the class and the Defcon Network Forensics contest at the end of that week.

C said...

There is no need to "qualify" for the GFIRST conference. It is (still) FREE and open to the public for registration/attendance.