Hosting the world's largest cybersecurity conferences is no easy feat. With thousands of attendees, countless devices, and a vast attack surface, these events present a unique set of security challenges that organizers must overcome. But what can the rest of us learn from their experiences? The lessons gleaned from securing the likes of RSA Conference and GovWare offer valuable insights for any organization tasked with protecting critical events and infrastructure.

Embracing the Chaos

Unlike the controlled environment of a typical enterprise network, conference venues are a chaotic mix of devices, protocols, and security postures. "During conferences, Talos IR sees all kinds of traffic coming through the infrastructure," explains Yuri Kramarz of Cisco Talos Incident Response. "Some encrypted, some clear text, but we also see all kinds of different protocols."

The key, Kramarz says, is to develop hypothesis-driven threat hunting strategies that can adapt to this dynamic landscape. "We don't have months of baseline data available, devices come and go all the time, thousands of devices flood the network for just a few days, and each device has its own security posture, protection mechanisms, and patch levels, making them either resistant or very vulnerable to exploitation."

Collaboration is Critical

Securing these events requires a collaborative effort across multiple vendors and service providers. As Claire Fulk of Cisco notes, the GovWare SOC leveraged technologies from partners like Endace, alphaMountain, Pulsedive, and Stealth Mole to extend their threat hunting capabilities. "Their collaboration ensured that our threat hunting efforts extended beyond Cisco infrastructure, enabling us to integrate contextual intelligence from multiple security platforms into one XDR view."

This cross-pollination of expertise and data is crucial, says Jessica (Bair) Oppenheimer, who led the SOC at the RSA Conference. "From the tours and sessions—and this Findings Report published by sponsors Cisco and Endace—you can learn about what happens on an open, unsecure wireless network."

Preparedness is Paramount

While the chaos of these events may seem overwhelming, the most successful security teams are those that plan meticulously in advance. As Jerzy 'Yuri' Kramarz and Giannis Tziakouris of Cisco Talos Incident Response write, securing major events "necessitates a multifaceted approach and the involvement of multiple entities, including but not limited to the vendors, hospitality teams and service providers to facilitate a uniform approach to cybersecurity across the event ecosystem."

The lessons learned from these high-stakes cybersecurity battles are invaluable for any organization tasked with protecting critical infrastructure and events. By embracing the chaos, fostering collaboration, and planning meticulously, security teams can turn the world's largest cybersecurity conferences into proving grounds for their incident response capabilities.