Takeaways from Art into Science

January 22, 2020

What do you get when you take a security conference and pare back its typical formula of swag-laden vendor tables, high-concept lighting that promises to be “an experience”, bougie parties with LED-lit stemware and a surplus of decibels — not to mention all of the offsec-focused talks? You find a group of dedicated defenders who, freed from the flash and fanfare, come together not to exchange pitches but to exchange ideas. And donuts.

That’s Art into Science.

Also known as ACoD — a shortening of its tagline “A Conference for Defense” — the Austin-based Art into Science has a fairly rare value-prop in the security conference landscape: “glorify the defense”. It’s common for security cons to over-index on stunt hacks, 0day drops, and tales of ultimate pwnage; ACoD aims to create space for the valuable and often-overlooked defender perspective.

Having spent the better part of four years working in security operations, and now supporting a product that secops teams use, ACoD had been on my radar for a while, but this was my first year in attendance. (Our own Kelly Shortridge was a speaker there the previous three years, so this year in Kelly’s stead they got a slightly taller Capsulator with the same initials.) Most of the talks I went to were in the operations track. A few themes I observed:

Building/customizing rather than buying/outsourcing

Several of the talks in the operations track followed the general narrative of: 

  1. We kept encountering this problem
  2. Here’s how we approached trying to solve the problem
  3. Here’s the open-source tool we built to solve it

Perhaps the most striking of these was Philip Gardner and Derek Chamorro detailing building their own serverless SIEM in order to handle the high volume of log data they ingest — and measurably decreasing their cloud services bill. I noticed a good bit of variety in this and other alerting pipelines that were discussed, reflecting the complex infrastructure of all of our respective environments. For detection tooling, rather than buying one pane of glass to rule them all, there’s a drive toward making the existing panes of glass play nicely with one another. Words like “webhooks”, “API”, and “integration” featured prominently.

Often in build vs buy debates, the question arises, “will it scale?”. In “Democratizing Chrome Extension Security”, Jacob Rickerd explored the threat landscape of Chrome extensions and described building CRXcavator to surface extensions’ unique risks. No viable tooling previously existed to comprehensively assess extensions’ attack surface, such as permission changes over time and potentially risky API calls. (Full disclosure: Jacob is a former colleague, and my old team was customer zero for this tool.)

What stood out to me was that CRXcavator was intentionally built for use beyond its original internal customer and use case — distinguishing it from many internal tools that struggle to retrofit themselves for external use and a broadening scope. A full API was released along with the tool, as well as API documentation and discussion of its use at enterprise scale.

A welcome shift in language

For all of the FUD-speak of 0days, nation-state attacks, and APTs, the more realistic threat model for many blue teamers involves well-intentioned mistakes, misconfigurations, and undetected changes. It was refreshing to see this reality reflected — from a standpoint of blamelessness and enablement — in ACoD talks.

Jordan Wright, Nick Mooney (also both former colleagues), and Matt McNiece released Secret-Bridge for monitoring Github for secrets leakage — a near-universal occurrence among developers, rarely with malicious intent. Rather than the counterproductive angle of trying to shame users into behavioral change, tools like this reflect a judgement-free acceptance of the fact that humans are messy and complex, and when mistakes inevitably happen we should have a way to detect and remediate them.

Reframing resilience

The one philosophy track talk I did catch was Guillaume Ross’s “Reliability as a Liability”. Conventional wisdom often frames complete availability at all possible costs as the measure of success. Uptime, however, can mean uptime of attack surface and pivot points; a server that stays online for 200 consecutive days gives ops pristine availability metrics, but also gives an attacker a comfy and stable place to chill.

Drawing upon examples of attacks that were inadvertently mitigated by interrupted availability (such as the DoS of a DHCP server that left more sensitive endpoints unroutable), Guillaume reimagined building for “resilience” not as unilaterally preserving uptime, but as designing strategically-placed breaks in uptime to reduce blast radius. He drew parallels to cars engineered with “crumple zones” to bear the full impact of a collision, leaving more critical zones (read: driver and passenger areas) intact. Ephemeral infrastructure is a more familiar concept in the DevOps world; it’s heartening to see these ideas begin to gain traction in security spaces.

And the winner for buzziest word is…

The MITRE ATT&CK framework is clearly the current hotness — it came up in several talks. (The pivotal question remains unanswered as to whether “ATT&CK” is pronounced “attandck” or “attampersandck”.) The two matrices I saw mentioned most were Windows and cloud. Tim Frazier used the Windows matrix as the foundation for his attack simulation tool to assess detection capabilities. While I’d caution against taking the ATT&CK framework as 100 percent comprehensive, many teams are leveraging it as a tool to more easily identify coverage gaps based on their infrastructure, rather than starting from a completely blank threat model.

What’s missing: Linux and containers

Detection and response at the public cloud level (mainly AWS) came up in a few talks. The container and orchestration layers, however, were greenfield. A few of the folks I spoke with whom I’d consider security experts noted their lack of familiarity with container security. (Incidentally, we’re working on writing a blog series on container security — more to come!)

I also noticed that many of the malware-related talks were heavily Windows-focused. It’s difficult to work in security without ever interacting with Windows at some point, but Linux is everywhere from production workloads to embedded systems, and there’s a ton of Linux security content that’s ripe for exploration. 2021 may not be the year of Linux on the desktop, but maybe it’ll be the year of Linux on the ACoD?

A note on accessibility and diversity

A win for accessibility: every talk I attended had a microphone for audience questions. However, the venue still presented some challenges for those who are hard-of-hearing or have auditory processing disorders: the two tracks could hear each other, and no sound barrier existed between the operations track and the area where people mingled. Having that separation also would have aided in facilitating more of the organic conversations that pop up during cons — the foundation of a successful “hallway track” is something akin to an actual hallway.

Though the atmosphere was friendly and open, the diversity of the ACoD crowd both onstage and off left room for improvement. I hope that going forward, the organizers will, particularly in building a speaker lineup, take an intentional, intersectional approach to leveling up the con’s diversity. The goal of conference program committees should not be to have speakers reflect a demographic cross-section of the current industry (which just perpetuates the status quo), but to give a platform to a wide range of practitioners whose diverse lived experiences inform their threat models and approaches to solving a problem. “The status is not quo.”

One small change that can facilitate a broader speaker base: move the CFP window earlier. While on the surface it seems inconsequential, ACoD closing its CFP two weeks before the con privileges those who are either local to high cost-of-living Austin or in a position to make last-minute travel plans (they’re probably not a primary caregiver, and they either have an employer who’ll foot the bill or they can afford more expensive flights).

I mention these not to throw shade, but to give a loving nudge to make a good conference even better. Even at a con that’s informal by design, there’s always some degree of care and feeding needed to foster an inclusive environment.

I left ACoD tired yet energized, my head buzzing with new ideas and perspectives — the mark of a successful conference. If you’re looking for a con with a chaotic-good character alignment that elevates the art of blue teaming, this is one to watch.