Archive for the ‘Speaking Engagements’ Category

Hoff’s Upcoming VirtSec/CloudSec Presentations in 2009

January 14th, 2009 No comments

I'll be updating my speaking itinerary shortly, but I wanted to let folks know I'm working on three major VirtSec/CloudSec presentations for 2009:

The Frogs Who Desired a King

The Frogs Who Desired a King is based on the topical reference to one of Aesop's fable about a discontented population of frogs who appealed to Zeus for a king.

Ultimately, through a comedy of errors, the frogs finally got their new king — a stork — which promptly ate them.

We, as a discontented legion of frogs, decry our dark overlords' choices (or lack thereof) of security in virtualized and cloud computing environments and long for security solutions to magically solve all our problems. 

Just like the frogs, we better be careful what we wish for, as our prayers might just be answered, consuming us all. This is the sequel to my "Four Horsemen of the Virtualization Security Apocalypse" series.

Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure

What was in is now out. 

This metaphor holds true not only as an accurate analysis of adoption trends of disruptive technology and innovation, but also parallels the amazing velocity of how our datacenters are being re-perimiterized and quite literally turned inside out.

One of the really scary things happening with the massive convergence of cloud computing is its effect on security models and the information they seek to protect.

Where and how our data is created, processed, accessed, stored, backed up in what is sure to become massively overlaid cloud-based services — and by whom and whose infrastructure — yields significant concerns related to security, privacy, compliance and survivability. 

This "infrastructure intercourse" makes it very interesting to try and secure your assets when you don't own the infrastructure and in many cases cannot provide the same levels of functionality we can today.

Mozart's "The Marriage of Figaro": Complexity & Insecurity Of the Cloud

Mozart's sequel to the Barber of Seville was lauded as one of the most profound works of its time. 

Its staggering complexity, inviting overtures, rich textures and variety of orchestration were perceived by many as unapproachable, unfathomable and in some cases unintelligible. 

Yet so remarkable and unique was the composition that people flocked to its performances although in many cases were blinded by the simplicity of its underlying complexity.

Such are the parallels with the deeply profound cacophony surrounding the issues of securing Cloud Computing and the tonal miscues hidden amongst its various acts.

This presentation will review the most pressing security, privacy, sustainability and resiliency
issues surrounding the marriage of convenience, economics and computing.

See You At SecTor (Toronto) and/or DayCon (Dayton)

October 3rd, 2008 4 comments

It's been a whirlwind tour recently travel-wise as I've been speaking quite a bit on the virtualization circuit regarding security (or lack thereof.)

I've spent some serious time talking to users, vendors and analysts regarding some of the research I've been doing on current and future state virtualization technologies and roadmaps.

To cap of this year's events, I'll be at SecTor in Toronto on 10/8-9 and DayCon in Dayton from 10/10-12.

DayconAfter that in November (at Information Security Decisions) I'll be officially retiring the Four Horsemen presentation in lieu of the next in the series to come.

Hope to see you in Toronto or Dayton, eh?


Categories: Speaking Engagements Tags:

Upcoming Presentation: The Frogs Who Desired A King: A Virtualization Security Fable Set To Interpretive Dance

September 3rd, 2008 No comments

The sequel to the "Four Horsemen of the Virtualization Security Apocalypse," is my next presentation entitled "The Frogs Who Desired A King: A Virtualization Security Fable Set To Interpretive Dance."

It goes something like this:

Aesop wrote a little ditty about some discontented frogs who lived in a pond.  They asked Jupiter for a King.  They got one.  They didn’t like it.  They got a replacement. It ate them.  The moral of this story is "be careful what you wish for."

The corresponding analog is that of the future state of security in a virtualized world.  It’s coming, but it’s not going to look much like what security looks like today and it’s certainly not what people are expecting.  In fact,it may consume us all because we’re actually unprepared for what we’re asking for.

You’ll laugh, you’ll cry.  You’ll want to know what I used to make my slides… 😉

Coming soon to a disturbed audience near you (seriously.)


Don’t Hassle the Hoff: Recent Press & Podcast Coverage & Upcoming Speaking Engagements

August 28th, 2008 No comments

Here is some of the recent press coverage on topics relevant to content on my blog:

  • Information Week: Virtualization Has A Security Blind Spot
  • Information Week: Securing Virtualization, or is that Virtualizing Security?
  • Network World: Black Hat speakers expose virtualization, OS security gaps (**NOTE: Please see here, VERY important)
  • Network World/Computerworld: Black Hat spotlights virtualization, DNS issues (**NOTE: Please see here, VERY important)
  • SearchSecurity (Australia): Could securing virtualised environments destroy ROI?
  • SearchSecurity: Initial virtualization costs could outweigh benefits
  • Computer Zeitung: Today’s Security Products Aren’t Ready For Virtualised Data Centres
  • Wall Street Journal: Hackers On the Move
  • Baseline: Managing Mobility In the Enterprise
  • ITWorld: Pros and Cons of VMware’s New Security Guide


I am confirmed to  speak at the following upcoming events:

I will be attending the following events:


Complete Slides: The Four Horsemen Of the Virtualization Security Apocalypse

August 19th, 2008 10 comments

UPDATE: Here’s the latest version of the presentation as I updated it for SecTor in Canada.  It includes many additions as well as modified single slides of the animated ones.

You can find the slides from October 2008 here.

There were some significant differences in the slides that were on the CD issued by the Blackhat folks and what I delivered.

You might be interested in them.  I’ve exported the presentation to PDF with each animation built as a separate slide – in some cases that means there are 5-6 slides with advancing bullets, graphics, etc.  As annoying as that may be, it fixes the mess of the positional overlay problem you’ll see if you view the PDF from the CD.

As an important note, my slides are designed to accompany my speaking, not the other way around, so in some cases they don’t explain themselves.  This is by design 😉

I will be giving updates to this presentation throughout the rest of the year since it’s a presentation designed to communicate the virtualization “state of the art” as it relates to VirtSec.  So, if you attend a conference and see this talk advertised, it will have new/updated content.

Be warned, this PDF is huge (~55 MB) because my slides are intensely graphical.



(In 5 days there have been almost 1000 downloads of this preso.  If any of you have feedback, I’d really appreciate it.  Thanks)

From the “Sucks To Be Me” Department…

August 11th, 2008 7 comments

Based upon feedback from attendees at Blackhat, my talk, "The Four Horsemen of the
Virtualization Security Apocalypse," went over well and I really had a lot of
fun delivering it. It’s had a TON of coverage.

Despite the positive feedback from folks, it seems the foreboding narrative of the apocalypse has carried over into the real world due to a rather unfortunate journalistic misinterpretation of the facts.

It’s only fair to state that I have been critical in the past of others in our line of work who have complained of their inability to control the output of their direct interviews with the press and analysts as misquotes and misunderstandings arise.

Perhaps this is a little karmic payback for my outspokenness, as after my talk at Blackhat, I have now enjoyed the fruits of journalistic distortion firsthand.  It’s important to note that this was not the result of a direct interview, but rather the inaccurate reporting of a reporter sitting in the audience of my talk.  I was never contacted with questions or asked for clarification or review.

Many of the points I made in my presentation were reflected upon poorly and my perspective butchered, but one specific item is causing me some serious grief in a professional capacity.  It cast a rather crappy pall on the rest of my Blackhat and Defcon experience (more on that later.)

One of the "Four Horsemen" which represents a critical issue in virtualization security is that of the hidden costs involved in virtualizing security.  The point I made, and the language I used to consistently describe it multiple times appears below:

To be perfectly clear, what I obviously said was that "virtualizing security will not save you money, it will cost you more."

What Ellen Messmer reported in her Network World article was that I said "Virtualization will not save you money, it will cost you more.”

Now, this may not seem like much of a difference, but it’s a profoundly impacting dissimilarity.

It’s a dangerous rephrase that has now caused significant pain for me that I’m going to have to deal with once I return from vacation.  It’s been picked up and re-printed/adapted so many times without validation that I can’t keep count any longer.

You see, I work as the security architect for the division of a company who is maniacally focused on designing, deploying and supporting heavily-virtualized realtime infrastructure for our customers.  One of the (obvious) value propositions of virtualization/RTI is cost savings/reduction/avoidance which I specifically referenced during my presentation as a well-established fact and reasonable motivation for virtualization.

You can probably imagine the surprise of folks when they read Ellen’s article which is written in a way that directly contradicts our corporate messaging and the value proposition offered to our clients.  It reflects rather poorly on me and my company.

And just to be clear, my scorn was not directed at the "network industry" or the "virtualization industry" as reported in the article; the context of my entire talk was the security industry, a point sorely missed.

This article reads like the output result of a bad game of "telephone."

I intend to contact Ellen Messmer and ask for a retraction as well as corrections of multiple other mistakes in the article, but as we all know, there’s no real retraction on the Internet.  All I can offer is my presentation, the video recording of it and the recollection of the 500+ others that were in the audience when I presented (including numerous other reporters.) 

The only other thing left to do is to sheepishly admit that despite the fact that this was not an interview that I or anyone else could control or influence for correctness, Joanna Rutkowska was essentially correct in her assertion during our last debate that you cannot control the press, despite best efforts. 

Even though I’ve never had a problem of this degree in the almost 15 years of doing this sort of thing, I humbly submit to her on that point.


Categories: Press, Speaking Engagements Tags:

Blackhat/Defcon Bound & My Talk

August 3rd, 2008 3 comments

I’m interrupting vacation in SoCal with the family and trucking up to Vegas for this next week’s forthcoming Blackhat and Defcon extravaganzas.  I’m getting into Vegas on Sunday, 8/3 around 4pm and leave on the 10th after Defcon.

I’ll be attending the Microsoft Ninjitsu training on Monday/Tuesday so I expect my Windows Fu will be strong as bull after the conference 😉

I’m speaking on the first day of the briefings.  My talk (Network Track – Augustus 5&6) is titled "The Four Horsemen of the Virtualization Security Apocalypse" and is from 1:45-3:00pm on August 5th.  Hope to see you there:

Despite shiny new stickers on the boxes of our favorite security vendors’ products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments.

This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh!

This talk will focus on both securing virtualization as well as virtualizing security; from virtualization-enabled chipsets to the hypervisor to the VM’s, we’ll explore the real issues that exist today as well as those that are coming that aren’t being discussed or planned for.

There are a bunch of security weenies who use Twitter who are attending one or both venues.  You can find a list of them (thanks, Zach) at the official Security Twits webspace.

See you at the show(s)


Categories: Speaking Engagements Tags:

Blackhat 2008: Four Horsemen Of the Virtualization Apocalypse – Done!

June 30th, 2008 5 comments

Today was the deadline for submission for all selected Blackhat presentations. 

I’m giving a 75 minute talk titled "The Four Horsemen of the Virtualization Apocalypse" which is based upon my original blog posting here.

I dutifully uploaded my presentation to Ping and the gang at Blackhat HQ today (on time, that’s a first!) with a sigh of relief and accomplishment.  I’ve done hundreds of presentations over the years, but this one is special.

I have to say that I poured my heart and soul into this presentation.  I went all "Zen and the Art of Presentation" for most of it and I think that combined with the dozens of hours I put into the content, the diagrams and animations turned out purdy. 😉

Once BH is done, I’ll be posting it online with my narrative as I have my other presentations.

This cathartic little post is just the final little exhale of this project prior to numerous advance rehearsals, the first of which I will be inflicting upon my unwitting guests (75+ of them thus far) at my July 5th Pig Roast & Mojito festival in honor of another notch in the annual belt I’ve managed to stay alive on this hunk o’ rock.

Speaking of which, if you’re in the MA area and want an amazing cuban or southern-style pulled pork feast with all the trimmings, drop me a line as everyone’s welcome…many of the BeanSec’rs are coming, you should too!

Happy 4th/5th!


Don’t Hassle the Hoff: Recent Press & Podcast Coverage & Upcoming Speaking Engagements

June 5th, 2008 12 comments

Here are some of the recent press coverage on topics relevant to content on my blog:


I am confirmed to  speak at the following upcoming events:


Categories: Press, Speaking Engagements Tags:

IANS – NY Metro Security Forum

May 21st, 2008 3 comments

IanslogoI’m in New York presenting as faculty at the IANS NY Metro Security Forum.

Marcus Ranum and I spent today presenting the “Network Potluck” track on Log Consolidation/Analysis/Correlation, Next-Generation Network Security and Endpoint/Mobility Security.

Further, I gave a couple of presentations on virtualization security.

For those of you unfamiliar with the Institute (IANS,) you should check it out. What an absolutely incredible gathering of faculty and partners from such a stacked and diverse set of verticals. The agenda and format is really unique and it’s unlike any other forum I’ve attended:

The Forum is a highly interactive experience. Modeled on the Harvard Business School teaching method, it emphasizes expert-led, real-world discussions that draw on the experience and expertise of participants to drive insights to new levels.

This is not a person yapping at you from behind a PowerPoint, it’s a moderated dialog between real practitioner’s from some of the most forward-thinking companies on the planet offering you real advice (and seeking it) regarding what works and doesn’t.

Tomorrow is “solutions provider” day where we put the vendors through their paces and the opportunity for real face-to-face “no bull” sessions between vendors and customers — moderated by faculty members — begins.

Look forward to seeing you at an IANS event!


Categories: Speaking Engagements Tags: