The Fal.Con Has Landed

California Dreamin’

In early November 2019, I found myself in sunny California for CrowdStrike’s third annual Fal.Con UNITE conference at the Sheraton San Diego Hotel & Marina.  As a big fan of the CrowdStrike platform, I was excited that CrowdStrike invited me to hear about upcoming features and get hands-on training. Full disclosure, CrowdStrike covered my travel costs, so how could I say no? 😛

Having been to a number of security conferences, I have a good idea of what makes or breaks an event like this.  Great conferences inspire you to bring back what you learned and start improving the security of your systems. Lackluster conferences leave you wondering why you wasted your valuable time and checking if you can catch that earlier flight back.

Typically, I look for several key elements:

  • Quality training and informative breakout sessions that are immediately actionable
  • Opportunities to connect with peers and expand my professional network
  • Engaging and inspiring keynote speakers
  • Fun events and cool swag! 🙂

On these points, Fal.Con was a resounding success.  I was particularly impressed by the caliber of keynote speakers and the technical depth of the onsite training courses.  I made great connections at the various events and there was plenty of swag for all. It also didn’t hurt that the choice of city and weather were fantastic!

United We Strike

Conference keynotes are typically a mixed bag.  There’s usually a heavy dose of marketing and promotion around new features and what sets a vendor apart from its competitors.  This of course includes overproduced customer success highlight reels that seem to only feature high-level customer executives but never the actual security practitioners that use the vendor’s products day in and day out (no, I’m definitely not jaded 😛).  Sometimes, you’ll even see someone famous, only to find their talk ultimately makes no real connection to the conference theme.

So yeah, I have a healthy amount of skepticism when it comes to keynotes.  Given this, I was impressed by the overall messaging and cohesiveness of the keynotes.  Yes, I expected the traditional marketing and promotion but from what I saw, the newly announced Falcon features are worthy additions, not simply rebranding existing functionality or solutions in search of problems.

Day 1 Keynote Speakers

George Kurtz, CrowdStrike CEO and co-founder, kicked off Fal.Con by describing how the CrowdStrike platform was born from the frustrations of legacy security solutions.  He provided great insight into what made CrowdStrike different from the many security platforms out there, in particular the traditional, big name “Security Dinosaurs.” He announced new features including Falcon Firewall Management, Falcon for AWS, and additional CrowdStrike Store partners.

Next up was Shawn Henry, president of CrowdStrike Services and CSO, who delivered perhaps the most passionate keynote speech I’ve ever seen.  He spoke from the heart about the importance of mentorship and building your legacy. He bluntly described how our adversaries are actively sowing global chaos and how we must leverage “The Three C’s” (see photo) to collectively fight the good fight.  An incredibly fiery talk, and words can’t accurately capture Shawn’s intensity and energy.

Brian Krebs, of KrebsOnSecurity fame, recounted numerous war stories that tracked his career progression from working in the Washington Post mail room to ultimately becoming an accomplished cybersecurity journalist.  He discussed the dos and don’ts of talking to him should you find yourself in the unfortunate position of receiving that call from him.  As a longtime fan of Brian’s blog, it was incredibly cool to see him live.

Roxanne Austin, president and CEO of Austin Investment Advisors, sat down with George Kurtz for an informal chat on the infamous Target Corporation breach and the lessons learned from her experience as part of Target’s board of directors.  She humorously mentioned that she and her team did in fact receive that call from Brian Krebs, and while the breach nearly broke Target, the company survived and the experience ultimately made Target a better, more successful company today (heck, I just bought some shoes there!).  Having previously heard so much about the technical failures behind the breach, it was interesting to hear her perspective on the business and people side.

The first day’s keynotes ended with none other than NBA Hall of Famer and now Chairman and CEO of Magic Johnson Enterprises, Earvin “Magic” Johnson.  Honestly, when I saw him in the list of keynote speakers, I wasn’t sure what to expect. From what I (and most everyone) knew of him, he was an incredible basketball player turned successful businessman but had absolutely nothing to do with cybersecurity.

However, I was pleasantly surprised by how engaging the “Magic Man” was.  He emphasized the importance of building a strong team and how he’s always been motivated by people telling him he wasn’t good enough or how impossible his dreams and goals were.  Connecting that back with cybersecurity, defending our systems isn’t a function of who has the most expensive security tools, it starts with having a solid team that’s driven by shared goals and common purpose.  Throughout his talk, he picked on unsuspecting audience members to chest bump him (yes, really) and ask questions. Not pictured below: me chest bumping Magic. 🙁

Day 2 Keynote Speakers

Dmitri Alperovitch, CrowdStrike CTO & Co-Founder, dived deeper into George’s new product announcements.  In particular, we learned about how CrowdScore will enable security teams to speed up incident response. I’m personally very excited to try out the new CrowdScore Incident Workbench and the slick new incident graph and timeline views.

Dan Ariely, James B. Duke Professor of Psychology & Behavioral Economics at Duke University, gave an entertaining and enlightening talk on human behaviors and how, all things being equal, we tend to choose inaction over action (even if taking action may benefit us in some way), unless cleverly motivated otherwise.  This is especially relevant in cybersecurity as quite often, we as defenders may want users to change their behavior and choose the “more secure but more friction” path over the “less secure but less friction” path. The challenge for security teams is to work with the business to develop the ideal “more secure and less friction” option.

The final keynote speaker was Caitlin Conley, former executive director of the Defending Digital Democracy Project.  She explained the numerous challenges that election officials face in ensuring a secure election process, the cornerstone of any great democracy.  She encouraged us as cybersecurity professionals to volunteer our time and expertise to make our elections as secure as possible.

CrowdStrike Foundation NextGen Scholarship & Customer Excellence Awards

The keynotes were followed by the CrowdStrike Foundation NextGen Scholarship and Customer Excellence awards.  It was cool to see that CrowdStrike is investing in students pursuing cybersecurity degrees to meet the growing cybersecurity skills gap.  However, the Customer Excellence awards presentation was unnecessary and best left out completely. It felt out of place here and conference attendees honestly aren’t interested in seeing other people win awards.

Keynote Wrap-up

Often, most conference attendees will pack the house for the first few keynote speakers and then significantly drop off as the day and week go on.  And while Fal.Con wasn’t completely immune to this, anyone that left early truly missed out on some great content ranging from new product announcements to “thinking big picture” in terms of how security can serve as a business asset as opposed to a burdensome cost.

You Know Nothing

Cybersecurity is a vast field, and you’ll find that the more you learn, the more you realize there is to learn.  A great conference should expand your knowledge and inspire you to apply your new skills to your own environment.  It shouldn’t just be mere promotion of vendor/partner products or service offerings.

With this in mind, I carefully selected my sessions to avoid any obvious sales pitches or marketing fluff.  No vendor conference is without these types of sessions, Fal.Con included. So I was happy to find non-Falcon specific sessions that covered interesting tools such as BloodHound and AutoMacTC.

Having no experience with mobile malware, it was cool to learn more about mobile threats and how CrowdStrike plans to take this on with Falcon Mobile.  I also enjoyed learning more about the recently released “Custom IOA” feature in Falcon and the creative ways this can be used to detect and prevent suspicious activity.

In addition to the general conference sessions, I had the opportunity to attend a couple of “CrowdStrike University” courses.

FHT 202: Intermediate Falcon Platform for Hunters

FHT 202 was an all-day course that demonstrated a variety of ways to analyze the rich data available in the Falcon Insight app.  The data that Falcon collects is a gold mine for threat hunters and it would be impossible to cover every possible use case.  To get you started, the course included a sheet of actionable queries that could be used immediately in your own environment.

CST 350: Deriving Intelligence from Falcon Sandbox

CST 350 was a half-day course that introduced Falcon Sandbox, part of the Falcon X offering.  After learning about the technology behind the sandbox, we learned how to manually upload malware samples and read the comprehensive reports Falcon Sandbox produces.  I’ve just started getting more into malware analysis, so I’m excited to apply what I’ve learned in my own testing of the platform.

These are also available as virtual classes, but you miss out on connecting with your classmates and of course, heckling the instructor! 😛

Work Hard, Play Harder

It wouldn’t be a conference without some fun events and networking opportunities.  This year’s Fal.Con featured two big events: the first night’s “Welcome Reception” hosted at the Partner Pavilion and the “Fal.Con UNITE Party” hosted at the USS Midway Museum.

Welcome Reception

The Welcome Reception included a buffet dinner amongst a sea of vendor and partner booths.  “Vendor speed dating” is generally not my thing, but if you were interested in learning more about a particular product or service offering, there were plenty of opportunities to do so.  Like other conferences, there was much swag to be had.

As an incentive for folks like me who don’t tend to mingle with vendors, there was a “Passport to Prizes” drawing where you could win some admittedly sweet prizes such as $150 gift cards and noise-canceling headphones.  You merely had to scan all 38 QR codes, one at each vendor booth, to qualify for the drawing.  This is pretty common for conferences like this and I may or may not have gotten very good at grabbing these QR codes stealthily from afar. 😉

CrowdStrike also had artist Stephen Fishwick create a custom artwork live on stage that you could bid on through silent auction.  The proceeds went directly to the CrowdStrike Foundation.

Fal.Con UNITE Party

The Fal.Con UNITE Party was a fun evening event held on the famous USS Midway, now a museum.  I had never been on an aircraft carrier, much less partied on one, so I wasn’t sure what to expect.  But it turns out that free food and open bar while connecting with other security professionals makes for a great time.

The Biggest Room Is The Room for Improvement (groan)

I had a great time in San Diego and thoroughly enjoyed the conference.  That’s not to say there weren’t areas I’d like to see improved upon going forward.

  • Removal of Customer Excellence Awards presentation
    As I mentioned earlier, this felt out of place.  I heard other attendees mention this. CrowdStrike could instead recognize customers as part of events focused solely on those customers or as part of a press release or blog.
  • Recorded sessions and slides
    It’s convenient to be able to replay an interesting session or watch a session that I missed.  It’s also a great way to showcase quality talks to those who weren’t able to attend the conference.
  • A better Fal.Con app
    Presumably, an app is a great way to schedule your sessions and keep up with events. However, this app was slow and clunky compared to others I’ve used.  Notably, it didn’t alert me when scheduling sessions with conflicting times and there was no way to schedule sessions on a website and have these sync with the app.
  • Connecting attendees by industry or role
    The networking events were fun, but it’d be cool to have a way to more easily identify and connect with peers that are in the same industry or role.  For example, having some of the meal tables marked specifically for networking with your industry peers.
  • More training opportunities
    CrowdStrike is heavily focused on creating quality training and more in-person training classes would be welcomed.

‘Til We Unite Again

It’s no small feat to create a great conference, especially as the number of attendees grows, but CrowdStrike put on a great show in San Diego.  As an introvert (and I know most of us in IT and Security are), the idea of spending hours amongst large crowds of people is generally not my idea of a good time.

But I’ll always say yes to opportunities that immerse me in the latest security developments and enable me to connect with my peers.  Perhaps because Fal.Con is still on the smaller side in terms of attendee size (which I think is a good thing), people seemed more open to socializing and everyone I met was friendly and interested in sharing their perspectives.  In talking to other cybersecurity professionals about the challenges we collectively face, you quickly realize how small the world of cybersecurity really is and how critical it is that we unite together to defend our systems from adversaries.
