Justifications for attending the FIRST conferences and being involved with FIRST

Background

Several people have indicated that they have a difficult time justifying international travel (or even travel at all) to attend FIRST conferences, or for time and resources spent volunteering for FIRST. We decided to poll people at the 1998 conference and ask why they are involved with FIRST (either by attending the conference or through membership, or both) and how they justify the costs (time, other resources, and especially travel costs) to their management.

This is a compilation of their answers.

What are the benefits of FIRST?

I should start by pointing out that the responses I received echoed many of the points made in https://www.first.org/about/first-description.html, under the section "What are the benefits of the FIRST?"

Brief summary: Computer security incidents are often international in nature. Each incident response team can assist their constituency and coordinate with other teams to provide efficient global response.

FIRST provides:

A forum for trusted interaction among incident response teams.
The annual conference , which is the only event that focuses on incident response. Education is provided through tutorials, presentations and team to team interactions.
The FIRST technical colloquia provide a closed discussion forum for teams to share more explicit and sensitive information with each other.
New teams benefit from membership in FIRST by improved communication with their peers around the globe and through the exchange of information, ideas and practices.
The collection of FIRST teams provide expertise that covers a wide variety of incident response and security issues.

Advantages of FIRST Membership

Member teams share more explicit and sensitive information at our Technical Colloquia than is usually shared (at least in public) at the annual conference.

The mailing lists provide an opportunity for us to share information about exploits, threats, tools and techniques in a secure and restricted forum.

Networking

The first thing that everyone said when asked was "networking": they like FIRST because it provides an excellent opportunity to meet with their peers - people who are involved in the international incident response effort.

Some teams have this goal of networking as part of their mission, or perhaps we should say, they believe in the mission of FIRST (in part, to promote the formation of incident response teams all over the world), and so attendance at the conference and involvement in FIRST is a natural part of their activities.

Other teams are interested mostly in self-improvement - their mission isn't so much to help create teams around the globe, but they want to be the best they can be, and an important part of that is meeting with their peers and sharing ideas. This sharing goes both ways - teams that are weak in one area are strong in others, and we can benefit from one anothers strengths when we have the opportunity to meet, compare notes, and share problems (and solutions). The best way to do this is through meeting face to face - the FIRST conference provide an excellent forum for this sort of discourse.

Finally, new teams and groups that are interested in forming teams can obviously benefit greatly from the experience of existing teams. Involvement as a member of FIRST, and attendance at the conferences gives new teams an opportunity to learn from the best and become an active member of the international incident response community.

Networking - getting help

Meeting people from experienced incident response teams helps us build contacts that we can refer to when we run into unfamiliar problems. Through the presentations and our conversations at the conferences, or discussions on the first-teams mailing list, we learn about other teams. When we need help, we can refer to those people for assistance. Members of FIRST can also search for help through the first-teams mailing list.

Several teams use these external contacts to identify experts that they have invited to get involved with their constituencies in various ways (e.g. providing consulting, giving talks). Often times bringing in an outside authority lends extra credibility that can convince people where we couldn't. FIRST provides an excellent forum for finding these sorts of experts.

Networking - Trust

One of the big problems in incident response is that when we contact someone at another site we don't know who they are and whether we can trust them not to damage our investigation. Having a trusted contact at a remote site can greatly help us, contacting the wrong person can really mess things up.

FIRST helps build that trust between teams in several respects.

The conferences provide an opportunity to meet with people from other incident response teams. through our conversations and efforts to help one another, we build personal trust between us.

FIRST members go through an interview process of sorts, and that lends at least a limited sort of trust to any FIRST member. When I contact another FIRST team, even if we haven't met anyone from that team, we know that someone from FIRST has, that they probably know how to handle my incident at their end in a discrete and secure fashion, and that they will probably cooperate with me to solve our mutual incident. as we work together on incidents, we also build more trust and credibility with one another.

Also, we often need to contact organizations that have not been involved with FIRST. we haven't met them, their incident response team (if they even have one) isn't a FIRST member, we don't know whether we should communicate with them or not. we can often contact regional incident response teams who are FIRST members (e.g. a national team) to solicit their advice, or even just ask around FIRST to see whether anyone also has had dealings with that group before. FIRST can help us find and build trusted contacts with non-FIRST teams, and to avoid disclosing sensitive information to suspicious groups.

Networking - an indirect benefit

There is also a hidden but important benefit of involvement in FIRST. Active participation in FIRST directly helps accomplish the mission of FIRST - the formation of a global incident response community. Many Internet security incidents are global in nature. As we increase the number of experienced teams, and increase coverage of the Internet, the quality and efficiency of global incident response will rise.

Bridging gaps, raising awareness

The FIRST conferences provide a unique means for the incident response community to interact with the law enforcement community. This helps us form and maintain mutual understanding, respect and trust. Since many incident response teams interact with law enforcement groups on a regular basis, this helps us to work together more effectively.

FIRST also helps incident response teams to understand one another. Although we share common goals and problems, there are significant differences between the teams for software vendors, Internet service providers, colleges and universities, military groups, national teams and commercial teams. Through networking and presentations we can learn more about both the problems and solutions we hold in common, as well as gain mutual understanding. This facilitates cooperation and helps alleviates frustration when we try to work together.

Education/Training

The annual conferences provide excellent tutorials and presentations that help us advance in our own education and to stay abreast of new threats and developments in the security world.

The FIRST Technical Colloquia (available to FIRST members only) provide additional opportunities for us to share sensitive information with one another.

Incident response teams share information about threats, exploits, incident response tools and techniques through contact at the conference, and through the technical colloquia and mailing list.

Attendance at FIRST events can be a productive part of training new team members - bring them along, let them associate with other incident response personnel and develop their own network of contacts, in addition to learning a lot. It also gives other teams a chance to meet the newer members of your team.

Best conference for our needs

There are other security conferences. Some provide limited training in incident response, but none of them address the specific needs of incident response teams. FIRST is only group focusing specifically on incident response and incident response teams.

The USENIX Security Symposium is focused more on "security research". The value of FIRST is that the focus is on real world incident response experiences - what are other teams doing that I can learn and apply now?

Involvement with FIRST lends credibility to our separate teams

FIRST is the "premier organization for the international incident response community". Involvement in FIRST lends credibility to our teams, especially for teams that join FIRST as members. This has helped at least one team tremendously in its outreach efforts to local businesses.

Internet security is an international problem, and needs an international involvement to address it.

You may need to contact another IRT outside your country to address an incident at your site. Knowing who you are working with before you contact them in an emergency is a great help, and can result in more effective and efficient coordination and interaction. It is important to raise the profile of your team in the international incident response community to establish these contacts. Attendance at the FIRST conferences, especially in locations that are geographically removed from us, is the most effective way to do this. It is especially useful for meeting teams from the area where the conference is located, which you might never meet otherwise.

Incident response teams are (mostly) isolated - we are spread all over the globe, and most don't have teams nearby to consult with on a regular basis. FIRST provides a unique forum for us to break through the barriers that separate us and meet together.

International travel isn't necessarily more expensive than other travel. Compare the costs.

A concern for many teams in the U.S.A. is that international travel is perceived as a "vacation". Travel for a conference in Mexico or Bristol (or Australia) isn't any more of a vacation than is travel to San Diego or Baltimore.

Other:

From a consulting firm: our clients are setting up incident response teams. We'd like to help them (and help them get involved with FIRST, we hope!)

Management likes to be on top of things. Involvement with FIRST is one step they can take to help ensure that their team will be among the best. When someone asks what they are doing to ensure that their company is on top of things with regard to incident response, they can say that they are actively involved with FIRST, the premier incident response forum in the world.

One respondent worked attendance at the FIRST conference into their job as part of their benefits package when they signed on.

Some groups list involvement with FIRST as a mission-critical part of their job.

Last modified: 25 February 1999