pritha's Posts (624)

Attacks on Critical Infrastructure: Insights from the “Big Board”

Targeted attacks on critical infrastructure continue to increase in number and severity. We’ll present the latest data on these attacks: What is their goal? What are the attacker strategies? How are attacks supported by the darknet? We’ll discuss banking threats discovered at the “Big Board” at the RSA Anti-Fraud Control Center and Smart Grid threat detection in the EU SPARKS project.

Speakers

Daniel Cohen ( @iFraudFighter ); Robert Griffin ( @RobtWesGriffin )

Daniel Cohen is head of RSA’s FraudAction business unit that provides hundreds of organizations worldwide with anti-fraud services, including phishing and malware attack handling and cybercrime intelligence operations. Through his work, Cohen has gained deep insight and expert knowledge of the cybercrime landscape and economy, and often speaks on the topic at industry and customer events.

Robert Griffin ( @RobtWesGriffin ) 

Chief Security Architect, RSA

Dr. Robert W. Griffin is Chief Security Architect at RSA, the Security Division of EMC, where he is responsible for technical architecture and standards. He is particularly active in RSA’s initiatives to address the challenges of new threats and new models for IT, including security architecture for cloud computing, security for critical infrastructure, and security strategies for and using Big Data. 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

What Is Next-Generation Endpoint Security and Why Do You Need It?

This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.

Speakers

Jon Oltsik ( @joltsik )

Jon Oltsik is an ESG Senior Principal Analyst and the Founder of the firm’s cybersecurity service. With almost 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO’s perspective and strategies. Oltsik was named one of the top 100 cybersecurity influencers for 2015 by Onalytica, and is active as a Committee Member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners. Often quoted in the business and technical press, Oltsik is also engaged in cybersecurity issues, legislation and technology discussions within the U.S. government. 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

A New Security Paradigm for IoT (Internet of Threats)

All facets of computing have changed since the 1950s, except the security posture of our systems; nowhere is this more the case than in mobile and IoT. Some of our security foundations are outdated: chief among them “static” security, which assumes the threat landscape is static and predetermined. This session will describe the old static security paradigm and the new one: analytics-driven security.

Speakers

Hadi Nahari ( @hadinahari )

VP, Security CTO, Brocade Communications Systems, Inc.

Hadi Nahari is a security professional with over 24 years of experience and extensive work in design and implementation of secure systems. He has worked on large-scale enterprise solutions as well as embedded systems with primary focus on security, crypto, complex systems design, and vulnerability assessment and threat analysis. Author of Web Commerce Security: Design and Development, Nahari is a frequent speaker at U.S. and international security events and has led various security projects for Netscape, Sun Micro, the U.S. Government, Motorola, MontaVista, eBay, PayPal, NVIDIA and Brocade, among others. As VP, Security CTO, Nahari is in charge of security strategy and development efforts at Brocade, driving dynamic security via the applications of Analytics and Machine Learning in Cybersecurity.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device 

Imagine being dependent on a wireless infusion pump to receive the correct dosage of life-supporting medication. Now imagine the implications, were that pump to be maliciously hacked. In this session learn more about how to successfully secure these medical devices, based on work being conducted at the National Cybersecurity Center of Excellence (NCCoE) with premier health care organizations.

Speakers

Nathan Lesser ( @natelsr )

Nathan Lesser, Deputy Director of the National Cybersecurity Center of Excellence (NCCoE) at NIST, has over 15 years of experience in technical and leadership roles. Nate oversees the NCCoE’s engineering initiative and is responsible for cultivating collaboration across government, business, and technology companies to address cybersecurity issues within and across industry sectors. Previously, Nate led a team of cybersecurity engineers at Booz Allen Hamilton, served in the Office of Management and Budget, and the Senate’s Homeland Security and Governmental Affairs Committee. Nate holds bachelor’s and master’s degrees in electrical engineering from Columbia University, and is currently a Senior Fellow at the George Washington University Center for Cyber and Homeland Security.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Braking the Connected Car: The Future of Vehicle Vulnerabilities

In this presentation, analysts from Kelley Blue Book’s Automotive Industry Insights will illustrate how the connected car is quickly becoming an unrestricted playground for cyberthreats and how the next generation of in-car technology will intensify already-present vehicle vulnerabilities.

Speakers

Akshay Anand ( @iamakshayanand ); Karl Brauer ( @karlbrauer )

Manager, Commercial Insights, Kelley Blue Book

Akshay Anand is the Senior Insights Analyst for Kelley Blue Book’s KBB.com. In this role, he develops and provides insights reflecting Kelley Blue Book’s position as the market leader for new- and used-car research. Anand regularly produces data and reports, developing and sharing powerful storylines and actionable information with executives in the automotive industry. This information also is shared for media release with coverage from top-tier publications, and Anand regularly lends his insight on automotive news and information via commentary to media.

Karl Brauer serves as the Senior Director of Automotive Industry Insights for Kelley Blue Book. In this role, he develops and provides insights to position Kelley Blue Book as the market leader for new- and used-car research. Working with many departments within Kelley Blue Book and AutoTrader Group, Kelley Blue Book’s parent company, Brauer cohesively synthesizes available data and reports, developing and sharing powerful insights with the automotive industry. In addition to this role, Brauer is a Senior Editor and regularly contributes to Forbes.com, CNBC.com and other publications. As a veteran industry analyst, Brauer has been interviewed by, or appeared on, the New York Times, CNN, CNBC, the Wall Street Journal and more.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Integrating Cybersecurity into Supply Chain Risk Management

Cyber–supply chain risks pose a new set of challenges for businesses (loss of critical IP, unwanted functionality in products) which jeopardize brand reputation and shareholder value. This session will present case study research from NIST on cutting-edge practices and tools that today’s industry leaders in supply chain risk management are deploying to secure their supply chains from end to end.

Speakers

Jon Boyens 

Program Manager, Cyber Supply Chain Risk Management (SCRM), NIST

Jon Boyens is a Senior Advisor for Information Security in the Information Technology Laboratory, within the Department of Commerce’s National Institute of Standards and Technology (NIST). He leads NIST’s Cyber Supply Chain Risk Management Program and works on various policy and technical projects. Boyens helps develop and coordinate the department's cybersecurity policy among the department’s bureaus. He represents the department in the administration’s interagency cybersecurity policy process. Boyens has worked on various White House–led initiatives, including those on trusted identities, botnets, supply chain and, most recently, the Cybersecurity Executive Order and related work on Cybersecurity Incentives, Government Acquisition Policy and the Cybersecurity Framework and Roadmap.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Hardware Attacks and Security

Physical side-channel attacks and physically unclonable functions (PUFs) are discussed.

Topic 1: Enhancing Side-Channel Analysis of Binary-Field Multiplication with Bit Reliability. Authors: Peter Pessl and Stefan Mangard

Topic 2: Towards a Unified Security Model for Physically Unclonable Functions. Authors: Frederik Armknecht, Daisuke Moriyama, Ahmad-Reza Sadeghi and Moti Yung

Speakers

Daisuke Moriyama; Peter Pessl 

Daisuke Moriyama received a Ph.D. from the Institute of Information Security in 2011. He has worked as a researcher at the National Institute of Information and Communications Technology since 2011. His research interests include cryptographic authentication protocols for resource-constrained devices, e.g., the Internet of Things, provably secure cryptographic protocols and their building blocks (lightweight block ciphers and PUFs).

Peter Pessl is a Ph.D. student at the Institute for Applied Information Processing and Communications (IAIK) of Graz University of Technology. His main research interests include side-channel analysis and efficient hardware implementations of cryptography. More specifically, his focus is on algebraic methods in SCA and lattice-based cryptography. Before starting his Ph.D. studies in 2014, he received his M.Sc. in information and computer engineering. His master’s thesis covered efficient hardware implementations of the SHA-3 hashing algorithm and elliptic-curve signature algorithms.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Lattice Cryptography (RSA Conference 2016)

Somewhat homomorphic encryption schemes using lattices, and lattice libraries, are discussed.

Topic 1: Which Ring-based Somewhat Homomorphic Encryption Scheme Is Best? Authors: Anamaria Costache and Nigel Smart

Topic 2: NFLlib: NTT-based Fast Lattice Library. Authors: Carlos Aguilar-Melchor, Joris Barrier, Serge Guelton, Adrien Guinet, Marc-Olivier Killijian and Tancrède Lepoint
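
The operation that an NTT-based lattice library such as the one in Topic 2 exists to speed up is multiplication in the ring Z_q[x]/(x^n + 1), which ring-based homomorphic schemes perform constantly. The following is an added illustration of that operation, not code from NFLlib or from either paper: it multiplies two polynomials the slow way and via a number-theoretic transform and checks that the results agree. The parameters n = 8, q = 17 and the root psi = 3 are chosen for the demo only (real schemes use n in the thousands and a much larger q), and the transform is written as a plain O(n^2) DFT so the algebra is visible rather than the butterfly optimisations a library would use.

```python
"""Negacyclic polynomial multiplication in Z_q[x]/(x^n + 1) using a number-theoretic
transform (NTT), the core operation an NTT-based lattice library optimises.

Added example, not code from NFLlib or from the talk. Parameters are chosen for
illustration: n = 8 and q = 17, so 2n divides q - 1 and psi = 3 is a primitive
2n-th root of unity mod q (3 generates Z_17^*). The algebra is identical for
production-sized n and q.
"""
import random

N = 8
Q = 17
PSI = 3                  # primitive 2n-th root of unity: PSI**N == -1 (mod Q)
OMEGA = PSI * PSI % Q    # primitive n-th root of unity, used by the cyclic NTT


def schoolbook_negacyclic(a, b):
    """Reference implementation: multiply, then reduce with x^n = -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:
                res[k - N] = (res[k - N] - ai * bj) % Q  # x^k = -x^(k-n)
    return res


def ntt(a, root):
    """Forward transform over Z_q: A_k = sum_j a_j * root^(j*k).
    Plain O(n^2) DFT for clarity; a library uses an O(n log n) butterfly."""
    return [sum(a[j] * pow(root, j * k, Q) for j in range(N)) % Q for k in range(N)]


def intt(A):
    """Inverse transform: evaluate at the inverse root and scale by 1/n."""
    inv_n = pow(N, -1, Q)              # modular inverse (Python 3.8+)
    return [x * inv_n % Q for x in ntt(A, pow(OMEGA, -1, Q))]


def ntt_negacyclic(a, b):
    """Negacyclic product via the cyclic NTT: twist inputs by psi^i so that the
    wrap-around terms pick up the sign from psi^n = -1, multiply pointwise in
    the transform domain, then untwist the result by psi^-i."""
    twist = [pow(PSI, i, Q) for i in range(N)]
    untwist = [pow(PSI, -i, Q) for i in range(N)]
    A = ntt([x * t % Q for x, t in zip(a, twist)], OMEGA)
    B = ntt([x * t % Q for x, t in zip(b, twist)], OMEGA)
    c = intt([x * y % Q for x, y in zip(A, B)])
    return [x * u % Q for x, u in zip(c, untwist)]


def self_check(trials=50, seed=1):
    """Compare both multipliers on random polynomials; True if they always agree."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randrange(Q) for _ in range(N)]
        b = [rng.randrange(Q) for _ in range(N)]
        if ntt_negacyclic(a, b) != schoolbook_negacyclic(a, b):
            return False
    return True


if __name__ == "__main__":
    a, b = [1, 2, 3, 4, 5, 6, 7, 8], [8, 7, 6, 5, 4, 3, 2, 1]
    print("schoolbook:", schoolbook_negacyclic(a, b))
    print("ntt       :", ntt_negacyclic(a, b))
    print("random trials agree:", self_check())
```

The twisting step is the part worth understanding: a cyclic NTT computes products modulo x^n - 1, and multiplying coefficient i by psi^i before the transform (and by psi^-i after) turns that into the x^n + 1 reduction the schemes need, because psi^n = -1. Sanity checks a practitioner should keep around: psi^n must equal q - 1, and x times x^(n-1) must come back as the constant -1.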

Speakers

Anamaria Costache; Joris Barrier

Anamaria Costache is a first-year Ph.D. student at the University of Bristol in England, working under the supervision of Prof. Nigel Smart. She completed her master of mathematics at Warwick University, with a dissertation investigating Brauer groups and applications to the Brauer-Manin obstruction. Presently, her area of research is in the field of fully homomorphic encryption, with a focus on ring-based schemes.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Bring Your Own Internet of Things: BYO‐IoT

Here's an overview of the presentation: What is IoT?; What's the Problem?; What's the Attack Surface?; IoT Security - Current State; Response and Actions

Speakers

Carsten Eiram ( @carsteneiram ); Jake Kouns ( @jkouns )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Embedded Systems Security: Building a More Secure Device

Here's an overview of the presentation: What are common embedded systems?; What issues do they face?; Recommendations for securing embedded systems

Speakers

Randall Brooks ( @randallsbrooks )

Randall Brooks is an Engineering Fellow for Raytheon Company (NYSE: RTN), representing the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1) and the Cloud Security Alliance. Brooks has nearly 20 years of experience in cybersecurity with recognized expertise in Software Assurance (SwA) and secure development life cycles (SDLC). In addition to holding seven patents, Brooks is a CISSP, SSLP, ISSEP, ISSAP, ISSMP and CCSK. Brooks graduated from Purdue University with a Bachelor of Science from the School of Computer Science.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Transforming Security: Containers, Virtualization and Softwarization

This session will explore how we can leverage containers, network/endpoint virtualization technologies and virtualized security instrumentation, concurrently, to transformationally improve security visibility, security analytics, system resilience and actionable context, greatly increasing our ability to attest that systems will be secure and compliant in any state into which they may be driven.

Speakers

Dennis Moreau ( @DoctroMoreau )

Dr. Dennis Moreau is a Senior Engineering Architect at VMware, focusing on security innovation in highly dynamic utility computing environments. Moreau has over three decades of experience in the representation, visualization, analysis and control of complex system behavior and security. He has been a Sr. Technology Strategist at EMC/RSA, a founder/CTO of Configuresoft (now a VMware technology), CTO of Baylor College of Medicine, and a tenured Computer Science faculty member, with research sponsored by NASA/Jet Propulsion Laboratory, Bell Laboratories, IBM, the U.S. Department of Commerce, the National Institutes of Health, the National Library of Medicine and the National Science Foundation. He holds a doctorate in Computer Science and speaks regularly at security conferences worldwide.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Estimating Development Security Maturity in About an Hour

The session describes a simple method of estimating a development team’s security maturity, i.e. how well they make a secure software product, by looking at five key factors. The factors and a simple rating system will be shown coupled with real-world samples. Applicable usage scenarios as well as comparison to other security maturity models will be given.

Speakers

Matthew Clapham ( @ProdSec )

Principal, Product Development Security, GE Healthcare

Matthew (Matt) Clapham makes products more secure. His career is a rare blend of both product development and enterprise operations. He is currently a Principal, Product Development Security at GE Healthcare. Clapham previously worked as a Software Tester, IT Policy Author, Auditor and Security Advisor to all things games at Microsoft. He is quite familiar with security foibles of the Industrial Device Internet of Things and how to overcome them. Clapham is a frequent speaker and author of magazine articles on IT, security, games or some combination thereof. He holds degrees in engineering and music from the University of Michigan.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Understanding the “Why” in Enterprise Application Security Strategy

The Hershey Company launched a strategic initiative to identify all of the truly critical IT assets that enable the company’s continued success. The evaluation confirmed the importance of protecting its business-critical SAP systems. To get executive, cross-functional buy-in, the security team implemented an SAP Vulnerability Management program with a clear strategy of “why” to influence results.

Speakers

Troy Grubb ( @TroyRGrubb )

Information Security Manager, GRC & SAP Security, The Hershey Company

Troy Grubb is an accomplished information security professional with over 10 years of experience in information security, with a strong focus on enterprise applications and SAP security. Grubb obtained a B.S. degree from East Stroudsburg University of Pennsylvania with a dual major in computer science and computer security. Grubb currently works as an SAP Security Specialist for a Fortune 500 company in the consumer goods industry. In his career, Grubb has worked on a large number of information security projects, focusing heavily on the development of secure standards for access control models, configurations, software development and the technical infrastructure of enterprise applications.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Open-Source Security Management and Vulnerability Impact Assessment

Reuse of Open Source Software (OSS) in commercial software development has increased by orders of magnitude. This presentation will show how OSS vulnerabilities can be managed at large scale (about 10,000 OSS usages in our case) and how to address sins from the past. Finally, a concept will be shown that automates the analysis of the exploitability of an insecure OSS component.
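
The two halves of that problem, knowing which of thousands of OSS usages carry a known vulnerability and then judging whether the vulnerable code is actually exploitable in a given product, can be sketched in a few lines. The following is an added illustration and is not SAP's tooling or anything shown in the talk: it matches a dependency inventory against advisories by version, then estimates exploitability by asking whether the vulnerable function is reachable from the application's entry points over a static call graph. The component names, versions, advisory identifiers and the call graph are all constructed for the demo.

```python
"""Large-scale OSS vulnerability management in miniature: inventory-vs-advisory
matching followed by a call-graph reachability check as an exploitability estimate.

Added example, not SAP's tooling. Every component, version, advisory ID and
call-graph edge below is constructed for illustration.
"""
from collections import deque


def parse_version(v):
    """'1.10.2' -> (1, 10, 2) so that 1.10 sorts after 1.9 (string compare would not)."""
    return tuple(int(p) for p in v.split("."))


# constructed inventory: component -> version actually bundled in the product
INVENTORY = {"libparse": "1.4.2", "webfw": "2.0.9", "imgtool": "3.1.0"}

# constructed advisories: versions below `fixed` are affected; `vuln_function`
# is the code the advisory says is at fault
ADVISORIES = [
    {"id": "ADV-0001", "component": "libparse", "fixed": "1.5.0",
     "vuln_function": "libparse.decode_header"},
    {"id": "ADV-0002", "component": "webfw", "fixed": "2.0.9",
     "vuln_function": "webfw.render_template"},      # inventory already has the fix
    {"id": "ADV-0003", "component": "imgtool", "fixed": "3.2.0",
     "vuln_function": "imgtool.resize_gif"},         # bundled, but never called
]

# constructed static call graph of the product: caller -> callees
CALL_GRAPH = {
    "app.handle_request": ["webfw.route", "app.parse_upload"],
    "app.parse_upload": ["libparse.parse", "imgtool.resize_png"],
    "libparse.parse": ["libparse.decode_header"],
    "webfw.route": ["webfw.render_template"],
    "imgtool.resize_png": ["imgtool._scale"],
    "imgtool.resize_gif": ["imgtool._scale"],
}
ENTRY_POINTS = ["app.handle_request"]


def affected(advisory, inventory=INVENTORY):
    """True if the bundled version is older than the fixed version."""
    ver = inventory.get(advisory["component"])
    return ver is not None and parse_version(ver) < parse_version(advisory["fixed"])


def reachable(target, graph=CALL_GRAPH, entry_points=ENTRY_POINTS):
    """Breadth-first search from the entry points; returns the call path that
    reaches `target`, or None if no static path exists."""
    parent = {e: None for e in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return list(reversed(path))
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def assess(advisories=ADVISORIES, inventory=INVENTORY,
           graph=CALL_GRAPH, entry_points=ENTRY_POINTS):
    """advisory id -> ('not affected', None) | ('affected', call path or None)."""
    report = {}
    for adv in advisories:
        if not affected(adv, inventory):
            report[adv["id"]] = ("not affected", None)
        else:
            report[adv["id"]] = ("affected", reachable(adv["vuln_function"], graph, entry_points))
    return report


if __name__ == "__main__":
    for adv_id, (status, path) in assess().items():
        print(adv_id, status, " -> ".join(path) if path else "(no static path)")
```

Two caveats a practitioner would attach. Static reachability is a lower bound: reflection, dynamic dispatch, plugins and data-driven control flow all produce paths the graph does not show, so "affected, no static path" means lower priority for the backlog, not "safe to ship". And the version comparison only works when the inventory records what is actually bundled, which is exactly the "sins from the past" problem the abstract alludes to; an inventory built from declared dependencies rather than shipped artifacts will miss vendored or repackaged copies.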

Speakers

Gunter Bitz; Henrik Plate

Senior Manager Legal Compliance, SAP SE

Gunter Bitz is the Senior Manager for the European and APJ Technology Legal Compliance team. His team supports SAP’s product engineering groups in managing the legal compliance and software security aspects that arise from consuming open source software and freeware during the software development lifecycle.
Prior to his current role, Bitz was responsible for product security governance at SAP and held the position of product security spokesperson. In his first role at SAP he protected the organization’s intellectual property by designing and implementing global policies and information security technology.
Bitz has spoken at many international security conferences, in particular RSA conferences, and was a member of the program committee of RSA Europe and RSA APJ.

Henrik Plate has worked as a Senior Researcher in the Product Security Research group at SAP since 2007. During this time he was coordinator and scientific lead of the European FP7 research project PoSecCo, built up an SAP-wide security training for application developers and performed security assessments of SAP applications. Currently he researches new approaches and tooling for ensuring the secure consumption of third-party components in the software supply chain. Before joining the SAP research group, Plate held various positions as a software engineer and studied computer science and business administration at the University of Mannheim. He holds a diploma from the University of Mannheim and is a CISSP.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Agile Security—Field of Dreams

PayPal started its Waterfall to Agile transformation journey two years ago. That meant that the software security program had to morph as well. The Field of Dreams question of “if you build it, will they come?” was no longer a valid question! Come hear about real-world insights about integrating security into Agile—approaches, processes and tools put in place and the results from them.

Speakers

Laksh Raghavan ( @laraghavan )

Laksh Raghavan works at PayPal Inc. as Senior Security Strategist in the Information Security organization specializing in Application Security. He is currently responsible for managing the Secure Product LifeCycle program for all PayPal applications including the web and mobile apps supporting PayPal’s more than 170 million active accounts. Raghavan has fifteen years of experience in the areas of application security and information risk management and has provided consulting services to various Fortune 500 and Financial Services companies around the world before joining PayPal in 2009. Laksh has been a speaker at BayThreat and Microsoft Security Development conferences. He is also the co-author of two books on the topic of Secure and Resilient Software Development.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Introducing a Security Program to Large Scale Legacy Products

A discussion of the real-world work and challenges of introducing and maintaining a comprehensive security program for a large and complex set of legacy storage products. This includes developing a security architecture, vulnerability response, pushing for necessary security enhancements and application security. In this session you will hear which efforts worked well and which didn’t.

Speakers

Millard Taylor ( @tad_taylor )

Security Architect, Self

Millard (Tad) Taylor has been working in various aspects of computer security for over 30 years. Starting at NSA, he helped to develop the Rainbow series and guided research into security and formal methods. Then came a stint as a Consultant and Researcher into security while at RTI and Computational Logic, Inc. Afterwards, he became a Security Tester and Developer for Trusted DG/UX and “the security person” for a string of products at Data General/EMC, finally becoming the Security Architect for the Celerra, VNX and VNXe product lines. While at EMC, he also consulted to other product groups, helped to develop corporate-wide standards and guidelines, and continually pointed out that the RSA division doesn’t have sole responsibility for security of all of EMC’s products.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

IOCs Are Dead—Long Live IOCs!

Indicators of Compromise were meant to solve the failures of signature-based detection tools. Yet today’s array of IOC standards, feeds and products haven’t impeded attackers, and most intel is shared in flat lists of hashes, IPs and strings. This session will explore why IOCs haven’t raised the bar, how to better utilize brittle IOCs and how to use intrinsic network data to craft better IOCs.
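
To make the contrast concrete, here is an added example (not from the talk): a flat IP-list IOC is run over a constructed proxy log next to an indicator derived from intrinsic network data, in this case the timing and size regularity of a host's outbound connections. The log records, the IOC list and the addresses (RFC 5737 documentation ranges) are all constructed, and the record format, `<ISO timestamp> <src> <dst> <bytes>`, is an assumption for the demo. The scenario is the one the abstract describes: the attacker has rotated infrastructure since the list was shared, so the atomic indicators match nothing, while the behaviour of the implant has not changed.

```python
"""Flat IOC matching versus an indicator derived from intrinsic network data.

Added example, not from the talk. The proxy/flow records, the IOC list and the
addresses (RFC 5737 documentation ranges) are constructed for the demo.
Record format assumed: '<ISO timestamp> <src> <dst> <bytes>'.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# constructed: attacker IPs shared last month; the operator has since rotated
# infrastructure, so none of these appear in today's log
IOC_LIST = {"198.51.100.23", "198.51.100.24"}

# constructed log: 10.0.0.5 checks in with 203.0.113.77 about once a minute with
# a fixed payload size; 10.0.0.8 is ordinary bursty browsing
LOG = """\
2016-03-01T10:00:00 10.0.0.5 203.0.113.77 512
2016-03-01T10:00:07 10.0.0.8 192.0.2.10 14231
2016-03-01T10:00:19 10.0.0.8 192.0.2.10 9920
2016-03-01T10:01:01 10.0.0.5 203.0.113.77 512
2016-03-01T10:02:00 10.0.0.5 203.0.113.77 512
2016-03-01T10:02:12 10.0.0.8 192.0.2.44 3380
2016-03-01T10:03:02 10.0.0.5 203.0.113.77 512
2016-03-01T10:03:40 10.0.0.8 192.0.2.10 77812
2016-03-01T10:04:00 10.0.0.5 203.0.113.77 512
2016-03-01T10:05:01 10.0.0.5 203.0.113.77 512
2016-03-01T10:05:30 10.0.0.8 192.0.2.10 1200
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def flat_ioc_matches(text, iocs=IOC_LIST):
    """Atomic matching: a record is a hit only if its destination is on the list."""
    return [(src, dst) for _, src, dst, _ in parse_log(text) if dst in iocs]


def detect_beacons(text, min_connections=4, max_cv=0.2):
    """Behavioural indicator: per (src, dst) pair, flag near-constant timing
    between connections (coefficient of variation of the gaps <= max_cv).
    Each finding also records how many distinct payload sizes were seen, a
    second intrinsic feature that a fixed-size check-in tends to expose."""
    pairs = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        pairs[(src, dst)].append((ts, size))
    findings = []
    for (src, dst), records in pairs.items():
        if len(records) < min_connections:
            continue
        records.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(records, records[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "count": len(records),
                             "mean_interval": avg, "cv": cv,
                             "sizes": len({s for _, s in records})})
    return findings


if __name__ == "__main__":
    print("flat IOC hits:", flat_ioc_matches(LOG))      # [] after infrastructure rotation
    for f in detect_beacons(LOG):
        print("beacon candidate:", f)
```

The flat list returns nothing; the timing check surfaces the one pair that connects every 60 seconds with an identical 512-byte payload, and that destination can then be fed back into the atomic list as a fresh indicator. The usual caveat applies: legitimate periodic traffic (NTP, update checks, monitoring agents) is just as regular, so in practice the detector needs a whitelist of known periodic destinations and a longer observation window than six connections, and the coefficient-of-variation threshold has to be tuned against your own baseline.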

Speakers

Ryan Kazanciyan ( @ryankaz42 )

Ryan Kazanciyan is the Chief Security Architect for Tanium and has twelve years of experience in incident response, forensic analysis, penetration testing and security architecture. Prior to joining Tanium, Ryan oversaw investigation and remediation efforts at Mandiant, a FireEye company, partnering with dozens of Fortune 500 organizations impacted by targeted attacks. Ryan is a frequent presenter at industry conferences, has taught classes for corporate security teams and federal law enforcement, and is a co-author of Incident Response and Computer Forensics, 3rd Edition (2014). 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)
