pritha's Posts (627)

State of Cybersecurity: 2016 Findings and Implications

This session will present key results of ISACA and RSA’s State of Cybersecurity Survey. Learn findings of the current cybersecurity landscape. Understand current threats and vulnerabilities as well as how enterprises are responding. Results will include top threats faced, as well as information on controls, skills employers are looking for, security organizational structures and incident plans.

Speakers

Jennifer Lawinski ( @lawinski ); Ron Hale

Jennifer Lawinski is currently the Editor-in-Chief of online engagement for RSA Conference, driving the editorial strategy as well as managing online content. Before joining RSA Conference, she spent several years covering business technology and the tech industry, among other topics, for publications including Fox News, MSN News, CRN and CIO Insight. She is a graduate of Dartmouth College and earned her M.S. in journalism from Boston University.

Dr. Ron Hale, Ph.D., CISM, is the Chief Knowledge Officer at ISACA. In this position he works with a staff team of subject experts and volunteers from among ISACA’s global membership to develop the products and certifications that support the career advancement of our constituents in information systems audit, cybersecurity, information risk management and the governance of enterprise IT. Hale has professional experience in information and cybersecurity gained as a security manager and as the practice director for Deloitte. Hale was admitted to the Directorship 100 by the National Association of Corporate Directors for his contributions to corporate governance. He has a master’s degree in criminal justice from the University of Illinois and a doctorate in Public Policy from Walden University. 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Smart Megalopolises. How Safe and Reliable Is Your Data?

Road sensors which collect raw data for intelligent transport systems are hugely important, with key decisions around road improvement, traffic jam management and traffic light patterns based on the information they collect. Radars transmit this data to an operation center for detailed analysis, but can governments truly trust and rely on the data?

Speakers

Denis Legezo ( @legezo ) 

Security Researcher, Global Research and Analysis Team (GReAT), Kaspersky Lab

Denis Legezo graduated from the faculty of cybernetics and applied mathematics of Moscow State University in 2002. His diploma topic was directly related to information security. He then started his career as a programmer in various public and commercial companies. Before joining Kaspersky Lab at the beginning of 2014, he worked as a technical expert for one of the Russian system integrators. Legezo has collaborated extensively with Russian IT magazines and online news resources on the same topics. He loves everything high-tech, including embedded systems and modern car security.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Security Advantages of Software-Defined Networking

Current practices using wide-area routing over Internet infrastructure decentralize the control of how information is transferred. Software-Defined Networking (SDN) centralizes network control functions, offering more holistic network security management and allowing for dynamic divisioning, multivendor end-to-end security and reduced dependence on the traditional perimeter approach.

Speakers

Edward Amoroso

Dr. Edward Amoroso serves as Senior Vice President and Chief Security Officer at AT&T, where he is responsible for real-time protection of AT&T’s vast enterprise, network and computing infrastructure, including mobile and video services. During his 30-year career with AT&T, Amoroso has focused exclusively on cybersecurity, working on projects ranging from Unix operating system security to critical infrastructure protection design. He is the author of five published books on cybersecurity and has served as Adjunct Professor of Computer Science at the Stevens Institute of Technology for the past 26 years. 

He holds a B.S. degree from Dickinson College, and M.S. and Ph.D. degrees in computer science from the Stevens Institute of Technology. He is also a graduate of Columbia Business School. 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Attacks on Critical Infrastructure: Insights from the “Big Board”

Targeted attacks on critical infrastructure continue to increase in number and severity. We’ll present the latest data on these attacks: What is their goal? What are the attacker strategies? How are attacks supported by the darknet? We’ll discuss banking threats discovered at the “Big Board” at the RSA Anti-Fraud Control Center and Smart Grid threat detection in the EU SPARKS project.

Speakers

Daniel Cohen ( @iFraudFighter ); Robert Griffin ( @RobtWesGriffin )

Daniel Cohen is head of RSA’s FraudAction business unit that provides hundreds of organizations worldwide with anti-fraud services, including phishing and malware attack handling and cybercrime intelligence operations. Through his work, Cohen has gained deep insight and expert knowledge of the cybercrime landscape and economy, and often speaks on the topic at industry and customer events.

Robert Griffin ( @RobtWesGriffin ) 

Chief Security Architect, RSA

Dr. Robert W. Griffin is Chief Security Architect at RSA, the Security Division of EMC, where he is responsible for technical architecture and standards. He is particularly active in RSA’s initiatives to address the challenges of new threats and new models for IT, including security architecture for cloud computing, security for critical infrastructure, and security strategies for and using Big Data. 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

What Is Next-Generation Endpoint Security and Why Do You Need It?

This session will clarify the definition of next-generation endpoint security and distinguish it from legacy antivirus software. It will also describe how next-generation endpoint security can help organizations improve incident prevention, detection and response.

Speakers

Jon Oltsik ( @joltsik )

Jon Oltsik is an ESG Senior Principal Analyst and the Founder of the firm’s cybersecurity service. With almost 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO’s perspective and strategies. Oltsik was named one of the top 100 cybersecurity influencers for 2015 by Onalytica, and is active as a Committee Member of the Cybersecurity Canon, a project dedicated to identifying a list of must-read books for all cybersecurity practitioners. Often quoted in the business and technical press, Oltsik is also engaged in cybersecurity issues, legislation and technology discussions within the U.S. government. 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

A New Security Paradigm for IoT (Internet of Threats)

All facets of computing have changed since the 1950s, except the security posture of our systems; nowhere is this more the case than in mobile and IoT. Some of our security foundations are outdated: chief among them “static” security, which assumes the threat landscape is static and predetermined. This session will describe the old static security paradigm and the new one: analytics-driven security.

Speakers

Hadi Nahari ( @hadinahari )

VP, Security CTO, Brocade Communications Systems, Inc.

Hadi Nahari is a security professional with over 24 years of experience and extensive work in design and implementation of secure systems. He has worked on large-scale enterprise solutions as well as embedded systems with primary focus on security, crypto, complex systems design, and vulnerability assessment and threat analysis. Author of Web Commerce Security: Design and Development, Nahari is a frequent speaker at U.S. and international security events and has led various security projects for Netscape, Sun Micro, the U.S. Government, Motorola, MontaVista, eBay, PayPal, NVIDIA and Brocade, among others. As VP, Security CTO, Nahari is in charge of security strategy and development efforts at Brocade, driving dynamic security via the applications of Analytics and Machine Learning in Cybersecurity.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Wireless Infusion Pumps: Securing Hospitals’ Most Ubiquitous Medical Device 

Imagine being dependent on a wireless infusion pump to receive the correct dosage of life-supporting medication. Now imagine the implications, were that pump to be maliciously hacked. In this session learn more about how to successfully secure these medical devices, based on work being conducted at the National Cybersecurity Center of Excellence (NCCoE) with premier health care organizations.

Speakers

Nathan Lesser ( @natelsr )

Nathan Lesser, Deputy Director of the National Cybersecurity Center of Excellence (NCCoE) at NIST, has over 15 years of experience in technical and leadership roles. Nate oversees the NCCoE’s engineering initiative and is responsible for cultivating collaboration across government, business, and technology companies to address cybersecurity issues within and across industry sectors. Previously, Nate led a team of cybersecurity engineers at Booz Allen Hamilton, served in the Office of Management and Budget, and the Senate’s Homeland Security and Governmental Affairs Committee. Nate holds bachelor’s and master’s degrees in electrical engineering from Columbia University, and is currently a Senior Fellow at the George Washington University Center for Cyber and Homeland Security.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Braking the Connected Car: The Future of Vehicle Vulnerabilities

In this presentation, analysts from Kelley Blue Book’s Automotive Industry Insights will illustrate how the connected car is quickly becoming an unrestricted playground for cyberthreats and how the next generation of in-car technology will intensify already-present vehicle vulnerabilities.

Speakers

Akshay Anand ( @iamakshayanand ); Karl Brauer ( @karlbrauer )

Manager, Commercial Insights, Kelley Blue Book

Akshay Anand is the Senior Insights Analyst for Kelley Blue Book’s KBB.com. In this role, he develops and provides insights reflecting Kelley Blue Book’s position as the market leader for new- and used-car research. Anand regularly produces data and reports, developing and sharing powerful storylines and actionable information with executives in the automotive industry. This information also is shared for media release with coverage from top-tier publications, and Anand regularly lends his insight on automotive news and information via commentary to media.

Karl Brauer serves as the Senior Director of Automotive Industry Insights for Kelley Blue Book. In this role, he develops and provides insights to position Kelley Blue Book as the market leader for new- and used-car research. Working with many departments within Kelley Blue Book and AutoTrader Group, Kelley Blue Book’s parent company, Brauer cohesively synthesizes available data and reports, developing and sharing powerful insights with the automotive industry. In addition to this role, Brauer is a Senior Editor and regularly contributes to Forbes.com, CNBC.com and other publications. As a veteran industry analyst, Brauer has been interviewed by, or appeared on, the New York Times, CNN, CNBC, the Wall Street Journal and more.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Integrating Cybersecurity into Supply Chain Risk Management

Cyber–supply chain risks pose a new set of challenges for businesses (loss of critical IP, unwanted functionality in products) which jeopardize brand reputation and shareholder value. This session will present case study research from NIST on cutting-edge practices and tools that today’s industry leaders in supply chain risk management are deploying to secure their supply chains from end to end.

Speakers

Jon Boyens 

Program Manager, Cyber Supply Chain Risk Management (SCRM), NIST

Jon Boyens is a Senior Advisor for Information Security in the Information Technology Laboratory, within the Department of Commerce’s National Institute of Standards and Technology (NIST). He leads NIST’s Cyber Supply Chain Risk Management Program and works on various policy and technical projects. Boyens helps develop and coordinate the department's cybersecurity policy among the department’s bureaus. He represents the department in the administration’s interagency cybersecurity policy process. Boyens has worked on various White House–led initiatives, including those on trusted identities, botnets, supply chain and, most recently, the Cybersecurity Executive Order and related work on Cybersecurity Incentives, Government Acquisition Policy and the Cybersecurity Framework and Roadmap.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Hardware Attacks and Security

Physical side channel attacks and physical unclonable functions (PUFs) are discussed.

Topic 1: Enhancing Side-Channel Analysis of Binary-Field Multiplication with Bit Reliability. Authors: Peter Pessl and Stefan Mangard

Topic 2: Towards a Unified Security Model for Physically Unclonable Functions. Authors: Frederik Armknecht, Daisuke Moriyama, Ahmad-Reza Sadeghi and Moti Yung

Speakers

Daisuke Moriyama; Peter Pessl 

Daisuke Moriyama received a Ph.D. from the Institute of Information Security in 2011. He worked as a researcher in the National Institute of Information and Communications Technology from 2011. His research interests include cryptographic authentication protocols for resource constrained devices, e.g., Internet of Things, provably secure cryptographic protocols and those building blocks (lightweight block ciphers and PUFs).

Peter Pessl is a Ph.D. student at the Institute for Applied Information Processing and Communications (IAIK) of Graz University of Technology. His main research interests include side-channel analysis and efficient hardware implementations of cryptography. More specifically, his focus is on algebraic methods in SCA and lattice-based cryptography. Before starting his Ph.D. studies in 2014, he received his M.Sc. in information and computer engineering. His master’s thesis covered efficient hardware implementations of the SHA-3 hashing algorithm and elliptic-curve signature algorithms.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Lattice Cryptography (RSA Conference 2016)

Somewhat homomorphic encryption schemes using lattices and lattice libraries are discussed.

Topic 1: Which Ring-based Somewhat Homomorphic Encryption Scheme Is Best? Authors: Anamaria Costache and Nigel Smart

Topic 2: NFLlib: NTT-based Fast Lattice Library. Authors: Carlos Aguilar-Melchor, Joris Barrier, Serge Guelton, Adrien Guinet, Marc-Olivier Killijian and Tancrède Lepoint

Speakers

Anamaria Costache; Joris Barrier

Anamaria Costache is a first-year Ph.D. student at the University of Bristol in England, working under the supervision of Prof. Nigel Smart. She completed her master of mathematics at Warwick University, with a dissertation investigating Brauer groups and applications to the Brauer-Manin obstruction. Presently, her area of research is in the field of fully homomorphic encryption, with a focus on ring-based schemes.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Bring Your Own Internet of Things: BYO‐IoT

Here's an overview of the presentation: What is IoT?; What's the Problem?; What's the Attack Surface?; IoT Security - Current State; Response and Actions

Speakers

Carsten Eiram ( @carsteneiram ); Jake Kouns ( @jkouns )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Embedded Systems Security: Building a More Secure Device

Here's an overview of the presentation: What are common embedded systems?; What issues do they face?; Recommendations for securing embedded systems

Speakers

Randall Brooks ( @randallsbrooks )

Randall Brooks is an Engineering Fellow for Raytheon Company (NYSE: RTN), representing the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1) and the Cloud Security Alliance. Brooks has nearly 20 years of experience in cybersecurity with recognized expertise in Software Assurance (SwA) and secure development life cycles (SDLC). In addition to holding seven patents, Brooks is a CISSP, SSLP, ISSEP, ISSAP, ISSMP, and CCSK. Brooks graduated from Purdue University with a Bachelor of Science from the School of Computer Science.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Transforming Security: Containers, Virtualization and Softwarization

This session will explore how we can leverage containers, network/endpoint virtualization technologies and virtualized security instrumentation, concurrently, to transformationally improve security visibility, security analytics, system resilience and actionable context, greatly increasing our ability to attest that systems will be secure and compliant in any state into which they may be driven.

Speakers

Dennis Moreau ( @DoctroMoreau )

Dr. Dennis Moreau is a Senior Engineering Architect at VMware, focusing on security innovation in highly dynamic utility computing environments. Moreau has over three decades of experience in the representation, visualization, analysis and control of complex system behavior and security. He has been a Sr. Technology Strategist at EMC/RSA, a founder/CTO of Configuresoft (now a VMware technology), the CTO of Baylor College of Medicine, and a tenured Computer Science faculty member, with research sponsored by NASA/Jet Propulsion Laboratory, Bell Laboratories, IBM, the U.S. Department of Commerce, the National Institutes of Health, the National Library of Medicine and the National Science Foundation. He holds a doctorate in Computer Science and speaks regularly at security conferences worldwide.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Estimating Development Security Maturity in About an Hour

The session describes a simple method of estimating a development team’s security maturity, i.e. how well they make a secure software product, by looking at five key factors. The factors and a simple rating system will be shown coupled with real-world samples. Applicable usage scenarios as well as comparison to other security maturity models will be given.

Speakers

Matthew Clapham ( @ProdSec )

Principal, Product Development Security, GE Healthcare

Matthew (Matt) Clapham makes products more secure. His career is a rare blend of both product development and enterprise operations. He is currently a Principal, Product Development Security at GE Healthcare. Clapham previously worked as a Software Tester, IT Policy Author, Auditor and Security Advisor to all things games at Microsoft. He is quite familiar with security foibles of the Industrial Device Internet of Things and how to overcome them. Clapham is a frequent speaker and author of magazine articles on IT, security, games or some combination thereof. He holds degrees in engineering and music from the University of Michigan.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Understanding the “Why” in Enterprise Application Security Strategy

The Hershey Company initiated a strategic initiative to identify all of the truly critical IT assets that enable the company’s continued success. The evaluation confirmed the importance of protecting their business-critical SAP systems. To get executive cross-functional buy-in, the security team implemented an SAP Vulnerability Management program with a clear strategy of “why” to influence results.

Speakers

Troy Grubb ( @TroyRGrubb )

Information Security Manager, GRC & SAP Security, The Hershey Company

Troy Grubb is an accomplished Information Security Professional with over 10 years of experience in Information Security, with a strong focus on enterprise applications and SAP Security. Grubb obtained a B.S. degree from East Stroudsburg University of Pennsylvania, with a dual major in computer science and computer security. Grubb currently works as an SAP Security Specialist for a Fortune 500 company in the consumer goods industry. In his career, Grubb has worked on a large number of information security projects focusing heavily on the development of secure standards for access control models, configurations, software development and the technical infrastructure of enterprise applications.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Open-Source Security Management and Vulnerability Impact Assessment

Reuse of Open Source Software (OSS) in commercial software development has increased by orders of magnitude. This presentation will show how OSS vulnerabilities can be managed at large scale (about 10,000 OSS usages in our case), and how to address sins from the past. Finally, a concept will be shown which automates the analysis of the exploitability potential of an insecure OSS component.

Speakers

Gunter Bitz; Henrik Plate

Senior Manager Legal Compliance, SAP SE

Gunter Bitz is the Senior Manager for the European and APJ Technology Legal Compliance team. His team is supporting SAP’s product engineering groups in managing legal compliance and software security aspects arising from the consumption of open source software and freeware during the software development lifecycle.
Prior to his current role Bitz was responsible for product security governance at SAP and held the position of the product security spokesperson. In his first role at SAP he was protecting the organization’s intellectual property by designing and implementing global policies and information security technology.
Bitz has spoken at many international security conferences, in particular RSA conferences and was member of the program committee of RSA Europe and RSA APJ.

Henrik Plate works as a Senior Researcher in the Product Security Research group within SAP since 2007. During this time, he was coordinator and scientific lead of the European FP7 research project PoSecCo, built up an SAP-wide security training for application developers and performed security assessments of SAP applications. Currently, he researches new approaches and tooling for ensuring a secure consumption of third party components in the software supply chain. Before joining the SAP research group, Plate held different positions as a software engineer, and studied computer science and business administration at the University of Mannheim. He holds a diploma from the University of Mannheim and is a CISSP.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Agile Security—Field of Dreams

PayPal started its Waterfall to Agile transformation journey two years ago. That meant that the software security program had to morph as well. The Field of Dreams question of “if you build it, will they come?” was no longer a valid question! Come hear about real-world insights about integrating security into Agile—approaches, processes and tools put in place and the results from them.

Speakers

Laksh Raghavan ( @laraghavan )

Laksh Raghavan works at PayPal Inc. as Senior Security Strategist in the Information Security organization specializing in Application Security. He is currently responsible for managing the Secure Product LifeCycle program for all PayPal applications including the web and mobile apps supporting PayPal’s more than 170 million active accounts. Raghavan has fifteen years of experience in the areas of application security and information risk management and has provided consulting services to various Fortune 500 and Financial Services companies around the world before joining PayPal in 2009. Laksh has been a speaker at BayThreat and Microsoft Security Development conferences. He is also the co-author of two books on the topic of Secure and Resilient Software Development.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)