pritha's Posts (627)

Introducing a Security Program to Large Scale Legacy Products

A discussion of the real-world work and challenges to introduce and maintain a comprehensive security program to a large and complex set of legacy storage products. This includes developing a security architecture, vulnerability response, pushing for necessary security enhancements and application security. In this session, you will hear about which efforts worked well and which didn’t.

Speakers

Millard Taylor ( @tad_taylor )

Security Architect, Self

Millard (Tad) Taylor has been working in various aspects of computer security for over 30 years. Starting at NSA, he helped to develop the Rainbow series and guided research into security and formal methods. Then came a stint as a Consultant and Researcher into security while at RTI and Computational Logic, Inc. Afterwards, he became a Security Tester and Developer for Trusted DG/UX and “the security person” for a string of products at Data General/EMC, finally becoming the Security Architect for the Celerra, VNX and VNXe product lines. While at EMC, he also consulted to other product groups, helped to develop corporate-wide standards and guidelines, and continually pointed out that the RSA division doesn’t have sole responsibility for security of all of EMC’s products.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Embedded Systems Security: Building a More Secure Device

Here's an overview of the presentation: What are common embedded systems?; What issues do they face?; Recommendations for securing embedded systems

Speakers

Randall Brooks ( @randallsbrooks )

Randall Brooks is an Engineering Fellow for Raytheon Company (NYSE: RTN), representing the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1) and the Cloud Security Alliance. Brooks has nearly 20 years of experience in Cybersecurity with a recognized expertise in Software Assurance (SwA) and secure development life cycles (SDLC). In addition to holding seven patents, Brooks is a CISSP, SSLP, ISSEP, ISSAP, ISSMP, and CCSK. Brooks graduated from Purdue University with a Bachelor of Science from the School of Computer Science.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

IOCs Are Dead—Long Live IOCs!

Indicators of Compromise were meant to solve the failures of signature-based detection tools. Yet today’s array of IOC standards, feeds and products haven’t impeded attackers, and most intel is shared in flat lists of hashes, IPs and strings. This session will explore why IOCs haven’t raised the bar, how to better utilize brittle IOCs and how to use intrinsic network data to craft better IOCs.

Speakers

Ryan Kazanciyan ( @ryankaz42 )

Ryan Kazanciyan is the Chief Security Architect for Tanium and has twelve years of experience in incident response, forensic analysis, penetration testing and security architecture. Prior to joining Tanium, Ryan oversaw investigation and remediation efforts at Mandiant, a FireEye company, partnering with dozens of Fortune 500 organizations impacted by targeted attacks. Ryan is a frequent presenter at industry conferences, has taught classes for corporate security teams and federal law enforcement, and is a co-author of Incident Response and Computer Forensics, 3rd Edition (2014). 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Bridging the Gap Between Threat Intelligence and Risk Management

Here's an overview of the presentation: Bridging Risk & IR in Verizon's DBIR; Building Understanding; Finding Common Ground; Bridging the Gap; Crossing the Divide

Speakers

Wade Baker ( @wadebaker )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015

Amid privacy concerns and after a decade-long battle, the U.S. Cybersecurity Information Sharing Act (CISA) of 2015 was passed. Critics claim CISA is a surveillance bill in disguise; proponents claim the act provides a needed legal framework for information sharing. Can CISA actually improve cyberdefense without risking privacy? Are there unforeseen roadblocks? What about STIX/TAXII?

Speakers

Bret Jordan ( @jordan_bret ); Mark Davidson

Director of Security Architecture and Standards, Blue Coat Systems

Bret is a seasoned business leader and cyber security architect with over 20 years of experience in cyber security. He has worked with an eclectic mix of global enterprise companies, startups, non-profits, academic institutions, and currently works at Blue Coat Systems where he heads security architecture and standards in the Office of the CTO. Bret is also a co-chair of the OASIS-CTI-TAXII sub-committee.

Mark Davidson is a cybersecurity leader and information sharing subject matter expert. Davidson heads up software development at Soltra and is a Co-Chair in the STIX/TAXII standards group. Davidson has experience in security operations, cyber R&D and product development. Before leading the development of Soltra Edge, he was a core member of the STIX/TAXII team at MITRE where he was the lead author for TAXII 1.0 and TAXII 1.1 and contributed measurably to the development of STIX and CybOX. Before that, Davidson was an analyst in a Fortune 100 SOC where he developed solutions for information collection and fusion across multiple subsidiaries, geographic regions and political environments.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Dreaming of IoCs Adding Time Context to Threat Intelligence

This presentation describes an intelligence framework, followed by a good understanding of Logstash and Logstash filtering, TARDIS, Kibana reporting and related tooling.

Speakers

Travis Smith ( @MrTrav )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

The Measure of Success: Security Metrics to Tell Your Story

Information security is a complex problem, and it becomes harder still when you try to quantify it. This presentation offers metrics that help make security more understandable.

Speakers

Julie Bernard ( @juliein10A ); Wendy Frank

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

The Newest Element of Risk Metrics: Social Media

In order to identify, measure and track the risk exposure that different elements of social media have on an organization, organizations require a threat metric framework to evaluate a network’s current risk posture. Learn how to take an ocean of data and distill it to the most critical risk indicators.

Speakers

Ian Amit ( @iiamit )

Amit, Vice President at ZeroFox, has over a decade of experience in hands-on and strategic roles, working across a diversity of security fields: business, industry, marketing, technical and research. At ZeroFOX, Amit leads the company’s customer solutions offerings and strategy, and runs ZeroFOX’s New York offices. Previously, Amit served as Director of Services at IOActive. His career also includes time at Security-Art, Aladdin, Finjan and Datavantage, as well as speaking at conferences such as BlackHat, DefCon and InfoSecurity. He founded the Tel-Aviv DefCon chapter (DC9723) and also was a founding member of the Penetration Testing Execution Standard (PTES).

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Building an Effective Supply Chain Security Program

We’ve realized that the supply chain in most organizations is a potential weak spot for security controls and awareness. The time has come to shore up our approaches to supply chain management, incorporating security best practices at all stages. This talk will break down exactly how to get started, what to look for, and how to better secure your supply chain across the board.

Speakers

Dave Shackleford ( @daveshackleford )

Dave Shackleford is Lead Faculty at IANS, Owner and Principal Consultant at Voodoo Security and a SANS Senior Instructor and Course Author. He has consulted with hundreds of organizations in the areas of security, compliance and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He previously worked as CTO at IANS, CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Shackleford is the author of Virtualization Security: Protecting Virtualized Environments, currently serves on the Board of Directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Integrating Cybersecurity into Supply Chain Risk Management

Cyber–supply chain risks pose a new set of challenges for businesses (loss of critical IP, unwanted functionality in products) which jeopardize brand reputation and shareholder value. This session will present case study research from NIST on cutting-edge practices and tools that today’s industry leaders in supply chain risk management are deploying to secure their supply chains from end to end.

Speakers

Jon Boyens 

Jon Boyens is a Senior Advisor for Information Security in the Information Technology Laboratory, within the Department of Commerce’s National Institute of Standards and Technology (NIST). He leads NIST’s Cyber Supply Chain Risk Management Program and works on various policy and technical projects. Boyens helps develop and coordinate the department's cybersecurity policy among the department’s bureaus. He represents the department in the administration’s interagency cybersecurity policy process. Boyens has worked on various White House–led initiatives, including those on trusted identities, botnets, supply chain and, most recently, the Cybersecurity Executive Order and related work on Cybersecurity Incentives, Government Acquisition Policy and the Cybersecurity Framework and Roadmap. 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Are You Thinking about IT Outsourcing? Top Reasons, Risks and Rewards

There is more to outsourcing than just the bottom line and running lean. Any organization embarking on this journey needs to (1) clearly identify and articulate the compelling narrative for steering in this direction, (2) have risk transparency on associated risks when someone else is running your critical part of the business and (3) enumerate the benefits expected to be reaped.

Speakers

Lakshmi Hanspal ( @lakshmihanspal )

Lakshmi Hanspal is a Leader of Information Security and Risk Management with PayPal. She is a persuasive champion of information security, providing transformational leadership with emphasis on payment security, risk and privacy management. Prior to joining PayPal, Hanspal was SVP with Bank of America, and held leadership roles across Strategy and Architecture. Her career spans 20+ years in Information Security and risk management, with 16+ years in the financial and payment space. Hanspal is a post graduate of Boston University with a master’s in computer science. She is an actively sought-after advisor for Silicon Valley startups and currently serves on the Advisory Board for Cipher Cloud. She lives in the Bay Area with her family and is an active volunteer with the community.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Adjusting Your Security Controls: It’s the New Normal

Most of us learned cybersecurity practices based on the application of controls that were part of a framework. Once the framework was implemented then the controls didn’t change often. It’s time to adjust our thinking and recognize that on-going adjustment of controls may be a better indicator of cyber-maturity than adherence to any framework.

Speakers

Jim Routh ( @jmrouth1 )

Jim Routh is the Chief Information Security Officer and leads the Global Information Security function for Aetna. He is the Chairman of the National Health ISAC and a Board Member of the FS-ISAC. He was formerly the Global Head of Application & Mobile Security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express and has over 30 years of experience in information technology and information security as a practitioner. He is the Information Security Executive of the Year winner for the Northeast in 2009 and the Information Security Executive of the Year in 2014 in North America for Healthcare. He has published several white papers including the FS-ISAC 3rd Party Software Security Controls paper and leads several cross functional information security working groups.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Vendor Security Practices: Turn the Rocks Over Early and Often

Too often security is reviewed at the end of the vendor selection process. It ends up blocking projects from moving forward as issues are identified with already-selected vendors. Reverse the process, with security considered early, and business teams can avoid investing precious time on unsuitable vendor candidates and get rankings for suitable ones. This session will show you how, using real examples.

Speakers

Martin Andrews; Michael Hammer ( @MichaelHammer )

Director of Web Operations, American Greetings

Martin Andrews has spent over 20 years managing computer environments and negotiating with wily vendors. When not dealing with vendors he prefers promoting collaboration and application performance management. Andrews currently leads the web operations team at American Greetings, where he ensures the reliability of sites that create happiness, laughter and love.

Michael Hammer ( @MichaelHammer ) 

Web Operations Security, AG Interactive/American Greetings

Mike Hammer has been with AG for 16 years and is responsible for overall security, email operations, anti-phishing/fraud and compliance such as PCI-DSS at AG Interactive, the online division of American Greetings. Hammer is responsible for AGI-CSIRT and managing incident response for AGI. His 25+ years of online experience includes stints at the American Marketing Association and Advanstar Communications. While at AMA he helped develop their Code of Ethics for Online Marketers. He is a longtime participant in IETF working groups developing mail authentication standards such as SPF, DKIM and ADSP. He represents American Greetings at DMARC.org, is Co-Chair of the Brand SIG at the Messaging Anti-Abuse Working Group and was 2012 Member of the Year of the Online Trust Alliance.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

From Cave Man to Business Man, the Evolution of the CISO to CIRO

The CISO is evolving into the CIRO. Successful IT security leaders are transforming their skills to meet the demands of today and the future needs of their organization. A CIRO understands how to prepare board presentations, information risk management, third-party risk and regulatory requirements, and how to balance those with the needs of the business. Earn your seat at the table by becoming a CIRO!

Speakers

James Christiansen ( @Riskydata )

VP, Third Party Risk Programs, Optiv

James Christiansen is a seasoned business leader with deep technical expertise and is recognized as a global thought leader. As the VP, Third Party Risk Programs for Optiv, he is responsible for developing and delivering a comprehensive suite of strategic services and solutions to help CISOs and IT executives change their security strategies through innovation. Prior to joining Optiv, Christiansen was Chief Information Risk Officer for Evantix and CSO for Experian Americas. He joined Experian after serving as CISO for General Motors, where his responsibilities included worldwide implementation of the security plan for the largest financial (GMAC) and the largest manufacturing corporation in the world. He also served as SVP and Division Head of Information Security for Visa International.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

The Measure of Success: Security Metrics to Tell Your Story

Information security is a complex problem, and it becomes harder still when you try to quantify it. This presentation offers metrics that help make security more understandable.

Speakers

Julie Bernard ( @juliein10A ); Wendy Frank; Lisa Lee ( @lisainmiami )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Partnership with a CFO: On the Front Line of Cybersecurity

"Many CFOs know that they need to spend more on cyber risk management": facts like this help us understand the cybersecurity industry today. Communicating properly with the CFO can solve many pain points, and this presentation shows how. Learn about drivers, compelling arguments and more.

Speakers

Dr. Christopher Pierson ( @DrChrisPierson ); Terry Ragsdale

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Security Program Development for the Hipster Company

Cloud services have evolved and can now replace nearly every facet of traditional infrastructure. This movement has enabled rapid scale while introducing a considerable element of risk. This session will discuss a framework for getting started building a security program in an organization that is built purely on cloud services, covering the contradictions and opportunities of that business model.

Speakers

Robert Wood ( @robertwood50 )

CISO, Nuna Health, Inc.

Robert Wood runs the security team at Nuna Health. Coming originally from a consulting background, Wood has experience with threat modeling, red teaming, incident response, static analysis and penetration testing, having been engaged in these capacities across many industries and business types. His background, coupled with a keen interest in cloud security, has enabled Wood to build and execute a strategy and a team at Nuna Health that is aimed at protecting and managing the risk around its core assets. Prior to joining Nuna Health, Wood was a Principal Consultant at Cigital, where he founded and led the red team assessment practice and worked with strategic clients across the United States in an advisory capacity.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience

This presentation gives an overview of the present security industry, key insights into the threat landscape, and a roadmap for moving ahead.

Speakers

Jan Nys ( @Jankbc777 )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Super CISO 2020: How to Keep Your Job

This presentation gives insights into the 2016 security landscape, covering security leadership in leading organizations, the C-level stakeholders a CISO needs to balance, today's workforce, behavioral trends and more.

Speakers

Todd Fitzgerald ( @securityfitz )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)
