pritha's Posts (581)

Braking the Connected Car: The Future of Vehicle Vulnerabilities

In this presentation, analysts from Kelley Blue Book’s Automotive Industry Insights will illustrate how the connected car is quickly becoming an unrestricted playground for cyberthreats and how the next generation of in-car technology will intensify already-present vehicle vulnerabilities.

Speakers

Akshay Anand ( @iamakshayanand ); Karl Brauer ( @karlbrauer )

Manager, Commercial Insights, Kelley Blue Book

Akshay Anand is the Senior Insights Analyst for Kelley Blue Book’s KBB.com. In this role, he develops and provides insights reflecting Kelley Blue Book’s position as the market leader for new- and used-car research. Anand regularly produces data and reports, developing and sharing powerful storylines and actionable information with executives in the automotive industry. This information is also shared for media release, with coverage from top-tier publications, and Anand regularly lends his insight on automotive news and information through commentary to the media.

Karl Brauer serves as the Senior Director of Automotive Industry Insights for Kelley Blue Book. In this role, he develops and provides insights to position Kelley Blue Book as the market leader for new- and used-car research. Working with many departments within Kelley Blue Book and AutoTrader Group, Kelley Blue Book’s parent company, Brauer cohesively synthesizes available data and reports, developing and sharing powerful insights with the automotive industry. In addition to this role, Brauer is a Senior Editor and regularly contributes to Forbes.com, CNBC.com and other publications. As a veteran industry analyst, Brauer has been interviewed by, or appeared on, the New York Times, CNN, CNBC, the Wall Street Journal and more.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Integrating Cybersecurity into Supply Chain Risk Management

Cyber–supply chain risks pose a new set of challenges for businesses (loss of critical IP, unwanted functionality in products) which jeopardize brand reputation and shareholder value. This session will present case study research from NIST on cutting-edge practices and tools that today’s industry leaders in supply chain risk management are deploying to secure their supply chains from end to end.

Speakers

Jon Boyens 

Program Manager, Cyber Supply Chain Risk Management (SCRM), NIST

Jon Boyens is a Senior Advisor for Information Security in the Information Technology Laboratory, within the Department of Commerce’s National Institute of Standards and Technology (NIST). He leads NIST’s Cyber Supply Chain Risk Management Program and works on various policy and technical projects. Boyens helps develop and coordinate the department's cybersecurity policy among the department’s bureaus. He represents the department in the administration’s interagency cybersecurity policy process. Boyens has worked on various White House–led initiatives, including those on trusted identities, botnets, supply chain and, most recently, the Cybersecurity Executive Order and related work on Cybersecurity Incentives, Government Acquisition Policy and the Cybersecurity Framework and Roadmap.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Hardware Attacks and Security

Physical side-channel attacks and physical unclonable functions (PUFs) are discussed.

Topic 1: Enhancing Side-Channel Analysis of Binary-Field Multiplication with Bit Reliability
Authors: Peter Pessl and Stefan Mangard

Topic 2: Towards a Unified Security Model for Physically Unclonable Functions
Authors: Frederik Armknecht, Daisuke Moriyama, Ahmad-Reza Sadeghi and Moti Yung

Speakers

Daisuke Moriyama; Peter Pessl 

Daisuke Moriyama received a Ph.D. from the Institute of Information Security in 2011 and has worked as a researcher at the National Institute of Information and Communications Technology since 2011. His research interests include cryptographic authentication protocols for resource-constrained devices (e.g., the Internet of Things), provably secure cryptographic protocols and their building blocks (lightweight block ciphers and PUFs).

Peter Pessl is a Ph.D. student at the Institute for Applied Information Processing and Communications (IAIK) of Graz University of Technology. His main research interests include side-channel analysis and efficient hardware implementations of cryptography. More specifically, his focus is on algebraic methods in SCA and lattice-based cryptography. Before starting his Ph.D. studies in 2014, he received his M.Sc. in information and computer engineering. His master’s thesis covered efficient hardware implementations of the SHA-3 hashing algorithm and elliptic-curve signature algorithms.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Lattice Cryptography (RSA Conference 2016)

Somewhat homomorphic encryption schemes using lattices and lattice libraries are discussed.

Topic 1: Which Ring-based Somewhat Homomorphic Encryption Scheme Is Best?
Authors: Anamaria Costache and Nigel Smart

Topic 2: NFLlib: NTT-based Fast Lattice Library
Authors: Carlos Aguilar-Melchor, Joris Barrier, Serge Guelton, Adrien Guinet, Marc-Olivier Killijian and Tancrède Lepoint

Speakers

Anamaria Costache; Joris Barrier

Anamaria Costache is a first-year Ph.D. student at the University of Bristol in England, working under the supervision of Prof. Nigel Smart. She completed her master of mathematics at Warwick University, with a dissertation investigating Brauer groups and applications to the Brauer-Manin obstruction. Presently, her area of research is in the field of fully homomorphic encryption, with a focus on ring-based schemes.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Bring Your Own Internet of Things: BYO‐IoT

Here's an overview of the presentation: What is IoT?; What's the Problem?; What's the Attack Surface?; IoT Security - Current State; Response and Actions

Speakers

Carsten Eiram ( @carsteneiram ); Jake Kouns ( @jkouns )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Embedded Systems Security: Building a More Secure Device

Here's an overview of the presentation: What are common embedded systems?; What issues do they face?; Recommendations for securing embedded systems

Speakers

Randall Brooks ( @randallsbrooks )

Randall Brooks is an Engineering Fellow for Raytheon Company (NYSE: RTN), representing the company within the U.S. International Committee for Information Technology Standards Cyber Security 1 (CS1) and the Cloud Security Alliance. Brooks has nearly 20 years of experience in cybersecurity, with recognized expertise in Software Assurance (SwA) and secure development life cycles (SDLC). In addition to holding seven patents, Brooks is a CISSP, SSLP, ISSEP, ISSAP, ISSMP and CCSK. Brooks graduated from Purdue University with a Bachelor of Science from the School of Computer Science.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Transforming Security: Containers, Virtualization and Softwarization

This session will explore how we can leverage containers, network/endpoint virtualization technologies and virtualized security instrumentation, concurrently, to transformationally improve security visibility, security analytics, system resilience and actionable context, greatly increasing our ability to attest that systems will be secure and compliant in any state into which they may be driven.

Speakers

Dennis Moreau ( @DoctroMoreau )

Dr. Dennis Moreau is a Senior Engineering Architect at VMware, focusing on security innovation in highly dynamic utility computing environments. Moreau has over three decades of experience in the representation, visualization, analysis and control of complex system behavior and security. He has been a Sr. Technology Strategist at EMC/RSA, a founder/CTO of Configuresoft (now a VMware technology), the CTO of Baylor College of Medicine, and a tenured Computer Science faculty member, with research sponsored by NASA/Jet Propulsion Laboratory, Bell Laboratories, IBM, the U.S. Department of Commerce, the National Institutes of Health, the National Library of Medicine and the National Science Foundation. He holds a doctorate in Computer Science and speaks regularly at security conferences worldwide.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Estimating Development Security Maturity in About an Hour

The session describes a simple method of estimating a development team’s security maturity, i.e., how well they build a secure software product, by looking at five key factors. The factors and a simple rating system will be shown, coupled with real-world samples. Applicable usage scenarios, as well as a comparison to other security maturity models, will be given.

Speakers

Matthew Clapham ( @ProdSec )

Principal, Product Development Security, GE Healthcare

Matthew (Matt) Clapham makes products more secure. His career is a rare blend of both product development and enterprise operations. He is currently a Principal, Product Development Security at GE Healthcare. Clapham previously worked as a Software Tester, IT Policy Author, Auditor and Security Advisor to all things games at Microsoft. He is quite familiar with security foibles of the Industrial Device Internet of Things and how to overcome them. Clapham is a frequent speaker and author of magazine articles on IT, security, games or some combination thereof. He holds degrees in engineering and music from the University of Michigan.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Understanding the “Why” in Enterprise Application Security Strategy

The Hershey Company launched a strategic initiative to identify all of the truly critical IT assets that enable the company’s continued success. The evaluation confirmed the importance of protecting its business-critical SAP systems. To get executive cross-functional buy-in, the security team implemented an SAP Vulnerability Management program with a clear strategy of “why” to influence results.

Speakers

Troy Grubb ( @TroyRGrubb )

Information Security Manager, GRC & SAP Security, The Hershey Company

Troy Grubb is an accomplished Information Security professional with over 10 years of experience in information security, with a strong focus on enterprise applications and SAP Security. Grubb obtained a B.S. degree from East Stroudsburg University of Pennsylvania, with a dual major in computer science and computer security. Grubb currently works as an SAP Security Specialist for a Fortune 500 company in the consumer goods industry. In his career, Grubb has worked on a large number of information security projects focusing heavily on the development of secure standards for access control models, configurations, software development and the technical infrastructure of enterprise applications.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Open-Source Security Management and Vulnerability Impact Assessment

Reuse of Open Source Software (OSS) in commercial software development has increased by orders of magnitude. This presentation will show how OSS vulnerabilities can be managed at large scale (about 10,000 OSS usages in our case), and how to address sins from the past. Finally, a concept will be shown that automates the analysis of the exploitability potential of an insecure OSS component.

Speakers

Gunter Bitz; Henrik Plate

Senior Manager Legal Compliance, SAP SE

Gunter Bitz is the Senior Manager for the European and APJ Technology Legal Compliance team. His team supports SAP’s product engineering groups in managing the legal compliance and software security aspects arising from the consumption of open source software and freeware during the software development lifecycle.
Prior to his current role, Bitz was responsible for product security governance at SAP and held the position of product security spokesperson. In his first role at SAP he protected the organization’s intellectual property by designing and implementing global policies and information security technology.
Bitz has spoken at many international security conferences, in particular RSA conferences, and was a member of the program committee of RSA Europe and RSA APJ.

Henrik Plate has worked as a Senior Researcher in the Product Security Research group at SAP since 2007. During this time, he was coordinator and scientific lead of the European FP7 research project PoSecCo, built up an SAP-wide security training for application developers and performed security assessments of SAP applications. Currently, he researches new approaches and tooling for ensuring secure consumption of third-party components in the software supply chain. Before joining the SAP research group, Plate held various positions as a software engineer, and studied computer science and business administration at the University of Mannheim. He holds a diploma from the University of Mannheim and is a CISSP.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Agile Security—Field of Dreams

PayPal started its Waterfall to Agile transformation journey two years ago. That meant that the software security program had to morph as well. The Field of Dreams question of “if you build it, will they come?” was no longer a valid question! Come hear about real-world insights about integrating security into Agile—approaches, processes and tools put in place and the results from them.

Speakers

Laksh Raghavan ( @laraghavan )

Laksh Raghavan works at PayPal Inc. as Senior Security Strategist in the Information Security organization specializing in Application Security. He is currently responsible for managing the Secure Product LifeCycle program for all PayPal applications including the web and mobile apps supporting PayPal’s more than 170 million active accounts. Raghavan has fifteen years of experience in the areas of application security and information risk management and has provided consulting services to various Fortune 500 and Financial Services companies around the world before joining PayPal in 2009. Laksh has been a speaker at BayThreat and Microsoft Security Development conferences. He is also the co-author of two books on the topic of Secure and Resilient Software Development.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Introducing a Security Program to Large Scale Legacy Products

A discussion of the real-world work and challenges of introducing and maintaining a comprehensive security program for a large and complex set of legacy storage products. This includes developing a security architecture, vulnerability response, pushing for necessary security enhancements and application security. In this session, you will hear about which efforts worked well and which didn’t.

Speakers

Millard Taylor ( @tad_taylor )

Security Architect, Self

Millard (Tad) Taylor has been working in various aspects of computer security for over 30 years. Starting at NSA, he helped to develop the Rainbow series and guided research into security and formal methods. Then came a stint as a Consultant and Researcher into security while at RTI and Computational Logic, Inc. Afterwards, he became a Security Tester and Developer for Trusted DG/UX and “the security person” for a string of products at Data General/EMC, finally becoming the Security Architect for the Celerra, VNX and VNXe product lines. While at EMC, he also consulted to other product groups, helped to develop corporate-wide standards and guidelines, and continually pointed out that the RSA division doesn’t have sole responsibility for security of all of EMC’s products.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

IOCs Are Dead—Long Live IOCs!

Indicators of Compromise were meant to solve the failures of signature-based detection tools. Yet today’s array of IOC standards, feeds and products haven’t impeded attackers, and most intel is shared in flat lists of hashes, IPs and strings. This session will explore why IOCs haven’t raised the bar, how to better utilize brittle IOCs and how to use intrinsic network data to craft better IOCs.

Speakers

Ryan Kazanciyan ( @ryankaz42 )

Ryan Kazanciyan is the Chief Security Architect for Tanium and has twelve years of experience in incident response, forensic analysis, penetration testing and security architecture. Prior to joining Tanium, Ryan oversaw investigation and remediation efforts at Mandiant, a FireEye company, partnering with dozens of Fortune 500 organizations impacted by targeted attacks. Ryan is a frequent presenter at industry conferences, has taught classes for corporate security teams and federal law enforcement, and is a co-author of Incident Response and Computer Forensics, 3rd Edition (2014). 

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Bridging the Gap Between Threat Intelligence and Risk Management

Here's an overview of the presentation: Bridging Risk & IR in Verizon's DBIR; Building Understanding; Finding Common Ground; Bridging the Gap; Crossing the Divide

Speakers

Wade Baker ( @wadebaker )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015

Amid privacy concerns and after a decade-long battle, the U.S. Cybersecurity Information Sharing Act (CISA) of 2015 was passed. Critics claim CISA is a surveillance bill in disguise; proponents claim the act provides a needed legal framework for information sharing. Can CISA actually improve cyberdefense without risking privacy? Are there unforeseen roadblocks? What about STIX/TAXII?

Speakers

Bret Jordan ( @jordan_bret ); Mark Davidson 

Director of Security Architecture and Standards, Blue Coat Systems

Bret is a seasoned business leader and cyber security architect with over 20 years of experience in cyber security. He has worked with an eclectic mix of global enterprise companies, startups, non-profits, academic institutions, and currently works at Blue Coat Systems where he heads security architecture and standards in the Office of the CTO. Bret is also a co-chair of the OASIS-CTI-TAXII sub-committee.

Mark Davidson is a cybersecurity leader and information sharing subject matter expert. Davidson heads up software development at Soltra and is a Co-Chair in the STIX/TAXII standards group. Davidson has experience in security operations, cyber R&D and product development. Before leading the development of Soltra Edge, he was a core member of the STIX/TAXII team at MITRE where he was the lead author for TAXII 1.0 and TAXII 1.1 and contributed measurably to the development of STIX and CybOX. Before that, Davidson was an analyst in a Fortune 100 SOC where he developed solutions for information collection and fusion across multiple subsidiaries, geographic regions and political environments.

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

Dreaming of IoCs Adding Time Context to Threat Intelligence

Find an interesting intelligence framework, followed by a good understanding of Logstash and Logstash filtering, tardis, Kibana reporting, etc.

Speakers

Travis Smith ( @MrTrav )

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)

The Measure of Success: Security Metrics to Tell Your Story

Information security is a complex problem, and quantifying it is harder still. This presentation offers metrics that help make security more understandable.

Speakers

Julie Bernard ( @juliein10A ); Wendy Frank

Detailed Presentation:

(Source: RSA USA 2016, San Francisco)