Head of the Advisory CISO team at Duo Security (now Cisco)
Time and Risk Dimensions in Security
When it comes to cybersecurity response and planning, time is not on our side. When incidents happen in milliseconds, but innovations take years, how do we close the time gap? In this session, we will talk about how to use time to our advantage: to react faster, plan better, and develop a path to the unknown future.
In an evolving risk landscape, it’s easy to become distracted by the flood of incoming information and security alerts. With tightening resources, from teams working remotely to shrinking budgets, leveraging the odds via threat intelligence to mitigate risks becomes key. We will highlight how to use threat intelligence as a force-multiplier to bridge the business risk and security risk divide.
Principal Director for Applied Cyber Intelligence at Accenture Federal Services
Reducing Information Overload Via an Analog Model for Cyber Risk
Cybersecurity relies on Security Operations Center (SOC) personnel to conduct data triage on large numbers of automated alerts to identify true threats to networks. To achieve this goal, SOC personnel must not only filter out false positives in data streams, but also coalesce disparate pieces of data to generate information that yields a conclusion of an existing exception condition in the desired state of cybersecurity and requires action.
Additionally, false negatives in data streams may later be identified when a compromise is discovered via human reporting or other means. Limitations of Turing machines used as automated sensors, ever-increasing network size and speed of transmission, limited numbers of qualified personnel, and the necessity to work in uncertainty, all serve to exacerbate the continual condition of information overload for network defenders.
This research addresses information overload by reducing the information that is presented to personnel working in a SOC. It proposes a new framework for determining cybersecurity risk as a time-dependent function, which allows for reduced information overload and at least equivalent cybersecurity posture.
How to take the 'suck' out of supplier risk management – a story about how we did it
IU Health is a healthcare provider with over 1,300 vendors. We face risks of scale. We needed to come up with means by which we could state our requirements, evaluate vendors for risks, and credibly present that we had addressed risks.
Current third-party vendor risk solutions do not present the requirements for the risk-based approach needed to address the intent of regulations. A score based on controls we have no insight into, plus reported data breaches, does not provide evidence of risk mitigation. The processes used by most organizations revolve around Business Associate Agreements to address security terms and conditions, and detailed commitments to controls are not made.
Our challenge, the same faced by many organizations, was insurmountable workload in managing our supplier risk. We were overloading our attorneys, our third-party risk team, and several outside firms, along with vendors.
So, we spent a year and a half researching this problem. We interviewed practitioners, CISOs, vendors and peer institutions. We developed security standards for emerging technologies. We examined upcoming standards, sent recommendations, and shared our ideas with vendors.
We published this work on our website in November 2019 for everyone to use.
In a world of advanced persistent threats and increasingly sophisticated countermeasures, it is more important than ever to focus on security basics first. While we need the capabilities new security technologies bring, in almost all cases, the effectiveness of these tools depends on basic security principles being operated effectively. In this session, we will discuss common mistakes organizations make with security basics, how those mistakes can render more advanced security controls ineffective, and what we can do to help avoid such errors.
Land, space, sea and air: all are fair game for hackers. Discover vulnerable, remotely exploitable or misconfigured systems using open source intelligence gathering tools and techniques. Protect your organization, or find out whether your home alarm system is insecurely exposed to the internet. This journey takes you through computer systems, databases, ICS (industrial control systems), email servers and settings, intelligence agencies, crackable encryption, Internet of Things devices, hydroelectric dams, solar panels, fire alarms, home cinemas, maritime, space, aircraft and more.
From Passive Reconnaissance to Compromise with OSINT and Third-Party Apps
Join us to learn how attackers use Open Source Intelligence (OSINT) and third-party apps to obtain information that eventually leads to a successful corporate or home network compromise. Tyrone will demonstrate how to use various tools and an attacker's mindset to gather relevant information without getting caught. We will see the entire information attack process from start to finish.
New exploits and tricks keep you on the edge of your seat. Bug bounties, CTFs, live hacking events, simulations, and interactive educational modules have all been proven to stimulate and reinforce the new tools and knowledge needed to become a stronger red teamer.
But how does our brain process gamification and threats as hackers?
This gamified/interactive talk shares how our brains are stimulated by them and how to up your game.
Vice President of Research and Analysis at Interos
Rethinking Cyber Risk in a Reglobalized World
COVID-19 has exposed the fragility and insecurity of a hyper-globalized world system. The pandemic is accelerating global shifts and further entrenching disparate approaches to security, privacy, and data protection across the globe. From digital authoritarians and techno-nationalism to nascent signs of digital democracies, these distinct approaches significantly affect digital security and privacy risks.
We will briefly detail these competing digital frameworks, with a focus on their core components and current examples. Cyber attacks and disinformation remain persistent threats, but the range of risks expands beyond these usual suspects. We will explore the growing aperture of cyber risk considerations, including: government-mandated access to data, internet blackouts, evolving hardware regulations and pacts, and third-party and supply chain risks. As globalization continues to transform, it is essential to evolve cyber risk frameworks to account for these transformations in the ‘new normal’.
High Value Adversary Emulation through Purple Teaming
Offensive security and ethical hacking are about providing business value. One of the most efficient and effective ways to improve security is through Adversary Emulation Purple Team Exercises. Adversary Emulation is a type of ethical hacking engagement in which the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs) against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test, which focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach that follows industry methodologies and frameworks (such as MITRE ATT&CK) and leverages Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team), with the Blue Team having full knowledge of the engagement. In this talk, we will cover how to run a high-value adversary emulation through a Purple Team Exercise.