What’s the Threat and What Should You Be Doing About It?
Today organizations continue to suffer from the inevitable breach. Perimeter security stacks are frequently bypassed, endpoint security technology is often ineffective, and sooner or later a breach will happen. We read report after report from vendors too numerous to mention on how attackers are getting into an enterprise regardless of what a CISO spends to prevent compromises. During this presentation we will talk about the most interesting and applicable nuggets in those reports, and which reports security teams should pay attention to and read each year. We’ll also jump into actions an organization can take based on those reports that will help them minimize the chance of a compromise and help mitigate the impact from those attacks. There is no perfect set of solutions out there; however, there’s a lot of great information available every year that can help us ensure we’re doing everything possible to counter the inevitable compromise.
13 Treasures in 81 Minutes: Identity, Data Privacy, and the Isabella Stewart Gardner Heist
In the early hours of March 18, 1990, two men entered the Gardner Museum. They left 81 minutes later with 13 pieces of artwork, including two Rembrandts, a Vermeer, a Degas, and an ancient Chinese vase. The heist remains unsolved today, with no leads and no suspects — and the museum is offering a $10 million prize for the safe return of the pieces.
Given that background, you might assume that this was another session about zero trust. It’s not.
The massive reward offered by the Gardner speaks to the value it places on its artwork. Recently, a growing emphasis on data privacy has sought to treat identities and their associated data as valuable works of art as well, worthy of protection and compensation for use — attempting to return control of identity data to the user. Through the lens of the Gardner theft, we’ll evaluate the current proposals, legislation, and concepts around user-owned data and explore the benefits and pitfalls of each.
We'll step through the heist, recreate those 81 minutes, and discover how identity data is not the “new oil” — it’s the new Vermeer. Note: If we somehow crack the case together, we'll split the $10 million between us all.
A traditional tabletop exercise (TTX) involves gathering various teams from around the company and running through your disaster recovery (DR) plan. Normally these exercises will start with a disaster such as a ransomware outbreak, fire in your main data center, etc. Teams have built plans to deal with such situations, and a TTX is intended to run through these scenarios to ensure that the plans meet the need. However, there is a flaw: teams always seem to succeed. This constant success is known as following the happy path, and it is incredibly detrimental to the effectiveness of your plans. Disasters rarely follow a “happy path”, so why should your TTX?
Let’s face it, running an insider threat program is like being a piece of fruit trying to predict the behavior of a kangaroo. Well, maybe not that bad, but it sure isn’t easy.
In this session, we’ll work out what it means to have an insider threat program, we’ll talk about how you might structure a program, and we’ll do a case study on an existing program so you can compare notes. We’ll have a chat about who is watching the watchers, and we’ll chew on how useful these programs really are (hint: no one knows). It will be fun!
Head of the Advisory CISO team at Duo Security (now Cisco)
Time and Risk Dimensions in Security
When it comes to cybersecurity response and planning, time is not on our side. When incidents happen in milliseconds, but innovations take years, how do we close the time gap? In this session, we will talk about how to use time to our advantage: to react faster, plan better, and develop a path to the unknown future.
Vice President and Chief Security Strategist, Exabeam
Failed Response: Breach response for leadership
A botched response to a breach is worse than the breach itself. Figuring it out on the fly isn’t advisable, so to whom should you turn as a guide? How do you lead through something that you’ve never yourself done? For those in leadership, breach response is part art and part science. It’s the translation of atomic indicators for board members while explaining the sins of the past to external auditors and lawyers – and you can’t afford to get it wrong without disastrous and expensive outcomes. Equal parts leadership and grit: learn from past mistakes and firsthand experiences from someone who has done it and helped others do it. Hear from Stephen Moore, a guy forced to figure it out on the fly during one of the most significant breaches ever.
In an evolving risk landscape, it’s easy to become distracted by the flood of incoming information and security alerts. With tightening resources, from teams working remotely to shrinking budgets, leveraging the odds via threat intelligence to mitigate risks becomes key. We will highlight how to use threat intelligence as a force-multiplier to bridge the business risk and security risk divide.
Principal Director for Applied Cyber Intelligence at Accenture Federal Services
Reducing Information Overload Via an Analog Model for Cyber Risk
Cybersecurity relies on Security Operations Center (SOC) personnel to conduct data triage on large numbers of automated alerts to identify true threats to networks. To achieve this goal, SOC personnel must not only filter out false positives in data streams, but also coalesce disparate pieces of data to generate information that yields a conclusion of an existing exception condition in the desired state of cybersecurity and requires action.
Additionally, false negatives in data streams may later be identified when a compromise is discovered via human reporting or other means. Limitations of Turing machines used as automated sensors, ever-increasing network size and speed of transmission, limited numbers of qualified personnel, and the necessity to work in uncertainty, all serve to exacerbate the continual condition of information overload for network defenders.
This research addresses information overload by reducing the information that is presented to personnel working in a SOC. It proposes a new framework for determining cybersecurity risk as a time-dependent function, which allows for reduced information overload and at least equivalent cybersecurity posture.
Parting the Cloud: Securing Privileged Identities in Modern Environments
As organizations rapidly move human and machine access and workloads to the Cloud, scale and efficiency are at an all-time high. With this exponential increase of scale, attackers are taking advantage of the lack of visibility and over-permissioning that tends to occur as a result of the often rapid transformation.
In this session we’ll discuss tactics to discover and remediate privilege faux pas for the people and robots that need powerful access into your Cloud infrastructure.
In a world of advanced persistent threats and increasingly sophisticated countermeasures, it is more important than ever to focus on security basics first. While we need the capabilities new security technologies bring, in almost all cases, the effectiveness of these tools depends on basic security principles being operated effectively. In this session, we will discuss common mistakes organizations make with security basics, how those mistakes can render more advanced security controls ineffective, and what we can do to help avoid such errors.
How to take the 'suck' out of supplier risk management – a story about how we did it
IU Health is a healthcare provider with over 1,300 vendors. We face risks of scale. We needed to come up with means by which we could state our requirements, evaluate vendors for risks, and credibly present that we had addressed risks.
Current third-party vendor risk solutions do not present the requirements for a risk-based approach needed to address the intent of regulations. A score based upon controls we have no insight into and reported data breaches does not provide evidence of risk mitigation. The processes used by most organizations revolve around Business Associate Agreements to address security terms and conditions, and detailed commitments to controls are not made.
Our challenge, the same faced by many organizations, was an insurmountable workload in managing our supplier risk. We were overloading our attorneys, our third-party risk team, and several outside firms, along with vendors.
So, we spent a year and a half researching this problem. We interviewed practitioners, CISOs, vendors and peer institutions. We developed security standards for emerging technologies. We examined upcoming standards, sent recommendations, and shared our ideas with vendors.
We published this work on our website in November 2019 for everyone to use.
The Value of a Virtual/Fractional CISO in Small/Mid-tier Business
Larger organizations have the ability to justify the resources and expense of having a full time CISO (Chief Information Security Officer) on staff to manage their Cyber Security program. That said, small and mid-tier businesses have the same Cyber Security challenges, but without the resources and funding to respond.
This discussion will help you understand how a Virtual CISO can help you assess your security profile and guide you through remediating any outstanding issues within a constrained budget. Welcome to the first 30 days of a vCISO engagement!
Land, space, sea and air are all fair game for hackers. Discover vulnerable, remotely exploitable or misconfigured systems using open source intelligence gathering tools and techniques. Protect your organization or find out if your home alarm system is insecurely exposed to the internet. This journey takes you through computer systems, databases, industrial control systems (ICS), email servers and settings, intelligence agencies, crackable encryption, internet of things devices, hydroelectric dams, solar panels, fire alarms, home cinemas, maritime, space, aircraft and more.
From Passive Reconnaissance to Compromise with OSINT and Third-Party Apps
Join us to learn how attackers use Open Source Intelligence (OSINT) and third-party apps to obtain information that eventually leads to a successful corporate or home network compromise. Tyrone will demonstrate how to use various tools and an attacker's mindset to gather relevant information without getting caught. We will see the entire information attack process from start to finish.
Social engineering tests are generally useless games of gotchas. While they might find some unique vulnerabilities, they do little to make significant changes in awareness or the overall security program. This presentation will use a variety of case studies to show how to proactively construct social engineering simulations to be repeatable and provide for the identification of systematic changes within awareness programs and the overall security program.
Always on the edge of your seat when it comes to new exploits and tricks? Bug bounties, CTFs, live hacking events, simulations, and interactive educational modules have been proven to stimulate and reinforce new tools and knowledge, helping you become a stronger red teamer.
But how does our brain process gamification and threats as hackers?
This gamified/interactive talk shares how our brains are stimulated by them and how to up your game.
Vice President of Research and Analysis at Interos
Rethinking Cyber Risk in a Reglobalized World
COVID-19 has exposed the fragility and insecurity of a hyper-globalized world system. The pandemic is accelerating global shifts and further entrenching disparate approaches to security, privacy, and data protection across the globe. From digital authoritarians and techno-nationalism to nascent signs of digital democracies, these distinct approaches significantly affect digital security and privacy risks.
We will briefly detail these competing digital frameworks, with a focus on their core components and current examples. Cyber attacks and disinformation remain persistent threats, but the range of risks expands beyond these usual suspects. We will explore the growing aperture of cyber risk considerations, including: government-mandated access to data, internet blackouts, evolving hardware regulations and pacts, and third-party and supply chain risks. As globalization continues to transform, it is essential to evolve cyber risk frameworks to account for these transformations in the ‘new normal’.
High Value Adversary Emulation through Purple Teaming
Offensive security and Ethical Hacking are about providing business value. One of the most efficient and effective ways to improve security is through Adversary Emulation Purple Team Exercises. Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team), with the Blue Team having full knowledge of the engagement. In this talk, we will cover how to run a high-value adversary emulation through a Purple Team Exercise.