Wendy Nather (Keynote)
Retail Cyber Intelligence Sharing Center (R-CISC)
Wendy Nather is Research Director at the Retail Cyber Intelligence Sharing Center (R-CISC), where she is responsible for advancing the state of resources and knowledge to help organizations defend their infrastructure from attackers. She was previously Research Director of the Information Security Practice at independent analyst firm 451 Research, covering the security industry in areas such as application security, threat intelligence, security services, and other emerging technologies.
Wendy has served as a CISO in both the private and public sectors. She led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), as well as for the Texas Education Agency. She speaks regularly in locations around the world on topics ranging from threat intelligence to identity and access management, risk analysis, incident response, data security, and societal and privacy issues. Wendy is co-author of The Cloud Security Rules, and was listed as one of SC Magazine’s Women in IT Security “Power Players” in 2014. She is an advisory board member for the RSA Conference, and serves on the board of directors for Securing Change, an organization that helps provide free security services to nonprofit groups. She is based in Austin, Texas.
Caleb “chill” Crable & Evan “detro” Keiser
Caleb is a Malware Analyst at Cylance, practicing dirtywhitehat, and frequent contributor to the information security community both online and at technology security events. Caleb enjoys long walks on the beach with polymorphic malware in his leisure.
Evan also serves as a Malware Analyst at Cylance, constantly disseminating new threat intelligence among his team and performing security incident reconstruction in his spare time. Based in Raleigh-Durham, North Carolina, in his free time Evan is an avid lock picking enthusiast and penetration tester who enjoys finding holes in virtual and physical security controls of all kinds, belgian waffles and hacking all the things.
Cloud & Control: Where do we go from here?
With so many people taking advantage of the cloud, no one really thinks about how the cloud is taking advantage of you. We will be taking an in-depth look at the pros, and mostly cons, of the datacenter clusters that we harmlessly refer to as cloud infrastructure. Whether it be saucy selfies, bank or medical records, or even just highly valued data in general; How safe do you actually think it is…on someone else’s computer?
Inga Goddijn & Becky Swanson
Risk Based Security / Markel
Becky Swanson is the Managing Director of Miscellaneous E&O at Markel; this includes the Misc. Professional Liability, Information Technology Professional and Data Breach Liability coverage. She began her insurance career in 1996 and is an experienced miscellaneous professional, technology professional and cyber liability specialist with experience in all professional liability insurance coverages. Managed a team of underwriters providing training and leadership with a focus on misc./technology professional and employment practices liability risks. Her focus has been on Miscellaneous and Technology Professional and Cyber liability coverage for the past 10 years. As the Managing Director of Misc. E&O, Technology and Cyber Liability products at Markel Corporation, she is responsible for policy language analysis and development, creation and implementation of underwriting guidelines, rate strategy analysis, training and continued education. Presentations including continuing education instructor on Cyber and Misc. Professional Liability insurance, coverage panels sponsored by brokerage firms, Data Privacy and Security Exposures for public entities, Panel discussions for ACI’s Cyber & Data Forum, NetDiligence Cyber Forum, PLUS panel discussions on Emerging Trends in Professional Liability and What’s New in the Realm of Real Estate and Cyber Security World panel on cyber insurance.
Inga has been involved with technology risk and specialty insurance coverages since 1993 and has a wealth of experience with information risk identification and transfer. Her focus is the strategic management of data privacy and security exposures, with an emphasis on leveraging data-driven risk assessment to build sustainable and scalable programs.
As the leader of the insurance practice group at Risk Based Security, Inga is responsible for a variety of client advisory services including management and mitigation of data security and privacy risk, policyholder risk reduction programs and the development and implementation of cost effective breach response solutions. As a strong advocate for sharing knowledge, Inga has presented at a variety of industry forums and has led many continuing educations sessions throughout the U.S. She currently holds a CIPP/US designation.
Show Me The Money! Uncovering The True Cost of a Breach
It’s become the quintessential million dollar question, how much does a data breach cost? Unfortunately reliable open sources for answering that question are few and far between. With budgets under a microscope and resources stretched thin, being able to reasonably estimate breach costs is an import part of gaining buy-in for new security initiatives and defining acceptable levels of risk. This session will demystify the process of estimating breach costs by taking a closer look at the different factors that drive event expenses. Using real case examples taken from actual breaches, the session will break down the various elements that contribute to the cost of a breach and include ideas for calculating these expense factors. We’ll round out the session with a discussion of how the breach, along with the response effort, influences “soft” costs as well, such as reputation damage and lost business.
Joey has more than 20 years of experience in the information technology industry, specializing in information security for over 15 years. Prior to joining the Citrix Security team, he served as the director of professional services for GuidePoint Security, heading up the security assessments, application and mobile, and cloud security consulting practices. Joey is an active member of the information security community, speaking frequently at conferences and events such as BSides, RVAsec, OWASP, and TakeDownCon. He has also written, or appeared in, articles by Hakin9, SC Magazine, SD Times, and Network World.
Deceptive Defense: Beyond Honeypots
Everyone knows malicious hackers utilize deception all the time. Maybe it’s a tactical DDoS attack, meticulously timed to misdirect defenders from an initial intrusion, or perhaps a data exfiltration event. Attackers reuse competitors’ code, and compile malware in languages other than their own to encourage false attribution. The examples are endless. Quarterbacks are masters of deception, too. This talk compares deceptive practices of top NFL quarterbacks with practical deception in the Enterprise, and offers suggestions on how security practitioners can utilize ruses, disinformation, misdirection, and other techniques to increase the cost of targeting an organization to the point that the risk no longer justifies the reward. The presentation covers effective recommendations deployed in production environments today that don’t require purchasing expensive deception systems.
Andrew Hay is the CISO at DataGravity where he advocates for the company’s total information security needs and is responsible for the development and delivery of the company’s comprehensive information security strategy. Prior to that, Andrew was the Director of Research at OpenDNS (acquired by Cisco) and was the Director of Applied Security Research and Chief Evangelist at CloudPassage, Inc.
Maneuvering Management Madness
Why do practitioners have such a hard time convincing their management team about the value of investing in security training, tools, and other initiatives? Is it because they’re too stubborn or busy to take the time to assess the concerns or is it more likely that you haven’t found the best way to communicate the threat to the business in a language that they understand?
Business leaders have implemented their own language, much of which was learned in business school, to better communicate with shareholders, board members, partners, and peers. Unfortunately, this language is often as foreign to most security practitioners as yours is to them. So what can practitioners do to better communicate with management?
This session will discuss several tactics to help convince your management team that your concerns are valid with examples on how to justify requests for headcount, procedures, policies, and human, tool, and training investment.
Ben Smith is Field Chief Technology Officer (Field CTO – US East) with RSA, The Security Division of EMC. He is a trusted advisor and consultant to RSA’s global financial services customers, as well as customers in other vertical markets. With over 25 years’ experience in the networking, information security and telecommunications industries, he is responsible for consulting on RSA’s strategic vision around architecture and technical roadmaps for the company’s security and risk management solutions. Prior to joining RSA, he held senior technical positions at UUNET, Intuit, CSC, and the US Government, along with a string of technology-oriented startups. He holds a number of professional technical certifications, including the Certified Information Systems Security Professional (CISSP) certificate, and has presented on RSA’s behalf, both domestically and internationally, at cybersecurity events sponsored by Gartner, FS-ISAC, ISSA, ICI, (ISC)2, ISACA, InfraGard, HTCIA and other organizations.
Measuring Security: How Do I Know What a Valid Metric Looks Like?
There is no universally accepted method to measure security. So how do we translate operational measurements into meaningful security metrics for the business? Doing so effectively is essential, because you can’t manage what you don’t measure. This session will touch on the following general questions: Why are security metrics important, from both a compliance and an operational perspective? What are some best practices to keep in mind when selecting security metrics? Does your audience(s) dictate which metrics to select? What behaviors are you trying to influence with these metrics? What are some unexpected sources of security metrics? How should you communicate those metrics internally within your organization for maximum impact? Are there any examples of poor metrics which should be avoided in most cases?
Andrew McNicol is driven by his passion for helping organizations identify exploitable vulnerabilities before an adversary. He is currently the CTO at BreakPoint Labs specializing in offensive security services, mentor for SANS, and one of the founders and lead authors of Primal Security. Previously, he lead a penetration testing team and worked on an incident response team focusing on malware analysis and network forensics for DoD, Law Enforcement, and Commercial companies.
Andrew holds an M.S. in Information Assurance, and variety of InfoSec qualifications (OSCE, OSCP, OSWP, GICSP, GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, etc.)
Beyond Automated Testing
Have you ever run a vulnerability scan and thought “Okay… now what?” This talk is all about how to go beyond automated testing to find vulnerabilities that scanners miss. The goal of the talk is to help inspire others to reach beyond Nessus and Burp Suite scans to help their organization identify vulnerabilities that expose high impact risk.
Evan Johnson is an engineer at CloudFlare in San Francisco. He previously worked at LastPass and can distinguish diet coke from diet pepsi by taste.
Staying Above A Rising Security Waterline
Security is not a destination, it’s a journey. At CloudFlare, the journey is taking place daily at light speed. More products, more features, more services, more attack surface. I’ll talk about the technical work and process we created to maintain a high standard of security internally without burdening our developers.
Enjoys long walks with a debugger. As well as profound conversations with IDA. All while eating tacos and drinking redbull.
Reversing for humans.
This talk is about reversing malware in the easiest way possible. While the tactics and procedure for doing so are not new the goal is to show you how you can get the simple things out and quickly identify the ‘things’ you need to asses its threat in your environment. This talk is for those that like to get dirty
RVA locals with an AppSec obsession, Brenton Kohler and Jacob Ewers.
Brenton Kohler is a Managing Consultant with Cigital, a software security company. Brenton has a MS degree from James Madison University in Secure Software Systems. He has professional experience as a developer, researcher, and consultant. Brenton’s security expertise includes software security group management, penetration testing, security assessments, and secure code reviews in a diverse set of technologies. In his spare time Brenton enjoys being active and spending time with his family.
Jacob Ewers, a Senior Consultant with Cigital, has over five years of experience working with clients to implement and optimize their security initiatives. After performing and leading countless dynamic and static assessments, Jacob began to focus on tackling the harder problems of how organizations can make sure that they’re doing AppSec “right” as solving the AppSec puzzle never looks the same for each type of organization.
So you’ve purchased a SAST tool
Despite the marketing, deployment of static application security testing (SAST) tools is much more than a point and click adventure. If you have purchased a SAST tool, you’ve undoubtedly had the thoughts, “Are we more secure?” “Are we done?” “Was that successful?” We will discuss the path for a successful SAST tool deployment, attempt to cut through the FUD in the industry regarding SAST, and highlight the real potential pitfalls you may face along the way through case studies.
Newport News Shipbuilding A Division of Huntington Ingalls Industries
Troy has been in the IT and Infosec industry for over 10 years working in a wide array of roles such as application and system administration, network intrusion detection, wireless security, host and network digital forensics and incident response. Today, he leads the incident response team at his current employment and is also focused on cyber intel processing, IOC hunting, advanced adversary tracking, malware analysis and custom tool development. When Troy is not cybering the things, he enjoys being in the outdoors, taking things apart, home brewing and spending time with his wife and children.
Troy currently holds a B.S. in Computer Engineering and Computer Science from Christopher Newport University and has multiple certifications, including: GSEC, GCIA, GCIH, GAWN, GREM, GCFA, GNFA, CISSP
Bro’s before Flows
During an incident response, acquired network activity is critical in attempting to fully identify the what, when, where and how of a given incident. Security practitioners often find themselves losing “the full picture” over time and therefore constrained to context-less logs to help explain an already complex problem. This talk will explore multiple levels of network data acquisition; from full packet capture solutions to rudimentary network logs such as routers and firewalls. We will attempt to find the acquisition “sweet spot” using tools such as the Bro IDS platform and how such tools can be tailored to your organization.
Chris Romeo is CEO, Principal Consultant, and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Secure Development Life Cycle program, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness program launched in 2012.
Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris is a sought after conference speaker, with experience speaking at the RSA Conference, ISC2 Security Congress, AppSec USA, and many others. Chris holds the CISSP and CSSLP certifications.
AppSec Awareness: A Blue Print for Security Culture Change
How does an individual change the application security culture of an organization? By deploying an application security awareness program with engaging content, humor, and recognition. See the blue print for how you can build an application security awareness program based on real life experience. Change the security DNA of everyone in your organization.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour. He has more than 20 years of security operations leadership and executive-level policy experience in some of the largest and most critical public and private sector organizations in the world including roles as:
• Principal at The Chertoff Group
• Appointed by President Obama as DHS’s first Deputy Under Secretary for Cybersecurity
• VP and Chief Security Officer at the North American Electric Reliability Corporation (NERC)
• Appointed by Governor Arnold Schwarzenegger as California’s first Chief Information Security Officer
• Chief Information Security Officer for the State of Colorado
• US Navy Cryptologic Officer
In addition, Mark was:
• Selected as SC Magazine’s “CSO of the Year” award in 2010
• Named one of the “10 Most Influential People in Government Information Security” by GovInfoSecurity in both 2012 and 2013
• Selected for the 2013 CSO Compass Award for leadership achievements in the security community
(Your) Inevitable Path to the Cloud
Like the switch from steam to electric power a century ago, the shift to cloud computing is inevitable—in fact, it’s already here. But what this brings in efficiency, it misses in security as the lack of visibility in the virtual environment allows too much room for malicious activity. This presentation details the structure and blind spots of data centers and cloud environments and addresses ideas for companies to consider in securing their data assets.
Black Box Network Services
Rockie Brockway serves Black Box as Information Security and Business Risk Director and Senior Engineering Director. With over two decades of experience in InfoSec/Risk, he specializes in Information Security Risk Management and the inherent relationship between assets, business system and process, adversary and threats. For the past 6 years he has served in a vCISO role for a F500 manufacturing organization creating and improving their global Enterprise Security Architecture while building teams of trained red team killers and risk analysts for Black Box.
Enterprise Threat Management Like a Boss
Attribution is hard. And in most business cases unnecessary. Threat Management, like Vulnerability Management, is a core pillar in most Enterprise Security Architectures (ESA), yet is a very different beast with completely separate functions, processes and skillset requirements. Similar to my previous talk on Enterprise Class Vulnerability Management, this talk takes the framework of the OWASP ASVS 2014 framework and applies it to Enterprise Threat Management in an attempt to make a clearly complicated yet necessary part of your organization’s ESA much more manageable, effective and efficient with feasible recommendations, based on your business’ needs.
Red Hat, Inc.
Dave is a career Open Source security advocate, evangelist, and problem solver. Working closely with the product and platform security teams at Red Hat, developing skills and knowledge of not just ensuring the Linux host is secured, but ensuring this level of security is maintained over time.
Open Source Identity Management: From Password to Policy
Learn how Open Source technologies such as FreeIPA
(IdM) and SSSD can provide intelligent policy management and access
control for your Linux environment, tighter Active Directory
integration through cross forest trusts, and a variety of methods by
which one can authenticate using Smart Cards, SAML, and OTP among
others to systems and services. This session will also cover how to
use the additional features and functionality of FreeIPA to provide a
robust PKI infrastructure and DNS management to your environment.
Dawn-Marie Hutchinson brings 15 years of enterprise information technology experience to her role as a senior consultant in the Office of the CISO at Optiv. She is an innovative business partner with extensive
experience serving on Enterprise Risk Management teams. She is an expert in providing data privacy and security solutions to manage information risk, improve IT governance and strengthen internal controls.
Beyond the Security Team: The Economics of Breach Response
Breaches are expensive. So expensive that cyber insurance coverage is often lacking. This presentation explores the economics of breaches, the differences between breach and incident response and how you can align your security team’s goals with company values.
Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting FDA CDRH on medical device cyber security. Steve was co-creator and Editor of the CVE list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for CWE, the Common Weakness Scoring System (CWSS), and the CWE/SANS Top 25 Software Most Dangerous Software Errors. He was a co-author of the influential “Responsible Vulnerability Disclosure Process” IETF draft with Chris Wysopal in 2002. He was an active contributor to other community-oriented efforts such as CVSS, CVRF, and NIST’s Static Analysis Tool Exposition (SATE). His interests include adapting traditional IT security
methodologies to new areas, software assurance, improving vulnerability information exchange, and making the cybersecurity profession more inclusive for anybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.
Toward Consistent, Usable Security Risk Assessment of Medical Devices
“CVSS? For *my* medical device?” It’s more likely than you think.
With so many different stakeholders in the medical device ecosystem – including manufacturers, hospitals, researchers, third-party coordinators, and patients – it’s no wonder that risk assessment is looking kind of discombobulated right now. When a new medical device vulnerability comes out, rarely is there any agreement about how bad it is. It can be very difficult for health care providers to use existing information to make appropriate, defensible risk decisions
If only there were a common vulnerability scoring system to stop the madness! Enter CVSS. But how can this IT-oriented system be used for evaluating medical device vulnerabilities, and should it? Fortunately, FDA’s CDRH has tasked MITRE to work with the medical device community to find out, so I’ll tell you all about it.
Michelle Schafer & Tim Wilson
Michelle Schafer is Senior Vice President and runs the cybersecurity team at Merritt Group, an integrated marketing and public relations firm based in the DC area. Over the past decade, Michelle has represented more than 50 security companies including BlackHat, CrowdStrike, Mandiant, Netwitness, Venafi, MACH37, PhishMe, (ISC)2, PGP and Fortify Software, among others. She is a MACH37 mentor and frequently presents at conferences like RVASec and Security B-Sides about the role of media in cybersecurity.
Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech’s online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.
The Changing Mind of the Security Pro — How Hype and Media Shape Infosec Priorities
One of the most difficult jobs of today’s security professional is setting priorities in a storm of news reports, vulnerability disclosures, and product announcements. With so much hype and misinformation on the Web and in the media, how can infosec pros determine which problems to tackle first? In this informative session, top experts in the fields of security PR and media will discuss the various ways that threats and technology are overhyped — and how you can sort through the noise to determine what really matters to your organization.