DevOps and DevSecOps pipelines are all the rage, and every day there is a seemingly increase in the number of uses of the term DevSecOps. A pure DevSecOps pipeline is ideal, but almost always unrealistic given organization-specific technical or business constraints (i.e., intra-organizational approvals, business cycles and objectives, regulatory approvals). Much like Donald Rumsfeld once said: "You go to war with the army you have, not the army you might want or wish to have at a later time." As leaders of the cybersecurity industry, we need to achieve actionable, high-quality cybersecurity solutions despite organizational imperfections. Automation of the Sec element within DevSecOps requires a delicate balance between speed and security, automation and human awareness, and great and good enough.

Actionable threat intelligence should provide organizations with the ability to quickly detect (and react to) current threats beyond using the traditional signature and behavior-based security tools. Many organizations, however, currently only view threat intelligence as generic free or paid feeds containing indicators of compromise related to historical attacks used to enrich their own data. Although this approach is common, information gathered through it is of limited use for the organizations and cannot be thought of as “actionable intelligence”. In this presentation, we will look at how raw, freely available data and tools may be used in a DIY fashion to create a tailored threat intelligence program that supplies the organization with data of real actionable value.

Security teams cannot afford to continue utilizing outdated linear project execution practices such as waterfall. A security team that is forced to lock resources into a long running project is not able to effectively respond to major threats and events as they crest the horizon. This talk will focus on FirstBank's journey to and through a Pivotal Security model of Agile-based security projects and tasking. It will cover the genesis, hurdles, growing pains and successes that have been realized by applying Agile principles. FirstBank has been able to boost work throughput and create a process that is flexible enough to pivot to the ever-changing demands and priorities with which our security team is presented. We now go faster and do more work.

With a full scale ZTA implementation, it is unlikely that adversaries will be able to spread through a corporate network using a compromised endpoint. However, the already authenticated and authorised session of the compromised endpoint can be leveraged to perform limited malicious activities, ultimately rendering endpoints the Achilles heel of ZTA. In order to effectively detect such attacks, distributed intrusion detection systems with an attack-scenario-based approach have been developed. That said, APTs have demonstrated their ability to bypass this approach with high success ratio. Motivated by the convergence of ZTA and blockchain-based intrusion detection and prevention, we examine how ZTA can be augmented onto endpoints.

Time and again, we see that the key hosts implicated in cyber incidents, those where threat actors gain initial access or exploit to spread throughout the network, aren't even supposed to BE there anymore. These are testing servers that were stood up during testing and were supposed to have been shut down afterward. They are old development systems that linger, long forgotten, unmatched and unmonitored. They are legacy application servers "temporarily" exempted from security requirements. In this talk, we will look at several examples of how this can happen even in large, well-resourced organizations with otherwise mature IT operations. We will discuss how we can avoid this phenomenon in our organizations and use our awareness of this phenomenon in defending and threat-hunting on our networks.

COVID-19 demonstrated to the world that supply chains are critical to our society and are vulnerable to many different types of disruptions. Not just cybersecurity disruptions. We must understand that supply chains are more than logistics, more than risk assessments orSOC reports on a vendor’s cybersecurity, or due diligence. Today’s supply chains need ongoing monitoring and attention. They require third-party risk management. This presentation will explain the processes and procedures needed to properly select a vendor, perform due diligence, determine inherent risk, calculate residual risk, manage contracts, establish ongoing monitoring, document and report to senior management and the board, maintain oversight & accountability and terminate vendors. All while protecting their supply chains.

No doubt, you've heard about the recent attack that leveraged a technology software supplier, SolarWinds, to compromise a large number of organizations, including many in the IT industry and U.S. government agencies. This was one of the world’s most serious nation-state cyberattacks, and has raised a number of questions, including "How do I know if I was impacted?" In this session, we''ll talk about how the attack was carried out, and, more importantly, how customers can identify the TTPs indicating a compromise in their own environment.

Ever wonder how we defined the programs that we have today? Many security professionals security started with PCI, HIPAA or SOX compliance. This presentation will take you on a journey from the creation of the Computer Security Program for Mission Operations at Johnson Space Center, NASA. That program was based on data security principles, the Orange Book and the Computer Security Act of 1986. The journey continues through the creation of several more programs; adding compliance, metrics and, in the end, drawing on the past to create a program that was able to be agile enough to meet the rapidly changing needs of the business during a pandemic. This presentation will focus on tricks, traps, lessons learned and standards created along the way.

In 2020, FAIR Institute membership passed 10,000, representing more than 40% of the Fortune 1000, and spanning 118 countries. In only five years, use of this open standard approach to risk quantification has reached critical mass and is now recognized by NIST, COSO and HITRUST. Boardrooms are increasingly averse to risk colors and heat maps using ambiguous, ordinal scales. For centuries, the language of business risk has been in dollars and time. IT and cybersecurity risk must embrace the next evolutionary step and learn to speak this language with accuracy and confidence. This session will explore foundational measurement and quantification concepts, failures of current models and enlightening research. It will also introduce the global standard Factor Analysis of Information Risk (FAIR) concepts and ontology.