Welcome and GOH Address (Day 1)

Dec 6, 2023 9:05am ‐ Dec 6, 2023 9:15am

Identification: SAP2301


Opening Keynote: Reframing Cybersecurity: Preparing the Cyber Workforce of Tomorrow to Protect the Global Public Good

Dec 6, 2023 9:30am ‐ Dec 6, 2023 10:00am

Identification: SAP2302

In today's rapidly advancing digital world, it's vital to understand the interconnected nature of cyber threats as they affect the global public good, highlighting the urgency for cyberpeace across all dimensions. As the cyber threat landscape expands, with emerging technologies and malicious actors posing risks that resonate across borders and sectors, it's imperative to consider cybersecurity as a public good. This approach underpins collective resilience and protects nations, industries, and individuals. At the same time, addressing the widening cybersecurity workforce gap is critical, as the lack of skilled professionals spans from private to public sectors, affecting organizations of all sizes. The dialogue will explore effective practices to cultivate a diverse workforce equipped with the necessary skills for a secure digital future.


ISC2 Singapore Chapter Update

Dec 6, 2023 10:00am ‐ Dec 6, 2023 10:15am

Identification: SAP2303

This session aims to provide an overview and status update of ISC2 Singapore Chapter programmes and activities for ISC2 members.

Learning Objective:
  • To provide an overview and status update of ISC2 Singapore Chapter programmes and activities.


Control Validation Through Adversary Emulation at DTCC

Dec 6, 2023 10:25am ‐ Dec 6, 2023 11:05am

Identification: SAP2305

In this compelling presentation at Secure Asia Pacific, I will delve into the cutting-edge practice of control validation through adversary emulation, specifically within the context of the Depository Trust & Clearing Corporation (DTCC). Focusing on the crucial task of ensuring the effectiveness of our cyber security monitoring controls, I will highlight DTCC's innovative approach of emulating threat actors or adversary campaigns using the well-established MITRE ATT&CK framework. Through insightful analysis and real-world examples, I will demonstrate how DTCC successfully mimics adversarial behavior, allowing us to assess the robustness of our defensive measures. Attendees will gain valuable insights into the benefits and challenges of this proactive validation approach, as well as the practical steps taken by DTCC to implement it within the organization. From identifying control gaps to evaluating response capabilities, this presentation offers a comprehensive exploration of control validation through adversary emulation, offering attendees practical strategies to enhance their own cyber security practices.

Learning Objectives:
  • Learn about the practice of adversary emulation using the MITRE ATT&CK framework.
  • Gain valuable insights into DTCC's control validation practices, providing attendees with actionable guidance to establish or enhance their own control validation programs.
  • Acquire firsthand experience with the tools, resources, and processes employed in adversary emulation, allowing attendees to develop practical skills and knowledge in this crucial area of cyber security.


The Evolution of Access Control in Cloud Environments: Embracing ABAC over RBAC

Dec 6, 2023 10:25am ‐ Dec 6, 2023 11:05am

Identification: SAP2304

As cloud-native infrastructures evolve, the need for advanced security controls such as Attribute-Based Access Control (ABAC) over traditional Role-Based Access Control (RBAC) becomes apparent. This talk will explore the journey from RBAC to ABAC, highlighting the limitations of RBAC and how ABAC's fine-grained, context-sensitive controls meet modern demands. We'll discuss ABAC's key benefits, supported by case studies of successful transitions from RBAC to ABAC. Additionally, we'll offer practical advice on implementing ABAC effectively. Attendees will gain insights into the future of access control in cloud environments, helping them leverage ABAC to enhance their organization's security.

Learning Objectives:
  • Grasp limitations of traditional RBAC models as cloud infrastructures evolve and scale, recognizing the need to evolve access controls
  • Understand key capabilities of ABAC and appreciate benefits over RBAC, including fine-grained, dynamic controls that provide better security
  • Acquire best practices for transitioning from RBAC to ABAC through real-world case studies and examples, focusing on risk mitigation, integration, policies and realizing enhanced security


Sponsored Session 1 (placeholder)

Dec 6, 2023 11:25am ‐ Dec 6, 2023 12:20pm

Identification: SAP23SS01


Elevating Efficiency and Cloud Security: SaaS Products in Public Sector

Dec 6, 2023 11:25am ‐ Dec 6, 2023 12:20pm

Identification: SAP2306

This session will explore how the public sector can leverage Software as a Service (SaaS) products for optimal efficiency and cloud security. Discover best practices in adopting SaaS solutions while upholding robust security measures, data protection, and regulatory compliance. Gain insights from real-world examples and learn about effective vendor evaluation, authentication controls, data governance, and ongoing security monitoring.

Learning Objectives:
  • Learn best practices for adopting secure and efficient SaaS solutions in the public sector.
  • Gain insights into effective vendor evaluation, authentication controls, and data governance for SaaS implementation.


Sponsored Session 2 (placeholder)

Dec 6, 2023 12:30pm ‐ Dec 6, 2023 1:25pm

Identification: SAP23SS02


Inside a Blackcat Ransomware Attack

Dec 6, 2023 12:30pm ‐ Dec 6, 2023 1:25pm

Identification: SAP2307

Over the years, malware infections have become the norm and attackers have become evidently better technically, posing challenges to cybersecurity professionals. In light of escalating cyberthreats, I am here to shed some light on an actual Blackcat ransomware incident that crippled one of the largest manufacturing companies in Singapore, leading to millions in losses. I will address some of the lessons learnt and pain points in detail, as well as the preparation effort that can be put in place to effectively manage security incidents.

Learning Objectives:
  • Blackcat Ransomware
  • Security Incident Management


Managing Cyber Risk for IT and OT using NIST, IEC62443 & ISO27001

Dec 6, 2023 2:30pm ‐ Dec 6, 2023 3:15pm

Identification: SAP2310

Sandra will explain how cyber risk for both IT and OT (IACS) is managed enterprise-wide based on the company's Enterprise Cyber Security Governance Framework, which comprises two main elements: the Cyber Security Risk Management process and the integrated Control Framework. Sandra will explain the main elements of the Cyber Risk Management process and how it is applied to both IT and OT, reflecting a risk-based approach whilst at the same time meeting the compliance requirements of various standards and regulations, both global and country-specific. The Control Framework includes multiple relevant standards such as NIST, IEC/ISA 62443, ISO27001+, multiple countries' Data Protection standards (e.g. EU, UK, Canada, Malaysia, Australia, etc.), OWASP and PCI DSS.

Learning Objectives:
  • Learn how to create and apply a GRC framework for cybersecurity risk governance and management that can be applied to both IT and OT (IACS), whilst addressing multiple standards and diverse country and industry requirements.
  • Learn practical tips and advice on deploying and implementing the framework to diverse stakeholders.