Achieving HITRUST on a Budget.

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778670

HITRUST is the most sought-after certification among healthcare organizations, but the cost, resources, and time required are daunting. On average, the direct and indirect costs and time of achieving the HITRUST certification are more than $300K and 18 months. At Ginger, we took a different approach and completed our HITRUST assessment in less than half that budget and in 11 months. This presentation will outline how nine best practices and projects implemented at Ginger helped us in our HITRUST journey. These practices include the best course for obtaining management support, implementing cross-functional projects between technical and governance teams, starting an organization-wide security program, the pre-work required for the audit, the tools that helped us, and lessons learned.
Learning Objectives:
  • Learn to conduct a HITRUST assessment on a budget and in a timely manner.
  • Initiate a successful organization-wide security program and cross-functional projects between technical and compliance teams.
  • Shortlist the (vendor-neutral) tools that are must-haves to expedite the audit process and strengthen the security controls.

Stay ahead of the game: automate your threat hunting workflows

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778672

It is very important nowadays to stay up to date with all of the cyber threats from around the world. It is widely known that there are not enough skilled people available to staff every security operations center (SOC). As a result, many organizations struggle with the massive number of new types of attacks and the alerts generated by their tooling. During this session, you will learn how to hunt (and automate your hunt) for active cyber threats in your environment and contain them using integrated connections to network, endpoint and cloud products. This session is targeted at SOC management, cybersecurity engineers, threat hunters and analysts. It will touch on threat detection, investigation and response.
Learning Objectives:
  • Effectively hunt for active cyber threats in an environment and contain them using integrated connections to network, endpoint and cloud products.
  • Efficiently use the necessary code which will be made available after the session.
  • Properly educate your team on how to effectively execute threat detection, investigation and response within an organization.

Container Security for clusters running at Scale (T-Mobile)

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778661

Kubernetes has been the de facto standard at T-Mobile, deployed across AWS, Azure and on-prem, and using managed Kubernetes services to support critical production workload applications at scale. Containers offer many opportunities for building and deploying more secure applications and environments, but they also introduce new security challenges. This talk demonstrates how we took on the challenge of securing 150+ clusters running 200,000+ containers in a strategic way to achieve a shift-left security design coupled with flawless implementation, backed by solid operational excellence guidelines for managing the T-Mobile Container Security Platform.
Learning Objectives:
  • Learn how to handle container security in the real world to secure production workloads without the risk of downtime.
  • Learn the guiding principles T-Mobile has adopted in securing clusters at scale, which can be mapped to your own organization's environment running platforms at scale.
  • Understand the design and policy rollout strategy that is key to implementing container security in an iterative fashion.

What are you leaking? Practical steps in knowing your OPSEC.

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778626

Every day companies - massive companies - get hacked. Why? Could it be what the companies themselves leak through their own website, through DNS, through their staff? This talk will look at what operations security (OPSEC) is and how knowing your OPSEC can help protect your business, providing practical steps to better understand your leaks and what attackers will use to target you. We'll show real examples of OPSEC mistakes that impact the security of the organization and also show how attackers turn innocuous leaks into targeted attacks. In conclusion, we'll outline how to mitigate some of your leaks and limit your exposure. Many of the secrets of the threat intelligence community are achievable yourself using basic open-source intelligence exercises. Get your Google-Fu on; this will be fun!
Learning Objectives:
  • Understand what OPSEC is and how that knowledge can benefit an organization and allow it to take practical steps to limit leaks and mitigate some of the threats.
  • Make use of the simple tools and techniques provided during this session to start your OPSEC journey.
  • Return to your organization and practically demonstrate to senior staff how their respective organization may be leaking information that an attacker can use.

Creating a virtual first line of defence for secure software development

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778606

This session sets out an approach that combines the security, IT risk and assurance domains to create a sustainable secure software development process. The approach first defines a set of common audit controls and designs them into the process, where they can be inherited by every change. Then it defines a set of tailored controls to satisfy the security requirements of each of the changes that flow through the process. Finally, it creates a virtual first line of defence, ensuring that as each change flows through the process, security requirements are met and common audit controls are inherited, so that every change passing through the development process is secure, compliant and authorized.
Learning Objectives:
  • Define a set of common audit controls to satisfy the audit requirements of each phase of the software development process.
  • Define a set of tailored baseline controls to satisfy the security requirements of each development change.
  • Use a process integrity tool to create a virtual first line of defence that designs these controls into the software development process and manages their day-to-day execution.

No Trust Without Verification - The Journey to Zero Trust in a Hybrid Environment

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1778576

Security architecture is changing. Zero Trust is a response to accelerating trends that include flexible working, bring your own device (BYOD) and more services moving to the cloud. The increasing complexity of enterprise infrastructure has outpaced legacy methods of perimeter-based network security, which are also insufficient for preventing lateral movement once attackers have breached a network boundary. We need a new security paradigm. "No trust without verification" - removing inherent trust from the network and gaining confidence in users, devices and services - can be challenging to implement in a complex and shifting landscape of people, processes and systems. This session will focus on guiding principles and practical techniques that can be applied to plan your journey to Zero Trust in a complex hybrid environment.
Learning Objectives:
  • Define Zero Trust architecture design principles.
  • Describe how Zero Trust architecture design principles can be applied in a hybrid environment.
  • Understand the challenges of implementing Zero Trust architecture design principles in a hybrid environment with legacy systems, and be able to describe how to begin the journey to a Zero Trust architecture.

“Go Ask Alice”: Feed Your Head with Practical Approaches to the Ever Changing Regulatory Landscape

Oct 18, 2021 1:45pm ‐ Oct 18, 2021 2:45pm

Identification: 1859825

The amount of data being generated on a daily basis has been growing rapidly over the last few years. For most organizations, this data is both indispensable and invaluable.

The problem is two-fold: (1) regulations are changing all the time and (2) methods for data management and governance range from manual records to privacy tools with all the bells and whistles. This program will bring together the observations and experiences of two perspectives, one legal-centric and one tech-centric, on how to assess and evaluate this problem. The goal is to create a discussion that will leave the participant with a high-level overview of state-by-state privacy requirements while arming them with a framework for determining the best methods to achieve defensible compliance.

Learning Objectives:
  • Provide background and an update on GDPR, CCPA and CCPA-like regulations in the US.
  • Compare the baseline requirements of the different schemes.
  • Discuss different approaches and tips for designing and implementing a compliance plan.

Exhibit Hall Break

Oct 18, 2021 2:45pm ‐ Oct 18, 2021 3:15pm

Identification: 1856935


Developer First - A new way to look at Application Security

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778620

Today, in cloud environments, it is possible to create and destroy services on demand. Yet most application security programs still focus on the tried-and-true methods of scanning, blocking and throwing vulnerabilities over the wall. Application security teams now have more capabilities and methods available to them to bring application security to the next level. It's time to move to a developer-centric style of application security through education, automation, artificial intelligence, chatbots and ultimately, application security as a service. This model of application security as a service provides engineers the tools they need to access security information while they are developing and before code is integrated and deployed.
Learning Objectives:
  • Understand the current state of application security in most organizations.
  • Understand what capabilities are available to application security teams to be able to provide better services to the development organizations they partner with.
  • Learn what an AppSec-as-a-Service model looks like and how to get started.

GDPR Security Post-Mortems: 10 MORE Critical Lessons You Can Apply Now

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778601

Since EU supervisory authorities began GDPR enforcement, at least 600 companies and government agencies have been punished for privacy and security failures. These failures have resulted in more than €275 million in fines, plus orders for remediation. Remarkably, only a few GDPR Articles, such as Articles 5 (Principles), 6 (Legal Basis), and 32 (Security), are consistently cited by those authorities. Moreover, in the majority of cases, the failures were attributable to lapses in basic privacy and security practices. In this follow-up to last year's presentation, a data protection industry legal veteran will review several new post-mortems, determine what went wrong, and discuss the implications for your security and privacy program.
Learning Objectives:
  • Understand what regulators consider when issuing a GDPR-related penalty.
  • Appreciate the potential costs of mandatory remediation orders.
  • Apply these lessons for California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) compliance.