Security Automation: Research Findings, Best Practices, and Lessons Learned

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778597

This presentation combines the findings of a doctoral study into security automation in the financial sector with real-world experiences in implementing security automation. The research focused on strategies financial institutions need to reduce the gap between the attacker's time to compromise and the defender's time to detect and respond. Learn from the experiences of companies that have implemented or are implementing security automation. This session will look at what to expect from security automation (and what not to expect), how to decide what to automate, strategies to help ensure a successful security automation program and lessons learned from successes and failures.
Learning Objectives:
  • Describe the strategies for a successful security automation initiative based on the experiences of cybersecurity professionals from the financial services industry.
  • Demonstrate how to select practical use cases to achieve success and quick wins with security automation.
  • Describe common challenges and pitfalls of implementing security automation and how to avoid them.

GDPR Security Post-Mortems: 10 MORE Critical Lessons You Can Apply Now

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778601

Since EU supervisory authorities began GDPR enforcement, at least 600 companies and government agencies have been punished for privacy and security failures. These failures have resulted in excess of €275 million in fines, plus orders for remediation. Remarkably, only a few GDPR Articles, such as Articles 5 (Principles), 6 (Legal Basis), and 32 (Security), are consistently cited by those authorities. Moreover, in the majority of cases, the failures were attributable to basic privacy and security practices. In this follow-up to last year’s presentation, a data protection industry legal veteran will review several new post-mortems, determine what went wrong, and discuss the implications for your security and privacy program.
Learning Objectives:
  • Understand what regulators consider when issuing a GDPR-related penalty.
  • Appreciate the potential costs of mandatory remediation orders.
  • Apply these lessons for California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) compliance.

Developer First - A new way to look at Application Security

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778620

Today in cloud environments, it is possible to create and destroy services on demand. Yet, most application security programs focus on tried and true methods of scanning, blocking and throwing vulnerabilities over the wall. Today, application security teams have more capabilities and methods available to them to bring application security to the next level. It's time to move to a developer-centric style of application security through education, automation, artificial intelligence, chatbots and ultimately, application security as a service. This model of application security as a service provides engineers the tools needed to access security information while they are developing and prior to code being integrated and deployed.
Learning Objectives:
  • Understand the current state of application security in most organizations.
  • Understand what capabilities are available to application security teams to be able to provide better services to the development organizations they partner with.
  • Understand what an AppSec as a Service model looks like and how to get started.

Cloud Top Threats Case Studies and (im)proving your security?

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778642

What are the threats to your cloud application? A survey conducted in 2021 looked at major issues that have caused business, financial, or reputational impacts to users of cloud services. In the past, the Cloud Security Alliance’s “Top Threats to Cloud Computing: Egregious Eleven” provided an excellent resource for the threats and issues that cloud services have to deal with. Documents such as the CSA Top Threats Working Group’s “Cloud Threat Modeling Guidance” provide an excellent basis for performing threat modeling. These new threats can be applied to this guidance, with consideration of mitigating controls (such as the Cloud Controls Matrix), to determine one's attack surface and residual risk.
Learning Objectives:
  • Visualize a detailed description of the 2021 Cloud Security Alliance's Top Threats survey.
  • Apply the CSA's Top Threats Working Group's Threat Modeling Guidance with consideration of the new survey threats.
  • Utilize the Cloud Controls Matrix to minimize one's attack surface.

InfoSec Lessons From a Saguaro Cactus

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778666

The recent pandemic has many seeking the outdoors, where we can all learn lessons from any environment. The saguaro cactus is a symbol of strength and perseverance within the harshest elements, just like the sole information security professional in a small/medium business. One must be willing to stand tall and put their experience on the line to help the business not just know better, but do better. This can be challenging in an SMB environment where the threats are not always obvious and there may not be clear regulatory requirements. We will share proven methods to encourage strong security practices in an SMB world without getting prickly.
Learning Objectives:
  • Introduce security standards based on the NIST Cyber Security Framework that make sense for small and medium businesses.
  • Identify opportunities to encourage strong security practices and introduce them to the SMB even when they may not be required by regulations.
  • Leverage free materials to provide information security training that helps employees and their families in addition to the business. Security information that applies to both personal and professional life is the most likely to be used and remembered.

How Franchisees & Midsized Businesses Elevate their Cybersecurity to Protect their Data, Organization, and Brand

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778647

Many franchisor/franchisee environments do not clearly delineate compliance ownership. In many instances the delineation is either blurry, non-existent, or suffocated by legal language. Ultimately, the franchise brand will be the most impacted in the event of a breach, in terms of both financial liability and reputational loss. We'll share lessons gained from collaborating with a franchisor/franchisee ecosystem of 150+ members to pragmatically and operationally implement security controls and best practices that would collaterally facilitate PCI DSS compliance.
Learning Objectives:
  • Define and understand compliance challenges in the franchise ecosystems.
  • Define and understand compliance custody/ownership in the franchise business.
  • Take away research findings and concrete steps, drawn from lessons learned implementing a PCI DSS compliance program, to apply in their own work.

Cyber Guardian Exercise: A Case Study in Brazil to Address Challenges in Cybersecurity

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778651

Discussions about cybersecurity concerns in critical infrastructure quite often take an alarmist approach. Threats may employ cyberspace for actions that generate kinetic and non-kinetic effects on national defense. In this context, we will outline how the Cyber Guardian Exercise, coordinated by the Cyber Defense Command, established cyber protections around important national and critical infrastructure sectors in Brazil. This was done by building a strong cybersecurity community based on the exchange of experiences and partnerships among 38 government and military agencies, defense-related firms, academic entities, and representatives from the financial, energy, telecommunications and other critical sectors.
Learning Objectives:
  • Understand the need for rapid information sharing to cope with the dynamism and uncertainties of cyber threats, and identify inputs important to the National Network Incident Treatment Plan.
  • Appreciate the importance of a permanent exchange of experiences relating to best practices and of mutual knowledge among those who make up cyberspace.
  • Appreciate the importance of the National Cybersecurity Strategy for the integration of initiatives, normative alignment, and the maturity of society in its cybersecurity efforts.

Secure My Privacy

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1778671

Privacy engineers are an integral part of ensuring that privacy risk is mitigated and privacy implications are addressed. The efficacy of privacy engineers is fundamentally dependent on their ability to influence. The cross-functional nature of privacy engineering dictates that privacy risk and impact assessments must consider third-party risk, legal and compliance requirements, security, and business drivers in order to build a culture of privacy by design over time. Security plays a significant role in implementing risk mitigation strategies that address privacy risk. While privacy principles are high level, a common governing framework integrating privacy and cybersecurity, aligned with the enterprise-level risk management framework, can assure that privacy considerations are embedded at the design phase and monitored on an ongoing basis.
Learning Objectives:
  • Gain an understanding of a comprehensive security and privacy framework, the NIST Privacy Framework, and its relationship to the NIST CSF.
  • Learn about measuring and reporting on the efficacy of privacy mitigation strategies, and understand how the outcome of a privacy risk/impact assessment feeds into security risk mitigation strategies.
  • Understand the significance of establishing a Privacy by Design mindset integrated into security by design as part of product design.

In Their Own Words: Focus Group Research Details Diverse Perspectives and Experiences Working in Cybersecurity

Oct 18, 2021 3:15pm ‐ Oct 18, 2021 4:15pm

Identification: 1868932

The need for diversity in cybersecurity is firmly established. Diverse perspectives help generate innovative ideas needed to solve the complex problems facing our industry. (ISC)² is deeply committed to advancing diversity, equity and inclusion (DEI) across the cybersecurity industry and in everything we do as an organization. Earlier this year, (ISC)² convened a focus group of diverse professionals working in the cybersecurity industry around the globe who provided first-person accounts of their experiences working in the industry. In this session, we will discuss the findings from that research, as well as have an open discussion with some of the research participants into how we can improve and accelerate diversity, equity and inclusion in the workforce.
Learning Objectives:
  • Provide insight into the experiences of women and people of color in the cybersecurity industry.
  • Offer suggestions on how to create a more inclusive workplace and how to recruit diverse talent.
  • Provide resources for participants to support their organizations in a DEI journey.

Trivia and Drinks

Oct 18, 2021 4:30pm ‐ Oct 18, 2021 6:00pm

Identification: 1856917