Monday
09:00am - 10:30am EDT - October 18, 2021
Credits Available:
1.50 CPE

11:00am - 12:00pm EDT - October 18, 2021

Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V600-Taylor Rondenell
Track: Cutting Edge
Tags: Intermediate
Credits Available:
1.00 CPE
This session examines a collection of open source tools used in an authorized red team engagement of a cloud-native Kubernetes cluster environment to discover application security defects. Our collection of dark web and GitHub proof-of-concept (PoC) tools provides a red team with an advanced adversarial advantage over traditional commercial tooling across all stages of an engagement. We report the results in relation to our understanding of the cloud shared responsibility model as it applies to IaaS, PaaS, and SaaS. Several flaw discovery and exploit tools will be demonstrated to show their utility. We explore how CVEs are weaponized on the internet and how a red team's a priori knowledge of them can help organizations create defense-in-depth mitigating controls.


Objectives:
  • Plan a penetration test using open source tools.
  • Recall specific dark web toolkits for red teaming.
  • Demonstrate an understanding of GitHub proof-of-concept (PoC) exploits and their applicability to red teaming engagements.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V700-Jeremy Becker
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.00 CPE
We lack an agreed definition for cybersecurity and even worse, despite an international risk management standard endorsed by more than 160 nations, our profession uses multiple differing security risk management frameworks. If every employer, client and supplier has a different view of risk management, how can we expect to keep up with the bad guys, let alone beat them consistently? Even if your cybersecurity framework is best in the world, we all need to be in alignment. When 100 security professionals developed the Security Risk Management Body Of Knowledge, we integrated best practice from around the world. And it started with the ISO31000 Risk Management Guideline. This presentation is about applying ISO31000 principles, framework and process in the real cybersecurity world, and in the internet of things.


Objectives:
  • List the internationally agreed six-word definition of risk, explain the key implications of this risk definition, and describe the key components of the ISO31000 Risk Management Guideline.
  • List the key limitations of existing risk management frameworks and describe why some of the current approaches to risk management enable attackers to breach systems far too easily.
  • Argue for a better risk management framework, explain the critical importance of objectives and describe the implications of the internet of things in the context of risk management.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V800-Paul Jackino
Track: Human Factors
Tags: Advanced
Credits Available:
1.00 CPE
When users take a harmful action, cybersecurity professionals believe that the solution is more awareness. This is like saying that if a canary dies in a coal mine, the solution is healthier canaries. When the user fails, it is a failure of the entire system. The problem is not that users cause a loss, but that they can potentially initiate a loss. The solution is to engineer the user out of the process, or at least filter out an attack. When a user is in the position of possibly initiating a loss, you create a user experience and provide awareness to avoid initiating a loss. You anticipate the loss being initiated and put detection and reaction in place. We call this Human Security Engineering.


Objectives:
  • Understand conceptually how a user is only an operational part of a system, and how they initiate loss but do not create it.
  • Strategically define technologies and processes to mitigate loss throughout the entire life cycle of an attack, from initiation to user action to mitigating the harm resulting from the user action.
  • Determine how users are put in the position of potentially initiating a loss, and to examine if a user can be removed from the process.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V900-Craig Carpenter
Track: Regulation
Credits Available:
1.00 CPE
Law and regulation are of increasing importance for information security programs and professionals. Cybersecurity risks are directly tied to legal and regulatory risk. This presentation provides a foundational knowledge of law and the specific laws applicable to cybersecurity programs. It demystifies and explains important legal concepts as well as the evolution of law and regulation applicable to cybercrime and cybersecurity. All of this empowers infosec pros to understand and comply with the growing body of legal rules, and have productive conversations about the law.


Objectives:
  • Understand foundational legal concepts and how they relate to information security.
  • Understand the evolving legal and regulatory framework surrounding information security, cybersecurity and privacy.
  • Communicate more effectively about laws, regulations, and how they relate to information security programs and actions.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V1000-Owen Meldrum
Track: Zero Trust
Tags: Basic
Credits Available:
1.00 CPE
SolarWinds and other recent cybersecurity events have brought renewed attention to zero trust architectures (ZTAs), and to whether ZTAs can be a single solution to current and future threats. Organizations have become dependent on an ever-increasing number of third-party providers who deliver a greater percentage of overall services. Cybersecurity threat exposure is further complicated by the use of cloud service providers, remote workers, Internet of Things (IoT) and Bring Your Own Device (BYOD). It is recognized that ZTA can be "a solution," but is it "the solution" for the cybersecurity challenges of today and tomorrow? Organizations that partially or fully shift to ZTA need to understand the impacts to cybersecurity, and also the impacts to programmatics, organizational structures, financials and missions.


Objectives:
  • Understand the impact Zero Trust Architectures (ZTAs) have on an organization's cybersecurity posture and related organization changes.
  • Conduct assessments of the impact of ZTA and other solutions that may be layered to achieve organization cybersecurity goals.
  • Quantify and prioritize the attributes of ZTA and recognize the problems they address and the common gaps that remain.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V1100-Jon Moody
Track: Cloud Security
Tags: Intermediate
Credits Available:
1.00 CPE
In the on-premises world, cybersecurity risks were limited to your organization’s network perimeter. In the era of cloud computing, both the impact and likelihood of potential risks are significantly higher. With the corresponding rise of DevOps methodology, security is now the responsibility of everyone who is part of the application development lifecycle, not just security specialists. In this session, we will present findings on methods and processes to build a cloud security framework that makes sense for both your business and your developers. The session is based on real-life experiences from implementing cloud security programs in some of the largest enterprises in the world.


Objectives:
  • List key components of successful cloud security programs.
  • Identify new gaps in their current public cloud security state.
  • Translate existing security requirements to the cloud.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V1200-Craig Ciccolella
Track: InclusionREADY
Tags: Basic
Credits Available:
1.00 CPE
The shortage in skilled cybersecurity workers is well documented. Conventional wisdom suggests that the shortage was historically related to low unemployment in developed nations. However, the increased spike in unemployment due to the Covid-19 pandemic put this idea to rest. As such, it is critical to consider why the information security industry is simply unable to recruit enough men and women to meet global demand, identified by the (ISC)2 Cyber Security Workforce Study at more than 3 million needed today. This presentation will consider some of the potential causes for the skills shortage, what the opportunities look like and what we as cybersecurity professionals can do to create a more positive vision of our industry to attract the best and brightest to the field.


Objectives:
  • Understand some of the perceptions and stereotypes related to cybersecurity careers by those not in the industry, and appreciate how these perceptions inhibit potential interest in a cyber career.
  • Better understand and appreciate the non-technical career options that exist in cybersecurity that will make the field more appealing to personalities that do not consider themselves as analytical / technical in nature.
  • Understand what a cyber career path can and should look like and better appreciate the value of tertiary education, on-the-job experience, vendor accreditations and industry certifications as part of a well-rounded skillset.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V200-Atticus Kaiser
Track: ICS/Critical Infrastructure
Tags: Intermediate
Credits Available:
1.00 CPE
Digitalization is here to stay, and critical infrastructures are not an exception. Even before the pandemic, we saw an increasing number of OT systems connected to the internet. The growth in data, connectivity, complexity and costs has eroded the separation between IT and OT networks. What makes protecting the digitalization of critical infrastructure difficult is this convergence between IT and OT: threats that normally impact IT can move between cyber and physical environments. Therefore, cybersecurity is a key factor for the success of digitalized critical infrastructure. The presentation will share key principles and guidelines the presenter developed and refined over years of working in several industries. The application of these principles has helped prepare and secure critical infrastructure for the future of digitalization.


Objectives:
  • Better assess environments for the future of critical infrastructure digitalization.
  • Determine key initiatives for long-term protection.
  • Identify actions to better inform their cybersecurity programs.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V400-Kyle Lewis
Track: Research
Tags: Intermediate
Credits Available:
1.00 CPE
How do you measure the effectiveness of security? In 2016, we established a security function within software engineering. Taking a software engineering approach to security, we created testing services, hired developers to build tools, conducted secure code reviews and created our AppSec training program. In 2020, we challenged ourselves to evaluate the effectiveness of our program by analyzing the impact of our team’s services on pen-test findings. A three-month data analysis found that development teams working with us fixed their pen-test findings faster and had significantly fewer new pen-test findings than teams we didn’t work with. In this talk, we will share the specific application security practices that led to these improved outcomes, and how we adjusted our services in response to our findings.


Objectives:
  • Identify the key application security practices that have been shown to reduce risk.
  • Understand how to analyze the security data and adjust a program in response.
  • Know how to set up and run an experiment to evaluate the effectiveness of a security control.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V500-Joe Trusso
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.00 CPE
Cybersecurity practitioners have often drawn insights and ideas from other domains, adopting their maxims and terminology. Sun Tzu famously wrote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Carl Linnaeus is credited with developing the standard taxonomy for naming organisms. Only recently, however, has our industry begun to effectively apply the synthesis of such ideas. The MITRE ATT&CK Framework, publicly released in 2015, has been growing in scope and influence, but it is not the first of its kind. How does it compare with its predecessors in improving our understanding of adversary behavior and our defenses? This talk describes key concepts and goals of MITRE ATT&CK to help support successful implementations.


Objectives:
  • Understand the origins, design goals and components of the MITRE ATT&CK Framework.
  • Compare and contrast the MITRE ATT&CK Framework with other frameworks in order to judge appropriateness for and applicability to an organization's security programs.
  • Use the MITRE ATT&CK Framework to correlate between offensive actions and defensive capabilities and measure coverage of ATT&CK techniques.
Monday
11:00am - 12:00pm EDT - October 18, 2021 | Room: V2400-Chad Ritter
Track: Cyber Crime
Tags: Intermediate
Credits Available:
1.00 CPE
We all want a perfect environment to operate securely. In a perfect world, we would have all the resources we need to successfully defend our networks. Reality, though, paints a much more complex picture. We beg the desktop support team to deploy our endpoint security agents. There is a Windows 2000 server hosting a critical business application stuffed in an old cabinet which no one will take responsibility for upgrading but which cannot be removed. Matthew Aubert, a manager on the Cisco Talos Incident Response team, will present a short but informative talk on what immediate actions should be taken when there is an active adversary on a network. How do you protect your critical resources, contain the adversary, and deal with a possible worst-case scenario?


Objectives:
  • Demonstrate the need for leadership in a crisis.
  • Identify critical containment measures in the middle of a breach.
  • Reinforce the requirement for stakeholder communication.
Monday
01:00pm - 02:30pm EDT - October 18, 2021 | Room: V200-Atticus Kaiser
Tags: Basic
Credits Available:
1.50 CPE
Join us for the (ISC)² Security Congress Town Hall to learn what’s next for (ISC)² and hear directly from members of the Board of Directors. CEO Clar Rosso will provide a strategic update for our association, including recent accomplishments and milestones, as well as what members can expect in 2022 and beyond. Then, a panel consisting of (ISC)² Board members and management will answer members’ questions about the association, membership, certifications, workforce trends and other cybersecurity issues and challenges facing the profession. Town Hall is open to (ISC)² members and associates, as well as all Security Congress attendees.

Featuring:
  • Clar Rosso, CEO, (ISC)²
  • Zachary Tudor, CISSP, Board of Directors Chairperson
  • Lori Ross O'Neil, CISSP, Board of Directors Vice Chairperson
  • Dr. Casey Marks, Chief Qualifications Officer, (ISC)²

02:45pm - 03:45pm EDT - October 18, 2021

Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V1300-Josh Ensley
Track: Zero Trust
Tags: Advanced
Credits Available:
1.00 CPE
Security architecture is changing. Zero Trust is a response to accelerating trends that include flexible working, bring your own device (BYOD) and more services moving to the cloud. The increasing complexity of enterprise infrastructure has outpaced legacy methods of perimeter-based network security, which are also insufficient for preventing lateral movement once attackers have breached a network boundary. We need a new security paradigm. “No trust without verification” - removing inherent trust from the network and gaining confidence in users, devices and services - can be challenging to implement in a complex and shifting landscape of people, processes and systems. This session will focus on guiding principles and practical techniques that can be applied to plan your journey to Zero Trust in a complex hybrid environment.


Objectives:
  • Define Zero Trust architecture design principles.
  • Describe how Zero Trust architecture design principles can be applied in a hybrid environment.
  • Understand the challenges of implementing Zero Trust architecture design principles in a hybrid environment with legacy systems, and be able to describe how to begin the journey to a Zero Trust architecture.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V1100-Jon Moody
Track: Cutting Edge
Tags: Intermediate
Credits Available:
1.00 CPE
Supply chain security is challenging due to the inherent complexity of global supply chains. The challenge for supply chain security programs is managing the interdependencies of hardware, software, firmware, and the human relationships and factors that introduce a product into your environment. In secure SCM, you are only as secure as a snippet of code lifted from GitHub by a coder paid by a junior developer through an odd job posted on Fiverr. This same complexity was inherent when the Open Systems Interconnection (OSI) model set a standard communication and data processing structure that is still used today. We will propose a model to articulate supply chain risk, mitigating controls, and a risk scoring methodology for the security of the supply chain.


Objectives:
  • Articulate the complex process of supply chain management.
  • Identify a model to manage supply chain risk.
  • Define mitigating controls and a risk scoring methodology for supply chain security risk.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V1200-Craig Ciccolella
Track: Application Security/Software Assurance
Tags: Intermediate
Credits Available:
1.00 CPE
This session sets out an approach that combines the security, IT risk and assurance domains to create a sustainable secure software development process. The approach first defines a set of common audit controls and designs them into the process, where they can be inherited by every change. Then it defines a set of tailored controls to satisfy the security requirements of each of the changes that flow through the process. Finally, it creates a virtual first line of defense, ensuring that as the change flows through the process, security requirements are met and common audit controls are inherited, resulting in every change passing through the development process being secure, compliant and authorized.


Objectives:
  • Define a set of common audit controls to satisfy the audit requirements of each phase of the software development process.
  • Define a set of tailored baseline controls to satisfy the security requirements of each development change.
  • Use a process integrity tool to create a virtual first line of defence that designs these controls into the software development process and manages their day-to-day execution.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V900-Craig Carpenter
Track: Student Focused
Credits Available:
1.00 CPE
Cybersecurity employee shortages put a demand on current professionals to find qualified applicants. Participants will be introduced to numerous educational career paths they can employ while developing their careers. Each path will be explained along with the significance of following that path, with an emphasis on apprenticeships and the opportunities for advancing diversity. The many forms of networking will be explored and differentiated, along with the importance of each.


Objectives:
  • Identify multiple educational career paths for cybersecurity.
  • Differentiate the reasons apprenticeships are valuable to the employer and employees.
  • Compare the different means of networking and the importance of each to a career.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V1000-Owen Meldrum
Track: Privacy
Tags: Basic
Credits Available:
1.00 CPE
This session will use a consumer-centric approach to address the ethical concerns posed by COVID-19 contact tracing technologies and the significant privacy harms due to the collection of sensitive personal information. We will outline the tradeoffs between the sharing of sensitive data to address the crisis and the privacy implications of the re-identifiability risk while responding to public health emergencies during the pandemic. As we step through the data protection principles challenged while combatting the pandemic, we will consider possibilities for companies, researchers and regulators to recalibrate policies and support sharing of personal information to promote public health initiatives during outbreaks without jeopardizing individual privacy rights and freedom.


Objectives:
  • Understand trade-offs between protecting an individual's sensitive information and the public's right to information during a public health crisis.
  • Evaluate privacy-preserving mechanisms to protect, store and re-purpose geolocation data safely, following the resolution of the pandemic in a privacy-aware manner.
  • Learn possible considerations for managing regulatory compliance during the pandemic between various stakeholders interested in responsible data sharing to support public health response.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V800-Paul Jackino
Track: Cyber Crime
Tags: Intermediate
Credits Available:
1.00 CPE
Ransomware is a combination of social engineering, deception, technology, encryption algorithms, stealth, data analytics, business analysis, high-pressure negotiation, and a highly unusual manifestation of customer service. Defending against ransom and ransomware is still a moving target. Every day organizations that believe their ransomware defense is under control must deal with the cruel reality of breaches and long-lasting consequences. We take a new look at ransom-based attacks based on recent, real-life events. Learn about current trends and discuss detection/prevention techniques. We provide a practical example of what to do if you are ever faced with a successful ransom(ware) attack, and how to resolve the most difficult and stressful situation to the most acceptable outcome.


Objectives:
  • Understand current ransom and ransomware attacks.
  • Create an action plan for approaching ransom and ransomware defenses.
  • Effectively prevent ransom and ransomware attacks.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V700-Jeremy Becker
Track: Threats (Detection/Hunting/Intelligence/Mitigation/Monitoring)
Tags: Basic
Credits Available:
1.00 CPE
Every day companies - massive companies - get hacked. Why? Could it be what the companies themselves leak through their own website, through DNS, through their staff? This talk will look at what operations security (OPSEC) is and how knowing your OPSEC can help protect your business, providing practical steps to better understand your leaks and what attackers will use to target you. We'll show real examples of OPSEC mistakes that impact the security of the organization and also show how attackers turn innocuous leaks into targeted attacks. Concluding, we'll outline how to mitigate some of your leaks and limit your exposures. Many of the secrets of the threat intelligence community are achievable yourself using basic open-source intelligence exercises. Get your Google-Fu on; this will be fun!


Objectives:
  • Understand what OPSEC is and how that knowledge can benefit an organization and allow it to take practical steps to limit leaks and mitigate some of the threats.
  • Make use of the simple tools and techniques provided during this session to start their OPSEC journey.
  • Return to your organization and practically demonstrate to senior staff how their respective organization may be leaking information that an attacker can use.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V600-Taylor Rondenell
Track: DevSecOp
Tags: Intermediate
Credits Available:
1.00 CPE
Kubernetes has been the de facto standard at T-Mobile, deployed across AWS, Azure and on-prem, and using managed Kubernetes services to support critical production workload applications at scale. Containers offer many opportunities for building and deploying more secure applications and environments, but they also trigger new security challenges. This talk demonstrates how we took on the challenge of securing 150+ clusters running 200,000+ containers in a strategic way to achieve shift-left security design coupled with flawless implementation, backed by solid operational excellence guidelines in managing the T-Mobile Container Security Platform.


Objectives:
  • Learn how to handle container security in the real world to secure production workloads without the risk of downtime.
  • Learn the guiding principles T-Mobile has adopted in securing clusters at scale, which can be mapped to your own organization's environment running platforms at scale.
  • Understand the design and policy rollout strategy that is key for implementing container security in an iterative fashion.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V300-Jeff Graham
Track: Healthcare Security
Tags: Intermediate
Credits Available:
1.00 CPE
HITRUST is the most sought-after certification by healthcare organizations, but the cost, resources, and time required are daunting. On average, the direct and indirect costs and time of achieving HITRUST certification are more than $300K and 18 months. At Ginger, we took a different approach and completed our HITRUST assessment in less than half that budget and in 11 months. This presentation will outline how nine best practices and projects implemented at Ginger helped us in our HITRUST journey. These practices include the best course for obtaining management support, implementing cross-functional projects between technical and governance teams, starting an organization-wide security program, pre-work required for the audit, tools that helped us, and lessons learned.


Objectives:
  • Learn to conduct a HITRUST assessment on a budget and in a timely manner.
  • Initiate a successful organization-wide security program and cross-functional projects between technical and compliance teams.
  • Shortlist the (vendor-neutral) tools that are must-haves to expedite the audit process and strengthen the security controls.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V500-Joe Trusso
Track: Threats (Detection/Hunting/Intelligence/Mitigation/Monitoring)
Tags: Intermediate
Credits Available:
1.00 CPE
It is very important nowadays to stay up to date with all of the cyber threats from around the world. It is widely known that there are not enough resources available to fully staff every security operations center (SOC). Therefore, many organizations struggle with the massive number of new types of attacks and the alerts generated by their tooling. During this session, you will learn how to hunt (and automate your hunt) for active cyber threats in your environment and contain them using integrated connections to network, endpoint and cloud products. This session is targeted at SOC management, cybersecurity engineers, threat hunters and analysts. It will touch on threat detection, investigation and response.


Objectives:
  • Effectively hunt for active cyber threats in an environment and contain them using integrated connections to network, endpoint and cloud products.
  • Efficiently use the necessary code which will be made available after the session.
  • Properly educate your team on how to effectively execute threat detection, investigation and response within an organization.
Monday
02:45pm - 03:45pm EDT - October 18, 2021 | Room: V2400-Chad Ritter
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.00 CPE
The amount of data being generated on a daily basis has been growing rapidly over the last few years. For most organizations, this data is both indispensable and invaluable.

The problem is two-fold: (1) regulations are changing all the time and (2) methods for data management and governance range from manual records to privacy tools with all the bells and whistles. This program will bring together the observations and experiences of two perspectives, one legal-centric and one tech-centric, on how to assess and evaluate this problem. The goal is to create a discussion that will leave the participant with a high-level overview of state-by-state privacy requirements while arming them with a framework for determining the best methods to achieve defensible compliance.


Objectives:
  • Provide background and an update on GDPR, CCPA and CCPA-like regulations in the US.
  • Compare baseline requirements of different schemes.
  • Discuss different approaches and tips for designing and implementing a compliance plan.
04:15pm - 05:15pm EDT - October 18, 2021

Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V1900-Jacob Fish
Track: 3rd Party Risk
Tags: Intermediate
Credits Available:
1.00 CPE
Cybersecurity risk posture only considers the capability of bad guys to penetrate network defenses, but risks resulting from doing business with third-party vendors who have unvetted access to company data pose just as great a risk. Communicating this to a board of directors may pose the biggest challenge of all to cybersecurity leaders. Whether your company outsources software developers not properly trained in security or uses a payment processing vendor whose cyber defenses are not as stringent as their customers', you are exposing your data to exploitable vulnerabilities. This session will detail the third-party risk issues that are fundamental to a mature cyber risk program and offer a process you can take to effectively communicate this to your board.


Objectives:
  • Discover how to evaluate a third party's security posture and perform a gap analysis to uncover any cyber gaps.
  • Explore tactics for explaining this type of third-party risk to company board members.
  • Learn how to monitor vendors throughout the business relationship to identify any new cyber gaps and provide updates to the board.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V2000-Alex Aarson
Track: Security Automation/Artificial Intelligence/Machine Learning
Tags: Intermediate
Credits Available:
1.00 CPE
This presentation combines the findings of a doctoral study into security automation in the financial sector with real-world experiences in implementing security automation. The research focused on strategies financial institutions need to reduce the gap between the attacker's time to compromise and the defender's time to detect and respond. Learn from the experiences of companies that have implemented or are implementing security automation. This session will look at what to expect from security automation (and what not to expect), how to decide what to automate, strategies to help ensure a successful security automation program and lessons learned from successes and failures.


Objectives:
  • Describe the strategies for a successful security automation initiative based on the experiences of cybersecurity professionals from the financial services industry.
  • Demonstrate how to select practical use cases to achieve success and quick wins with security automation.
  • Describe common challenges and pitfalls of implementing security automation and how to avoid them.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V2100-Sondley Cajuste
Track: Privacy
Tags: Basic
Credits Available:
1.00 CPE
Since EU supervisory authorities began GDPR enforcement, at least 600 companies and government agencies have been punished for privacy and security failures. These failures have resulted in excess of €275 million in fines, plus orders for remediation. Remarkably, only a few GDPR Articles, such as Articles 5 (Principles), 6 (Legal Basis), and 32 (Security), are consistently cited by those authorities. Moreover, in the majority of cases, the failures were attributable to basic privacy and security practices. In this follow-up to last year’s presentation, a data protection industry legal veteran will review several new post-mortems, determine what went wrong, and discuss the implications for your security and privacy program.


Objectives:
  • Understand what regulators consider when issuing a GDPR-related penalty.
  • Appreciate the potential costs of mandatory remediation orders.
  • Apply these lessons for California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) compliance.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V2200-Jordan Garcia
Track: Application Security/Software Assurance
Tags: Intermediate
Credits Available:
1.00 CPE
Today in cloud environments, it is possible to create and destroy services on demand. Yet, most application security programs focus on tried and true methods of scanning, blocking and throwing vulnerabilities over the wall. Today, application security teams have more capabilities and methods available to them to bring application security to the next level. It's time to move to a developer-centric style of application security through education, automation, artificial intelligence, chatbots and ultimately, application security as a service. This model of application security as a service provides engineers the tools needed to access security information while they are developing and prior to code being integrated and deployed.


Objectives:
  • Understand the current state of application security in most organizations.
  • Understand what capabilities are available to application security teams to be able to provide better services to the development organizations they partner with.
  • Describe what an AppSec as a Service model looks like and how to get started.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V100-Jeremy Speakes
Track: Cloud Security
Tags: Intermediate
Credits Available:
1.00 CPE
What are the threats to your cloud application? A survey conducted in 2021 looked at major issues that have caused business/financial/reputational impacts to users of cloud services. In the past, the Cloud Security Alliance’s “Top Threats to Cloud Computing: Egregious Eleven” provided an excellent resource for threats and issues that cloud services have to deal with. Documents such as the CSA Top Threats Working Group’s “Cloud Threat Modeling Guidance” provide an excellent basis to perform threat modeling. These new threats can be applied to this guidance with consideration of mitigating controls (such as the Cloud Controls Matrix) to determine one's attack surface and residual risk.


Objectives:
  • Visualize a detailed description of the 2021 Cloud Security Alliance's Top Threats survey.
  • Apply the CSA's Top Threats Working Group's Threat Modeling Guidance with consideration of the new survey threats.
  • Utilize the Cloud Controls Matrix to minimize one's attack surface.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V1500-Nicholas Kogut
Track: Small/Medium-sized Business Security
Tags: Intermediate
Credits Available:
1.00 CPE
Many franchisor/franchisee environments do not clearly delineate compliance ownership. In many instances the delineation is either blurry, non-existent or suffocated by legal language. Ultimately, the franchise brand will be the most impacted in the event of a breach, in terms of both financial liability and reputational loss. We'll share lessons gained from collaborating with a franchisor/franchisee ecosystem of 150+ members to pragmatically and operationally implement security controls and best practices that would collaterally facilitate PCI DSS compliance.


Objectives:
  • Define and understand compliance challenges in the franchise ecosystems.
  • Define and understand compliance custody/ownership in the franchise business.
  • Take away research and steps from lessons learned implementing a PCI DSS compliance program, to apply in their own work.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V1600-Charlene Budziszewski
Track: ICS/Critical Infrastructure
Tags: Intermediate
Credits Available:
1.00 CPE
Discussions about cybersecurity concerns in critical infrastructure quite often take an alarmist approach. Threats may employ cyberspace for actions that generate kinetic and non-kinetic effects on national defense. In this context, we will outline how the Cyber Guardian Exercise was coordinated by the Cyber Defense Command to establish cyber protections around important national and critical infrastructure sectors in Brazil. This was done by building a strong cybersecurity community based on the exchange of experiences and partnerships among 38 government and military agencies, defense-related firms, academic entities, and representatives from the financial, energy, telecommunications and other critical sectors.


Objectives:
  • The need for rapid information sharing to cope with the dynamism and uncertainties of cyber threats, as well as to identify inputs important to the National Network Incident Treatment Plan.
  • The importance of a permanent exchange of experiences relating to best practices and mutual knowledge of what makes up cyberspace.
  • The importance of the National Cybersecurity Strategy for the integration of initiatives, normative alignment and the maturity of society in cybersecurity efforts.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V1400-Brad Lutz
Track: Small/Medium-sized Business Security
Tags: Basic
Credits Available:
1.00 CPE
The recent pandemic has many seeking the outdoors, where we can all learn lessons from any environment. The saguaro cactus is a symbol of strength and perseverance within the harshest elements, just like the sole information security professional in a small/medium business. One must be willing to stand tall and put their experience on the line to help the business not just know better, but do better. This can be challenging in an SMB environment where the threats are not always obvious and there may not be clear regulatory requirements. We will share proven methods to encourage strong security practices in an SMB world without getting prickly.


Objectives:
  • Introduce security standards based on the NIST Cyber Security Framework that make sense for small and medium businesses.
  • Identify opportunities to encourage strong security practices and introduce them to the SMB even when they may not be required by regulations.
  • Leverage free materials to provide information security training that helps employees and their families in addition to the business. Security information that applies to both personal and professional life is the most likely to be used and remembered.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V1700-Ryan Baill
Track: Privacy
Tags: Intermediate
Credits Available:
1.00 CPE
Privacy engineers are an integral part of ensuring that privacy risk is mitigated and privacy implications are addressed. The efficacy of privacy engineers is fundamentally dependent on their ability to influence. The cross-functional nature of privacy engineering dictates that privacy risk and impact assessments shall consider third-party risk, legal and compliance requirements, security as well as business drivers to build a culture of privacy by design over time. Security plays a significant role in implementing risk mitigation strategies to address privacy risk. While privacy principles are high level, a common governing framework integrating privacy and cybersecurity aligned with the enterprise-level risk management framework can assure that privacy considerations are embedded at the design phase and monitored on an ongoing basis.


Objectives:
  • Gain an understanding of the comprehensive security and privacy framework, NIST Privacy Framework and its relationship to NIST CSF.
  • Learn about measuring and reporting on efficacy of privacy mitigation strategies and understand how the outcome of privacy risk/impact assessment feeds into security risk mitigation strategies.
  • Understand the significance of establishing a Privacy by Design mindset integrated into security by design as part of product design.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V1800-Salem Zarou
Track: Human Factors
Tags: Basic
Credits Available:
1.00 CPE
All too often we focus on how to test/train our staff with security awareness. In many cases we start to see a drift toward no trust of anything that comes in. In this discussion we will go over what it takes to train your staff to be security aware without being security afraid. Sometimes it's more than just slapping hands to get them to behave better.


Objectives:
  • Learn about what it means to train your staff versus make them afraid.
  • Learn about failures of security awareness programs.
  • Learn about how to move the ball toward awareness and active participation and away from frozen staff.
Monday
04:15pm - 05:15pm EDT - October 18, 2021 | Room: V200-Atticus Kaiser
Track: InclusionREADY
Tags: Basic
Credits Available:
1.00 CPE
The need for diversity in cybersecurity is firmly established. Diverse perspectives help generate innovative ideas needed to solve the complex problems facing our industry. (ISC)² is deeply committed to advancing diversity, equity and inclusion (DEI) across the cybersecurity industry and in everything we do as an organization. Earlier this year, (ISC)² convened a focus group of diverse professionals working in the cybersecurity industry around the globe who provided first-person accounts of their experiences working in the industry. In this session, we will discuss the findings from that research, as well as have an open discussion with some of the research participants into how we can improve and accelerate diversity, equity and inclusion in the workforce.


Objectives:
  • Provide insight into the experiences of women and people of color in the cybersecurity industry.
  • Offer suggestions on how to create a more inclusive workplace and how to recruit diverse talent.
  • Provide resources for participants to support their organizations in a DEI journey.
Tuesday
08:00am - 09:00am EDT - October 19, 2021 | Room: V100-Jeremy Speakes
Track: Keynote
Credits Available:
1.00 CPE
Only Adam Steltzner and his talented team at Jet Propulsion Lab could follow their “Curiosity” rover success with the stunning Mars 2020 mission to land the rover “Perseverance” on the red planet. The magnificent landing on Mars on February 18, 2021, was akin to hurling a dart from New York City to land in a 5-foot circle in Washington, D.C. More than a technological achievement, the successful mission stands as an extraordinary leadership accomplishment in the midst of a global pandemic. In his exhilarating keynote, full of fascinating anecdotes and breathtaking images, Steltzner shares his own innovation challenges, leadership struggles and flawless execution. Most importantly, he shows how you can overcome daunting obstacles in times of uncertainty and change. The human spirit is boundless, and Steltzner leaves you unafraid to journey from your comfort zone to explore your own exciting future.

Tuesday
09:00am - 10:00am EDT - October 19, 2021 | Room: V200-Atticus Kaiser
Track: Keynote
Credits Available:
1.00 CPE
From FUBU to Shark Tank and countless ventures in between, Daymond John’s phenomenal entrepreneurial journey has spanned more than 25 years. In this dynamic presentation, Daymond breaks down the core tenets of his success, which he has distilled into tangible takeaways that he calls his five S.H.A.R.K. points. Whether you’re an entrepreneur, intra-preneur, student, corporate employee or executive, this talk will inspire you, as it has thousands of people around the world, to reconsider your approach to making positive changes in your life.

10:30am - 11:30am EDT - October 19, 2021

Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V1100-Jon Moody
Track: Zero Trust
Tags: Intermediate
Credits Available:
1.00 CPE
With a full-scale ZTA implementation, it is unlikely that adversaries will be able to spread through a corporate network using a compromised endpoint. However, the already authenticated and authorised session of the compromised endpoint can be leveraged to perform limited malicious activities, ultimately rendering endpoints the Achilles heel of ZTA. In order to effectively detect such attacks, distributed intrusion detection systems with an attack-scenario-based approach have been developed. That said, APTs have demonstrated their ability to bypass this approach with a high success ratio. Motivated by the convergence of ZTA and blockchain-based intrusion detection and prevention, we examine how ZTA can be augmented onto endpoints.


Objectives:
  • Understand the why behind the needed transition to borderless networks from perimeter-based networks and therefore defenses.
  • Understand, describe and further discuss a major weakness in ZTA, namely the endpoint itself. This will provoke further discussion into a proposed solution via blockchain, including when and where it might be most useful.
  • Gain understanding and insights into the available ZTA deployment models as well as their mapping to real-world implementations.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V1000-Owen Meldrum
Track: Security Architecture/Engineering
Tags: Basic
Credits Available:
1.00 CPE
Security teams cannot afford to continue utilizing outdated linear project execution practices such as waterfall. A security team that is forced to lock resources into a long running project is not able to effectively respond to major threats and events as they crest the horizon. This talk will focus on FirstBank's journey to and through a Pivotal Security model of Agile-based security projects and tasking. It will cover the genesis, hurdles, growing pains and successes that have been realized by applying Agile principles. FirstBank has been able to boost work throughput and create a process that is flexible enough to pivot to the ever-changing demands and priorities with which our security team is presented. We now go faster and do more work.


Objectives:
  • Identify opportunities in a security program to apply Agile principles to reduce wasted time and resources.
  • Break down security work into manageable chunks, which will result in a better understanding of what their team is doing and at what velocity.
  • Prioritize the work that really matters to an organization.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V900-Craig Carpenter
Track: Threats (Detection/Hunting/Intelligence/Mitigation/Monitoring)
Tags: Intermediate
Credits Available:
1.00 CPE
Actionable threat intelligence should provide organizations with the ability to quickly detect (and react to) current threats beyond using the traditional signature- and behavior-based security tools. Many organizations, however, currently only view threat intelligence as generic free or paid feeds containing indicators of compromise related to historical attacks, used to enrich their own data. Although this approach is common, information gathered through it is of limited use for organizations and cannot be thought of as “actionable intelligence”. In this presentation, we will look at how raw, freely available data and tools may be used in a DIY fashion to create a tailored threat intelligence program that supplies the organization with data of real actionable value.


Objectives:
  • Create an effective threat intelligence program tailored to the needs of their organization.
  • Differentiate between specific types of threat intelligence.
  • Select appropriate tools for use in security architectures that will provide both detection and/or reaction capability as well as threat intelligence data.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V700-Jeremy Becker
Track: Cutting Edge
Tags: Basic
Credits Available:
1.00 CPE
...and then it all changed. In the past year many security clients have seen sweeping changes in how their information is protected--ranging from the adoption of strong authentication and new work patterns to accepting Zero Trust environments. Change is occurring at an unprecedented, often unplanned rate. This sudden burst of change has had security staff jumping to find solutions to security issues that were perceived as "off in the future." In this presentation we will look at real-life scenarios and how they were approached in the new workplace of highly distributed workers.


Objectives:
  • Communicate security changes to their office environment.
  • Exemplify technologies that can be adopted to secure a distributed workforce.
  • Discuss remote security tools and practices with senior management.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V800-Paul Jackino
Track: DevSecOp
Tags: Basic
Credits Available:
1.00 CPE
DevOps and DevSecOps pipelines are all the rage, and every day there is a seeming increase in the number of uses of the term DevSecOps. A pure DevSecOps pipeline is ideal, but almost always unrealistic given organization-specific technical or business constraints (e.g., intra-organizational approvals, business cycles and objectives, regulatory approvals). Much like Donald Rumsfeld once said: "You go to war with the army you have, not the army you might want or wish to have at a later time." As leaders of the cybersecurity industry, we need to achieve actionable, high-quality cybersecurity solutions despite organizational imperfections. Automation of the Sec element within DevSecOps requires a delicate balance between speed and security, automation and human awareness, and great and good enough.


Objectives:
  • Define the critical processes and benchmarks involved in various automation approaches to the Sec element of a DevSecOps pipeline.
  • Understand the attributes of a successfully automated (fully automated or man-on-the-loop automated) Sec element of a DevSecOps pipeline, and recognize common attributes of unsuccessful Security automation practices.
  • Appreciate the operational, technical and financial advantages (to cybersecurity staff, projects, organizations, and user communities) of successfully implemented automated Sec processes within a DevSecOps pipeline.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V300-Jeff Graham
Track: Zero Trust
Tags: Intermediate
Credits Available:
1.00 CPE
We will discuss NIST Zero Trust Architecture (ZTA) guidelines, reviewing the pros and cons of the three ZTA methodologies discussed within those guidelines. We will cut through the buzzwords and the noise and discuss an agnostic POV on the most efficient Zero Trust controls. We will examine both the technology and business impact of ZTA in the era of the remote workforce and multi-cloud environments. Additionally, we will review recent security breaches and discuss lessons learned from current cyber trends. We will explain how Zero Trust controls provided a strong defense against breaches. Finally, we will wrap up the session with recommendations for evaluating ZTA initiatives within your organization.


Objectives:
  • Describe the pros and cons of the three Zero Trust architecture approaches.
  • Demonstrate an understanding of NIST Zero Trust Architecture guidelines, and how those guidelines can be applied to the enterprise.
  • Define controls that provide an effective defense in the current climate (remote workforce, threat landscape, hybrid multi-cloud).
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V600-Taylor Rondenell
Track: Workforce Trends (Diversity/Recruiting)
Tags: Intermediate
Credits Available:
1.00 CPE
The presentation will focus on drivers to develop a digital-first model, including problems/pain points Giesecke+Devrient encountered with the "old" model during its digital transformation process. We'll discuss:
  • Requirements we needed to take into consideration (regulatory, internal, etc.).
  • Definition of terms in this context.
  • Positioning of information security as a corporate center in the company (mission, vision, added value proposition, etc.).
  • The organizational model (information security and IT organizations and the role of the Cyber Defense Center).
  • Challenges encountered since its introduction, adaptations to the model since its definition/implementation in 2018, and the influence of the pandemic on accelerated digitization and subsequently on information security.


Objectives:
  • Explain why diversity is a key to the continuous improvement of information security and its support of digitization initiatives within a global company.
  • Explain to senior management and the business how information security can be a true enabler adding value to the digitization process.
  • Embark on a similar successful journey to a modern digital-first information security organization by providing a blueprint for a modern organization.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V400-Kyle Lewis
Track: Cyber Crime
Tags: Intermediate
Credits Available:
1.00 CPE
Email protocols (such as SMTP, POP, IMAP, MIME) were designed to deliver messaging functionality rather than security. It is relatively simple to spoof a sender and/or their domain using email. Yet, the bulk of business communication remains driven through email. Email is also the primary vector used for malware attacks, phishing attacks, business email compromise and other attacks. What to do? Can you trust the source of the email you received? We discuss strengths and drawbacks of existing technical standards (such as SPF, DKIM, DMARC) to prevent email spoofing and of secure email protocols such as S/MIME. We discuss AI/ML- and reputation-based approaches to improve confidence in email origination, as well as a novel known-sender-profiling approach that can further protect a user against email spoofing.


Objectives:
  • Identify the weaknesses of standard email protocols and how spoofed emails can result in serious cybersecurity and business compromise.
  • Identify and implement existing technical protocols that prevent attackers from spoofing their domain and/or senders, while realizing that these techniques are not very helpful in preventing attackers from sending spoofed emails to users within their own domain.
  • Learn about and apply additional existing tools and techniques as well as a novel known-sender profiling technique to achieve a higher level of protection against email spoofing.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V500-Joe Trusso
Track: Professional & Career Development
Credits Available:
1.00 CPE
This talk suggests a wide list of non-fiction, non-textbook, cyber-related books that should be part of your reading list. These titles help put what we as cybersecurity professionals do in the broader context of international conflict, government and society. We all know the "what" and "how" of cybersecurity. A lot of these authors help provide the "why." Starting with Clifford Stoll's 1989 The Cuckoo's Egg and working through books that talk about current hot topics that touch on privacy, misinformation, e-commerce, ARPANET and international cyber conflict, we provide suggestions that should spark interest and discussion - including audience recommendations.


Objectives:
  • Have an extensive list of books to help inspire, enlighten and communicate to peers and co-workers a deeper understanding of why what they do is important.
  • Be inspired to seek out new books that help put the daily grind in a broader societal and historical perspective.
  • Know where to go to find historical knowledge of how the profession has evolved in recent decades.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V1200-Craig Ciccolella
Track: InclusionREADY
Tags: Basic
Credits Available:
1.00 CPE
At 25% workforce penetration, women are still underrepresented in cybersecurity. The question is: Why? And what do we do about it? This panel of diverse women at different career stages and varying roles will share their experiences, goals and insights. They will discuss their journey, perspectives and visions for the future for women in cybersecurity. The panelists want to help more women find their way through what continues to be a male-dominant field; to inspire women to join in the opportunities that come with a career in cybersecurity.


Objectives:
  • Understand why various non-technical backgrounds are needed in cybersecurity.
  • Discover how to contribute to a growing field that needs more women.
  • Have conversations about why diversity and inclusion is necessary for a successful cybersecurity program.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V100-Jeremy Speakes
Track: Incident Response/Investigations/Forensics
Tags: Intermediate
Credits Available:
1.00 CPE
Time and again, we see that the key hosts implicated in cyber incidents, those where threat actors gain initial access or which they exploit to spread throughout the network, aren't even supposed to BE there anymore. These are testing servers that were stood up during testing and were supposed to have been shut down afterward. They are old development systems that linger, long forgotten, unpatched and unmonitored. They are legacy application servers "temporarily" exempted from security requirements. In this talk, we will look at several examples of how this can happen even in large, well-resourced organizations with otherwise mature IT operations. We will discuss how we can avoid this phenomenon in our organizations and use our awareness of it in defending and threat-hunting on our networks.


Objectives:
  • Describe how cyber threat actors seek out and take advantage of vulnerable hosts in enterprise networks.
  • Determine the most likely hosts in their enterprise that could be used by a cyber threat actor to gain or maintain access.
  • Describe the reasons why vulnerable hosts linger in organizations and how to detect and avoid this in their own organizations.
Tuesday
10:30am - 11:30am EDT - October 19, 2021 | Room: V2400-Chad Ritter
Track: Governance, Risk & Compliance
Tags: Basic
Credits Available:
1.00 CPE
This session will go over the results of an independently conducted study that explores the relationship between a publicly traded company’s cybersecurity rating and the performance of its stock price over time. Researchers from the Journal of Cyber Policy monitored security ratings and returns on share prices for companies listed within the S&P 500 index for a period of 52 weeks, and discovered surprising findings. Alex Heid, Chief Research Officer of SecurityScorecard, will discuss the results of the Journal's report, as well as the continuously growing interconnected relationship between business risk and cyber risk.


Objectives:
  • Attendees will be given a deep dive into a case study conducted by the Journal of Cyber Policy about the relationship between stock prices and cyber ratings.
  • Attendees will learn about the emergence of new nuances of cyber risk that may directly impact business operations in unexpected ways.
  • Attendees will be armed with new information to put into action in their risk management practices.
11:45am - 12:45pm EDT - October 19, 2021

Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V200-Atticus Kaiser
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.00 CPE
In 2020, FAIR Institute membership passed 10,000, representing more than 40% of the Fortune 1000, and spanning 118 countries. In only five years, use of this open standard approach to risk quantification has reached critical mass and is now recognized by NIST, COSO and HITRUST. Boardrooms are increasingly averse to risk colors and heat maps using ambiguous, ordinal scales. For centuries, the language of business risk has been in dollars and time. IT and cybersecurity risk must embrace the next evolutionary step and learn to speak this language with accuracy and confidence. This session will explore foundational measurement and quantification concepts, failures of current models and enlightening research. It will also introduce the global standard Factor Analysis of Information Risk (FAIR) concepts and ontology.


Objectives:
  • Solidify understanding of typically ambiguous terms and concepts surrounding current IT risk management practice.
  • Demonstrate the failures of current qualitative risk management standards and processes.
  • Understand the basic concepts of the FAIR risk quantification framework and how its use can integrate IT/cyber risk into the broader business risk construct and discussion.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V1300-Josh Ensley
Track: Governance, Risk & Compliance
Credits Available:
1.00 CPE
Ever wonder how we defined the programs that we have today? Many security professionals started with PCI, HIPAA or SOX compliance. This presentation will take you on a journey from the creation of the Computer Security Program for Mission Operations at Johnson Space Center, NASA. That program was based on data security principles, the Orange Book and the Computer Security Act of 1986. The journey continues through the creation of several more programs; adding compliance, metrics and, in the end, drawing on the past to create a program that was agile enough to meet the rapidly changing needs of the business during a pandemic. This presentation will focus on tricks, traps, lessons learned and standards created along the way.


Objectives:
  • Appreciate much of the history upon which many of our standards and programs are built.
  • Use (often forgotten) principles and lessons learned from the past to help create a data-centric and risk-based program that meets the changing needs of business.
  • Ask questions of a seasoned professional who has helped to create some of the processes and standards through the evolution from computer security, network security and cloud security to cybersecurity.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V1500-Nicholas Kogut
Track: 3rd Party Risk
Tags: Intermediate
Credits Available:
1.00 CPE
COVID-19 demonstrated to the world that supply chains are critical to our society and are vulnerable to many different types of disruptions, not just cybersecurity disruptions. We must understand that supply chains are more than logistics, more than risk assessments or SOC reports on a vendor’s cybersecurity, or due diligence. Today’s supply chains need ongoing monitoring and attention. They require third-party risk management. This presentation will explain the processes and procedures needed to properly select a vendor, perform due diligence, determine inherent risk, calculate residual risk, manage contracts, establish ongoing monitoring, document and report to senior management and the board, maintain oversight & accountability and terminate vendors, all while protecting their supply chains.


Objectives:
  • Create secure supply chains for an organization.
  • Identify the weak links in supply chains and develop business continuity management measures to protect organizations from loss.
  • Accurately assess the risk in their third-party risk management programs, apply those metrics to the entire supply chain and determine the overall risk to their enterprise.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V1400-Brad Lutz
Track: Malware
Tags: Intermediate
Credits Available:
1.00 CPE
No doubt, you've heard about the recent attack that leveraged a technology software supplier, SolarWinds, to compromise a large number of organizations, including many in the IT industry and U.S. government agencies. This was one of the world’s most serious nation-state cyberattacks, and has raised a number of questions, including "How do I know if I was impacted?" In this session, we'll talk about how the attack was carried out, and, more importantly, how customers can identify the TTPs indicating a compromise in their own environment.


Objectives:
  • Understand how the SolarWinds breach was carried out.
  • Understand what the attackers were able to do.
  • Understand how to threat hunt for attacks like SolarWinds in an environment.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V1800- Salem Zarou
Track: Human Factors
Tags: Basic
Credits Available:
1.00 CPE
How did the role of humans change with the pandemic? Why do we always say that humans are the weakest link, and why should we start saying the opposite? During these difficult times, it is more evident than ever how important humans are to protecting our networks. This presentation walks the audience through some approaches to engagement and how this knowledge can help attendees protect themselves, their loved ones and their organizations. We will explain how attackers' approaches changed during the pandemic, and how we should adjust too to defend ourselves in this new situation.


Objectives:
  • Understand how the pandemic changed social engineering attackers' tactics, techniques, and procedures.
  • Understand how to better protect yourself, loved ones and organizations against social engineering attacks.
  • Understand the importance of knowing the human threat landscape.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V1600-Charlene Budziszewski
Track: Cloud Security
Tags: Intermediate
Credits Available:
1.00 CPE
Pen testing is standard security practice for simulating attacks to identify system vulnerabilities, and most industry compliance audits require them. But most pen testing efforts overlook the No. 1 risk in the cloud: misconfiguration. In this session, we will walk through pen testing your cloud security posture - what it looks like, how to approach it in-house, and how to evaluate vendors to ensure they understand cloud misconfiguration and how to exploit it. This session will provide security professionals with a framework for approaching pen testing cloud environments and feature real-world misconfiguration exploits and actionable information you can use to begin incorporating your cloud attack surface in your pen testing plan.


Objectives:
  • Define the differences between traditional pen testing and cloud pen testing and how to think like a hacker in pen testing cloud environments.
  • Describe cloud misconfiguration attacks, and perform internal cloud security testing and vulnerability assessments.
  • Define a bounty-driven exercise to employ white hat hackers to probe your cloud environment to identify vulnerabilities that compliance and security tools can miss.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V1700-Ryan Baill
Track: Professional & Career Development
Tags: Intermediate
Credits Available:
1.00 CPE
This presentation discusses the definition and value of Cybersec Data Science (CSDS) and why it is more than threat intelligence and risk analysis. We'll look at nine main types of CSDS work and how organizations leverage CSDS in the public sector, finance and health industries and marketing. We'll key in on actionable outcomes and dealing with dirty or half-relevant data. Additionally, we'll discuss how to clean, cross-reference, and bucketize security data, as well as use machine learning, statistical models and data-pivots to construct metrics. From there, we'll demonstrate how to communicate findings and more.


Objectives:
  • Have a clear understanding of Cybersec Data Science and how it can be used in a variety of organizations and missions. Specific tasks and operational examples will be provided, such as how large financials integrate it into adversary assimilation and real-world risk decision support.
  • Learn effective techniques derived from Cybersec Data Science practices such as cross-referencing internal metrics with industry norms, tracing cybercrime monetization strategies, attack flow modeling, conducting results-driven analysis, and prioritizing control efforts. Tips will also be given on clearly communicating findings to executives.
  • Explain how to become a cybersecurity data scientist (or hire a good one), which skills are necessary (and how to learn them), what goes into building an effective team (and where the team should sit within an organization), and the proper mindset and mission of the team.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V2000-Alex Aarson
Track: Professional & Career Development
Tags: Basic
Credits Available:
1.00 CPE
Cyber organizations struggle to retain cyber talent. Why re-hire blue teams, red teams, CIRT and cyber analysts, if we can forge a team that stays? This case study describes how a 230-person cyber team supporting a major U.S. federal agency developed intrinsically rewarding programs that solidified commitment to a shared mission. Session participants receive guides with actions and flow charts needed to establish CyberLeaders 3.0 leadership development programs. Results: through the cohorts presented to date, our team decreased talent flight by 50% and boosted participation by female cyber professionals (>50%) and underrepresented demographics (>30%). We'll include statistical analysis of program process metrics and outcomes. This CyberLeaders case study decreased cost as well as risk because our experts already know our adversaries.



Objectives:
  • Describe the three key performance indicators that distinguish a successful leadership development program tailored to cyber professionals, as measured by a virtual poll conducted at the start and end of the presentation.
  • Identify the two key ingredients needed to sustain a leadership development program, as measured by a virtual poll conducted pre- and post-presentation.
  • Identify the one unique component that needs to be included in cybersecurity leadership training to make it suitable for the cybersecurity arena, as measured by a virtual poll conducted pre- and post-presentation.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V1900-Jacob Fish
Track: Human Factors
Tags: Intermediate
Credits Available:
1.00 CPE
Cybersecurity is primarily concerned with protecting the value of information, directly or indirectly, against theft. Yet we see increasing attacks designed to cause suspicion and uncertainty, undermine confidence, or promote a particular narrative or ideology. Recently we have seen misinformation attacks intended to undermine confidence in the U.K.'s fight against COVID-19, influence the U.S. elections and destabilize Ukraine's democratic government. In this session we explore the relationship between subjective truth and objective facts in the context of fake news and new forms of subtle attacks. We discuss the roles that social media, psychology and culture play. We'll also talk about how, while traditionally an information security problem, this increasingly requires AI-based cybersecurity techniques and technology to detect and mitigate.


Objectives:
  • Understand the difference and relationship between the objective facts and subjective truth and the ways attackers exploit these to spread misinformation, often using fake news and subtle influences in order to promote their own agenda.
  • Recognize more clearly signs of misinformation and fake news, the rationale behind them, how they manifest, and the different techniques and attack vectors used, often so subtle that they are not immediately obvious on their own.
  • Recognize and assess the risk of misinformation and fake news attacks and decide on what cybersecurity tools, techniques and strategies are available for identifying, analyzing and mitigating these as well as how to implement these tools as part of a wider strategy.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V2100-Sondley Cajuste
Track: Small/Medium-sized Business Security
Tags: Intermediate
Credits Available:
1.00 CPE
Big companies have all these security resources we hear, while small companies just don’t have the money or people. But does size equal security? Small and large companies have much more in common than they realize. With all the solutions that large companies have implemented and tried, what lessons can a small security team take from these? Small companies have to be nimble and think differently; what can a large company learn from them? Come join us to learn how much security everyone has in common and some learnings that could help your organization take things to the next level.


Objectives:
  • Appreciate the challenges of different-sized security teams and what we can learn from those differences.
  • Demonstrate that security issues impact organizations regardless of size.
  • Define strategies to learn from the successes and failures of other security teams.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V2200- Jordan Garcia
Track: Governance, Risk & Compliance
Tags: Advanced
Credits Available:
1.00 CPE
Since 2006, PCI DSS compliance has been required for any company that stores, processes or transmits credit card data. But as networks, payments and applications get more complicated, and security threats increase, so too do the potential PCI solutions. This panel brings some of the smartest and most experienced PCI professionals in the industry to the table. They have seen the best and the worst in the payment industry, and will share the successes to make you effective, and a number of horror stories so you don’t lose your job. The panel will detail a number of eloquent solutions to common PCI issues, and answer pesky problems that are plaguing attendees. No good question will be left behind.


Objectives:
  • Get real world answers to PCI DSS questions.
  • Level set what is needed to meet PCI DSS compliance.
  • Understand some of the most vexing PCI requirements.
Tuesday
11:45am - 12:45pm EDT - October 19, 2021 | Room: V2300-Nick Malczewsky
Track: ICS/Critical Infrastructure
Tags: Intermediate
Credits Available:
1.00 CPE
Cyber-physical systems are delivering an increasing portion of the infrastructure services at the heart of our economy and national security, and you don’t have to look far for examples of technology-enabled, industrial control, and the internet-of-things in the core operations of healthcare, food and agriculture, energy, transportation, or manufacturing. Further, one has only to look at the contemporary examples of our systems under stress, such as the JBS and Colonial Pipeline cyber attacks, to understand the fragile risk ecosystem confronting infrastructure owners and operators of cyber-physical systems. In fact, the title of this talk is purposefully a catch-22, meaning that just as infrastructure resilience is inherently dependent on safe and secure cyber-physical systems, so too is the collective work to see cyber and physical security achieve resilience tethered to the great steps we take in the 21st century to automate and make more complex operating environments within critical infrastructure.

01:45pm - 02:45pm EDT - October 19, 2021

Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V1200-Craig Ciccolella
Track: Small/Medium-sized Business Security
Credits Available:
1.00 CPE
Organizations are starting to understand the security risks that must be addressed within their organizations, resulting in businesses hiring CISOs, directors of information security, and other security professionals to address this problem. The question then becomes, where to begin? Using the NIST Cybersecurity Framework as a baseline will give clarity on the security gaps and what needs to be addressed. The next step is how this will be communicated to the C-Suite to obtain buy-in and, more importantly, budget. This session will present a process for security professionals to build an information security program from the beginning, obtain buy-in from executives, facilitate a culture of security throughout the organization and communicate security posture to the executive team in their language.


Objectives:
  • Use the NIST Cybersecurity Framework as a roadmap that can include metrics to determine progress.
  • Develop an outline of an information security program for small and mid-size companies.
  • Develop business cases for security controls and solutions that will be needed to reduce cybersecurity risk.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V1000- Owen Meldrum
Track: 3rd Party Risk
Tags: Intermediate
Credits Available:
1.00 CPE
Reading about supply chain attacks can cause anxiety when companies today procure much of their software and services from third parties. The tick-box approach of vetting suppliers with cursory audits misses many of the pain points that are often leveraged in real attacks. This session will cover integrating offensive security into traditional third party vetting approaches or using offensive security as its own benchmark prior to integrating third-party software and services into your environment. We'll cover examples of how to apply this approach to your own third-party vetting, and include some real-life success stories of vulnerabilities found in products already in use by many companies.


Objectives:
  • Understand how and when to apply offensive security in third-party risk assessments.
  • Know and appreciate the limitations of current third-party onboarding.
  • Apply this knowledge within your own third-party onboarding.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V700-Jeremy Becker
Track: Cyber Crime
Tags: Intermediate
Credits Available:
1.00 CPE
Experience the cybercrime victim navigation process, or journey to recovery. Explore symptoms, experiences, pressure and challenges experienced during the crisis and learn industry techniques, best-practices and processes you can take to protect your business.


Objectives:
  • Comprehend/understand the journey to recovery from a ransomware attack.
  • Understand/comprehend the lessons learned from impact to recovery after a cybercrime is committed.
  • Apply best practices, tools and techniques to mitigate the threat vector[s].
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V1100-Jon Moody
Track: Mobile/Remote Workforce Security
Tags: Basic
Credits Available:
1.00 CPE
The shift to remote work during the COVID-19 pandemic forced our enterprise security awareness and training (A&T) program into an immediate and rapidly adaptive state in March 2020. Our traditional methods were made ineffective by prohibitions against live engagement and by our workforce being inundated with pandemic messaging. Effective A&T programs must by their nature be continually adaptive. We will present on the forced evolution of our approach, which resulted in a successful – and in many ways improved – strategy. We’ll show how this ultimately resulted in new initiatives, a more engaged community and a surprisingly very clean audit of the program. We’ll demonstrate what worked, what didn’t and why the pandemic actually moved our program to the next maturity level.


Objectives:
  • Identify steps to increase effectiveness of A&T programs.
  • Evolve A&T programs to meet the challenge of remote learners.
  • Structure an A&T program to successfully satisfy auditor assessment.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V800-Paul Jackino
Track: Supply Chain Security
Tags: Intermediate
Credits Available:
1.00 CPE
The SolarWinds hack represented a very public example of what can happen with a compromised or insecure supply chain. Unfortunately, SolarWinds is not unique. Consider the number of Java and OpenSSL vulnerabilities disclosed during the past decade. Solarwinds does drive home the importance of monitoring your environment and, more particularly, its software supply chain. Of course this raises the question: How can we monitor our supply chain? This session will provide a soup-to-nuts example of the elements you need to build your supply chain analysis tool. It will also identify where you might get some of those elements (for free) and explain key decisions you will need to make along the way.


Objectives:
  • Understand the components required to develop and implement a strategy to track application components in their environment or products.
  • Evaluate and communicate application component risks to an internal environment.
  • Conduct environmental component audits and respond to risks faster.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V900- Craig Carpenter
Track: Zero Trust
Tags: Basic
Credits Available:
1.00 CPE
You can learn a lot about cybersecurity best practices from studying honeybees. Organizationally, and operationally, honeybee colonies function a lot like cybersecurity teams. Like cybersecurity organizations, honeybee colonies are interconnected superorganisms. Individuals progress through lifecycle stages while protecting against external, and internal, threats. A honeybee colony's No. 1 goal is good decision-making to ensure the security and propagation of the hive. This means continuously assessing risk, detecting threats, responding to attacks, preventing intrusions, and closing hive security gaps. Direct parallels to malware, data exfiltration, insider threats, viruses, using AI and machine learning, allocating resources, SASE, and even NIST SP 800-207 can be made. Join this informative talk that will teach you a little about bees while sharing how to look at your cybersecurity program from another paradigm.


Objectives:
  • Understand risk-based decision-making and frameworks in cybersecurity, told through a honeybee analogy.
  • Understand SASE and zero trust.
  • See your cybersecurity program through a new paradigm.
Tuesday
In April of 2021, the FBI executed a search warrant upon a series of “Certain Microsoft Exchange Servers Infected with Web Shells.” This warrant was different from typical ones, however: it authorized the FBI to not only find and copy the malware instances, but to delete them entirely from the servers. These actions were undertaken in the ongoing battle against state-sponsored malicious actors but have come to be seen as unprecedented. In this session, information security legal veterans will review why the U.S. government took this action, whether it was legally justified, and why your organization might be on the receiving end of such a warrant.


Objectives:
  • Understand the circumstances that prompted this new tactic.
  • Evaluate the scope of the search warrant and underlying affidavit.
  • Determine what legal recourse your organization may have in such a case.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V600-Taylor Rondenell
Track: Small/Medium-sized Business Security
Tags: Basic
Credits Available:
1.00 CPE
We know that exciting new technologies and advances in areas like AI/ML always generate attention, but even after three decades of incredible advancements in cybersecurity, most breaches still fall into one of two major categories: (1) APTs perpetrated by nation-states or other organized groups intent on succeeding by any means necessary; and (2) an entire panoply of malicious hacks largely resulting from human shortfalls or foundational vulnerabilities that could be secured if organizations kept their eye on the basics. Our panelists are all battle-tested CISOs who will use personal anecdotes, practical advice and the CIS 20 for approaching asset inventory and management, threat logs and alerts, prevention capabilities at the endpoint, and configuration management to fortify the defenses of any size organization.


Objectives:
  • Be armed with a checklist to better tackle their current challenges around asset inventory and management; they will also learn shortcuts for managing massive threat logs and alerting systems.
  • Have a quick shorthand method (ICARM) to ensure all solutions are installed and configured completely and correctly--and how to keep them that way.
  • Know how to defend against "automated drive-by hacks" with tools they may already own but are languishing in their arsenals--and the critical importance of continuous remediation.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V500- Joe Trusso
Track: Human Factors
Tags: Basic
Credits Available:
1.00 CPE
Creativity and innovation are critical in any rapidly changing field like infosecurity. Creativity includes coming up with new ideas, new applications of existing ideas and new ways of looking at existing challenges. There is plenty of scientific research on creativity. However, creativity alone is of limited use; we need innovation, the implementation and practical use of creativity, to produce any value. As innovation involves execution of creative ideas, planning is essential for innovation. In this talk we look at the research behind creativity and innovation, Ted Demopoulos’ multiyear long experimentation with various techniques, and their application to infosecurity. This is a practical talk, focused on techniques to increase creativity and implementing the most promising creative ideas.


Objectives:
  • Understand techniques to increase creativity and implement them in our daily lives.
  • List creativity killers and work towards avoiding them.
  • Effectively plan and execute promising creative ideas to provide practical value.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V100-Jeremy Speakes
Track: Small/Medium-sized Business Security
Tags: Intermediate
Credits Available:
1.00 CPE
Ever wondered what a vCISO is or does? Ever wanted to know what they have the opportunity to see as they move from company to company on a daily basis? Sit down with two professionals who bring decades of information security experience to the discussion. From defining the role and value of a vCISO to exploring what they're seeing as they get a unique perspective of a constantly moving view of the industry, bring your questions and be ready for an interesting talk.


Objectives:
  • Learn what vCISOs are, what they do and how they bring value to an organization.
  • Learn about what two vCISOs with decades of experience are seeing, not from being stuck in one trench but moving from place to place.
  • Learn what type of threats you might be missing, whether in a large company or a small company, if you only have a limited view.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V300- Jeff Graham
Track: Professional & Career Development
Tags: Basic
Credits Available:
1.00 CPE
The (ISC)² Cybersecurity Workforce Study is well known for its annual workforce gap analysis, but our association’s flagship study offers a much deeper and unmatched dive into the challenges and opportunities facing today’s workforce. Join us for an exclusive first look at key findings from a global survey of your peers. In 2021, our study had record participation. Data provides insights into how cybersecurity professionals feel about their jobs, professional growth opportunities, anticipated future investments, strategies for overcoming staff shortages, hiring trends, advice for job seekers and much more. We will also share what we learned about the ongoing impact of COVID-19 and how it is impacting the cybersecurity workforce around the world.


Objectives:
  • Explore the opportunities and challenges facing the cybersecurity workforce.
  • Better understand the outlook on key issues and opinions of the global cybersecurity workforce.
  • Learn how cybersecurity professionals around the world are coping with the ongoing impact of COVID-19.
Tuesday
01:45pm - 02:45pm EDT - October 19, 2021 | Room: V2400-Chad Ritter
Track: Governance, Risk & Compliance
Tags: Basic
Credits Available:
1.00 CPE
Compliance is a required part of risk management. But are your compliance initiatives helping you bridge compliance and risk? Effective compliance is a catalyst for developing a proactive risk management program by providing effective controls and tools that assess, manage, and monitor risk. Compliance isn't about checking the box, it's about proactively protecting your company and providing assurance so that others trust doing business with you. And demonstrating trust will be the next market shaper.

  • Challenges in compliance and risk programs
  • Five best practices in starting a risk program
  • Compliance considerations that will improve your risk posture


03:00pm - 04:00pm EDT - October 19, 2021

Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V1600-Charlene Budziszewski
Track: Application Security/Software Assurance
Tags: Intermediate
Credits Available:
1.00 CPE
Developers dislike security but won't tell you that to your face. Developers think differently, and security keeps saying that developers need to embrace security in a DevSecOps world. Developers make the most meaningful security decisions, and many times, they are doing it without us. Why do developers dislike security? How can security meet developers where they are in a collaborative approach? Security doesn't understand development and often tries to force a process and toolset that is not optimized. Developers are indifferent towards security and, in extreme cases, detrimental to security's success. Explore the ten main frustrations that cause security dislike and a collaborative and culture-focused solution to address these frustrations. Learn to walk a mile in your developers' shoes, practicing developer empathy as a security person.


Objectives:
  • Understand the ten frustrations that impact developers in regards to security.
  • Apply the ten resolutions to build stronger application security programs.
  • Practice developer empathy, walking a mile in the shoes of a developer.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V1700-Ryan Baill
Track: Security Architecture/Engineering
Tags: Intermediate
Credits Available:
1.00 CPE
As more organizations move towards using a cloud-native architecture (e.g., microservices, containers, orchestration), they come to the realization that their security controls are also changing. They are moving from being perimeter-based to also being cloud-native. The firewall is dead, and zero trust architecture is here to replace it. Zero trust security is a model where application components or microservices are considered discrete from each other and no component or microservice trusts any other. Implementing and migrating towards a zero trust strategy for cloud is an engineering effort, to say the least. But the payoff is huge in terms of scalability and resilience to attack. We explore the design principles and then illustrate them in reference architectures for AWS, Azure and GCP that are reusable.


Objectives:
  • Describe the zero trust model as it applies to cloud architecture and cloud-native applications.
  • List the threats associated with zero trust architectures.
  • Plan the migration of a legacy cloud environment to a design that is based upon a zero trust architecture.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V1500-Nicholas Kogut
Track: 3rd Party Risk
Tags: Intermediate
Credits Available:
1.00 CPE
These days you do not have to walk far before you see the endpoint of a video surveillance system. Consider the cameras you have seen on homes, at traffic stoplights (look up), in stores, at the gym, in your workplace (when you are back in the office), transportation centers, warehouse facilities ... the list can go on and on. Video surveillance is a necessity in many environments. There are many use cases for video surveillance that make security sense. This session will provide a background into the steps a team can take to self-assess their physical security video surveillance infrastructure to avoid being hacked as in the case of Verkada.


Objectives:
  • Awareness of IoT and video surveillance infrastructure.
  • Practical steps an organization's IT and security team[s] can take to evaluate their hardware solution.
  • Practical steps organizations can take to evaluate their software and cloud video surveillance solution.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V1900-Jacob Fish
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.00 CPE
Since the beginning of information technology systems, there have been informal systems developed by users to compensate for shortcomings in the official systems. This presentation will examine the cause of informal business systems; how they can be identified in the IT environment; and how they can be properly evaluated as asset or threat. The discussion will include drivers and causes of shadow and rogue IT, and how organizations are modifying their governance structures to take advantage of the user-driven innovation often represented by these DIY systems. Ultimately, participants will understand how to evaluate user-derived IT solutions for their potential and risk, encouraging innovation while meeting regulatory and data protection obligations.


Objectives:
  • Understand the forces that result in unsanctioned IT systems operating in the business environment.
  • Discuss how to identify, through audit and inquiry, when and where shadow IT systems are being used.
  • Implement changes in governance that will enable the organization to realize the benefits from user-driven IT innovation while still controlling the risk and costs related to the unmanaged use and development of unsanctioned IT systems.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V1800- Salem Zarou
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.00 CPE
The bad guys are once again held at bay, everything is locked down, the incident is wrapped and your work here is done. Or is it? More and more of today's cyber incidents are leading into civil litigation where your best defense strategy starts with the first steps of incident response. Litigation preparedness needs to be a key aspect of your incident response plan; and if it's not, you are likely leaving your organization open to significant risk and future expense. Join us while we cover the basics of litigation, the rules you need to prepare to follow and why actions you take during incident response can be deciding factors on how that future litigation unfolds.


Objectives:
  • Describe the actions needed during incident response to prepare an organization for potential future litigation.
  • Describe how to avoid the pitfalls and simple mistakes that can cause significant adverse assumptions against an organization during litigation.
  • Update incident response plans to include litigation preparedness aspects to help protect an organization against the risk of incident-related litigation.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V2000-Alex Aarson
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.00 CPE
Many client organizations are confused by our industry's lingo, and particularly by similar or interchangeable terms. This session will discuss cybersecurity vs. cyber resiliency in the following context:
  • What's the difference in definitions and scope?
  • Why is this important for the practitioner to explain and communicate to clients?
  • What are the potential negative impacts of not differentiating for your clients?
  • Is it time for a terminology refresh to accommodate new technologies and updated terminology among various industry sectors?


Objectives:
  • Define cyber resiliency vs. cybersecurity.
  • Communicate effectively to clients the importance of understanding and addressing both.
  • Discuss or demonstrate examples of negative impacts of not fully addressing both in risk assessment and continuity planning.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: Simu-Live
Track: Cyber Crime
Tags: Advanced
Credits Available:
1.00 CPE
This presentation provides hands-on guidance of resources, methods and techniques available to investigate blockchain-related illicit usage. It also expands understanding of how cryptocurrencies can circumvent the requirements of KYC and AML to support the facilitation of illicit transactions, as well as how to follow the money to locate and possibly block their liquidation.


Objectives:
  • Learn which cryptocurrencies are ideal for illicit transactions, and how modern cryptocurrencies such as Monero and Dash can offer more anonymity vs. Bitcoin or Ether to aid in making illicit online transactions harder to follow.
  • Understand the most common types of blockchain exchanges, what differentiates them, who uses them and their roles in converting illicit transactions to legitimate fiat currency.
  • Learn key patterns, trends and typologies to flag illicit addresses. Learn the tools and techniques to detail the flows of illicit transactions using real-life examples. Identify the key controls to ensure compliance with KYC and AML and limit your exposure to the usage of cryptocurrencies for illicit transactions.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V200-Atticus Kaiser
Track: Supply Chain Security
Tags: Advanced
Credits Available:
1.00 CPE
Data is the digital currency of today. Access to data via APIs can enable digital transformation and at the same time allow malicious attackers to subvert the enterprise software supply chain. This API-focused approach leads to one directive: Enterprises must implement secure APIs to protect the data at all costs. To operate successfully, these secure APIs use a validated identity authorization to scope them to least access while at the same time remaining agile to DevSecOps flows allowing privileged access when needed. This session provides a detailed technical architecture and operations model to use identity access validation and risk response to protect APIs against supply chain and other software subversion attacks against the organization today.


Objectives:
  • Gain understanding of APIs and their impact on digital transformation and threat risk to the organization's data access.
  • Learn how secure APIs reduce risk to data of the organization through the use of user access verification and privileged access risk management.
  • Capture and understand the technical and operational model of secure APIs in order to leverage in attendee's organization. This will enable attendees to secure APIs against supply chain and other software subversion attacks against their organization today.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V1300- Josh Ensley
Track: DevSecOp
Tags: Intermediate
Credits Available:
1.00 CPE
DevSecOps is a major pillar for a successful security program as organizations are growing their ecosystems through interconnected information systems. The consequences of a poorly implemented program can render organizations insolvent as a single application-level data breach can impact an organization’s reputation, customer retention, and financial performance. Building a DevSecOps program is an insurmountable challenge for many security teams already struggling to meet a plethora of regulatory requirements. This presentation, representing a year of research with security professionals from companies around the world, helps you to understand DevSecOps. We will provide a clear description of what a DevSecOps program looks like based on our research including the systems, processes, governance, team, and environment needed to deliver a well-built DevSecOps program for your organization.


Objectives:
  • Describe what DevSecOps is and how it integrates with DevOps, including the system architecture, governance models, team structures and process integrations.
  • Describe the pillars of a well-built DevSecOps program, including how to measure the program's effectiveness.
  • Describe some of the potential challenges in developing a DevSecOps program.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V1400-Brad Lutz
Track: Privacy
Tags: Intermediate
Credits Available:
1.00 CPE
Implementation and certification to the Information Security Management System under ISO 27001:2013 provides organizations with a consistent framework of risk management and governance and forms a foundation of sound information security practices. With stricter privacy requirements, both in the United States and internationally, adding the Privacy Information Management System under ISO 27701:2019 provides further adherence to privacy requirements and adds specific controls for data controllers and/or data processors. This standard requires ISO 27001 certification. The combination of these two standards provides an organization with ongoing compliance and sustainability across evolving technologies and requirements. We'll present a review of each standard and a quick review of current privacy legislation, with case studies of organizations that reduced risk, increased efficiencies and boosted customer confidence.


Objectives:
  • Identify critical relationships between privacy and information security and how common controls can provide a greater value to managing legal, regulatory, contractual requirements.
  • Learn a strategy to gain management and customer confidence through applying a standardized, systematic method for the protection of multiple types of information as a data custodian, data processor or data collector.
  • Analyze the current privacy and information security program within your organization to determine potential gaps and areas of improvement.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V2100-Sondley Cajuste
Track: Security Automation/Artificial Intelligence/Machine Learning
Tags: Intermediate
Credits Available:
1.00 CPE
Due to advances in machine learning, the tools for making deepfake audio and video content are becoming both more refined and more accessible at a rapid pace. These factors are leading to an increased incidence of deepfakes and, as a result, increased security risks. This talk will explain the fundamentals of deepfakes, including describing different types of deepfakes and the machine learning techniques used to create them. Further, security concerns relevant to deepfakes will be presented along with discussion of real-world incidents. Building on this foundation, we'll present current approaches for deepfake detection such as practical human detection methods and automated machine learning-based detection processes. A look at deepfake detection methods will include a summary of the current state of the art.


Objectives:
  • Understand the processes for creating deepfake audio and video files, and list different types of deepfake creation techniques.
  • Describe methods for detecting deepfakes, including both human achievable approaches and machine learning-enabled automated solutions.
  • Appreciate the security and safety risks that deepfakes pose and understand preventive actions that can be taken.
Tuesday
03:00pm - 04:00pm EDT - October 19, 2021 | Room: V2200- Jordan Garcia
Track: Professional & Career Development
Tags: Basic
Credits Available:
1.00 CPE
Cybersecurity is a stressful career. Practitioners are always one misstep away from being the victim of an attack and that leads to a stressful existence. Maintaining balance is critical. This panel will focus on pragmatic approaches to keeping a healthy work/life balance. With hobbies and activities ranging from exercise, gym classes and yoga, to reading, playing music and even taking up flying lessons – our panelists will engage in a lively discussion around keeping balance in our lives by doing things other than work and how those activities can even greatly improve the quality of your work.


Objectives:
  • Recognize the damage caused by an unhealthy work/life balance.
  • Identify some potential areas for improving their own work/life balance.
  • Recognize the value of external activities to the betterment of a career and current work.
04:30pm - 05:30pm EDT - October 19, 2021

Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V1000- Owen Meldrum
Track: Professional & Career Development
Tags: Intermediate
Credits Available:
1.00 CPE
As a cybersecurity professional, there are many opportunities for those with a cyber skillset. With more people looking to change their careers or advance within the cybersecurity space, they begin to ask: How will I stand out from the other cybersecurity professionals applying for the same job opportunities? Think of your career development like training for the Tour de France. There are several stages that must be achieved before you can get closer to wearing the yellow jersey and standing on the podium, i.e., achieving your career goal. Training for the stages of the Tour de France is similar to training for the stages of your own career development. However, the stages in your development will be measured in years rather than miles.


Objectives:
  • Learn and understand that professional development and growth, in cybersecurity, is a multi-year process with planned milestones for success. Every stage of your development must be deliberate with experiences and knowledge that must be obtained before moving to the next stage.
  • Understand that personal growth starts from within. It will require mental and physical development to endure career challenges/obstacles when becoming a cybersecurity professional. And that getting ahead doesn't always mean moving up.
  • Learn to be better positioned for success when grooming others through leadership, mentoring and motivating. When you make it an objective to develop the cyber skillset of those around you, your yellow jersey becomes easier to obtain.
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V900- Craig Carpenter
Track: Human Factors
Tags: Intermediate
Credits Available:
1.00 CPE
In the past several years, dark web activities have spread far beyond traditional boundaries. Today's competition and overabundance of stolen data have broken traditional dynamics and forced a rapid evolution of cybercrime. One stolen user's credential may bring down an entire company, as ransom and ransomware continue to evolve. Stolen data is drawing record sale prices. Zero-day vulnerabilities are more effective and expensive. Social engineering attacks are complex and often impossible to distinguish from real activities. Insider threats are even more dangerous. All of these threats and changes in cybercrime make the dark web more dangerous and impactful than ever. Our deep dive into the current state of the dark web should provide a better background for improving defenses today and tomorrow.


Objectives:
  • Understand current dynamics of the dark web.
  • Recognize new attack patterns and abuse techniques.
  • Defend infrastructures from new waves of attacks.
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V800-Paul Jackino
Track: Supply Chain Security
Credits Available:
1.00 CPE
Recently, the U.S. has fallen victim to the most pernicious and skillful cyber espionage campaign known in our history, SolarWinds. The days to come will reveal more vulnerabilities, other points of weakness in the supply chain and further weaken technical defenses. Supply chains are complex and ever-changing. Consider third-party integrators, addition of new software or hardware products into the environment, and employees of the companies that make up the supply chain. Today’s dynamic technology fabric creates a greater need for due-diligence and common security control baselines as a standard for doing business. Basic reviews typically focus on “questionnaire” type audits that don’t address or satisfy the risks of the third-party workforce. (The 2018 (ISC)2 Cybersecurity report noted that 33% of small businesses admit that their employees had mishandled client credentials.) We, as leaders in cybersecurity, must begin to seriously address all aspects of the supply chain and respond to the weakest links.


Objectives:
  • Understand components of the supply chain and frameworks for assessing cybersecurity risks.
  • Understand how Zero Trust enables better third-party risk management.
  • Discuss a roadmap for a successful supply chain insider threat program.
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V700-Jeremy Becker
Track: Supply Chain Security
Tags: Advanced
Credits Available:
1.00 CPE
Cyber supply chain risk became the most discussed topic in late 2020. The increased use of suppliers for various functions in the organization has made this even more important than before and, in this process, there is a loss of visibility into the technology that is being integrated into the organization. Recent supply chain attacks and the constant discussion of cyber supply chain risk management raise the most important gap for organizations: not evaluating the critical processes, their dependent suppliers and the impact of compromise. The solution to this challenge is a two-fold approach (internal to the organization and external to it). It is time to integrate cyber supply chain risk management into enterprise risk management.


Objectives:
  • Gain clear understanding of cyber supply chain principles to build policies/procedures for supplier risk management at an organization.
  • Understand which standards can be tailored to an organization and decide to choose a new standard or leverage existing ones for their CSCRM.
  • Approach cyber supply chain risks holistically by removing the perception that CSCRM is an IT issue and understand CSCRM risks at enterprise level.
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V500- Joe Trusso
Track: ICS/Critical Infrastructure
Tags: Basic
Credits Available:
1.00 CPE
Control Systems Cyber Security Association International (CS2AI), in collaboration with a team of SMEs from an alliance of supporting cybersecurity organizations, conducts a yearly analysis of the current state of ICS cybersecurity. Leveraging the participation of multiple stakeholders across roles and industry sectors (from within its membership of 20,000+ security professionals and unaffiliated practitioners), the survey is designed to help answer key questions about how we can best protect critical systems in the face of ever-growing and ever-evolving threats, and to provide decision support tools that help guide control system cybersecurity practitioners, management and leadership teams to make well-informed and prioritized decisions regarding the protection of critical assets. This session will present key findings of the 2021 research project.


Objectives:
  • Determine how organizations compare against industry control system cybersecurity benchmarks.
  • Identify optimization targets within their control system cybersecurity programs based on real-world performance reporting on security budget allocation effectiveness.
  • Understand risks to an organization's control system operations and assets, and assess specific threats, vulnerabilities and controls.
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V600-Taylor Rondenell
Track: DevSecOp
Tags: Intermediate
Credits Available:
1.00 CPE
After having every job in information security (from log review to CISO), I took a break to spend time running production engineering for a major PaaS vendor. I learned a lot about the fine details of engineering management, but I learned a whole lot more about how security could be done more effectively. I'm back in the security world and starting to implement what I learned. Here's a little bit of insight that might make a difference in your world. But I might not stay - there are a lot of good ways to accomplish things, but I'm even less sure that security should be a separate discipline. Hard-won lessons to share.


Objectives:
  • Clearly describe the key points of interaction failure between engineering and security organizations.
  • Demonstrate an awareness of the knowledge and perception gap between engineering and security cultures.
  • Conduct analysis of their own organizational interactions to find opportunities for improvement.
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V1100-Jon Moody
Track: InclusionREADY
Tags: Basic
Credits Available:
1.00 CPE
Building on last year's talk about retaining staff, this talk focuses on hiring, because you can't retain staff members if you can't manage to successfully hire them. We'll dig into how we interview and the message your process gives potential future staff. In this talk you will understand:
  • What an attractive hiring process looks like.
  • Where to look for the best candidates.
  • How to build a team that is Diverse by Design.
At the end of this talk you will leave with:
  • A list of next steps to take back to your business.
  • A blueprint for the ideal hiring process.


Objectives:
  • Describe what an attractive hiring process looks like.
  • Know where to look for the best candidates.
  • Build a team that is Diverse by Design.
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V2400-Chad Ritter
Track: Privacy
Tags: Advanced
Credits Available:
1.00 CPE
Executives and boards should ensure they understand the potential multijurisdictional conflicts that may arise from differing privacy and data protection laws around the globe. This allows us to develop policies and procedures that are consistent with the organization's strategy and risk appetite, particularly when some outcomes for corporate non-compliance create high penalties or potential criminal liability. Developing an understanding of the international regulatory framework will be critical to support hybrid and remote workforces for a level playing field and for continued economic recovery.


Objectives:
  • Identify new enforcement agencies, mechanisms and the latest privacy regulations around the globe that can create challenges of non-compliance for companies and executives, as well as gain an understanding of how GDPR variations, CCPA-like laws and other spin-offs may also impact compliance.
  • Comprehend critical detail about key domestic and international cybersecurity law and privacy law cases that can impact companies that do business globally with financial and criminal repercussions.
  • Adapt policies to suit hybrid and remote workforces, re-acclimating onsite workforce, and understand what new solutions and new technologies could create dangerous violations that include hefty fines or criminal liability in the changing security landscape.
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V300- Jeff Graham
Track: Internet of Things (IoT)
Tags: Basic
Credits Available:
1.00 CPE
Artificial Intelligence and IoT technology implicate increasingly complex data security risks due to broadening device interrelationships (e.g., IoT webcams, health tracking, children’s toys, automobile software, wireless security equipment). The focus of this presentation is best practices for obtaining high value cybersecurity patents and the goal is to provide an overview regarding potential patent issues related to AI and IoT U.S. patent applications that focus on cybersecurity. This is not an exhaustive presentation, but it does include developing areas of law. We will cover claimed subject matter that resulted in patent damage awards in cybersecurity and potential hurdles that are unique to U.S. software/cybersecurity patents, such as subject matter eligibility and indefiniteness.


Objectives:
  • Be better prepared for potential issues in obtaining a software/cybersecurity patent in AI or IoT technology from the USPTO.
  • Understand how cybersecurity patents are categorized and at least one approach for monetizing cybersecurity technology via patents.
  • Understand the different types of enhancements that result in software patents being found to be more than an "abstract idea" (a claim to an abstract idea alone generally results in ineligibility).
Tuesday
04:30pm - 05:30pm EDT - October 19, 2021 | Room: V100-Jeremy Speakes
Track: Mobile/Remote Workforce Security
Tags: Basic
Credits Available:
1.00 CPE
As of 2021, there are 3 billion Android devices in use globally. Enterprise and government use of Android devices has surged in the last year due to an increase in remote working. Ensuring company data is secured and preserving users' privacy is paramount. In this session, we will provide insight into how modern Android security has evolved to broker more trust with verifiable third-party validations. Google requires all device manufacturers and carriers globally to adhere to mandatory standards including hardware-backed security, OS anti-exploitation and Google Security Services. Please join us to learn more about modern Android Security for enterprise use cases.


Objectives:
  • Describe how modern Android security safeguards company data with native built-in security services and to control those services with EMM solutions.
  • Describe to stakeholders the benefits of managing Android devices with Android Enterprise including complete application management. Customers will be able to conduct risk assessments more accurately by understanding the capabilities of modern Android devices.
  • Articulate and put into action best practices for deploying and managing Android devices, and take advantage of built-in services including SafetyNet Attestation, Verify Apps and Google Play Protect.
Wednesday
08:00am - 09:00am EDT - October 20, 2021 | Room: V2400-Chad Ritter
Track: InclusionREADY
Tags: Basic
Credits Available:
1.00 CPE
Gender diversity in tech is a hot topic for organisations, as many understand the benefits that women can bring, such as greater profitability, innovation, and lower costs. However, when it comes to cybersecurity women offer another advantage. They think differently to men and this includes how they see risk. Join best-selling author and 23-year cybersecurity veteran Jane Frankland to hear about the unique differences between men and women in terms of risk and how a failure to attract and retain women in cybersecurity is making us all less safe. Key takeaways include:
  • Understand the current situation and why women in cybersecurity really matter.
  • Learn how women see risk in a different way to men, and why this is advantageous.
  • Gain a true understanding of the three main challenges the industry needs to overcome if it's going to increase the numbers of women.
  • Learn how to remove barriers to entry whilst obtaining the right calibre of professional.
  • Discover how to cultivate talent through internal and collaborative programmes.
  • Find out what cultural changes you can make in the workplace right now so you remain operating happily within it or cultivating a more diverse workforce.

Wednesday
09:00am - 10:00am EDT - October 20, 2021 | Room: V100-Jeremy Speakes
Track: Keynote
Credits Available:
1.00 CPE
The days of old school corporate espionage are long behind us. The "classic" insider threat had a risky job to appropriate information and then faced a logistical nightmare to sell it. Those times are long gone, replaced by something far more effective, sinister and less detectable. The U.K. intelligence agency MI5 is so deeply concerned by the rise of insider threats created by "social manipulation techniques" that it has helped launch a campaign to increase awareness. In this talk you will hear stories of how key, loyal employees with access to critical IP and R&D have been socially engineered and fed convincing stories to give nefarious actors at all levels access to the Crown Jewels. Would-be lovers, people posing as human rights activists, businessmen and recruiters looking for talent, conferences that didn't exist and even someone who believed he had started working for MI6. All these people unknowingly became insiders. All handed over IP and commercially sensitive information. How did they fall for it? Hear their stories in this keynote.

10:30am - 11:30am EDT - October 20, 2021

Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V800-Paul Jackino
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.00 CPE
Based upon the published OMG discussion paper, "The State and Future of Cyber Insurance," the co-authors will briefly present a synopsis of the paper, leaving ample time for open discussion with attendees regarding the current cyber insurance market and its shortfalls. We will then cover the emerging market that includes the embedded sale of cyber for the cloud market and the potential for streamlining the underwriting process, resulting in a more dynamic insurance product. Finally, we will dive into parametric insurance products and areas it can remedy in cyber insurance, including the new market for non-fungible tokens (NFTs).


Objectives:
  • Understand the cyber insurance market and its current shortfalls, as well as the importance of a quantified risk assessment in the process and understanding the policy.
  • Understand how elastic cyber insurance, embedded in cloud agreements, will shape the future of the cloud market.
  • Describe parametric insurance and its many advantages and obtain an early education on the product and how it will change the cyber insurance market.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V700-Jeremy Becker
Track: Security Automation/Artificial Intelligence/Machine Learning
Tags: Intermediate
Credits Available:
1.00 CPE
The explosion of machine learning, data science and artificial intelligence research and applications in the past few years presents both great opportunities and great risks for cybersecurity managers and practitioners. Organizations need to clearly understand the fundamentals of machine learning algorithms, including their current capabilities and limitations, before facing the vast array of tools, applications and groups eagerly offering solutions. This presentation will discuss some of the recent advances and applications of machine learning and artificial intelligence capabilities for the cybersecurity of critical infrastructure. We will focus on understanding the limitations of the algorithms (and implementations) to determine the potential impacts to both security and safety. Most importantly, we will discuss ways to assess and evaluate these capabilities from an overall risk management perspective.


Objectives:
  • Identify machine learning capabilities that can improve the cybersecurity of critical infrastructure.
  • Discuss the potential risks with machine learning capabilities and their implications.
  • Discuss the ways to assess whether a machine learning algorithm (or system) will work to improve the cybersecurity of their critical infrastructure assets.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V900- Craig Carpenter
Track: Threats (Detection/Hunting/Intelligence/Mitigation/Monitoring)
Tags: Intermediate
Credits Available:
1.00 CPE
VERIS, or the Vocabulary for Event Recording and Incident Sharing, is a set of metrics designed to provide a common language for describing cybersecurity incidents (and data breaches) in a structured and repeatable manner. VERIS provides cyber defenders and intelligence practitioners with the ability to collect and share useful incident-related information - anonymously and responsibly - with others. The VERIS Framework underpins the annual Data Breach Investigations Report (DBIR). VERIS employs the A4 Threat Model to describe key aspects of incidents and breaches that affect victim organizations. Simply put, the A4 Threat Model seeks to answer: who (actor) did what (action) to what (asset) in what way (attribute) for threat modeling, intelligence analysis, breach mitigation and detection / response improvement.


Objectives:
  • Understand data breaches and cybersecurity incidents through the VERIS lens.
  • Identify the four components of the VERIS A4 Threat Model: actors, actions, assets, attributes.
  • Apply use cases for the VERIS A4 Threat Model.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V1100-Jon Moody
Track: Incident Response/Investigations/Forensics
Tags: Basic
Credits Available:
1.00 CPE
What are “supplementary measures” and why are my EU business partners asking me to implement them? Can law enforcement search my cellphone at border crossings? What qualifies as a breach vs. an incident? When does an investigation need attorney-client privilege? Do I need to make a bitstream copy, or is an image enough? Over the past five years, these questions have likely come up with regularity, underscoring the need for legal insight in infosec. Just some of the areas where attorneys can assist you include incident response/breach notification, contract negotiations, policy writing and review, and working with insurance carriers. In this follow up to last year’s presentation, infosec legal veterans will describe 10 more things that attorneys can do for your team.


Objectives:
  • Discern which infosec and privacy problems require legal involvement.
  • Understand how to work with counsel to achieve the best results.
  • Respond to the latest infosec trends that have legal implications.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V1000- Owen Meldrum
Track: Incident Response/Investigations/Forensics
Tags: Basic
Credits Available:
1.00 CPE
This presentation will shift away from antiquated ways of handling incident response to modern-day approaches that are much more effective. Among the discussion items:
  • There needs to be a paradigm shift in how incident response is handled. Stop just responding; start proactively threat hunting and threat modeling.
  • Incident response is not centric to CSIRT teams. Mature incident response involves the entire organization, including the business (legal, privacy, HR, etc.).
  • A CSIRT that is purely built on technical skills is inefficient. Diverse backgrounds and especially soft skills on a CSIRT are imperative.
  • Stop trying to document/create a playbook for everything. Creativity and flexibility lend themselves to much more effective incident response.


Objectives:
  • Conduct a holistic analysis of their incident response program and identify the weak areas that need improvement.
  • Understand the importance of diversifying an incident response (or CSIRT) team to include not just the technical folks, but those from other lines of business.
  • Describe what approaches to incident response are antiquated, and understand what new processes/ideas should be adopted.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V1200-Craig Ciccolella
Track: ICS/Critical Infrastructure
Tags: Basic
Credits Available:
1.00 CPE
We are all regularly buying, building and deploying vendor and contractor equipment, systems and services, but how do we know that the products and services purchased have appropriate levels of cybersecurity? Are vendors and contractors designing, building and operating their products with cybersecurity in mind? Are they consistently searching for and addressing cybersecurity weaknesses? Do they have secure supply chains? This talk shares an approach to cybersecurity procurement language developed for the U.S. Army's Office of Energy Initiatives that focuses on cybersecurity requirements for contractors designing, constructing and operating energy generating facilities within Army installations. These procurement cybersecurity requirements protect the installation lifecycle for operational technology networks and industrial control systems of contractor-owned and -operated systems.


Objectives:
  • Understand the current landscape of cyber-focused procurement language, gaps that exist, and what procurement clauses and processes would enable systems to be secure throughout their lifespan.
  • Identify well written, quantifiable cybersecurity procurement clauses that can be measured and enforced.
  • Identify and construct cybersecurity procurement clauses applicable to their particular installation and application, which will serve throughout the lifecycle of the implementation.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V600-Taylor Rondenell
Track: DevSecOp
Credits Available:
1.00 CPE
In a time when DevOps is becoming commonplace, there is a desire for rapid technical automation and deployments to keep up with the pace of demand by organizations. The lightning speed at which this occurs can lead to security being an afterthought that has to be bandaged on at a later date. By integrating a security capability into the culture of the organization, security can be "shifted left" and DevSecOps can be ingrained. This results in proactive protection of the organization's key services. The need for tactical solutions is reduced and the strategic security posture is enhanced.


Objectives:
  • Understand what DevSecOps is.
  • Understand why DevSecOps is needed.
  • Understand how DevSecOps can be implemented.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V500-Joe Trusso
Track: Zero Trust
Tags: Advanced
Credits Available:
1.00 CPE
Recently, data surpassed oil as the world's most valuable asset. Current data protection methods have too many dependencies on the systems and networks through which data passes. So far, attempts to solve this problem have not adequately minimized external dependencies. The self-protecting data concept, as a zero trust use case, involves adding protections to data objects to make such objects "self-protecting." The protections would include metadata tags and tamper-awareness and action logic that allows the data object to automatically, or remotely, choose courses of action when a given threat is detected. Artificial intelligence techniques are needed due to the complexity involved with managing numerous data attributes as metadata; the need for autonomous access control and infrastructure independence; and the automation of detection, alerting, and response.


Objectives:
  • Describe basic requirements for a self-protecting data object.
  • Understand what research has been done so far on self-protecting data.
  • Understand how self-protecting data can leverage artificial intelligence techniques to improve data protection in zero or low-trust environments.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V400-Kyle Lewis
Track: Cloud Security
Tags: Intermediate
Credits Available:
1.00 CPE
Which leading cloud provider has the most effective security features -- AWS, Azure or Google Cloud (GCP)? We'll look at three common use cases and provide live demonstrations to compare security architectures and features across all three cloud platforms. The discussion includes:
  • Identity: Cloud customers typically create multiple AWS accounts, Azure subscriptions or GCP projects. How should a centralized source of identity be architected?
  • Private Networking: Security-conscious cloud customers use private networking as part of a defence-in-depth strategy. How can this be achieved with cloud services such as storage or serverless functions, which are internet-facing by default?
  • Content Delivery Network: How can a web application be presented to global users with low latency and a high level of security?


Objectives:
  • Develop a knowledge of practical implementations around cloud security principles studied for the CCSP certification.
  • Compare security services and features across AWS, Azure and GCP with real-world examples.
  • Demonstrate an understanding of centralized identity architectures across multiple AWS accounts, Azure subscriptions and GCP projects.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V200-Atticus Kaiser
Track: Small/Medium-sized Business Security
Tags: Basic
Credits Available:
1.00 CPE
Many organizations have small IT departments or maybe just one IT "guy" and no security personnel. These organizations understandably turn to third parties to outsource most and sometimes all IT. However, they don't ask for security and the outsourced IT companies don't always offer or provide secure IT solutions. Small and medium-sized businesses need to learn how to outsource IT that comes with security. They need to have the tools to ask the right questions and make sure they are not just getting IT, but getting secured IT with an organization that understands security. This talk will provide information organizations need to bring in secure IT vendors and help IT vendors think about why they should be including security in all IT outsourced services.


Objectives:
  • Understand the security controls their outsourced IT vendors should be providing.
  • Evaluate their current outsourced IT services for security gaps.
  • Compare IT outsourced service offerings to ensure they are getting a complete and secure service.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V300-Jeff Graham
Track: InclusionREADY
Tags: Basic
Credits Available:
1.00 CPE
An advanced society requires complex human interactions. We now need teamwork skills at a greater scale than ever before, which means our emotional intelligence (EQ) skills need strengthening. This starts with a set of common behavioral standards. EQ is a noun meaning “the capacity to be aware of, control, and express one's emotions, and to handle interpersonal relationships judiciously and empathetically.” Hence, the standards for interactions depend greatly on our EQ skills. This talk will define the standards for interactions, and together, we will grow our EQ. Our security, privacy, economic well-being and mental health depend on the ability to engage others positively, for example through win-win communication. When we establish a baseline of standards for human interactions, with win-win communication, humans will excel.


Objectives:
  • Share with others the Human Behavior Inclusion Standard.
  • Lead the charge on creating strong culture allies in the workplaces and professional networks.
  • Empower those around them to participate in inclusion on an ongoing basis.
Wednesday
10:30am - 11:30am EDT - October 20, 2021 | Room: V2400-Chad Ritter
Track: Cyber Crime
Tags: Basic
Credits Available:
1.00 CPE
With the number of attacks on the rise, it’s fair to say that ransomware happens; unfortunately, there’s no way to avoid it. The trick is to try to prevent the spread of breaches through your network. During this presentation we’ll offer simple approaches for mitigating the damage ransomware and other cyberattacks can have across your hybrid cloud network, data estate and endpoints.

Points we’ll discuss include learning how to:
  • Gain the visibility required to quickly identify the most vulnerable applications and workloads
  • Block risky ports and non-compliant data flows commonly abused by ransomware and other cyberattacks
  • Find deprecated services and see how legacy unpatched systems can be reached
  • Reduce internal friction and forge tighter collaboration across NetOps, SecOps, and DevOps
  • Integrate real-time Illumio data into your SIEM/SOAR during SecOps investigation


Objectives:
  • How to visualize communications across your applications, devices and the cloud, to better understand your systems at risk, and easily enforce least privilege access to prevent the spread of breaches.
  • How to limit your breach exposure and improve your digital defenses by pinpointing the applications and systems most at risk.
  • Proactive (before breach) and reactive (after breach) capabilities that stop malicious code from spreading and isolate critical systems from infection.
11:45am - 01:00pm EDT - October 20, 2021

Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V1600-Charlene Budziszewski
Track: Human Factors
Tags: Intermediate
Credits Available:
1.25 CPE
A former CIA intelligence officer with over two decades of experience breaching the security of his targets overseas identifies the threat actors behind today's data breaches along with their motivations and objectives. He reveals human hacking methodologies that increasingly incorporate OSINT, especially social media platforms, to identify, assess and manipulate key insiders to facilitate the breach.

This presentation will demonstrate several advanced social engineering techniques going far beyond commonly known phishing attacks. It also identifies and promotes a two-pronged risk mitigation strategy incorporating organizational and personal information control along with a "verify, then trust" discipline when confronted by potential human hacking attempts.


Objectives:
  • Identify five distinct categories of human hackers (threat actors) behind successful data breach attempts along with their respective motivations and objectives.
  • Describe the methodologies utilized by human hackers for the selection, assessment and manipulation of insiders to successfully accomplish the breach.
  • Mitigate human hacking threats by adopting a two-pronged strategy.
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V1700-Ryan Baill
Track: Healthcare Security
Tags: Advanced
Credits Available:
1.25 CPE
The internet of things (IoT) has been a significant advancement in technology, modernizing repetitive tasks, streamlining data collection, and providing new ways to collect, interpret and disseminate information. Numerous industries have benefited from advancements in IoT technology, including healthcare. Medical IoT (MIoT) has deployed several devices, including internet-connected sleep apnea machines, blood pressure regulators, glucose monitors and mobile echocardiogram and heart rate monitors. The advancement in MIoT has revolutionized the delivery of care. Both treatment facilities and patients now perform a significant amount of care from the patient's home, saving the patient time and money. The integration of technology to maintain potentially life-sustaining functions within patients comes with the challenge of ensuring that data integrity and patient safety are not compromised.


Objectives:
  • Identify emerging threats towards medical wearable devices.
  • Identify key risk factors and threats towards medical treatment facilities and users.
  • Learn different strategies to protect users, medical treatment facilities and wearable devices.
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V1800-Salem Zarou
Track: Privacy
Tags: Basic
Credits Available:
1.25 CPE
The ePrivacy Regulation is still not there, but cookies (and other tracking mechanisms) have been under close scrutiny from European Data Protection Authorities. This session will review the actual scope and requirements of the “cookie law” implementation in various EU member states, along with the requirements changed by the GDPR. Some common pitfalls and misconceptions will be explained and pragmatic solutions presented. The session will also review how Isabel Group went about selecting and implementing its cross-website cookie consent management solution, how the solution has helped the company, and the changes it triggered.


Objectives:
  • Understand better the scope and requirements of the EU "Cookie Law."
  • Identify applicable requirements of the EU "Cookie Law."
  • Put in place measures to comply with the EU "Cookie Law."
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V1400-Brad Lutz
Track: ICS/Critical Infrastructure
Tags: Basic
Credits Available:
1.25 CPE
The advent of Industry 4.0 will require secure ICS, IoT and cloud architectures to embrace an agile methodology to meet industrial and business demands. These architectures will need to take into consideration the security of embedded components and SCADA systems sending traffic to the cloud, as well as the security of the cloud environments themselves. Data privacy can impact architecture if personally identifiable information is collected to aid in analysis in these cloud environments. Furthermore, we will look at the ISA/IEC 62443 standard and its impact on and applicability to these architectures. Concepts on network architecture design, defense-in-depth networking, component selection and hardening, as well as the security development lifecycle’s importance to IoT, the edge and cloud architecture, will be presented and solutions discussed.


Objectives:
  • Describe the particulars of embedded ICS components and the challenges they present when architecting security solutions and how these devices interact within an edge computing environment.
  • Understand the ISA/IEC 62443 standard's relevance in helping design and define secure architectures for the IoT and the cloud.
  • Conduct proper network segmentation, utilizing security architecture safeguarding critical functionality to ICS processes during cloud communications.
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V1500-Nicholas Kogut
Track: Application Security/Software Assurance
Tags: Intermediate
Credits Available:
1.25 CPE
Many threat modeling approaches exist, with new techniques and tools to perform the same activity for different scenarios. However, methodologies like DevSecOps pose a huge challenge for threat modelers in incorporating the demands of different teams, including scaling and quality issues, and in successfully demonstrating business value. This requires moving away from traditional practices to fit DevSecOps needs. After an elaborate study, we introduce a Maturity Model for Threat Modeling, focused on how it can be integrated with the enterprise. You will witness threat modeling as a central tool for security risk management, how various functions in the enterprise can be involved to address risk and, finally, how organizations can be prepared to experience the right outcome from the recommended tool categories at every maturity level.


Objectives:
  • Address the challenges in traditional threat models to suit DevSecOps methodology.
  • Describe a maturity model to prepare organizations for the right levels of threats.
  • Recommend the right tool categories for every maturity level.
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V1300-Josh Ensley
Track: Incident Response/Investigations/Forensics
Tags: Intermediate
Credits Available:
1.25 CPE
Follow in the footsteps of a cybercriminal and uncover their digital footprint. This is a journey inside the mind of an ethical hacker responding to a ransomware incident that brought a business to a full stop, and a look at the evidence left behind that reveals the attack path and the techniques used. Malicious attackers look for the cheapest, fastest, stealthiest way to achieve their goals. Windows endpoints provide many opportunities to gain entry to IT environments and access sensitive information. This session will show you the techniques the attacker used and how they went from zero to full domain admin compromise, resulting in a nasty ransomware incident.


Objectives:
  • How attackers gained access to systems.
  • What tools were used.
  • How "AD elevation" was achieved.
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V1900-Jacob Fish
Track: Incident Response/Investigations/Forensics
Tags: Intermediate
Credits Available:
1.25 CPE
Cyber insurance? Do we need it? Who better to discuss cyber insurance with than actual underwriters? Go behind the scenes to learn about the current cyber liability landscape. We know insurance forms are complex, coverages are vague, and there are often hidden exclusions. We provide you with the knowledge to understand these issues, highlight how you can efficiently work through the application process, understand what insurance companies look for, and ask the right questions to effectively negotiate your coverages and premium. Additionally, we discuss real-life scenarios that lead to denial of claims.


Objectives:
  • Understand the current cyber liability market.
  • Identify common coverages and exclusions, and understand why claims may be denied.
  • Identify key factors to determine how much insurance you need, what insurers look for, and know the do's and don'ts when filling out your application.
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V2100-Sondley Cajuste
Track: Threats (Detection/Hunting/Intelligence/Mitigation/Monitoring)
Tags: Advanced
Credits Available:
1.25 CPE
Doxing, a term derived from "documents," consists of collecting information on an organization or individual through social media websites, search engines, password-cracking methods, social engineering tools and other sources of publicly displayed information. The main purpose of doxing attacks is to threaten, embarrass, harass and humiliate the organization or individual. Various tools are used to perform doxing. Tools such as Maltego visualize an organization’s architecture, which helps determine weak links within the organization. This presentation discusses different ways organizations and employees can be doxed and suggests measures to protect against doxing attacks.


Objectives:
  • Take measures and create awareness as to how organizations can protect themselves from doxing attacks.
  • Understand the potential impacts of doxing and its consequences.
  • Understand the different tools and methodologies used for doxing.
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V2000-Alex Aarson
Track: Governance, Risk & Compliance
Tags: Intermediate
Credits Available:
1.25 CPE
Compliance means conforming to rules, such as specifications, policies, regulations, standards and laws. As information security professionals, we know that things are not black and white and that controls, however well intended, may break a system or render it unable to perform its business function. But how do we make sure that we understand the true intent behind a control in order to effectively demonstrate compliance? Where engineers are left not understanding a control's intent or unable to effectively explain mitigating controls, auditors have a hard time breaking down the components of a control to make them understandable. Each scenario can lead to false positives and erroneous findings. Let's explore how to effectively translate between technology speak and audit jargon.


Objectives:
  • Define the gaps in understanding that accompany failing controls.
  • List the common pitfalls in effectively communicating a compliance need.
  • Effectively challenge vague and indistinct controls in order to build a stronger control framework.
Wednesday
11:45am - 12:45pm EDT - October 20, 2021 | Room: V2200-Jordan Garcia
Track: Privacy
Tags: Intermediate
Credits Available:
1.25 CPE
Cryptography is commonly used to protect the secrecy and integrity of data. It is a good thing that secure transport is now commonly used. However, the owner of the data usually does not know with certainty which of their data is transferred. The transport is guarded by cryptographic techniques, so it is impossible for the owner to inspect the data stream. The only way to inspect this process is to inspect the source code and to verify that the program in use matches the inspected code. Not all parties are willing to have their code inspected. We present early findings on the possibility and feasibility of letting the data owner temporarily inspect the encrypted transport for a limited time, and we will demonstrate the prototype.


Objectives:
  • At the end of this session participants will understand the initial phase of TLS, in particular the "key exchange".
  • At the end of this session participants will understand how "the shared secret" can be obtained by auditing parties.
  • At the end of this session participants will understand how this mechanism only impacts a few connections (restricted in time), so the general protection of TLS is not compromised.
Wednesday
11:45am - 01:00pm EDT - October 20, 2021 | Room: V2300-Nick Malczewsky
Track: Threats (Detection/Hunting/Intelligence/Mitigation/Monitoring)
Tags: Intermediate
Credits Available:
1.25 CPE
The security market is full of solutions to support threat detection and response: EDR, NDR, SIEM, XDR, SOAR, you name it. But just deploying tools is not enough to get results. Organizations must ensure they have the appropriate coverage of threats and technologies to detect and respond to incidents and minimize impact. This session introduces the coverage concept and how it affects the performance of threat detection and response, as well as bringing some important lessons learned from real-world deployments.


Objectives:
  • At the end of this session participants will be able to understand what coverage is in relation to threat detection and response practices.
  • At the end of this session participants will be able to apply the MITRE ATT&CK framework to map and expand the threat coverage of their threat detection and response practices.
  • At the end of this session participants will be able to comprehend what parts of their technology environment must be covered by their threat detection and response practices.