IANS Information Security Forum Curriculum

Transcription

1 2015 IANS Information Security Forum 2015 Curriculum

2 IANS Forums: A Unique Experience This is not your typical industry or technology event. IANS Information Security Forums deliver a unique experience for security, risk management, audit and GRC professionals. Our goal is to help you make progress in aligning your organization s information security strategy with the goals of the business. The IANS Faculty, comprising of the world s foremost expert practitioners, provide actionable information that delegates can take back to their companies and immediately use. IANS Forums are free of commercial noise and hype, and are hallmarked by: Faculty-led information sessions IANS Faculty relate their work with clients regarding the tactical and strategic issues that your infosec team and company are dealing with every day Peer-to-peer networking and exchange Join information security professionals from your industry or other industries and learn from each other s experiences No vendor trade show or exhibit tables Solution providers are available via opt-in Technology Spotlight sessions that deliver real-world insights on the latest technologies and use cases No reporters or journalists IANS events are closed to the media. Information that is shared and exchanged is considered confidential. This enables delegates to share ideas, challenges and solutions within a discreet and private environment. IANS Faculty Independent Thought Leadership and Advice IANS Forums are led by our world-class Faculty of independent thought leaders who deliver expert insights and advice based on real-world experience. Dave Shackleford Alex Hutton Gunnar Peterson Marcus Ranum Kevin Johnson Diana Kelley John Strand Aaron Turner

3 Track 1: Perimeter-less Data Protection Track 1 Sessions Securing Data in the Cloud 2.0 As enterprises move more workloads to the cloud, they need to ensure their critical data is as secure as it was on premises. To that end, what are the best tactics, techniques and methods when it comes to cloud encryption, data privacy and access controls? How should you approach third-party reviews, data classification and identity management? Key Management: Turning a Headache into a Head Start Encryption is a key strategy for protecting corporate data wherever it resides, but in many cases, worries around key management become a stumbling block to leveraging new initiatives such as cloud and mobile. Who should own the keys and why? What are the major encryption use cases and what new key management solutions are coming to market to help? Application Security: Faster, Better, Smarter In an age of DevOps and other agile development initiatives, how can security provide value-add impact to the Software Development Lifecycle (SDLC)? This session will explore methods and practices to ensure that every app meets or exceeds security goals without slowing down the process. Getting the Most Bang for Your Data Loss Prevention (DLP) Buck In just a couple of years, data loss prevention (DLP) has moved from next-big-thing to barely-betterthan-av status in most organizations. But are we truly leveraging all that DLP brings? How can you get the most from your DLP investment? What strategies help (and hinder) the process? Making Identity Work in a Perimeter-less World As more corporate data resides outside the company in the cloud, at third-party service providers and more the need to implement comprehensive identity management processes becomes critical. Should you pursue federated ID? How do you securely extend provisioning beyond employees to customers, suppliers and partners?

4 Track 2: Fight Advanced Malware Track 2 Sessions Learning from Patient Zero: Dissecting Recent Data Breaches to Evolve Our Defenses High-profile breaches seem to happen every day, but are we learning anything from them? In this session, we review the ways in which Target, Community Health, Home Depot and other organizations were breached and deliver actionable methods to evolve our defenses and prevent similar compromises. Best Practices in Finding, Crippling and Eliminating Advanced Malware No one expects antivirus tools alone to stop today s rash of advanced malware threats. What else is required? What mix of strategies and tools can optimally meet the challenge of ever-evolving and ever-more-targeted malware? How can malware be neutralized before it causes damage? You re Probably Already Compromised: Now What? The latest Verizon Data Breach report finds most organizations go weeks, months and even years before discovering malware on their networks. In this session, we detail tried-and-true techniques to uncover bad actors on the network while showing how to apply Lockheed Martin s Cyber Kill Chain methodology to ensure your environment becomes and remains an unattractive target. The Latest in Agile Security: What Works and What Doesn t As threat actors evolve and become ever more agile and targeted in their attacks, information security must respond in kind. What are the key new tools and strategies leading-edge companies are adopting to ensure their networks are hard-to-hit targets? What are the most promising, cost-effective and practical strategies? Know Your Enemies: Developing a Company-Specific Threat Profile Who or what poses the greatest threat to your organization? Nation-states? Competitors? Organized crime? Hacktivists? Disgruntled employees? What digital assets are they after, and which will cause the worst damage if they are stolen? Having a clear understanding of your adversary and the assets that matter helps crystalize where to allocate your budget dollars and where to devote your efforts.

5 Track 3: Regain Control Track 3 Sessions BYOD: An Idea Whose Time Has Come and Gone? When BlackBerry fell out of favor, IT and security were blindsided by executives and employees alike rushing to buy their own Androids and iphones to leverage as key business tools. But with Apple and Google making real efforts to be business-friendly, is now the time to end BYOD and bring devices back in-house? What are the cost, technology, security and people ramifications of such a move, and what are the key steps to take? Architecting the Cloud for Security Success Many organizations have a Cloud First policy, and security professionals are tasked with identifying risks and protecting data. What are the proven cloud security reference architectures? What practical steps can you take to ensure you architect your cloud implementation in a secure, agile, risk-aware manner? Inserting Security Into the IT Supply Chain As more business units go around IT to source their apps and projects, security quickly falls by the wayside. What practical tactics and strategies can information security use to discover these initiatives and insert itself into the supply chain to ensure the business remains both agile and secure? Securing Virtualized Environments: What Works and What Doesn t Virtualization now underpins every data center, but security tools and strategies are struggling to catch up. What are best practices here? What security tools scale well in a virtualized environment and which ones don t? How can we ensure bulletproof security in hypervisor environments? Getting from MDM to Mobile Management: Time to Focus on Apps and Data As more employees access critical apps and data on the go, security must pivot from seeking to control mobile devices to securing access to corporate apps and data. What combination of device, app, data and other controls help mobile work best? What new tools support this change?

6 Track 4: Improve Visibility Track 4 Sessions The Promise of Security Automation: Emerging Tools and Tactics Information security needs to detect and respond to threats and mitigate vulnerabilities more rapidly than ever before. Leveraging automation tools like Puppet, Chef and scripting tools to secure both in-house and cloud-based assets holds a lot of promise. What tools and technologies are emerging to help automate repetitive tasks or processes? What are the pitfalls to avoid? No Pain, No Gain: Building an Internal Forensics Program that Works A forensics program is only as good as the people, processes and tools it has on hand. How can you ensure your forensics program is fast, comprehensive and skilled enough to help your organization learn and grow stronger from each security event it encounters? How Secure Are Your Business Partners? Reducing the Risk From Third Parties Is your HVAC provider leaving your network vulnerable? How can you manage your third-party relationships to ensure they aren t presenting undue risk to the business? What are best practices in terms of vetting third parties and conducting comprehensive risk assessments? Taking Vulnerability Management to the Next Level Vulnerability management encompasses scanning, configuration management, patch management and more. How are organizations adapting their vulnerability management programs to deal with more data? How does vulnerability management tie back to change and configuration management, and help improve patching programs? Moving from Log Management to Security Intelligence Existing network monitoring tools don t deliver a clear picture. What collection of new technologies (e.g., advanced SIEM), better collection of network data (e.g., scanner results and NetFlow data) and better processes will improve the security intelligence picture? How can data analytics help clarify the results?

7 Track 5: Think Business Track 5 Sessions From Techie to Risk Expert: Honing Skills for Security s Next Phase What skills (both hard and soft) are critical in today s security organizations, and what aren t? How can you ensure you evolve your skillset to serve the business and go beyond the tactical capabilities that are on your company s next-to-be-outsourced list? Security Awareness: Moving from Gotcha to Empowerment Security awareness programs tend to run off the rails when information security focuses on tricking users instead of instilling secure behaviors that benefit the company as a whole. How can security incent such behaviors? What tools, tactics and strategies help users feel knowledgeable and empowered enough to be true partners in protecting the business? Understanding the GRC Process Integrating security and true risk assessment into the fabric of the business is no easy feat. How can security master governance across the organization, from within IT, at the business unit level and out to audit and compliance? What egrc tools ease the process? Compliance Pitfalls: How to Spot Them, How to Avoid Them Compliance is never easy, but add mobile, cloud, social media and privacy initiatives into the mix, and it becomes nearly impossible. What are the most common compliance pitfalls today s organizations face and what are the best strategies for avoiding them? Creating Security Metrics that Matter to the Business How do you create (and present to management) operational metrics that both help information security be more productive and ensure the business makes informed, risk-aware decisions? What works best? What should you avoid? How are metrics best communicated?

8 2015 IANS is the leading provider of in-depth security insights and decision support delivered through research, community and consulting. Fueled by interactions among IANS Faculty and information security practitioners, IANS experience-driven advice helps IT security, risk management and compliance executives make better, faster technical and managerial decisions. IANS Research, Inc. 15 Court Square Suite 1100 Boston, MA Telephone: Facsimile: Web: