December 8th - 10th 2014, Barton Creek Resort, Austin, TX

AGENDA
Understanding and Managing the Information Risks in an Agile Connected Business

DAY 1 - December 8th

4:30pm - 6:00pm ROUNDTABLE SESSIONS
Track 1: GRC and the Business Value of Security. Moderator: Derek Brink, Aberdeen
Track 2: The Changing Threat Landscape. Moderator: Marc Othersen, Hess
Track 3: Best Practices in Security Controls. Moderator: Frank Roppelt, BNY Mellon

6:00pm - 7:00pm COCKTAILS AND NETWORKING

7:00pm - 10pm GALA DINNER AND KEYNOTE SPEECH
Five 2015 Imperatives for Savvy CISOs
Marc Othersen, CISO, Hess Corporation
This year saw a continued escalation in attacks from a wide range of threat sources, each possessing greater capabilities than seen before. Likewise, corporate governing bodies have increased their interest in and understanding of cybersecurity. Given this growing complexity and scrutiny, what should CISOs be thinking about in 2015? Join Marc Othersen as he explores his top five imperatives that CISOs must address this coming year and discusses the strategic elements needed to maintain positive momentum while addressing the ever-increasing threats to corporate information, assets and operations.
DAY 2 - December 9th

7:00am - 8:00am BREAKFAST AND REGISTRATION

8:10am - 8:50am OPENING KEYNOTE PANEL
User Behaviours and Security Risk
Introduced and moderated by: Derek Brink, VP & Research Fellow, Aberdeen
There are two sides of the coin with respect to user behaviours and security risks. In spite of all the technical security controls designed to prevent an occurrence, we all know that incidents still do occur, and the root cause for many (if not most!) of these incidents is the actions of users. For this reason, changing user behaviours (e.g., through investments in user awareness and training) represents the critical last mile of reducing risks on the prevention side of the security risk equation. On the impact side of the security risk equation, we also know that it makes sense to be in a position to detect, respond and recover from security-related incidents more quickly when they do occur. For this purpose, leveraging visibility into user behaviours with big data and advanced analytics capabilities can help to detect and respond to insider threat (e.g., fraud, theft of IP, sabotage of IT infrastructure). In this session, panellists will share their views on:
- Approaches and results from investments in user awareness and training exercises (e.g., "phish-train-phish"), and the corresponding reduction in risk
- Approaches to monitoring and recording the activities of authorized end-users and end-user systems, and how this can be used both retrospectively (e.g., audits and investigations) and proactively (e.g., identifying anomalous, potentially malicious behaviours)
- The appropriate balance and mix between the two, and why

9:00am - 9:40am SESSION 1
Understanding the Implications of Geopolitical Events on the Security of Your Business
Jim Motes, CISO, Rockwell Automation
We operate in a world where corporations have global presence, and thinking domestically is a luxury multi-national security officers can't afford. Security professionals have to combine foundational security knowledge with an examination of world events and the analytical application of open source intelligence. The successful security professional will have a process for tracking and associating related events. Just as important, security officers need to monitor analogous behaviors exhibited by governments to attempt to predict potential outcomes based on previous patterns. Monitoring government activities and getting a sense of the reasoning behind those activities requires us to use multiple sources of information. This program can't be successful if only one country's perspective is used. There is a growing need for security to become precognitive. Businesses are employing analytics to better use big data, and there is every indication that security has to follow the same footpath if we hope to become less reactive and improve our value to the business.
Key Takeaways:
1. Discussion of the best tools to track and manage events
2. Analyzing the information: how, and what matters
3. Sources of information: good vs. bad sources

9:45am - 10:25am SESSION 2
New Strategies for Addressing Emerging Threats and Targeted Attacks
Grant Asplund, Director of Evangelism, Blue Coat
Today's unknown malware, "one day wonder" websites and zero-day threats continue to evade even the best traditional security defenses. The last few highly publicized security breaches have proven that no walls are high enough to keep out attackers. Threat actors vary enormously, and the fluidity of talent, techniques and technology behind an incident makes holistic prevention virtually untenable. To combat these threats, a modern approach to security is necessary: one that integrates real-time protection, dynamic analysis, and post-breach investigation and remediation. Join this discussion led by Grant Asplund to share new approaches that close the gap between ongoing security operations and incident discovery, containment and resolution.

10:30am - 11:10am SESSION 3
Cross-Industry Knowledge Transfer at the Intersection of Compliance and Security
Dr. Dirk E. Mahling, CIO, Seattle City Light
Many industries, such as financial services, utilities, and health care, operate under compliance rules from government oversight organizations. The relationship between compliance rules centered on cybersecurity and a full-fledged security program is not well understood; sometimes the two are even at odds with each other. Comparing notes from different industries coping with similar compliance/security issues may open innovative avenues.
11:15am - 11:55am SESSION 4
Just In Time, Just Enough Access via Adaptive Privilege Management
Richard Weeks, VP, Channel Sales & Business Development, Lieberman Software
The reality is that you are dealing with:
- A porous perimeter
- APTs like pass-the-hash
- Ineffective firewalls, anti-malware, and anti-virus software
Make the assumption that intruders are already within your environment, because they will get in. What can you do to limit their access? We will discuss best practices to minimize persistent access by intruders. This session will explain how adaptive privileged security is used to:
1. Minimize lateral motion in the environment
2. Time-limit the value of credentials
3. Control the scope of access for authorized users with real reasons for access
12:00pm - 12:45pm SESSION 5
Growing Cyber Threats Demand Advanced Mitigation Strategies
Jeff Snyder, VP Cyber Programs, Raytheon

12:50pm - 1:50pm LUNCH & NETWORKING

1:55pm - 2:35pm SESSION 6
The New Security Model: Before, During, and After an Attack
Jason Wright, Senior Field Product Manager, Cisco
In the real world, it's no longer a matter of if an attacker will get in, but when. Security professionals need to evolve their strategy from a point-in-time approach to a continuous model that addresses the full attack continuum: before, during and after an attack.
BEFORE: You can't protect what you can't see. To defend against threats you need complete visibility of devices, operating systems, services, files, applications, users, vulnerabilities and more. This information is used to create access control policies and identify users.
DURING: Advanced threats require advanced threat detection. Point-in-time detection methodologies must be sophisticated and updated with automated threat detection feeds for effective blocking of known threats.
AFTER: But what about the unknown threats? Invariably some of these attacks will be successful. The future of network security relies on the ability to look back at the decisions made in the DURING phase and ask if the right decision was made. As new information becomes available, technologies need the ability to change their mind!
1. Explore the Cisco approach to cybersecurity that is visibility-driven, threat-focused and platform-based
2. Perform live policy and attack demos that illustrate solutions to real-world problems across multiple products
3. Illustrate tools that enable a before, during and after security solution in action

2:40pm - 3:20pm SESSION 7
The Road to Automated Threat Hunting
Marc Othersen, CISO, Hess Corp
As cyber threats continue to evolve in frequency, complexity, and impact, successfully hunting for threats within a technology environment is a critical capability of modern IT security programs. In this presentation, Marc Othersen will discuss the importance of threat hunting capabilities to detect advanced threats, outline a framework for a threat hunting capability, and present a case study on how automation can give IT security programs a significant advantage over manual hunting activities.
Key takeaways:
- The basic building blocks for an effective threat hunting capability
- Techniques and requirements for automation
- Caveats for consideration when starting the automated threat hunting journey
3:25pm - 4:05pm SESSION 8
Lessons From One Trillion Transactions: Best Practices in Internet Security
Dan Druker, CMO, Zscaler
The world of IT security is undergoing tremendous change. The unstoppable momentum of the Internet and cloud computing, the ubiquity of mobile devices and the emergence of the Internet of Things have together turned the IT security landscape upside down. Zscaler is one of the world's largest Internet security providers: we protect more than 5,000 global enterprises, governments and military organizations with our award-winning Security as a Service platform, helping them stay safe from cyber-threats, stop leakage of intellectual property, and ensure compliance with corporate, legal and statutory requirements for Internet usage. In this session, Zscaler will share the latest Internet security and compliance findings from mining more than one trillion transactions. We'll cover best practices for dealing with Internet security and compliance in today's cloud and mobile-first world. In addition we will share and discuss:
1. The latest cyber-threat landscape: what attacks are trending, who the bad guys are, what they are up to and how you can protect yourself.
2. How Google, Facebook and virtually all commercial cloud providers are forcing the use of SSL encryption on the Internet, potentially making you blind to what's going on with more than 50% of your traffic and opening a new way for evil-doers to hide their malicious efforts.
3. The case for cloud-based Internet security: just like the CRM market shifted from Siebel to Salesforce and the email market shifted from Microsoft Exchange to Gmail and Office 365, hardware appliance-based approaches to Internet security are rapidly giving way to cloud-based Security as a Service platforms.
4. Lessons learned from more than 5,000 leading global organizations, including Nestle, Coca-Cola, GE, United Airlines, Humana, British American Tobacco, Pitney Bowes, the United States Marines and NATO, that have adopted cloud-based Internet security.

4:10pm - 4:50pm SESSION 9
Incident Response Communications: The Good, The Bad and The Ugly
Derek E. Brink, Vice President and Research Fellow, Aberdeen Group
"We strongly regret the unauthorized disclosure of your personal information." "We want to assure you that we take security and privacy very seriously." If your organization has experienced a security breach (even if it has done all the right things), you still have to communicate to your customers about an awkward and unpleasant topic. Platitudes such as "we regret" and "we take this very seriously" just don't cut it. There are certain things they want to know: What happened? Who is accountable? What steps are being taken to prevent it from happening again? How will they be made whole? This workshop, led by Aberdeen Group research fellow Derek Brink, will:
- Highlight some of his work in the area of how organizations communicate publicly about security incidents (be forewarned: most of it is very bad)
- Establish a framework for effective incident response communications
- Use the framework to grade a couple of public incidents for group discussion
Participants will gain a new perspective on their organization's current state of preparation for potential crisis communications related to information security, and most likely a new item on their to-do list for when they get back to the office.
4:55pm - 5:35pm SESSION 10
Third Party Risk Management: How are you Managing the Vulnerabilities of your Third Parties?
Leader: Frank Roppelt, BNY Mellon
The use of 3rd party service providers is continuing to grow within your organizations and will remain an upward trend for the future, as cost savings compel the business to outsource their operations and streamline their processes for maximum efficiency. The presentation will provide insight on common risks related to engaging 3rd party vendors, the process of risk assessing a vendor's services and controls, and guidance on how to partner with Legal, Procurement, and Finance to ensure a vendor's security services and possible risks are properly reviewed and communicated. Throughout the presentation we will discuss in detail how Security needs to enable the business to succeed and therefore must inject itself into the many processes it takes to onboard a vendor. These include but are not limited to:
- Security language in the RFP to potential vendors, making sure their services meet the minimal security requirements of your organization.
- Contract reviews with Legal to ensure that security terms and conditions are integrated into contracts for vendors who store, process, or transmit customer, employee, or sensitive company information, and that Security has the right and the authority to review and make changes to contracts as it sees fit.
Key takeaways:
- How to partner with critical departments within your organization to ensure security is part of the vendor selection
- Process of integrating security language into 3rd party contracts and having a seat at the table with Legal Counsel for contract reviews and sign-off
- Art of performing a detailed security risk assessment of the vendor (going beyond the checkbox methodology)
- Key to performing onsite visits and audits of datacenters, SOCs, and sensitive information processing areas, verifying appropriate controls are in place
- Clearly reporting risk about 3rd party vendors in a way that makes sense to the business, and driving closure of risks in a timely manner

6:45pm - 7:30pm COCKTAILS AND NETWORKING

7:30pm - 10pm DINNER

DAY 3 - December 10th

7:00am - 8:00am BREAKFAST

8:10am - 8:50am SESSION 11
Security Risks for Operational Technologies
John Patterson, Merck
Recent events, including the Stuxnet attack and various government sponsored research projects, have shown that operational technologies critical to the electrical power grid, manufacturing systems and health care infrastructure are vulnerable to external cyber attacks and intrusions. What has complicated this challenge is that although modern infrastructure and operational technologies have been developed to take advantage of the communication capabilities of the Internet, the cyber security countermeasures vary significantly and appear in some cases to be inadequate in mitigating the risks introduced by the use of the Internet. Furthermore, if the cyber security gap is not adequately addressed, a major incident could limit the ability to fully develop new technologies that depend on Internet based operation and communication. Additionally, the US government has recently issued various directives and is now considering legislation relating to security requirements, particularly in high risk areas such as medical devices. This workshop will review the current state, evaluate existing and proposed legislation, and offer practical use cases on how to identify and mitigate the cyber risks associated with operational technologies.

8:55am - 9:35am SESSION 12
Balancing Security and Opportunity in the Mobile Era
Mobile technology is enabling new ways for businesses to engage with their employees and customers. With the proliferation of mobile devices and apps in the workplace, security concerns have heightened significantly. In this session we'll discuss best practices you can use to implement a layered approach to protecting corporate data and employee privacy, while elevating productivity in this new model.

9:40am - 10:25am ROUNDTABLE SESSIONS
Track 1: GRC and the Business Value of Security
Track 2: The Changing Threat Landscape
Track 3: Best Practices in Security Controls

10:30am - 11:10am SESSION 13
Do the Top N Security Controls Really Make Sense?
Derek Brink, VP & Research Fellow, Aberdeen
The Australian Defence Signals Directorate has its "DSD Top 4"; the SANS Institute has its "First Five Quick Wins" as part of its 20 Critical Security Controls. The key question for this workshop is: do these initiatives provide a welcome way to cut through the complexity of potential security controls that has been referred to as the "fog of more", or do they represent an impossible one-size-fits-all approach to the balance of risk, cost, compliance and usability that every organization has to decide for itself?
This workshop, led by Aberdeen Group research fellow Derek Brink, will:
- Present a simple framework to map security controls in two primary dimensions: physical, administrative, or technical; and deter / prevent, or detect / respond / restore
- Show a heat map of how currently deployed security controls fit in this simple framework, based on a number of benchmark studies
- Describe the DSD Top 4 and the SANS CSC 20 in this simple framework
- Discuss the key question: are the Top N controls a welcome simplification, or an impossible one-size-fits-all approach?

11:15am - 11:55am SESSION 14 Meetings & Networking

12:00pm - 1:00pm LUNCH AND NETWORKING

1:05pm - 1:45pm SESSION 15 TBD

1:50pm - 2:30pm SESSION 16 TBD
3:20pm - 3:50pm ROUNDTABLE FEEDBACK AND WRAP-UP