
Wednesday, October 5
 

8:00am EDT

Registration | Check-In
Registrations

Wednesday October 5, 2016 8:00am - 9:00am EDT
A Spotlight Microsoft Technology Center, 11 Times Square New York, NY 10036

9:00am EDT

Keynote - Larry Clinton
To be confirmed

Speakers
Larry Clinton

President and Chief Executive Officer, Internet Security Alliance
Larry Clinton is President and CEO of the Internet Security Alliance (ISA). In 2015 the National Association of Corporate Directors named him as one of the 100 most influential people in the field of corporate governance. He serves on the Executive Committee of the IT Sector Coordinating...


Wednesday October 5, 2016 9:00am - 9:45am EDT
Central Park West 6501/Central Park East 6501a Joined Rooms Microsoft Technology Center, 11 Times Square New York, NY 10036

9:45am EDT

Break & Switch Rooms
Break

Wednesday October 5, 2016 9:45am - 10:00am EDT
A Spotlight Microsoft Technology Center, 11 Times Square New York, NY 10036

10:00am EDT

Turning Hackers’ Gold – Data – into Straw
Data has become king in the enterprise. As organizations are in an “arms race” to leverage data, attackers are equally interested in that data. CISOs must rethink traditional security to both protect data and use data against the adversary. The session covers various strategies, security models, tactics and tools to keep data secure across an infrastructure including cloud, hybrid and BYOD, and across changing business models that leverage business partners and various data sources. It also covers the role of data and data analytics in establishing metrics to drive and measure the efficiency and effectiveness of components of a security program.

Takeaways:

• Understanding of Data Centric Security Models & how to leverage them to enhance enterprise security
• How Data Centric Security Models can be used to contain security costs by limiting PCI scope, eliminating need for redundant systems and containing regulatory compliance costs
• Learn the most effective secure data solutions for your business requirements, why and when to use each solution.
• Providing data for metrics on security program effectiveness

Speakers
Cindy Cullen

Chief Cyber Security Strategist, HPE
A cyber security professional well versed in Enterprise Security Architecture (ESA), Application Security, Risk Management, Identity Management, Web Services Security, Software Design, Data Encryption, Mobile Security, Project Management, Compliance and Large Scale Integration. A known...


Wednesday October 5, 2016 10:00am - 10:45am EDT
Central Park West 6501/Central Park East 6501a Joined Rooms Microsoft Technology Center, 11 Times Square New York, NY 10036

10:00am EDT

“Look mom! No vulns!”: Attacking Smart Systems By Faking Signals, No 0-Days Required.
As the world becomes increasingly Smart, we rely more and more on remote sensor data to be our eyes and ears, from the cameras used by security guards at a bank to the turbine RPM sensor used by control room operators at a power plant. Both humans and algorithms make decisions based on this data, all day, every day.
But what if that information is wrong? What if an attacker manipulates the decision makers (be it man or machine) into doing the wrong thing? An intelligent adversary can wreak havoc on a Smart system by faking sensor information, thus creating an illusion of a false state. The lie can hide malicious activity by simulating a normal system state, or even worse: fooling the system into damaging itself.
In this talk we’ll discuss several real life scenarios of damage done by state awareness failure, from statewide blackouts to traffic jams. We’ll talk about the unique fingerprint of every physical process and state - and see a demonstration distinguishing 2 identical motors. Then we’ll use this technique to detect synthetic and fake data by “reading between the lines” of the signal.
Finally, we’ll show a live SCADA attack demonstration from our lab that hides the damage it’s causing from the control room operators and demonstrate how such an illusion can be broken using intelligent algorithms.

Speakers
Michael Shalyt

Head of Product and Red Team, Aperio
Michael Shalyt leads the APERIO Systems research and product development team. Prior to joining APERIO, Michael led the malware research team at the renowned cybersecurity firm Check Point, following four years as a leading researcher and team leader in an elite IDF intelligence unit...


Wednesday October 5, 2016 10:00am - 10:45am EDT
Music Box 5411 Microsoft Technology Center, 11 Times Square New York, NY 10036

10:00am EDT

Using Data Intelligence to Separate Fact from Fiction on the Dark Web
Much myth surrounds the dark web. In fact, even defining it is a challenge, as often it is described in vague, sensationalized terms. Using data collected by our data intelligence platform, we’ve observed that while the dark web is large, it is not intractably so. It primarily consists of several thousand domains and a few hundred forums and marketplaces where illegal content and materials are most often traded. It is certainly not well-represented by the ubiquitous iceberg image often used to describe it.

In this session, we will present detailed statistics about the types of content that are most notable on the dark web. We will describe examples relating to fraud and data theft and show that by using a data intelligence approach, organizations can efficiently monitor these parts of the internet and detect data breaches much earlier. The data intelligence approach relies on technologies that are automated, actionable, and affordable, or what we call the three A’s. By focusing on these three characteristics, organizations of all sizes can start to light a candle instead of cursing the darkness.

Speakers
Danny Rogers

CEO, Terbium Labs


Wednesday October 5, 2016 10:00am - 10:45am EDT
Radio City 6604 Microsoft Technology Center, 11 Times Square New York, NY 10036

10:00am EDT

Introduction to Malware Analysis - 0 to 60 in Under an Hour
Knowing how to analyze malware has become a critical skill for incident responders and other infosec professionals. A good way to get started with such efforts involves examining how malicious software behaves in a controlled laboratory environment. In this session, Lenny Zeltser demonstrates key aspects of this process, walking you through behavioral analysis of a real-world Windows malware specimen by using several free tools.

You will see practical techniques in action and understand how malware analysis will help you to triage the incident to assess key capabilities of the malicious software. You will also learn how to determine ways of identifying this malware on systems in your environment by establishing indicators of compromise. You will:

• Learn the most essential aspects of malware analysis in the context of incident response and forensic investigations.
• Understand how to perform initial malware triage by extracting static properties and metadata from the suspicious executable.
• Know how to use freely available tools to examine the behavior of a malicious Windows executable.

Speakers
Lenny Zeltser

Director, Product Management, NCR Corporation & SANS Institute
Lenny Zeltser is a seasoned business and tech leader with extensive information security expertise. As a product portfolio owner at NCR, he delivers the financial success and expansion of the company’s security services and SaaS products. Beforehand, as the national lead of th...


Wednesday October 5, 2016 10:00am - 10:45am EDT
Winter Garden 5412 Microsoft Technology Center, 11 Times Square New York, NY 10036

10:45am EDT

Break & Switch Rooms
Break

Wednesday October 5, 2016 10:45am - 11:00am EDT
A Spotlight Microsoft Technology Center, 11 Times Square New York, NY 10036

11:00am EDT

Cloud Security vs On-Premises Security What's better, what's different
Often technology and even security professionals approach security of their entire infrastructure in the same way. However, this is NOT a best practice, it is a worst practice. Come to this session to see how securing on-premises is very different from securing cloud resources. As we migrate workloads to the cloud, there are REAL considerations to do it right. It is far easier to do it right the first time than to do it again to fix your errors and gaps. Learn about the inherent benefits of cloud and cloud security and why you should implement them in your organization.

Speakers
Dan Stolts

Chief Technology Strategist, Microsoft
Dan Stolts “ITProGuru” is a technology expert who is a master of systems management and security. He is Chief Technology Strategist for Microsoft, owns several businesses and is a published author. Reach him on his primary blog http://itproguru.com or Twitter @ITProGuru. He is...


Wednesday October 5, 2016 11:00am - 11:45am EDT
Central Park West 6501/Central Park East 6501a Joined Rooms Microsoft Technology Center, 11 Times Square New York, NY 10036

11:00am EDT

Software Supply Chain Management: Enabling Enterprise Resilience and Cybersecurity Assurance
As the cyber threat landscape evolves and as software dependencies grow more complex, understanding and managing risk in the software supply chain is more critical than ever. The Internet of Things (IoT) will inevitably lead to a massive proliferation of a variety of types of software-reliant, connected devices used across multiple environments. With IoT increasingly dependent upon software of unknown provenance and pedigree, composition analysis and signoff are needed to determine 'fitness for use' and trustworthiness in terms of quality, security, safety, and licensing.

This presentation addresses risk management and security-enhanced practices in software development and acquisition, various types of testing needed to provide sufficient coverage, standards-based security automation required to enable scalable actions, and Software Composition Analysis and Signoff as means for securing applications and better enabling IoT supply chain risk management in support of enterprise resilience.

Speakers
Joe Jarzombek

Director, Govt & Critical Infrastructure Programs, Synopsys
Joe Jarzombek is Global Manager for Software Supply Chain Management for the Software Integrity Group at Synopsys. He leads efforts to enhance the Software Integrity Platform to mitigate software supply chain risk via automated analysis and testing technologies that integrate...


Wednesday October 5, 2016 11:00am - 11:45am EDT
Music Box 5411 Microsoft Technology Center, 11 Times Square New York, NY 10036

11:00am EDT

What the Security Professional Needs to Know about Cryptography
This presentation will cover those things which security practitioners need to know about cryptography that cryptographers do not know and schools do not teach. These include applications, measures of strength, capabilities, limitations, and weaknesses; principles, applications, and uses of key management; cryptanalysis, attacks, and their limitations. It will cover some useful truths and dispel some dangerous myths. It will improve the security professional's ability to select, use, manage, and operate crypto systems, and applications effectively and efficiently.

Speakers
William Hugh Murray

Principal, William Hugh Murray, CISSP
I have more than sixty years experience in information technology; was a punched card machine operator before programming. I have more than fifty years in information security and forty years in the application of cryptography to information security. My practice includes governance...


Wednesday October 5, 2016 11:00am - 11:45am EDT
Radio City 6604 Microsoft Technology Center, 11 Times Square New York, NY 10036

11:00am EDT

The *Vulnerability* Response Program – Responding to attacks that haven’t even happened yet
You probably have an incident response program in place, but do you have a *vulnerability* response program? Organizations are swimming in application vulnerabilities and getting hit with new ones all the time. Some come from developers as they develop new code. Others are in libraries included in projects as part of the software supply chain. Still more are novel flaws discovered by talented security researchers. Each of these vulnerabilities represents risk to your organization and each demands a unique structured response across your portfolio built from various options, each with strengths and challenges:

• Fix the code - now or later
• Upgrade to the latest library version
• Defend at HTTP level with WAF or filter
• Defend at code level with RASP
• Defend with CVE shields
• Prevent flaw architecturally
• Enhance tools to detect throughout portfolio
• Enhance detection to detect attempts to exploit
• Put it in a risk or vulnerability management tool and forget it
• Accept the risk
• A combined approach

How do you choose the right approach for responding to a vulnerability? How do you set policies for vulnerabilities in general? When should the response happen? Do you have an SLA around vulnerability response? Who needs to be involved in this decision? How can you minimize the cost of emergency code re-engineering to solve vulnerabilities? In this talk, Jeff will describe best practices for building an efficient, safe vulnerability response program including threat

Speakers
Jeff Williams

Cofounder and CTO, Contrast Security
Jeff brings more than 25 years of application security leadership experience as co-founder and Chief Technology Officer of Contrast Security. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by...


Wednesday October 5, 2016 11:00am - 11:45am EDT
Winter Garden 5412 Microsoft Technology Center, 11 Times Square New York, NY 10036

11:45am EDT

Lunch & Meet the vendors

Wednesday October 5, 2016 11:45am - 1:00pm EDT
A Spotlight Microsoft Technology Center, 11 Times Square New York, NY 10036

1:00pm EDT

Keynote - Nicholas Percoco

The Standard Dilemma


Speakers
Nicholas Percoco

Chief Information Security Officer, Uptake
Nick is the Chief Information Security Officer at Uptake. Most recently, he served as the Vice President at Rapid7, a publicly held security data analytics company. He co-founded the “I am The Cavalry” movement, a highly regarded grassroots hacker organization that is focused...


Wednesday October 5, 2016 1:00pm - 1:45pm EDT
Central Park West 6501/Central Park East 6501a Joined Rooms Microsoft Technology Center, 11 Times Square New York, NY 10036

1:45pm EDT

Break & Switch Rooms
Break

Wednesday October 5, 2016 1:45pm - 2:00pm EDT
A Spotlight Microsoft Technology Center, 11 Times Square New York, NY 10036

2:00pm EDT

Why The Cloud Is About To Become The Most Secure Storage Platform in History
How Secure is the Cloud? It is about to become the most secure storage platform in history.

Cloud computing is rapidly changing the way data is stored and retrieved. However, even with explosive changes to the cloud infrastructure, many companies are holding off on cloud adoption for fear of a rainy day. While the cloud is here to stay, it is about to get a major overhaul that will make it the most secure storage platform in history. The presentation includes a live demonstration of prototype technology that has not been seen by the public.

• Learn why the current Cloud environment is a tumultuous storm waiting to happen.
• Find out why the big companies are worried about adopting the cloud.
• Three things to consider before you find yourself in the Cloud of regulatory hell.
• Learn what future technologies will have a major impact on Cloud security, and why the Cloud will become the safest storage platform in history.
• A live demonstration of prototype technology that has not been seen by the public.

Speakers
Paul Lewis

Vice President, Technology Risk, T&M Protection Resources
Paul Lewis joined T&M in April 2009 and serves as Vice President of Technology Risk, a strategic service business initiative comprised of Cyber Incident Response, Data Forensics, Information Security, and Compliance Technology. A court appointed expert witness with vast experience...


Wednesday October 5, 2016 2:00pm - 2:45pm EDT
Central Park West 6501/Central Park East 6501a Joined Rooms Microsoft Technology Center, 11 Times Square New York, NY 10036

2:00pm EDT

Improving The Security of Your Organization via Mock Malware Incidents
“Business held for ransom” is becoming an all too common headline as organizations begin to see a spike in ransomware attacks being conducted against them. While there are numerous checklists in existence, such as the OWASP Anti-Ransomware Guide (https://www.owasp.org/images/a/a8/Anti-RansomwareGuide.pdf), that can provide guidance to organizations on the types of security controls they can put in place to prevent and mitigate malware attacks, these guides do nothing to help organizations ensure that the controls they selected are implemented both properly and effectively. Moreover, such guides do little to ensure that the people designated to respond to a malware incident do so in an optimal way. Organizations should never assume a control is effectively implemented without taking the time to see whether it can be circumvented or, worse yet, without verifying that the control is actually in place. In order to vet the controls that organizations have implemented and the responses of their employees, organizations should turn towards red team exercises, such as conducting mock malware incidents. This presentation will walk participants through several mock malware incidents used to test and improve the security of a Brooklyn-based medical center and will describe the types of lessons that can be learned from conducting such incidents.

Speakers
Christopher Frenz

Director of Infrastructure, Interfaith Medical Center
Christopher Frenz is the Director of IT Infrastructure at Interfaith Medical Center and is an expert on healthcare security and privacy. He is the author of the books "Visual Basic and Visual Basic .NET for Scientists and Engineers" and "Pro Perl Parsing", as well as the author of numerous...


Wednesday October 5, 2016 2:00pm - 2:45pm EDT
Music Box 5411 Microsoft Technology Center, 11 Times Square New York, NY 10036

2:00pm EDT

Access Control Lists so 1900’s Let us move past the 1980’s technology
We’ve been using access control to protect data for years, but it’s just not working anymore. In this session you will learn about applying conditions to protect data.
Think about this: you grant a user permission to the finance share and he or she copies data to a non-approved location. Now any user can look at the data.
In this session, you will learn how to apply conditions to data so the user can only work and save data where you want them to. You will also be able to limit access based on group membership and location rules. You will also learn how you can automatically apply encryption rules to data.

Speakers
Jay Ferron

CISO, ITS
Jayson Ferron, CEH, CISM, CISSP, C)PTE, C)ISSM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM. A multi-certified Information Security Subject-Matter-Expert (SME) with more than 30 years of professional experience, which includes Security & Compliance, Integration and Transformation...


Wednesday October 5, 2016 2:00pm - 2:45pm EDT
Radio City 6604 Microsoft Technology Center, 11 Times Square New York, NY 10036

2:00pm EDT

Meet Hal, My New AI Intelligent Automated Incident Responder
Meet Hal, my new AI-intelligent cyber security incident responder. Yes, AI-Intelligent Automated Incident Responder. Responding to the realities of the IoT and likely more than 50 billion mobile devices, several organizations have developed or are in the process of developing automated, machine-driven Incident Response Hardware to both monitor their networks and endpoints, and to respond to cyber attacks before they have an opportunity to damage, harm or encrypt your network. This hardware will be the new normal and likely the required "normal" for large entities and regulated financial institutions, banks and investment advisers and funds. Importantly, this hardware will not replace the human, but will help them discern false positives from real alerts, and will help them best orchestrate an immediate response. The future is here, and his name is Hal.

Speakers
Paul Ferrillo

Of Counsel, Weil Gotshal LLP
Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity...


Wednesday October 5, 2016 2:00pm - 2:45pm EDT
Winter Garden 5412 Microsoft Technology Center, 11 Times Square New York, NY 10036

2:45pm EDT

Break & Switch Rooms
Break

Wednesday October 5, 2016 2:45pm - 3:00pm EDT
A Spotlight Microsoft Technology Center, 11 Times Square New York, NY 10036

3:00pm EDT

Measuring the Cybersecurity of Software
Recent security breaches such as the ones at SWIFT and Target are entering the realm of nine-digit defects, where damages can exceed $100 million. This makes the security of business applications a boardroom issue. Advances in static analysis technology enable IT to detect weaknesses in the source code that can be exploited to gain unauthorized entry. Both the Software Engineering Institute and CAST Software have recently found that weaknesses causing reliability problems can in many cases be exploited for unauthorized entry, indicating that poor quality code is also insecure code.

The Consortium for IT Software Quality (CISQ) is chartered by its industrial sponsors to create automatable measures of software size and quality. CISQ measures include standards recently approved by the Object Management Group for Automated Function Points, Reliability, Security, Performance Efficiency, and Maintainability. The four quality measures are based on definitions of these attributes in ISO 25010 and provide source code level measures that supplement the largely behavioral measures in ISO 25023. In particular, the Security measure is based on measuring 22 of the Top 25 Common Weakness Enumerations (i.e., CWE/SANS Institute Top 25 most dangerous software errors, OWASP Top 10) that can be detected through static analysis. These weaknesses include well-known culprits such as SQL injection, buffer overflows, and cross-site scripting. This measure provides an accurate estimate of the likelihood that an attacker can find an exploitable weakness in an application.

The continuing flow of breaches exploiting SQL injection, a weakness known since the late 1990s, suggests that IT needs a major undertaking similar to the Y2K endeavor to rid source code of the most easily exploited weaknesses. Executives both in and outside IT need to assess the cybersecurity risk of their systems using measures such as the CISQ standards and enforce remedial actions based on them.

Speakers
Lev Lesokhin

Board Member, Consortium for IT Software Quality (CISQ)


Wednesday October 5, 2016 3:00pm - 3:45pm EDT
Central Park West 6501/Central Park East 6501a Joined Rooms Microsoft Technology Center, 11 Times Square New York, NY 10036

3:00pm EDT

Deep, Fast & Strong: IAST & RASP for Techies – Understanding How Runtime Analysis Actually Works!
IAST (& RASP) are revolutionary technologies, which are starting to gain traction in the market. While this is becoming a buzz, the vast majority of security experts do not understand the details of this technology and how it works. In this talk we will do a deep dive and explain the nitty gritty details. (The talk will focus only on the technology and how it works, and will not have any specific product references.)

Brief Layout:
The presentation will begin by providing (very brief!) background information on challenges in appsec security testing and existing solutions in the space (SAST/DAST). We will then present the basic concept of runtime analysis and what are the key principles behind this approach.

Following the introduction, we will start by explaining the different possible techniques available for runtime analysis, including debugging, instrumentation, aspect-oriented injection, modification of runtime environment, compilation of runtime hooks, etc. We will explain the merits of each technique, and focus specifically on instrumentation which is the most widely used approach for runtime code analysis. We will show how instrumentation can be used to inject code into the memory of the process to demonstrate the level of granularity achievable with runtime analysis.

After understanding how runtime analysis works, the talk will continue on to explaining its usage. In this part, we will demonstrate various common vulnerabilities (such as SQL Injection, XSS, CSRF, Parameter Tampering, etc.) and show how runtime analysis can be used to detect these issues in the code. This will include specific code samples, showing the vulnerable piece of code, combined with the request launched against it and how it is executed in memory, at runtime, and identified by a runtime analysis engine.

Finally, we will discuss the usage of runtime code analysis, such as AppSec testing (IAST) and vulnerability detection and blocking (RASP).

Speakers
Ofer Maor

Director of Security Strategy, Synopsys
Ofer Maor is a security expert and entrepreneur with over 20 years of experience in information and application security. Ofer has been involved in application security from its early days, through research, penetration testing, consulting, and product development. As the founder and...


Wednesday October 5, 2016 3:00pm - 3:45pm EDT
Music Box 5411 Microsoft Technology Center, 11 Times Square New York, NY 10036

3:00pm EDT

The Real Final Frontier - Defending the Human
The talk will present relevant research on why most cyber security awareness efforts fail and what the impact is. Specific flaws to be discussed include: alignment within the organization, ownership, content, testing, and validation. Real world cases of successful awareness strategies and their results will be discussed. Exercises will be used to allow attendees to leverage content and begin to formulate successful strategies. Finally, a set of tools and resources will be provided to guide practitioners in assessing their current strategies, identifying gaps, and planning next steps to improve their own organizations' awareness programs.

Speakers
Kenneth Newman

Cybersecurity Faculty, Missouri State University
Kenneth Newman has more than twenty years of experience in technology, security, risk, fraud and privacy with a proven track record delivering risk-based solutions in financial services. In various roles, he has been responsible for leading security, risk, governance and...


Wednesday October 5, 2016 3:00pm - 3:45pm EDT
Radio City 6604 Microsoft Technology Center, 11 Times Square New York, NY 10036

3:00pm EDT

Red Teaming the C-Suite--The Ultimate InfoSec Awareness Program
The sad truth is Cybersecurity Awareness Programs can be stale, boring and ineffective, leaving many employees and managers to grudgingly complete their annual training requirement without really understanding the importance of good cyber hygiene. And while you may hold periodic tabletop exercises to test your Cybersecurity Incident Response Plan, often the C-Suite is not fully engaged (if at all). Red Teaming the C-Suite will bring buy-in from your company’s executive leadership team by making Cybersecurity personal and tangible, not some abstract discussion point in a slide deck. This presentation/demo will look at ways your internal Cybersecurity Team can conduct Red Team Exercises on a budget that will engage your C-Suite and hopefully increase their awareness and advocacy (funding!) for your Cybersecurity program.

Speakers
Thomas Stephenson

Director, Cybersecurity Operations, S&P Global
Thomas Stephenson is the Director of Cybersecurity Operations at S&P Global where he leads the Global Cybersecurity Operations and Incident Response Team. He is a retired U.S. Air Force Officer and a Bronze Star recipient with combat time in Iraq embedded with the U.S. Army. After...


Wednesday October 5, 2016 3:00pm - 3:45pm EDT
Winter Garden 5412 Microsoft Technology Center, 11 Times Square New York, NY 10036

3:45pm EDT

Break & Switch Rooms
Break

Wednesday October 5, 2016 3:45pm - 4:00pm EDT
A Spotlight Microsoft Technology Center, 11 Times Square New York, NY 10036

4:00pm EDT

CISO Panel

The Future of Cyber Security, Risk Mitigation, and Threat Management

Abstract - Theme

A universe of ambiguity exists between cyber risk and business action, and the gap between compliance and security is ever widening. Most organizations are overburdened with the myriad of cyber defense solutions available in the market today. Every vendor represents a novel approach and untested methodology, which only solves a small part of a much larger problem. For board executives, CXOs, and CISOs, this challenge is confounding, and the lack of clarity it creates is dangerous.

Bottom line: Real business risk is accelerating at a pace faster than the business opportunity. Consequently, the current risk environment requires a more aggressive senior leadership engagement and oversight of threat management activities across all key risk areas of the business. This required level of engagement should be focused on comprehensive threat management to ensure:

1) appropriate internal awareness, understanding, and focus on proactive threat management;
2) absolute clarity for executive oversight, responsibility, accountability, and organizational governance;
3) reliable and integrated cyber and non-cyber intelligence capture and threat recognition; and
4) proven incident response processes in place from threat inception & recognition through final remediation.


Speakers
Ed Amoroso

Chief Executive Officer, Tag Cyber, LLC
Dr. Edward G. Amoroso is currently Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of companies across the world. Ed recently retired from AT&T after 31 years of service, beginning in...

Steven Johnson

Business Information Security Officer, New York Life Insurance Company

Ken Pfeil

Executive Managing Director, Arrow Consulting Solutions, LLC

Peter Rosario

Co-Chairman, NYMJCSC
TBD


Wednesday October 5, 2016 4:00pm - 4:45pm EDT
Central Park West 6501/Central Park East 6501a Joined Rooms Microsoft Technology Center, 11 Times Square New York, NY 10036
 
