Day 1, Oct 08, 2019
08:30 - 09:00
West Ballroom and Ballroom Foyer
Welcome Coffee & Registration
09:00 - 09:15
Grand Ballroom
Opening Plenary Session — Joint Welcome by KuppingerCole & OASIS
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
John Tolbert, Lead Analyst and Managing Director of KuppingerCole, Inc (US), KuppingerCole
09:15 - 09:45
Grand Ballroom
Opening Plenary Session — Keynote: The Future of Cyber Operations
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
Dave Luber, Executive Director (ExDIR), United States Cyber Command (USCYBERCOM)
09:45 - 10:15
Grand Ballroom
Opening Plenary Session — Keynote: A Random Walk Through Cyber Security
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
Ed Amoroso, Chief Executive Officer, TAG Cyber LLC
Dr. Amoroso takes attendees on a fast-paced journey through a variety of current topics in cyber security including protection of national elections from tampering, reduction of nation-state cyber risk, protection of emerging cloud services from threats, and deployment of machine learning and artificial intelligence for modern security protection.
10:15 - 10:45
West Ballroom and Ballroom Foyer
Coffee & Networking
10:45 - 11:45
Holeman Lounge
Plenary Panel - Fight Smarter, not Just Faster
Track : Borderless Cyber Track (BC)
Speakers
John Felker, Assistant Director, Integrated Operations Division (IOD), Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA)
Harley Parkes, IACD Lead, JHU APL
Geoff Hancock, CISO, Advanced Cybersecurity Group
Our community is adopting SOAR to speed up SOC processes. This leads to demonstrable improvements in response time, but is that enough? Can we ever get faster than the adversary? Is there a way to shift the advantage to the defender?
The makeup of this panel attempts to span different perspectives of what it means to scale network defenses and different realities or limitations that affect scalability. The intent is to offer a well-balanced, multi-faceted perspective on using more scalable approaches to gain an advantage over the adversary, or at least narrow the gap. There will be plenty of time for Q&A because that is where the real potential of this panel lies – the ability to bring the participants into the conversation, which in turn brings out more perspectives…and hopefully inspires individuals to come up with solutions.
Everyone keeps focusing on speed (or the lack thereof) in cyber operations. There is a desire to automate as much as possible, share as much as possible, and detect/respond as fast as possible – but it is unclear if this is going to have the impact or result that is desired. All of these need to be done, but how do you do them in a way that actually increases the effectiveness of operations (not just the efficiency)? How do you share threat intelligence that is consumable and usable by network defenders, in an automated manner? While current operations are overly reliant on human beings to make decisions, there is a reason and need to have humans involved in the operational OODA loop. How can we shift operational processes and activities such that there is time to involve humans as appropriate and still impact the adversary?
There is a need to think about scale when addressing cyber security operations – and discussing what that means and how to achieve it is an important first step. For example: there are millions of IOCs associated with known malware, hundreds of vulnerabilities exploited by that malware, but only 10-20 ways in which the adversary uses that malware to achieve objectives. It seems that finding a way to share these techniques or procedures, develop detection mechanisms for them, and provide processes for investigating and mitigating instances would have a lot more impact on the adversary than blocking IOCs. But how do we share this type of information and how do we make it actionable? What scales with respect to network defense and cyber security operations?
Key take-aways:
The intent of this panel is to inspire participants to think differently about threat intelligence, automation, and orchestration in the hopes of spawning new ideas and implementations that are more scalable for net defense.
11:45 - 12:15
Grand Ballroom
Plenary Session — Breaking news: Global, multi-vendor cybersecurity ecosystem launches at Borderless Cyber & CyberNext
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
Darren Thomas, Senior Product Manager, Open Data Exchange Layer, McAfee
Jason Keirstead, Chief Architect, Threat Management, IBM Security CTO Office
IBM Security, McAfee, and leading organizations from around the world will unveil a new alliance for sharing data among cybersecurity tools. This exciting initiative will be supported by the OASIS Open Project program. Details are still under wraps, but Borderless Cyber attendees will hear about it first.
12:15 - 13:15
West Ballroom and Ballroom Foyer
Lunch & Networking
13:15 - 13:45
Holeman Lounge
BC Track: Opening Pandora's Box with FAIR + ATT&CK + SOAR = An Improved Cyber Security Response Strategy
Track : Borderless Cyber Track (BC)
Speakers
Tyler Rorabaugh, Director Technical Business Development, Palo Alto Networks
When I meet with CISOs and Cyber Security Directors, they usually ask what use cases they should target first. I generally proceed with a few simple questions and immediately recommend going after general use cases or low-hanging fruit, or a strategy based on how mature their organization is. During this session, you'll find out what questions I ask, what answers I get, and why I propose approaching a cyber security response using FAIR + ATT&CK + SOAR.
Risk and compliance managers and disaster recovery experts have been applying a variety of risk models to organizations and businesses for many years, and they have just begun the complex process of truly understanding cyber risk. Part of the reason that cyber security insurance exists for corporations is that risk and compliance managers have a way of protecting the organization from liabilities which may be out of their control, or because they simply do not understand the cyber security problem domain. One of the core reasons behind this is that risk and compliance managers focus on corporate risks such as disaster recovery or compliance risks like GDPR, PCI, SOX, and HIPAA, which do not really protect or reduce the risk of cyber threats to the organization. While useful, these risks are a somewhat different realm than protecting the organization from cyber security threats or reducing risk on a continuous basis in their cyber security program.
The result and outcome of all of this is a lack of focus around improving their cyber security response strategies for potential or real breaches to their organization when or if they occur. When developing cyber security response strategies, it's obvious to CSOs, incident responders and security operations staff members that they should specifically develop solutions based on either a quantity of alerts, the cyber threat event frequency, responding to known vulnerabilities, or simply going after and protecting against low-hanging fruit or things that take the most time within the organization. However, cyber security response activities generally do not align with the overarching goals of risk managers or compliance officers, nor do risk management teams necessarily understand cyber security risks. The primary reason is that risk managers and compliance managers are thinking of loss of financial or reputational value to the organization. It is much easier for risk managers to understand what the expected financial or reputational loss will be if a building burns down than the financial or reputational loss to the organization if an intern's laptop is breached.
So how can we improve this game of Whack-a-mole? This is where potentially combining the FAIR (Factor Analysis of Information Risk) model with MITRE ATT&CK and a SOAR (Security Orchestration and Automated Response) strategy can improve and enable organizations to prioritize their cyber security response strategies and processes. In this talk, I will discuss the basics around the FAIR model and ATT&CK framework, as well as address how the combination of these with SOAR to prioritize an organization's response capability can attempt to reduce the risk for the organization.
Reducing real cyber risks to an organization requires an active commitment to risk management combined with a continuous approach to cyber security response, by not just the CISO or Directors of Security within the organization, but by the risk management staff who stand beside them.
Key take-aways:
A basic understanding of FAIR, ATT&CK, and SOAR
An approach option to improve your cyber security response initiatives using FAIR, ATT&CK, and SOAR
13:15 - 13:45
Grand Ballroom
CNS Track: AI in Cybersecurity: Between Hype and Reality
Track : Cyber Next Summit Track (CNS)
Speakers
Alexei Balaganski, Lead Analyst, KuppingerCole
Artificial Intelligence is surely one of the hottest topics in nearly every industry nowadays, and not without reason. Some of its practical applications have already become an integral part of our daily lives – both at home and in offices; others, like driverless cars, are expected to arrive within a few years. With AIs beating humans not just in chess, but even in public debating, surely they've already matured enough to replace security analysts as well?
In this session, we are going to look at the current state of AI in cybersecurity and try to see behind the buzzwords on product labels. What are the benefits and inherent limitations of current machine learning technologies? Should we expect any major breakthroughs in the upcoming years? And, last but not least, should we human security experts start worrying about our jobs already?
13:45 - 14:15
Holeman Lounge
BC Track: DODCAR Overview: Standardizing and Automating Cyber Threat Understanding for Threat-based, Cybersecurity Assessments
Track : Borderless Cyber Track (BC)
Speakers
Owen Sutter, Principal Technical Architect for Threat-Based Cybersecurity, DOD Cybersecurity Analysis & Review (DODCAR)
Karin Breitinger, DODCAR Planner, Tensley Consulting INC.
The DoDCAR performs threat-based, cybersecurity architecture assessments to ensure DoD leadership has the insight and knowledge to make well-informed, prioritized cybersecurity investment decisions to enable dependable mission execution on the unclassified and classified environments. This approach establishes a threat-based, analysis-driven, repeatable process to synchronize and balance cybersecurity investments, minimize redundancies, eliminate inefficiencies, and improve all-around mission performance. The DODCAR framework provides a foundation for automation through a data standardization and tagging framework to develop analytics and machine learning in cyber security. This talk will provide an overview and deeper understanding of the DODCAR methodology and its objectives, and lay a foundation for data standards and tagging to help the whole cybersecurity community better understand cyber threat.
The Department of Defense Cybersecurity Analysis and Review (DoDCAR) is sponsored by the Department of Defense (DoD) Chief Information Officer (CIO) Deputy CIO for Cybersecurity, the National Security Agency (NSA) Deputy National Manager for National Security Systems, and the Defense Information Systems Agency (DISA) Director.
DODCAR objectives are twofold:
Support the Cybersecurity Reference Architecture for the DOD Information Networks (DODIN) based on an end-to-end holistic review of the current cybersecurity capabilities and planned cybersecurity capabilities based on threats
Provide observations, affirmations and prioritized recommendations focused on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) functions, such as Identify, Protect, Detect and Respond
The DODCAR approach establishes a threat-based, analysis-driven, repeatable process to synchronize and balance cybersecurity investments, minimize redundancies, eliminate inefficiencies, and improve all-around mission performance. This approach also provides the insight and knowledge necessary to support effective, prioritized, and integrated cybersecurity capability investments. The end goal of the DODCAR methodology is to talk about cyber security within a framework that everyone can understand, regardless of their technical background or level of expertise. Communication of a threat prior to DODCAR is often explained through the Godzilla analogy: if the architects and engineers see Godzilla from the lower floors of the building, they see feet, the system administrators see knees, and so on up to the operators and executives who just see the teeth. Because IT network engineers see and fear things differently than operators/users, the differing perspectives make the discussion of cyber threat and potential solutions quite difficult.
The standardization of cyber data is a prevailing problem as we buy technologies that are not standardized. Metadata and data tags have been initially normalized through efforts like OASIS' STIX/TAXII. This, however, offers a low-level view of data normalization because we still cannot talk about threat holistically from a single perspective, and we do not have a standard framework to view cyber threat.
Data governance, through NIST and Department of Defense (DoD) wide implementation policies, is currently being established to ensure the normalization of cyber data. This normalization will become the foundation for us to look at big data and to create analytics and machine learning from the government's perspective.
Key take-aways:
To provide an overview and deeper understanding of the DODCAR methodology and its objectives
To lay a foundation for data standards and tagging to help better understand cyber threat for the whole cybersecurity community
13:45 - 14:15
Grand Ballroom
CNS Track: Machine Learning & the SOC
Track : Cyber Next Summit Track (CNS)
Speakers
Cory Missimore, Manager, Baker Tilly
Security Operations Centers (SOCs) are continuously monitoring an ever-increasing scope of assets, both those incorporated by a company and independent devices, stemming from the ever-amorphous "Internet of Things", that are brought into a workplace environment. This creates a massive amount of alerts or "noise", most of which are benign but still require a security analyst to review and confirm their banality, drawing the analyst's time and attention away from potentially real threats or attacks. Cutting down the "noise" (the volume of false positives or non-threatening alerts) is a primary concern for security analysts, chief information security officers, and chief executive officers alike. Machine learning, while not a silver bullet, can become a powerful tool if utilized appropriately to reduce the noise.
14:15 - 14:45
Holeman Lounge
BC Track: Improving IoT Safety using Standards to Improve IoT Security
Track : Borderless Cyber Track (BC)
Speakers
Duncan Sparrell, Chief Cyber Curmudgeon, SFractal Consulting LLC
The Internet of Things (IoT) is growing faster than our ability to safeguard ourselves. As IoT becomes ubiquitous, it is important to consider the safety impacts of cyber-physical systems. In the interest of public safety, future cybersecurity systems will adapt to threats in real time based on the standards being developed today. This talk will identify several key industry standards and how they will contribute to IoT safety. It will conclude with a vision of how future IoT systems will be safer by tying these activities together.
The downsides of ignoring safety will be discussed with some IoT examples from the transportation, healthcare, factory, and utility sectors. After setting the stage on the importance of cybersafety using Fear, Uncertainty, and Doubt (FUD), I'll argue against using FUD and present the proven risk management scientific principles that should be used instead for all security decision making. Instead, decisions will be made algorithmically based on proven scientific methods using security policy, risk tolerance, and the potential safety/financial impacts of the threat. Factor Analysis of Information Risk (FAIR) is a practical framework for understanding, measuring and analyzing information risk, and ultimately, for enabling well-informed decision making. The talk will give a brief introduction to FAIR and the Open Group standards related to it, as well as how it applies to IoT.
Modern software systems involve increasingly complex and dynamic supply chains. Lack of systemic transparency into the composition and functionality of these systems contributes substantially to cybersecurity risk. This talk will cover the work underway in an NTIA Working Group on Software Transparency and the use cases for Software Bill of Materials (SBoM).
The third principle necessary for IoT safety is responding to a cyber-attack at machine speed. The talk will cover why that is important to IoT and what should be done to achieve response in cyber-relevant time. The economic benefits of automation and machine-speed response will be presented. The OASIS OpenC2 standards for command & control (C2) will be discussed, and how those standards will facilitate automation in IoT, particularly in conjunction with several other OASIS standards on sharing threat intelligence (STIX/TAXII) and playbooks (CACAO).
Key take-aways:
Attendees will learn about several standards that will help make IoT safer.
Attendees will learn how to make more informed decisions based on risk tolerance.
Attendees will learn about the use cases for Software Bill of Materials (SBoM), and they will leave desiring their suppliers to provide SBoMs and desiring to create SBoMs for any software they supply.
Attendees will learn about the use cases for OpenC2, STIX/TAXII, and CACAO in the context of IoT safety.
14:15 - 14:45
Grand Ballroom
CNS Track: Evaluating Our Defenses with a Data Science Approach
Track : Cyber Next Summit Track (CNS)
Speakers
Brennan Lodge, Data Scientist, Goldman Sachs
SOC analysts are under siege to keep pace with the ever-changing threat landscape. The analysts are overworked, burned out and bombarded with the sheer number of alerts that they must carefully investigate. This intense workload can truly test anyone's patience. We need to empower our SOC analysts to overcome this monotonous work that is leading to career burnout.
Our industry is struggling to keep up and is alternatively promoting silver bullets and panaceas to catch zero days, defend against APTs and use AI to detect attacks better and faster. Instead of detecting or preventing better and faster, we should be looking inwardly at our SOCs to better serve our human analysts. Security departments should be seeking data-driven approaches for more efficient evaluations of operations. Approaches like data science and algorithms to statistically evaluate the operations within a SOC will help.
Big data is becoming a big problem for SOCs. But instead of being a problem, it should be a solution. Analysts' laborious investigations already include a variety of data points: logs, analysts' notes, escalations, and conclusion tags. Combining these data points, or independent variables, can feed an ML algorithm against a dependent variable, the conclusion tags, to build an evaluation score for sensors and detection rules. With proper labeling and data wrangling, an evaluation score can be gleaned from a logistic regression algorithm. This output can evaluate the efficacy of alerts from SIEMs. With this insight, security engineers, management and analysts alike can be empowered to make data-driven decisions to tune detections and lessen the burden on the SOC by investigating fewer false-positive-related cases.
Key takeaways:
1. SOC analysts are continually overwhelmed with the honorable job of investigating many alerts. But analysts are overwhelmed by tedious investigations that continue to be resolved with false positive or business-as-usual conclusions.
2. We can score these cases by implementing a machine learning model to get closer to signal and more meaningful investigations rather than noisy or false-positive-related conclusions.
14:45 - 15:15
Holeman Lounge
BC Track: Making CTI Actionable: Closing the Feedback Gap
Track : Borderless Cyber Track (BC)
Speakers
Michael Pepin, Security Engineer, Celerium
So you're receiving cyber threat intelligence (CTI) from outside sources. Great. Now what? How do you find the intelligence that's relevant to you and your organization? And how can you use that information to adopt a more proactive cyber defense posture?
This presentation will outline a strategy that information security analysts and engineers should consider to help them isolate relevant intelligence and make it more actionable by using their existing infrastructure of sensors and controls. With this strategy in play, teams and organizations will be able to think about cyber defense in proactive terms, and move away from only reacting after an attack has already hit their systems.
Questions answered by the speaker include:
How CTI is typically used today
What is the "Feedback" gap
How to close the gap
How this helps real-time (at machine speed) cyber defense
14:45 - 15:15
Grand Ballroom
CNS Track: Panel - Artificial Intelligence in Cybersecurity: Recent Advances
Track : Cyber Next Summit Track (CNS)
Speakers
Brennan Lodge, Data Scientist, Goldman Sachs
Al Lewis, Doctoral Candidate, Independent Researcher
Alexei Balaganski, Lead Analyst, KuppingerCole
Numerous malware variants are being created daily. To adjust to this evolution, machine learning tools are being utilized by security companies to detect novel threats and new attack vectors. The same applies to threat hunting, where ML helps in proactively and iteratively parsing through networks to detect advanced threats. The important question is where we want to apply these advanced techniques. The technology should be applied in a smart way to tackle specific problems. In this panel we will discuss the current state of AI in cybersecurity and what the future will hold.
15:15 - 15:45
West Ballroom and Ballroom Foyer
Coffee & Networking
15:45 - 16:15
Holeman Lounge
BC Track: Rethinking the Future of Identity with Zero Trust
Track : Borderless Cyber Track (BC)
Speakers
Corey Williams, VP Strategy, Idaptive
As companies continue to move to the cloud and house more and more data online, the number of vulnerable endpoints for cybercriminals to target has expanded exponentially. We need a paradigm shift in cybersecurity, and that's doable through a Zero Trust security approach, supported by machine learning and AI. In this session, Corey Williams will discuss the importance of Zero Trust security, backed by cutting-edge AI and machine learning technology to make security postures truly watertight. Governments, private businesses, and other organizations need to get ahead of the curve and adopt Zero Trust security, today.
The cybersecurity industry has seen tremendous growth over the last decade – it's estimated that companies spent more than $120 billion on cybersecurity in 2018 to prevent attacks. But it's no longer just about technology and individual solutions.
Today, 81% of data breaches occur as a result of compromised credentials, making Zero Trust the best way to prevent attacks. While there's a lot of diversity in the IAM space regarding technology and product offerings, there's one issue where experts are starting to agree – the future of identity lies with a Zero Trust approach to security, and needs to be backed by automation and AI to preempt security vulnerabilities. Vendors, consultants, and IT professionals are all singing the praises of Zero Trust, and what was once a buzzword is slowly moving from hype to reality. But what does that all mean for the CISO?
In this session, Idaptive VP of Strategy Corey Williams discusses the pillars of Zero Trust, and why it's so important for individuals, companies, and other entities to adopt a Zero Trust security approach. Corey will discuss some cutting-edge technologies from around the industry that are making Zero Trust possible – from machine learning to advanced cloud-based analytics. Corey will walk through several case studies of Zero Trust in practice, describing how companies have taken big steps across an entire organization to holistically defend against breaches. Corey will pay special attention to the healthcare and finance industries, which are typically more vulnerable, given they safeguard troves of sensitive user data. But the steps they've taken to secure that data represent a shift in approach towards never trusting and always verifying, on the heels of massive consumer data breaches over the last five years.
Corey Williams, armed with 20 years in the industry and backed up by recent industry data and analyst reports, will make the case for Zero Trust, and what's next in the cybersecurity industry in the coming decade. Ultimately, Corey will demonstrate how, for public and private organizations, Zero Trust security is becoming a real, tangible concept.
Key take-aways:
Participants will understand the value of Zero Trust, how it operates, and why it's the most effective method of preventing data breaches.
Participants will learn how automation, AI, and machine learning integrate with cybersecurity solutions to continuously evolve and adapt to threats, almost instantly automating processes that are normally subject to human error and timelines.
15:45 - 16:15
Grand Ballroom
CNS Track: Pragmatic CyberSecurity and Risk Reduction
Track : Cyber Next Summit Track (CNS)
Speakers
Bruce Hafner, President, ClearArmor Corporation
Organizations are at a tipping point, overwhelmed by cyber events, day-to-day operations, budget, and availability. Increasing triggers are compounding the problem, along with increasing standards, compliance, and an overabundance of next-best tools, resulting in unsustainability.
This rapid-fire session will engage attendees on a pragmatic approach to risk reduction through pragmatic CyberSecurity, which simplifies the approach. Bringing clarity and focus to risk reduction efforts, while adhering to structure and standards, is critical. Organizations will benefit from a risk-based approach: prioritized efforts and reduction of gaps, impacts, and overall risk. The result is that continuous busy work is replaced by continuous improvement, and reactive response is replaced by proactive efforts. A corresponding PowerPoint and Excel spreadsheet will be provided to attendees, kick-starting their move to pragmatic CyberSecurity and Risk Management.
Key takeaways:
1) CyberSecurity is not about tactical solutions, but requires very real strategic thinking.
2) To maximize the uptake and effectiveness of strategic CyberSecurity, a pragmatic approach is best. One key option in Pragmatic CyberSecurity is using a risk-based approach while embedding risk management into the equation.
3) Slowing down the shotgun approach to an endless cycle of tactical tools procurement and failed implementations requires understanding 'why' you are doing what you are doing. Then, prioritizing efforts and focus will lead to the successful adoption of the overall program as well as adoption of tools.
16:15 - 16:45
Holeman Lounge
BC Track: Security Automation and Adaptive Cyber Defense Strategies for Success - Experiences from the Financial Sector
Track : Borderless Cyber Track (BC)
Speakers
Donnie Wendt, Security Engineer, Mastercard
This presentation will examine the findings of a doctoral study into the strategies cybersecurity professionals need to reduce the gap between the attacker's time to compromise and the defender's time to detect and respond. This is an opportunity to learn from the experiences of cybersecurity professionals within the financial services industry who have implemented or are implementing security automation. The session will cover strategies to ensure success, challenges faced, use cases implemented, and benefits from security automation and adaptive defense methods. The conceptual framework for this doctoral study proposed using automation and intelligence sharing to speed the detection of and response to cyber attacks while using deception and adaptive defense methods to slow the attack. It was determined that defenders must address both sides of the equation to narrow the gap between the attacker's time to compromise and the defender's time to respond.
The exploratory qualitative study used semi-structured interviews to collect information from 10 participants with cybersecurity experience in the financial services sector, including analysts, engineers, senior management, and CISOs. An iterative open-coding process was used to analyze the data, from which the following six themes emerged: (a) use of automation in security operations, (b) benefits of security automation, (c) requirements for successful security automation, (d) use of intelligence sharing in security operations, (e) minimal use of deception and automated response, and (f) impediments to effective intelligence sharing.
Cyber defenders must improve detection and response times to help counter the increasing cyber threats. Recent advances and research into security orchestration and adaptive cyber defenses seek to lessen the advantage enjoyed by the attackers. The leading research addresses the problem through three major concepts: (a) community sharing of security intelligence, (b) automation and orchestration of security responses, and (c) the use of adaptive cyber defenses. This study explored the strategies that cybersecurity professionals within the financial services industry can employ to improve cyber defenses using automation, intelligence sharing, deception, and adaptive response.
Cyber attackers enjoy a significant advantage over the defenders in cyber conflict. The attackers' advantage stems from multiple issues, including the asymmetry of cyber conflict, the increased sophistication of cyber attacks, the speed and number of attacks, and a global shortage of cybersecurity talent. Current human-centered cyber defense practices cannot keep pace with the threats targeting financial services organizations. Cyber defenders must address both sides of the equation to narrow the gap between the attackers' time to compromise and the defenders' time to respond. An integrated approach involving security orchestration, automated response, information sharing, and advanced defense methods can reduce the competitive gap between attackers and defenders. The conceptual framework for this study proposed using automation and intelligence sharing to speed the detection of and response to cyber attacks while using deception and adaptive defense methods to slow the attack. By addressing both sides of the equation (the speed of defense and the speed of attack), the framework sought to decrease the attacker's advantage.
The study identified several strategies that cybersecurity professionals in the financial sector could employ. These strategies include focusing on quick wins when implementing security automation, using automation to mitigate data quality and relevancy concerns with intelligence sharing, and developing trust in automated response methods. The findings of this study support the need for and benefits of security automation. There are many use cases for security automation in the financial sector. Further, the financial sector can derive significant benefits from automation. The findings show that financial institutions actively participate in intelligence sharing; however, several impediments to effective intelligence sharing exist. The main concerns with intelligence feeds relate to the quality of the data, the relevance of the data, and the recency or currency of the indicators. Cybersecurity professionals in the financial services industry could use a security automation strategy to help address each of these impediments to effective intelligence sharing. The findings suggest that the use of deception and automated response methods may not be prevalent within the financial sector. However, there is a strong interest in the future use of deception and automated response methods. The most significant challenge to overcome related to automated responses is developing trust and support by demonstrating that the automation is taking the correct action. Also, cybersecurity professionals need to consider how to counter or undo incorrect actions taken by automation.
Key take-aways:
Learn the strategies for a successful security automation initiative based on the experiences of cybersecurity professionals from the financial services industry
Discover use cases for and benefits derived from security automation within the financial sector
Hear about the challenges cybersecurity professionals faced when implementing security automation and the strategies to overcome these challenges
16:15 - 16:45
Grand Ballroom
CNS Track: Real and Perceived Threats to the Energy Sector - 2019 and 2020
Track : Cyber Next Summit Track (CNS)
Speakers
John Bryk, Cyber And Physical Threat Intelligence Analyst, Downstream Natural Gas Information Sharing And Analysis Center (DNG-ISAC)
What are the cyber threats posed to natural gas? What's the state of cyber defense for our pipelines?

A Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC) threat analyst will provide an overview of the dynamic cyber and physical threats faced by the natural gas and pipeline sub-sector in 2019 and 2020. Industry data will be summarized to paint a picture of current challenges to the safety and operation of our national critical energy infrastructure using insights provided by industry executives and security professionals. We'll explore how natural gas operational intelligence has benefited cross-sector and public partners.
16:45 - 17:15
Holeman Lounge
BC Track: Is the Damage Already Done? Automating Vulnerability Investigation
Track : Borderless Cyber Track (BC)
Speakers
John Moran, Sr Product Manager, DFLabs
As evidenced by many of the recent breaches, vulnerability management is a critical process for every enterprise. However, discovering and remediating vulnerabilities alone may not provide the enterprise with the complete risk picture. Remediation means that the vulnerability can no longer be exploited, but has it already been exploited? Scanning schedules, deployment testing and patch windows mean that a vulnerability may persist for some time prior to remediation. Implementing an automated process of vulnerability investigation through a Security Orchestration, Automation and Response (SOAR) solution can help enterprises quickly find evidence of possible vulnerability exploitation and ongoing risk. This talk will outline the gaps in our existing vulnerability management methodologies and how these gaps can lead to unknown risk in the organization. We will then discuss how a SOAR solution can be used to identify any potential risk to the organization for automated or manual mitigation. We will conclude with a use case, showing how this can be achieved in practice.

Key take-aways:
- Gaps present in our current vulnerability management methodologies
- How SOAR can help address these gaps and minimize risk
16:45 - 17:15
Grand Ballroom
CNS Track: Protect the Homeland and Stay in Business: Why Privately-Owned Companies Need a Cyber Intelligence Program
Track : Cyber Next Summit Track (CNS)
Speakers
Al Lewis, Doctoral Candidate, Independent Researcher
The private sector continues to be victimized by an onslaught of sustained cyber assaults aimed at undermining the United States economy, weakening its military, and threatening its democracy. The need for the US government and private industry to share information has long been viewed as the only viable solution to thwarting cyberattacks. Despite the information sharing efforts, spanning nearly two decades, private industry continues to hemorrhage its intellectual property and economic resources. In response to the cyber-based threat, a new field has emerged: cyber intelligence. The literature not only reflects the lack of a clear definition, education, and a sustaining value proposition but also highlights the interest and need for relevant, timely, cyber-based intelligence. Using a qualitative method, this paper examines current literature and the author's personal experience. This study examines the role of cyber intelligence in the private sector and asserts that the information and intelligence provided by vendors and the United States government is not adequate to meet the needs of business. There are two key findings resulting from the research and analysis: cyber intelligence is not defined, and an internal cyber intelligence capability is the only option capable of meeting the demands of business.
17:15 - 20:00
Happy Hour - Everyone is welcome to gather across the street at MACKEY'S (1306 G Street Northwest) for an informal Happy Hour!
Day 2, Oct 09, 2019
08:30 - 09:00
West Ballroom and Ballroom Foyer
Coffee & Networking
09:00 - 09:30
Grand Ballroom
Plenary Session—Keynote: The Information Protection Lifecycle
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
John Tolbert, Lead Analyst And Managing Director Of KuppingerCole, Inc (US), KuppingerCole
Too often those of us in the cybersecurity space get wrapped up in comparing, deploying, and managing point solutions. While this is a necessary consequence of both the fragmented nature of the market and the highly specialized nature of our work, sometimes we need to step back and look at the big picture. What kind of information am I charged with protecting? How can I discover and keep track of it all? What kinds of controls can I apply? How can data be protected in different environments, on different platforms, etc? We'll look at the various stages in the life and death of information and how to best manage and protect it.
09:30 - 10:00
Grand Ballroom
Plenary Session—Keynote: The Questions a Judge Will Ask You After a Data Breach
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
Chris Cronin, Board Chair, The DoCRA Council
If you are breached and your case goes to litigation, you will likely be asked to demonstrate "due care" and that your controls were "reasonable." Many are surprised to learn that a breach by itself does not constitute negligence in most cases. But judges will ask a set of questions that help them determine whether your controls were reasonable. These questions bear a close resemblance to information security risk assessments; they both try to balance the likelihood and impact of foreseeable threats against the burden of safeguards. This presentation will explain judicial balancing tests, how they relate to regulatory definitions of "reasonable" risk, and how to conduct risk assessments that prepare you to answer the tough questions before you need to be asked.

Attendees will learn:
- How to define "reasonable" in a way that makes sense to business, judges, and regulators.
- How to design and run a risk assessment that is meaningful to technicians, business, and authorities.
- Lessons from case studies involving regulatory oversight, lawsuits that happened, and lawsuits that never happened.
10:00 - 10:30
Grand Ballroom
Plenary Session—Innovation Talks
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
Todd Weller, CSO, Bandura Cyber
Chase Norlin, CEO, Transmosis
Our sponsors take the main stage during this session to talk about...

Building our next Cybersecurity Workforce through Collaborations
Chase Norlin, CEO, Transmosis

Presentation TBA
Todd Weller, CSO, Bandura Cyber
10:30 - 11:00
West Ballroom and Ballroom Foyer
Coffee & Networking
11:00 - 11:30
Grand Ballroom
Plenary Session—Innovation Talks
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
Yaniv Avidan, CEO & Co-Founder, MinerEye
Markku Rossi, Chief Technology Officer, SSH.COM
Our sponsors take the main stage during this session to talk about...

Detect Personal Information in Hybrid Cloud Environments Using AI
Yaniv Avidan, CEO & Co-Founder, MinerEye

Innovating Access to the Critical IT Infrastructure
Markku Rossi, Chief Technology Officer, SSH.COM
11:30 - 12:00
Grand Ballroom
Plenary Panel: Critical Infrastructure, IoT, and Security
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
David Batz, Senior Director, Cyber & Infrastructure Security, Edison Electric Institute
Tom Stockmeyer, Account Executive, Unbound Tech
Christopher Magnan, Senior Manager, General Dynamics Information Technology
12:00 - 13:00
West Ballroom and Ballroom Foyer
Lunch & Networking
13:00 - 13:30
Holeman Lounge
BC Track: The (r)Evolution of Cyber Threat Information Sharing – Past, Present, and Future
Track : Borderless Cyber Track (BC)
Speakers
Daniel Harkness, Group Lead, Cyber Research, DOE/Argonne National Laboratory
The sharing of cyber threat information can be traced back to the response to the Morris worm in 1988. We will discuss the history of cyber threat information sharing and give an overview of where we stand today. Recognizing a sense of disillusionment with today's landscape, we will provide a vision of what the future of cyber situational awareness and defense can look like, and how cyber threat information sharing can help us get there.

In November 1988, the Morris worm opened the world's eyes to cyber threats. Shortly after, Carnegie Mellon University started up the Computer Emergency Response Team Coordination Center (CERT/CC), the Department of Energy formed the Computer Incident Advisory Capability (CIAC), and many others did the same. By 1990, it was clear that communication and collaboration across teams would be needed and the Forum of Incident Response and Security Teams (FIRST) was formed to respond to this need [1]. Fast forward to the early 2000s and the idea of automated sharing of cyber threat information began with such early examples as: the Argonne National Laboratory's Cyber Fed Model (a grassroots effort that began in 2004) and the Research and Education Networks Information Sharing and Analysis Center's Security Event System. Fast forward again, to the present, and these platforms have grown, new ones have gained the spotlight, standard representations such as Structured Threat Information Expression (STIX™) and Trusted Automated Exchange of Intelligence Information (TAXII™) have gained traction, and cyber threat information sharing has become a hot topic. But, despite the growth and advancement, the World Economic Forum, at their 2018 Annual Meeting in Davos, Switzerland, declared that "Currently, information sharing is not living up to expectations." [2]

This presentation will start with an overview of the cyber threat information sharing landscape. This will include a brief history, an overview of different approaches (e.g. manual vs. automated; indicators vs. intelligence), and a discussion of associated pros, cons, and challenges. These current approaches and associated challenges will be used to illustrate the view that the movement is "not living up to expectations." Having laid the groundwork, the presentation will focus on the future of cyber threat information sharing; namely, that the current focus on information sharing needs to shift. The focus should not be on information sharing as an end goal, but rather the use of information sharing as a foundational capability that can be leveraged for improved cyber situational awareness and more rapid cyber defense. Automated information sharing involves machine-to-machine connections and trust relationships that can be leveraged for orchestration beyond the simple sharing of atomic pieces of cyber threat information.

By passing queries (i.e. requests for information), information sharing can become a foundational capability used by cyber analysts to simplify the processes used in the research, disposition, and response to anomalous events. Combining this distributed query model with automation and orchestration will expand the datasets available and reduce the time to collect context used by analysts in disposition of an event or finding. This same infrastructure then becomes the foundational capability to orchestrate the defensive response to a given threat. Moving cyber threat information sharing from a "publish" model to a "research" model may require more revolution than evolution but will empower analysts to tackle more complex research. By orchestrating and automating pieces of the single-event analysis process, analysts can be freed up to start shifting to a campaign- or adversary-focus. A single-event response may result in a fast-paced game of whack-a-mole with an adversary rapidly moving from one piece of their infrastructure to another. But a campaign- or adversary-focused response will consider the behaviors and motivations behind the attack and look at the multi-step (and therefore multi-event) processes used. With a more comprehensive understanding of the threat and the availability of automation and orchestration capabilities, analysts will be able to disrupt the adversary in ways that will cost significantly more time and effort to work around than today's typical response of blocking an atomic indicator. This shift of focus does not mean that cyber threat information sharing is no longer important. Nor does the automation and orchestration mean that analysts are removed from the picture. But, by focusing on the end goals of improved situational awareness and orchestrated defense, we can recognize that information sharing needs to be treated not as a solution on its own, but rather as a foundational capability that leads to an improved end state.

[1] FIRST History. www.first.org/about/history. Accessed 31 July 2019.
[2] "Meeting Notes." AM 18 Session - Mitigating Risks in the Innovation Economy. World Economic Forum, 23 Jan. 2018, Davos, Switzerland.

Audience interaction/engagement: Audience interaction will include simple polling of the audience on their level of experience or familiarity with different information sharing topics. Additionally, more in-depth engagement will involve the use of "What would you do/need?" type of questions to illustrate response processes (and associated gaps) to hypothetical threats.

1) Participants will leave this presentation with an understanding of cyber threat information sharing history and the current landscape.
2) Participants will recognize that there is a need to move beyond the status quo to improve situational awareness and cyber defense.
3) Participants will see a vision of how automation and orchestration can evolve information sharing and empower them to improve the cyber defense landscape of the future.
13:00 - 13:30
Grand Ballroom
CNS Track: Endpoint Protection/Anti-Malware and Endpoint Detection & Response - Leadership Compass Preview
Track : Cyber Next Summit Track (CNS)
Speakers
John Tolbert, Lead Analyst And Managing Director Of KuppingerCole, Inc (US), KuppingerCole
Preview of the upcoming Leadership Compasses on Endpoint Protection/Anti-Malware and Endpoint Detection & Response. In this session, we'll talk about the Leadership Compass methodology and the criteria that are reviewed and compared to generate these research reports. 
13:30 - 14:00
Holeman Lounge
BC Track: Save the Threat Intelligence-based Workflow, Save the Cyber Analyst
Track : Borderless Cyber Track (BC)
Speakers
Katie Kusjanovic, Senior Solutions Engineer, EclecticIQ
The progression of Threat Intelligence (TI) data and use cases is a primary contributor to the blurring of the lines between TI and Incident Response (IR). Collaborative and cooperative workflows are increasingly needed to reap the overall cyber efficiencies promised by threat intelligence vendors.

First, the session will dissect an abstracted version of the "previous gen" (and quasi-independent) threat intelligence and incident response disciplines with special attention paid to their respective uses of threat intelligence data. Next, we'll dive into a detailed walk-through of a publicly-reported security breach, explicitly covering how the incident response and threat intelligence workflows operate independently. Synthesis naturally follows with an exploration of how the two workflows can cooperate. Sample Standard Operating Procedures (SOPs) that explicitly address analyst efficiency and analyst collaboration metrics will be introduced during the cooperative workflow; these can be readily customized in an organization.

Key objectives:
- Explore the operational differences between Threat Intelligence (TI) and Incident Response (IR) use cases, and the use of STIX-based data models for both TI and IR use cases.
13:30 - 14:00
Grand Ballroom
CNS Track: Digital Pickpockets: Analyzing Mobile Malware
Track : Cyber Next Summit Track (CNS)
Speakers
Marita Fowler, Senior Analyst, Capital One
Mobile malware authors invest a lot of time and energy into code development to ensure their campaigns are successful. Attendees will also learn about these different campaigns and how the attacks are evolving. This evolution includes anti-emulator detection, antivirus suppression, chunked update downloads, etc. A list of analysis tools and resources used during the analysis will be provided at the end of the session.
14:00 - 14:30
Holeman Lounge
BC Track: What Really Means Actionable Threat Intelligence Today?
Track : Borderless Cyber Track (BC)
Speakers
David Bizeul, CTO, SEKOIA
14:00 - 14:30
Grand Ballroom
CNS Track: Panel - Achieving Endpoint Security for Organisations
Track : Cyber Next Summit Track (CNS)
Speakers
Jason Keogh, VP Of Product, 1E
Marita Fowler, Senior Analyst, Capital One
Chris Calvert, Co-Founder & VP Of Product Strategy, Respond Software
14:30 - 15:00
West Ballroom and Ballroom Foyer
Coffee & Networking
15:00 - 15:30
Holeman Lounge
BC Track: Automating Open-Source Zeek (Bro) for Threat Mitigation and Response
Track : Borderless Cyber Track (BC)
Speakers
Allan Thomson, CTO, LookingGlass Cyber Solutions Inc.
This presentation describes how a common open-source tool, Zeek (Bro), that has been used, until today, primarily for threat detection can be extended to provide threat response, including mitigation of attacks, including those aspects that can be tied to the MITRE ATT&CK framework. Today Zeek/Bro has a large and active open-source community that contributes Zeek/Bro scripts, including detection of attacks such as Heartbleed and many other behavioral (TTP) based detections.

This presentation will have the following structure:
- Introduction to Zeek/Bro event-based detection techniques, including behavioral detection aspects
- Show how those detection techniques can be applied to the MITRE ATT&CK framework to provide the audience with a common taxonomy on what Zeek/Bro does
- Introduction to how the Zeek/Bro event-based programming model can be extended for threat mitigation and response, and what benefits those extensions would provide orgs
- Show specific Zeek/Bro examples that highlight the power of extending the Zeek/Bro paradigm, including simple actions such as being able to respond to Heartbleed after it is detected with a mitigation action to stop the behavior progressing through the kill-chain
- Highlight how this framework can be further extended for automation across a network of sensors and mitigation driven by orchestration tools; show how Zeek/Bro fits into orchestration tools, including possible playbooks that are written for security operations that tie detection with automated mitigation
- Summarize the approach to extending Zeek/Bro and the value to security organizations
15:00 - 15:30
Grand Ballroom
CNS Track: IoT & Cybersecurity
Track : Cyber Next Summit Track (CNS)
Speakers
Christopher Magnan, Senior Manager, General Dynamics Information Technology
Cybersecurity is critical to protecting IoT and mesh networks. Network sensors and endpoints are the most vulnerable network assets. As endpoint diversity expands to nontraditional assets and applications, stakeholders must adopt cybersecurity best practices to protect their networks. This talk focuses on strategies to harden the IoT security posture. 
15:30 - 16:00
Holeman Lounge
BC Track: CACAO: Insights on Cybersecurity Orchestration Cooperative Collaboration
Track : Borderless Cyber Track (BC)
Speakers
Allan Thomson, CTO, LookingGlass Cyber Solutions Inc.
Bret Jordan, Director, Office Of The CTO, Symantec
To defend against threat actors and their tactics, techniques, and procedures, organizations need to manually identify, create, and document prevention, mitigation, and remediation steps. These steps, when grouped together into a course of action (COA) / playbook, are used to protect systems, networks, data, and users. The problem is, once these steps have been created there is no standardized and structured way to document them, verify they were correctly executed, or easily share them across organizational boundaries and technology stacks.

This presentation introduces work underway by a group of interested industry companies to define a standard way to implement a playbook model for cybersecurity operations. We'll cover aspects of CACAO including:
- How playbooks are created and document COAs in a structured machine-readable format.
- How organizations perform attestation, including verification and authentication, on COAs and their playbooks.
- How sharing and distribution of COAs across organizational boundaries and technology stacks may include protocols, APIs, interfaces and other related technology to support sharing across different vendors and organizations.
- How organizations can verify COA and playbook correctness prior to deployment.
- How organizations would monitor COA activity after successful deployment.

Learning objectives:
- An introduction to the requirements and issues that CACAO addresses, specifically on cybersecurity response collaboration and orchestration
- The relationship of CACAO to other standards work (STIX2, OpenC2, etc.) and interplay with proprietary mechanisms (Cisco IOS, JunOS, etc.)
- Practical examples of how CACAO would work and help organizations define standards-based cybersecurity response playbooks
- How either consuming organizations or vendors could engage to further define/improve the CACAO work
15:30 - 16:00
Grand Ballroom
CNS Track: Secure Code Signing for IoT with Multi-Party Computation
Track : Cyber Next Summit Track (CNS)
Speakers
Tom Stockmeyer, Account Executive, Unbound Tech
In 2019, interconnectivity and growth of data have exploded. The digital world continues to expand at breakneck speed, with 20 billion networked devices and data anticipated to grow tenfold from 2017 to 2025. 96% of companies now use cloud services and 81% of enterprises operate multi-cloud landscapes. There are over 5 billion mobile phone users, with 2 billion customers preferring mobile banking rather than entering a physical branch.

IoT is an integral part of the future of data technology - and it may hinge on safe code-signing. The increased importance and intelligence of software operating IoT devices, and the need for frequent code updates to address rapidly changing service functionality and security requirements, are driving the need for IoT device software and firmware signing. Without good code signing hygiene, manufacturers incur major risks as attackers can alter the software running on deployed devices, stealing information or tampering with device functionality. This presentation will review code-signing best practices for IoT – and how to strike a balance between security and usability – through multi-party computation.

Key Takeaways:
1. Code-signing keys are both notoriously difficult to manage and integral to the heart of enterprise data security
2. Hardware-based code-signing solutions are neither scalable nor flexible enough to keep up with the growth of IoT devices
3. Multi-party computation-based solutions offer hardware-grade security via software-defined cryptography - cryptographic key management for the digital era
4. Code-signing best practices for enterprise include:
   a. Protecting code signing keys: Key exfiltration is the riskiest because it gives attackers the most freedom to sign any code anywhere. Use cryptographic key protection and management solutions to help ensure that attackers cannot get hold of the valuable private keys.
   b. Establishing advanced quorum authorization for sensitive signing operations: By requiring multiple people and/or systems to authorize sensitive cryptographic operations, such as signing code (especially code that can impact low-level system operations), you can eliminate rogue actors tainting the code with malware.
   c. Monitoring and auditing all code signing transactions: A comprehensive log of all operations, including the source of those operations, can help quickly identify the source and mitigate attacks after they occur.
16:00 - 16:30
Holeman Lounge
BC Track: Decision Automation: Teaching machines to hunt
Track : Borderless Cyber Track (BC)
Speakers
Kumar Saurabh, CEO And Co-Founder, LogicHub, Inc.
Threat Detection in today's environment requires Security Operations Center (SOC) teams to go beyond SIEM rules and simple correlation. Yet, "blackbox" AI systems often fall short by creating too many false positives and often missing true incidents. Decision Automation is the new paradigm that brings the power of expert root-cause analysis using the 5 Whys approach, coupled with Machine Learning and easily-configured automation platforms, enabling security teams to create powerful intelligent threat detection. This session will explore the fundamentals of Decision Automation along with relevant case studies.

Many enterprise security teams rely on rules and searches to create alerts. Such rules not only have high false positive rates, but have very high false negative rates too. It is easy for a rule-based system to miss some very simple attacks that it has not seen before. However, if we give that data to an analyst, they are more often than not able to detect suspicious behavior and attacks that they have never seen before.

In this talk, we will see how we can build a fully automated system that uses the same techniques as an analyst does, and methodically analyzes the data autonomously in order to decide which events are risky and should be turned into incidents. This talk will focus on how to automate threat hunting by using a framework to capture the expertise and techniques of a skilled threat hunter.

Key take-aways:
- Learn common techniques threat hunters use to hunt for threats without a priori knowledge of what those threats look like.
- Discover how to automate threat hunting, so that you can find threats much more effectively at machine speed.
- Learn how to apply automation, machine learning and feedback loops to build a much better Threat Detection system.
- Hear about success stories from real world implementations that are applying automation to alert triage.
- Learn about a process that has been applied in many companies to measure the effectiveness of automation and how that leads to higher trust in automation.
16:00 - 16:30
Grand Ballroom
CNS Track: Cyber Mutual Assistance – A New Model for Electric and Gas Companies Preparing and Responding to Cyber Security Emergencies
Track : Cyber Next Summit Track (CNS)
Speakers
David Batz, Senior Director, Cyber & Infrastructure Security, Edison Electric Institute
Owners and operators of the electric grid in the United States are facing an unprecedented number of physical and cyber security risks. This session will discuss the methods that electric utilities are using to address the wide variety of risks, with special focus on the program Cyber Mutual Assistance.
16:30 - 17:00
Holeman Lounge
BC Track: Making Threat Intelligence a Shared Resource for Network Defense
Track : Borderless Cyber Track (BC)
Speakers
Todd Weller, CSO, Bandura Cyber
Jason Mok, Initiative Lead, IACD, JHU/APL
How can small to medium organizations use what the larger organizations learn about threats to take action in a prioritized, appropriate, and automated manner? Is there an incentive for an organization to share opinions and sightings about Indicators of Compromise (IOCs)? How can a service provider share the insight gained by all these contributors so organizations can directly use that insight, even if they do not have the staff to analyze all the associated information? Bandura Cyber has partnered with the IACD team to demonstrate the potential value of: community sharing of opinions/sightings, confidence scores to provide updated context, and dynamic prioritization to drive local response actions. This talk will describe the joint experiment, results, and lessons learned.

The experiment uses a simulated AIS feed, a threat intelligence gateway, a SOAR platform, and traditional security products to address an IOC associated with a watering hole attack. The demonstration uses the opinions and sightings from organizations to update the AIS confidence score, which is used by the gateway to create a dynamic score. This score is used to block/allow or pass the IOC and context on to an orchestrator for processing. The scenario moves from IOC is good, to IOC is questionable, to IOC is bad, back to IOC is questionable, back to IOC is good. The contributions from the community build a perspective on the changing nature of the IOC, and the gateway can block or allow when the appropriate threshold is met. It can also send to the orchestrator when the IOC is questionable.

The intent of the experiment was to: demonstrate a value to community members for sharing sightings/opinions, etc.; attempt to use insight from other organizations to deal with a temporal aspect of an IOC; show a way to combine multiple insights into a single value to provide updated context to organizations; and identify the type of information that is needed to define the different actions to invoke under the different conditions based on local policy.

Key take-aways:
Participants who attend this session will leave with an understanding of how they can obtain value from providing local insight into community shared threat intelligence. They will also see a way to use dynamic prioritization to drive different actions in their environment, which may make it more appropriate to process IOCs and associated response actions in an automated manner.
17:00 - 19:00
Happy Hour
Day 3, Oct 10, 2019
08:30 - 09:00
West Ballroom and Ballroom Foyer
Coffee & Networking
09:00 - 09:30
Grand Ballroom
Plenary Session — Keynote: Managing the Space-Time Continuum of Cyberdefense
Track : Cyber Next Summit Track (CNS) | Borderless Cyber Track (BC) | Joint CNS-BC Plenary Session
Speakers
Tony Sager, Senior Vice President And Chief Evangelist, The Center For Internet Security, Inc. (CIS)
Attackers in cyberspace seem overwhelming, but they are not superhuman. Attackers also have a budget, a boss, an objective, and their own "risk model" of behavior. Our goal is not to create a perfect defense, but instead to dynamically manage defenses that force the attacker into less space and allow the defender to deal with them earlier in time. At its heart, cyberdefense is a decision-making, risk-managing machine, fueled by information. Narrowing attack opportunities through prevention, threat intelligence, automation, interrupting the attacker life-cycle, rapid detection and effective response – these are all crucial defensive actions that need to be seen as part of a holistic cyberdefense machine that manages space and time to defensive advantage. In this talk, we will discuss various models and the dynamics of cyberdefense, and set the stage for the role of automation and orchestration to empower this machinery.
09:30 - 10:30
Holeman Lounge
BC Track: Panel - Quantum Science Meets Cyber Reality
Track : Borderless Cyber Track (BC)
Speakers
Daniel Riedel , Founder, New Context
Tommy Gardner, CTO, Quantum Lead, HP Federal
Duncan Earl, President And CTO, Qubitekk
Arthur Herman, Director, Quantum Alliance Initiative And Senior Fellow At The Hudson Institute
Corey McClelland, Vice President, Qubitekk
The panel will take you on a journey from the origins of quantum science through to how it is applied to today's cybersecurity challenges and applications. The promise and full potential of quantum computing is still somewhere off in the distance, though great strides are being made. While quantum computers are important, the panel will talk about how quantum sciences are being used today for communication security with quantum key distribution, differences between entangled photon and single photon cryptography, fiber optic vs. free space applications, quantum random number generators, the use of QKD within the 5G ecosystem, quantum science international standards, US and international policy issues, US competition with other international players, and what to expect in the future for quantum science applications in cybersecurity.
Participants will walk away with a better understanding of:
1) How quantum science is being applied to cybersecurity today.
2) US and international policy and standards issues facing the application of quantum science.
3) How quantum science is being applied to cybersecurity applications today with quantum key distribution.
4) Basic knowledge of how entangled photon cryptography is different from the use of single photon cryptography.
5) Future use of quantum science for cybersecurity.
10:30 - 11:00
West Ballroom and Ballroom Foyer
Coffee & Networking
11:00 - 12:00
Grand Ballroom
CNS Track: Panel - Global State of Privacy and Why Secure Identity Solutions are Needed
Track : Cyber Next Summit Track (CNS)
Speakers
Kimberly Sutherland, VP Of Fraud & Identity Market Planning, LexisNexis
Denise Tayloe, Co-founder And CEO, PRIVO
John Tolbert, Lead Analyst And Managing Director Of KuppingerCole, Inc (US), KuppingerCole
Philipp Schneidenbach, Principal, Ventum Consulting
Lisa Hayes, Vice President, Strategy & General Counsel, Center For Democracy & Technology (CDT)
The introduction of new regulations around data privacy and security globally has resulted in a significant shift in the digital landscape. Recent enforcement actions, adoption of state-based laws, and proposed legislation demonstrate more change is imminent. Trust for brands is more important than ever, and nowhere is that more critical today than in how brands use consumer data and handle identity. In this panel discussion, you will hear insights from industry leaders addressing the following:
- What's the common thread in existing privacy regulations and what's coming next?
- What does privacy have to do with security?
- How do robust identity solutions address privacy challenges?
- What place does a consortium have for privacy and security risk mitigation?
- Use cases focusing on the bookends of the consumer identity life cycle (e.g., minors, seniors)
12:00 - 13:00
West Ballroom and Ballroom Foyer
Lunch & Networking
13:00 - 13:30
Holeman Lounge
BC Track: Insights for secure API usage in conjunction with security automation and orchestration
Track : Borderless Cyber Track (BC)
Speakers
Cody Bramlette, Cybersecurity Engineer, JHUAPL
Nam Le, IACD Integration Team Lead, Senior Systems Engineer, JHU/APL
Organizations are expanding the use of automation and orchestration in their security operations. An indication of this is the sharp rise in the adoption of Security Orchestration Automation and Response (SOAR) platforms. The security of these platforms is a key concern, and in particular the security of Application Programming Interface (API) keys used by both the SOAR platform and Security Operations Center personnel. The exposure of APIs from security tools is crucial to permitting automation and orchestration; however, it is also important to secure the usage of these capabilities. This presentation highlights methods for securing API usage and ways to remediate compromised API keys.
According to a recent Gartner publication, Security Orchestration Automation and Response (SOAR) adoption is predicted to rise from 1% to 15% from 2018-2020. This rapid growth is currently being realized by the explosion of options available within the SOAR marketplace. Organizations are adopting SOAR in order to adapt to the speed and scale of threats in the current cyber landscape. SOAR platforms are becoming a hub within the stack of security tools employed by an organization. This adoption is also driving the increased exposure of features from security tools via Application Programming Interfaces (APIs). These APIs are crucial to permitting the automation and orchestration of security operations; however, the exposure of these capabilities provides a new attack surface that attackers can exploit. To help address this concern, the Integrated Adaptive Cyber Defense (IACD) program has conducted research to help identify best practices for API security. As automation takes on an increasingly larger role in cyber defense, it is important for organizations to secure these new capabilities to ensure they are not abused.
Through our initiatives and pilots in various critical infrastructure sectors, IACD has found that most SOAR platforms provide basic mechanisms to protect API keys. However, IACD believes that the usage and security of these APIs is often overlooked, and more should be done to secure them. Recent findings show that many of these keys are issued and utilized with more access features than needed for specific tasks and are occasionally distributed widely throughout an enterprise's infrastructure. There have also been instances where API keys have been compromised by attacks and used by cyber attackers to access sensitive data. This talk will provide a summary of recent research and current industry best practices to protect API usage through gaining visibility into all API requests, rapid banning and re-issue of compromised API keys, controlling which requests an API key may issue based on the asset making the request, and controlling which assets are allowed to use which API key for specific requests. A Q&A session with the audience will be held at the end to discuss current concerns with API security.
This talk will be provided by the IACD integration team, which has hands-on experience with a large variety of SOAR solutions and has been developing capabilities for security orchestration and cyber information sharing since 2014. IACD has continuously provided impartial technical guidance for all enterprises and has been instrumental in the creation of a large community throughout academia, industry, and critical infrastructure to further the use and development of the IACD framework.
Attendees will learn techniques to address the risks associated with the rising convenience of automation and proactive vs. reactive automation practices, and will learn how to mitigate current security gaps faced by organizations with and without security automation.
Key take-aways: Attendees will learn best practices for managing API usage through the use of an API gateway. Additionally, remediation methods will be explored to address compromised access of security tools via stolen API keys.
13:00 - 13:30
Grand Ballroom
CNS Track: The Journey Towards a Passwordless Enterprise
Track : Cyber Next Summit Track (CNS)
Speakers
Alexei Balaganski, Lead Analyst, KuppingerCole
Everyone knows that the password is dead, yet most companies are still struggling with passwords. With such a broad choice of strong authentication products on the market, what can possibly prevent their broader adoption?
If you are still thinking about finding the right balance between security and user experience, you're doing it wrong. Even more, if you are still thinking about password replacement as just a matter of introducing strong authentication into your company, you really need to take a step back and see the big picture.
Going passwordless is a journey that requires a holistic strategy that incorporates not just user authentication, but expands to machine-to-machine communications as well – both for smart IoT devices and for legacy systems which are stuck with passwords for the rest of their lifecycle.
In this session, we'll go beyond MFA into the realms of adaptive authentication, dynamic authorization, privileged access management and even cryptographic key management to dispel a few myths and outline the basic requirements for a comprehensive enterprise-wide passwordless strategy.
13:30 - 14:00
Holeman Lounge
BC Track: Signed Control System Firmware, Parts, and Documents – Opportunity or Pain?
Track : Borderless Cyber Track (BC)
Speakers
Ronald Brash, Director Of Cybersecurity Insights, Verve Industrial Protection
Several years ago, aviation OEMs began creating cryptographically signed parts (called Loadable Software Aircraft Parts, LSAPs) to be installed onboard an aircraft. This was true not only for the latest e-Enabled aircraft such as the Boeing 737MAX/787 Dreamliners or Airbus A220s, but also for older aircraft such as the Airbus 319s, and it includes software updates, configurations, and carrier-specific data such as thrust control and navigation data.
While LSAPs help maintain the integrity of onboard components, assure that aircraft are safe to operate, and ensure that changes come only from a valid and authorized source, they also introduced several potential issues for aircraft operators. You might even ask how one compares aviation to ICS? Well...
To contrast aviation against the ICS/SCADA and critical infrastructure world, aircraft share many commonalities such as uptime, safety, reliability, third-party vendors and more. In fact, there are hundreds of embedded parts onboard each aircraft, and an aircraft might even be akin to a roaming "site" that requires the utmost rigor when managing, operating, and maintaining. Therefore, it might be fair to assume that aviation arrived at signed firmware before the ICS/critical infrastructure world.
Unfortunately, the advent of new secure industrial devices is upon us with standards such as ISA-62443, and so many of the shortfalls and challenges that are present when dealing with large-scale Public Key Infrastructure (PKI), certificates, signing, part/firmware/project stores and skills/resources will likely rear their heads in the near future for asset owners. And it is here that we, as a community, need to create solutions that automate, minimize solution overhead, and properly enable critical infrastructure operators to employ adequate security when managing cryptographic primitives, lists, and secure files.
This session is dedicated to:
- helping asset owners, product owners, integrators and any other interested party learn from known challenges in the secure firmware/document/PKI world as it relates to critical infrastructure;
- providing insight and discussion that allow them to safely navigate those challenges as they deploy a product (and related infrastructure) that utilizes these new security features, using a parallel based on a real-world aviation use case.
13:30 - 14:00
Grand Ballroom
CNS Track: How to Move from Always-on Privileged Access to Just-in-Time Administration and Drastically Reduce Your IT Security Risk
Track : Cyber Next Summit Track (CNS)
Speakers
Morey Haber, Chief Technology Officer And Chief Information Security Officer, BeyondTrust
A true least-privilege security model requires users, processes, applications, and systems to have just enough rights and access, and for no longer than necessary, to perform a necessary action or task. While organizations are increasingly effective at applying the "just enough" piece using privileged access management (PAM) solutions, they have largely neglected the time-limited part of the equation. Today, powerful accounts with always-on (24x7) privileged access proliferate across enterprises. The privileges of these accounts are always in an active mode, for both legitimate use and misuse. Just in Time (JIT) Administration is an approach in which organizations dynamically assign privileges to accounts and assets to ensure identities only have the appropriate privileges when necessary, and for the least time necessary. With JIT PAM, your admin privileges are no longer always ripe for abuse, so the threat window is drastically condensed. For example, a typical always-on privileged account may be "privilege-active" 168 hours a week, versus just a couple dozen minutes using a JIT approach. Multiplying this effect across all your privileged accounts will have a truly massive impact on risk reduction. Adopting JIT as part of your PAM approach means you can implement a true least privilege model across your enterprise.
Key takeaways: Attend this session to gain a firm understanding of how to:
• Significantly condense your organization's threat surface by shifting from an always-on privileged access model to a JIT approach
• Identify use cases where JIT PAM is an absolute necessity
• Choose and implement JIT PAM triggers, methodologies, and workflows that will immediately help you to drive down risk enterprise-wide
• Benefit from the integration between BeyondTrust PAM solutions and Identity Governance solutions to identify and reduce security risks across all your endpoints
14:00 - 14:30
West Ballroom and Ballroom Foyer
Happy Hour & Networking
14:30 - 15:00
Holeman Lounge
BC Track: Lessons Learned from almost a Decade of SCAP
Track : Borderless Cyber Track (BC)
Speakers
Charles Schmidt, Group Lead, MITRE Corporation
The Security Content Automation Protocol (SCAP) provides a way to support automation of cybersecurity assessment activities in a standardized way. First published in 2011, the SCAP standards have seen significant adoption and use. However, time has also revealed numerous gaps and weaknesses in the SCAP 1.0 standards. This talk reviews lessons learned from almost 10 years of experience with the SCAP standards and briefly introduces a vision for the next generation of SCAP: SCAP 2.0.
The Security Content Automation Protocol (SCAP) is a set of standards that support automation of cybersecurity assessment activities. SCAP identifies a number of individual standards that focus on specific cybersecurity challenges and provides guidance on how these standards work together to support numerous operational use cases. SCAP 1.0 was published in April of 2011, with the most recent update (SCAP 1.3) published in February 2018.
SCAP has been, overall, a very successful effort, with dozens of compliant tools and many large organizations using SCAP as a central piece of their cybersecurity strategy. However, time has revealed a number of gaps and weaknesses in SCAP. Issues of complexity, lack of desired interoperability, and difficulty in maintaining content have repeatedly cropped up. This talk looks at the current (1.3) SCAP standards and makes some observations about what has worked and what has proved problematic. It concludes with a brief introduction to SCAP 2.0, a new revision of the SCAP framework proposed by NIST that is intended to continue the success of the SCAP program while addressing many of the weaknesses that have been seen in earlier SCAP specifications.
Key objectives:
- Provide guidance useful in supporting community-driven consensus standards efforts based on experience with the SCAP effort
- Educate the audience on the SCAP 2.0 vision and intent
14:30 - 15:00
Grand Ballroom
CNS Track: Identity in Local Government - Case Study of How Fairfax County Bridges Enterprise and Resident Identity
Track : Cyber Next Summit Track (CNS)
Speakers
Robert Barr, Program Manager - Revenue Services Branch , Fairfax County Government
Fairfax County, VA needed the ability to register residents to pay their taxes online and provide management for applications in the courts used by both residents and county employees. These needs had to be met in a way that didn't sacrifice security for usability and recognized that some of the most important tasks for security required automation. The county also wanted to build a solution that avoided vendor lock-in by supporting standard protocols. Finally, the system had to work within the County's existing technology stack without requiring the hiring of specialized resources. In this case study we'll explore how the County implemented the MyFairfax system to achieve these goals from usability, DevSecOps and integration standpoints. We'll discuss several of the challenges we encountered along the way and how we overcame them.
The information provided in this presentation does not reflect the stance or opinions of Fairfax County. These are my observations and opinions.
Key Takeaways:
1. How to approach a hybrid access system between residents and employees
2. How to build an automated solution that keeps libraries up to date as vulnerabilities are patched
3. Building a hybrid cloud solution that runs on-prem but uses cloud-based services
4. How to overcome challenges in mixed technology stacks
15:00 - 15:30
Holeman Lounge
BC Track: Baby steps: an organic formula for maturing your SOC with SOAR and threat intelligence
Track : Borderless Cyber Track (BC)
Speakers
Sam Hays, Senior Technical Community Manager, Splunk
Philip Royer, Research Engineer, Splunk
In this talk we would like to take you through a practical sequence of SOC improvements, bringing an example organization from a fully manual set of partially or completely undocumented workflows to a semi-automated and consistently executable process. We will demonstrate that the introduction of automation can both save analysts' time and increase the sophistication of problems they can tackle. We will show two practical examples of automated approaches to common intelligence and correlation tasks.
With the emergence of SOAR technologies and enterprise-class threat intelligence exchanges at around the same time, analysts can now spend less time performing manual data collection work and can be more involved with increasingly sophisticated tasks. Due to the infinitely flexible nature of SOAR technology and the rich data provided by threat intelligence providers, practically any security workflow can be automated with some analysis, time, and effort. In this talk we will share some of the lessons learned when first starting a SOAR practice and growing it to a fully mature and operationalized state. We will demonstrate the resolution of four security incidents using increasing levels of case management and automation, from fully manual to mostly automated.
First, we will operate in a purely manual mode, tracking our process with chat, email, and a wiki. At this stage our security posture is highly dependent on the quality and knowledge of the particular analyst handling the incident on that particular day. This level of maturity often lacks attribution, audit, and a consistent process to follow. It is also not uncommon to have an action plan that is unused and out of date, an action plan that is indefinitely 'under development' and unpublished, or no action plan whatsoever.
From there we will extract the processes of the team and represent them in a structured, repeatable way. In this second phase we are able to track the state of investigations, maintain an audit trail, and execute simple automated actions to expedite the enrichment of indicators and the notification of stakeholders.
Moving to a third phase, we will show a playbook that starts to demonstrate the types of proactive security tasks that are incredibly inefficient without automation. We will use the popular service called "Have I Been Pwned" to check publicly exposed password breaches for the private email addresses belonging to our employees (provided during on-boarding). If there are matches we will automatically generate an email to the user with the details along with recommendations to protect both themselves and the company. We will also query internally for other systems for which those passwords may be in place, and reset them accordingly.
Transitioning to a full-fledged SOAR and threat intelligence use case, we will show proactive threat hunting leveraging indicators of various types from an enterprise threat intelligence provider, and correlating those internally with any systems to which they have connected. Based on the threat score from the threat intelligence provider and a threshold that is defined in the playbook, the analyst will be able to make an informed decision on how to respond to each piece of reported data. From there the playbook will block network connections and processes related to the threat intelligence and report on the actions that were taken to other IT teams that manage the systems being controlled.
By the end of our talk we hope to have educated our audience about a pathway to SOAR adoption, demonstrated the power and flexibility of incorporating automation into their security workflow, and inspired a few ideas for new SOAR and threat intelligence use cases.
Key take-aways: We will show the thought process and practical implications to consider when designing and implementing an automated playbook for using SOAR to ingest threat intelligence, compare it against internal data, and respond when a detection is generated. We hope to inspire participants to come up with new SOAR use cases and improve their SOC maturity.
15:00 - 15:30
Grand Ballroom
CNS Track: Panel - The Movement of Security Controls to the Cloud - How Far Can We Go?
Track : Cyber Next Summit Track (CNS)
Speakers
Peter Dougherty, CEO, Mantis Networks
Reena Parekh, Associate Director, KPMG
Robert Barr, Program Manager - Revenue Services Branch , Fairfax County Government
Morey Haber, Chief Technology Officer And Chief Information Security Officer, BeyondTrust
Matthew Gardiner, Director Of Marketing For Security Services , Mimecast
15:30 - 16:00
Holeman Lounge
BC Track: From Band Practice to SOC Symphony
Track : Borderless Cyber Track (BC)
Speakers
Michael Lyons, Offering Manager, IBM
When one thinks of mechanical and rigid, one often thinks of a cymbal-banging monkey. Unfortunately, today the trends of alert volume, sprawling IT, and regulations lead to mechanical and rigid Security Operations Center (SOC) processes that are emblematic of that cymbal monkey. Organizations want automation, but incidents require dynamic investigation. Cross-functional processes are crucial, but a model of trust is difficult to create. SOCs want to remediate quickly but cannot always access the last mile of IT. Join us as we discuss extending the SOC's automation capability with trust and flexibility that can make that mechanical monkey perform like never before!
Getting cymbal-banging monkeys to work together in a complex environment can result in confusing priorities and uncoordinated responses. Unfortunately, today the Security Operations Center (SOC) is not much different than that imagery may suggest. Integrating a Security Orchestration and Automated Response (SOAR) platform gives the SOC a single location to manage and filter their incidents and open cases for investigation. However, as the SOC's responsibilities and reach grow within an organization, the SOAR platform's rigid process can make it no more effective than a bunch of noisy monkeys. As a SOAR platform becomes the conductor of the SOC, processes become specifically defined within it, often isolated to certain event types and lacking flexibility of investigation when the information does not fit a common case. Effective SOC response must also involve other departments across your organization, but their trust in automation is low at best, so integrating external processes is challenging. Finally, IT infrastructure is sprawling more than ever, and reaching the last mile of IT can take manual action to accomplish. As a result, the SOC's cyber response can falter; however, there is a way to solve these problems and orchestrate our cymbal monkeys into a beautiful symphony.
Automated playbook flexibility is paramount to successful investigations. Events typically enter a SOAR platform and investigation begins using a playbook for the stated event type. As the investigation unfolds, information is gathered through automated processes, including a laundry list of Indicators of Compromise (IOCs). Typically, the IOC would indicate an automated remediation or containment action to stop the incident from unfolding further. However, if something unexpected is found, a SOAR platform should be able to shift investigation immediately to discover new tactics, techniques, and procedures (TTPs) that an adversary may be using, breaking the automated process. Enter the dynamic playbook: the investigation may start down one avenue but go down another, so a playbook that allows you to plug into the full capabilities of your SOC across different tools, all in a single location, is critical to maintaining the flexibility that keeps the adversaries at bay. When dynamic playbooks are combined with automation, one path of investigation can end gracefully where the next picks up, enabling analysts of all experience levels to act quickly and effectively. Similarly, in our monkey symphony, as one refrain ends another verse follows without interruption.
SOAR automation extends beyond the SOC. When a dynamic playbook does discover an IOC such as an executive's laptop, a malware-infected system, or a new IP address, the investigation must extend to other areas of your organization. For Human Resources, the employee involved in the attack might be of interest. If the incident involves some level of fraud, an entirely different team may be investigating what is happening with the identity of the account and its financial transactions using a different set of technologies, often without automation. Manufacturing organizations may have substantial Operational Technology (OT) environments that need to be protected. In legal departments the focus is on identification of compromised data for regulatory notification requirements. Legal teams are increasingly becoming part of SOC operations due to the impact of recent regulations such as GDPR, PIPEDA, etc. Like the monkeys in our orchestra, there are different sections that all must be conducted to produce a beautiful sound.
Building a trust model can promote automated processes outside the SOC. Bridging the gap between the SOC and these other groups within your organization while maintaining flexibility is not always easy or simple. When automation is introduced, a trust model must be established beyond human trust to sew the process together and show improvement. Trust in the context of process automation comes with two specific requirements: explainability and validation. Validation ensures that the automation is attempting to achieve a desired state. Explainability informs whether the desired state has been achieved or not and how the automation achieved the state. When interfacing with external groups, the ability to confirm that an action is valid can drive automated response in a wider array of scenarios. Furthermore, the ability to explain what an automation did allows actions to be traced to their source in cases where automation made a bad decision, and gives transparency to the system as a whole. For our monkey symphony, trust is found in months of practice together to produce a beautiful sound and transparency about what needs improvement.
Last mile IT automation is critical to protecting an organization. With the needle of trust sewn, the final frontier is to fully extend the SOC's capability to the entire organization. The IT landscape in many organizations spans many different areas, and much of it is slowly becoming automated itself. "Infrastructure as Code" has become an increasingly common way of setting up, modifying, and tearing down IT environments. Red Hat Ansible is one of those common "Infrastructure as Code" automation tools that solves many of IT's infrastructure problems at the push of a button. Linking these tools with a trust model into your SOAR platform is critical to being able to fully protect your organization from threats. The use of Ansible can conquer the last mile of the enterprise, allowing SOCs to respond throughout an organization with traceability back to the platform, to create a trusted and fully orchestrated cyber response. Also, within our monkey symphony, the instruments used can make all the difference in the sound they play.
The SOC's involvement throughout the organization is increasing on many fronts. Whether in HR, Legal, OT, Fraud management, or IT, SOC processes extend to involve people outside of the immediate environment. If those processes are to be flexible, efficient, and effective against cyber-attacks, automation will be required. The involvement of automation requires development of a trust model with explainability and validation to reach all corners of your organization in real time. The SOC's increasingly sprawling environment requires last mile automation to intelligently orchestrate a cyber defense across your organization. Join us as we show you the tools to make a cymbal-banging monkey orchestra play a symphony you will never forget!
Take-aways: People attending this session will learn about:
• The ability to combine automated processes and dynamic playbooks
• How to build an effective trust model to bridge the gap between the SOC and your organization
• Extending the SOC's reach with last mile IT automation
15:30 - 16:00
Grand Ballroom
CNS Track: The Reverse Engineering of Trust - Why More Tech Is Not the Answer
Track : Cyber Next Summit Track (CNS)
Speakers
Philipp Schneidenbach, Principal, Ventum Consulting
We are at the gate to the all-digital age and see cultures, biases and routines clash with compliance, privacy regulations and governance. While social engineering attacks are being refined on a daily basis, the education of users is often falling behind.
New threats are addressed with tech, the next breach calls for even more tech, and so on. But is that really all it takes to make our digital lives safer, more trustworthy or even resilient?
What are the key aspects to focus on when becoming a more and more data-sovereign digital society?
How can we apply regulations in a meaningful way, and which narrative is needed?
Learn about the latest insights on how to succeed within the tension of user acceptance, digitization initiatives and external requirements, and about strategies for leveraging values in this triangle.