2018 Phoenix Security & Audit Conference

Agenda


    • Ballroom Bonus
      • 9:45 AM - 10:45 AM
        Cyber Immune Defense: HITRUST CSF Delivers an Active Cyber Defense
        Ballroom
        The FBI reports that over two million IoT devices may have been compromised by malware. Attack speeds exceeding 1 Tbps! Who can forget the massive cyber-attack of October 21, 2016? IoT + DDoS = Botnet army. Our past is a mirror to the future. The journey of the past had Mirai associated with it. Kaizen implies continuous improvement. The future is about a kaizen cyber defense program. And this is where HITRUST CSF comes in. HITRUST CSF as an enterprise framework, and HITRUST CSF = active cyber defense. Mirai to kaizen! The threats are “mirai”, HITRUST is the “kaizen!” The focus of Pabrai’s brief is to examine core elements of your digital business cyber immune system. From this brief, you will: (1) assess enterprise readiness for attacks such as IoT + DDoS, botnets, ransomware and more; (2) review options for and how to implement the HITRUST CSF as a cybersecurity framework; and (3) step through how a single standard such as HITRUST CSF addresses GDPR, NIST CsF, 23 NYCRR 500, and more.
      • 11:00 AM - 12:00 PM
        Reimagining Data Security Through Field Expertise and Multi-Faceted Business Experience
        Ballroom
        Addressing information security and compliance challenges in any organization has to start with the business leadership. The most talented security practitioners and audit professionals in the world still need buy-in from corporate leadership, which can be difficult to acquire. In this talk I will share my insights on how to focus your efforts on meeting the needs of the business, based on my varied experiences helping businesses of all shapes and sizes with many different security and non-security related transformational challenges. In mid-2005, immediately following the CardSystems Solutions compromise that would change the payments industry forever, my team and I at CCBill were tasked with transforming the security of one of the largest third-party payment processors in the world. The challenges that we faced during the five years I spent at the helm of that transition, and as an officer of our local ISACA Chapter, would forever shape the context of my career. In 2010, I helped found phoenixNAP, one of the fastest growing global Infrastructure as a Service providers in the market today. For 8 years we focused on building an infrastructure platform that would service a multitude of businesses across many different verticals. Finally, I am happy to say that I have been able to get back to my roots and start to help transform the information security posture of companies like CCBill and others through the development of a holistic security platform that they can rely on. I will share many of the ideas and processes that we have developed to help shape businesses from the top down to care more about the security and availability of their data.
      • 1:45 PM - 2:45 PM
        US Privacy: Practical Prep for the California Consumer Privacy Act (CCPA)
        Ballroom
        While global organizations have spent the last several years preparing for the EU’s General Data Protection Regulation (GDPR), the new California Consumer Privacy Act (CCPA) will create new challenges for many businesses that process California resident personal data. In this session, we’ll discuss what this new law means for California consumers, what changes we expect to see before it’s put into effect, and how this law is impacting the status of US federal privacy law. We’ll lay out a 10-step guide to demonstrating ongoing compliance with privacy regulations like CCPA, and how privacy management software can support security and GRC teams.
      • 3:00 PM - 4:00 PM
        IoT Security Realities & How to Defend Them
        Ballroom
        This session will review how the Internet of Things has created a world of Internet-connected devices across various industries and has exposed these organizations, employees and members to risk. During this “IoT Security Realities and How to Defend Them” session we will discuss and provide answers to the question: “What are IoT-enabled devices, why are these IoT devices vulnerable, and how are they used in cyber-attacks?” We will review and discuss the reasons why certain organizations and employees are being targeted and hacked through IoT devices and how those attacks are taking place. The session will also review how organizations can better prepare and protect themselves and their employees from IoT attacks and will provide best practices for preventing current attacks.

    • Cyber Warfare Range
      • 9:45 AM - 10:45 AM
        Cyber Warfare Range Session #1
        McDowell - South
      • 11:00 AM - 12:00 PM
        Cyber Warfare Range Session #2
        McDowell - South
      • 3:00 PM - 4:00 PM
        Cyber Warfare Range Session #4
        McDowell - South

    • Data Analytics
      • 9:45 AM - 10:45 AM
        IoT and What This Means for Data Analytics and Information Security
        Paloma I
        According to Intel, by 2020 there will be over 200 billion connected devices worldwide. From an analytics perspective, the possibilities of new data sources are boundless, but from an information security point of view IoT seems like an insurmountable challenge. With the proliferation of IoT (Internet of Things), are these two disciplines at odds with one another? While no one really has all the answers, join us for an interactive discussion and hear what the City of Mesa is doing to address these concerns.
      • 11:00 AM - 12:00 PM
        Winning the War on Data Breaches in a Changing Data Landscape
        Paloma I
        Gartner research predicts that data volume will grow 800% over the next five years, and up to 80% of that data will be completely unstructured. Unstructured data consists of web pages, legal documents, images, medical records, mobile content, and other types of rich media that consumers and businesses are producing every second. The astonishing pace of unstructured data growth, coupled with the increased sophistication of breach techniques, creates a very challenging mix for organizations in the current security dispensation. The number of exploits being released for technology previously described as fairly secure has also rapidly increased, from Heartbleed to Meltdown and Spectre, and even Efail. Most organizations continue to build a threat-centric program as opposed to a data-centric program. This presentation will go through a three-step process for determining techniques and tools for identifying sensitive data regardless of location, protecting that data, and continuously and securely monitoring the data. A major highlight will be the implementation of AI and Big Data concepts and techniques in building an effective data-centric security protection framework. This presentation will also include a live demo of a few AI-powered features that actualize the data-centric security model.
      • 3:00 PM - 4:00 PM
        Data Analytics: Thinking Outside the Box
        Paloma I
        This session will focus on how to design data analytics tests that are unique and specific to certain industries. Participants will learn how to design data analytic tests that go beyond the “basic” tests such as duplicate payments, duplicate vendors or general ledger analysis. A primary focus of these outside-the-box tests will also be on fraud detection. Participants will learn how to go about gathering source data files for their specific tests and how to plan and document these tests. Specific examples from different industries (healthcare, banking, travel, government) will be shown as part of the session.

    • General
      • 8:30 AM - 9:30 AM
        Complexities of Transferring Personal Data: Security, Privacy, GDPR and CA Consumer Privacy Act
        Ballroom
        Landmark rulings and new laws in the US and foreign territories have far-reaching implications for how personal data is collected, stored, accessed, and used in the United States. As outsourcing and innovative technology continue to sweep the world, many small and medium-sized businesses are looking to one another for guidance on how to adapt their policies to suit the current environment and comply with data security and data privacy requirements, the upcoming CCPA, GDPR and the many variations therefrom.
      • 12:40 PM - 1:30 PM
        Cybersecurity 2.0 - Controls, Governance & Business Reimagined
        Ballroom
        As the threat landscape continues to shift, we need to understand the role of cybersecurity in achieving the mission of our companies. Never has there been a larger threat looming over our intellectual property, sensitive and personal information, or critical infrastructure systems. Hear from not only a cybersecurity thought leader, but someone with operational experience as a CISO, General Counsel, and Chief Privacy Officer, as we discuss today effective controls to mitigate the risks, how to govern with the Board, the role of assurance frameworks, and how to enable business through better cybersecurity.

    • Governance, Risk, & Compliance
      • 9:45 AM - 10:45 AM
        Quest Accepted: Gamifying Security Awareness
        Paloma III
        Security awareness training is BORING: users click through as fast as they can and guess at the questions. Then they forget everything that was just presented to them. This talk will discuss some simple strategies to gamify your security awareness program and help users care. We will discuss a simple approach that will allow you to focus on one security awareness topic at a time. Eventually you will have a full-blown game and users who actually practice and have a strong security posture. We will also discuss how to make this fit any budget and how you can get creative with it.
      • 11:00 AM - 12:00 PM
        EMBRACE Risk in Your Digital Transformation Journey
        Paloma III
        Business Risk Management is really about ONE GOAL - helping the business grow. Companies are constantly on the lookout for opportunities – quicker speed-to-market, digitization of the business, and becoming data driven are some of the top priorities for growth. Most, if not all, organizations today are using technology to fuel their growth; this is called the Digital Transformation. While executives see technology as a key growth opportunity, this universe of growth activities also has a ‘parallel universe’ - the Risk Universe. For example, cybersecurity is a constant concern at the management level, and the perception that security functions are falling behind is fueled by a variety of reasons – technology gaps, skills shortage, high-visibility breaches, and significant costs associated with incidents. Management also has a common perception that risk management groups are falling behind, which is why so many organizations are focused on improving risk processes. However, risk management is not just about protecting value but about helping the organization move towards opportunity: managing risk in the context of business strategies and objectives. Attend this interactive session to learn how your risk program can rely on better data, more consistent processes and better reporting. As new risks continue to appear, learn how the business can be agile and move faster. Finally, learn how organizations can not only better leverage expert support in their risk/compliance/security functions (2nd and 3rd Lines of Defense) but also groom their own internal business resources (1st Line of Defense) and engage those closest to the risks as part of the risk management strategy.
      • 1:45 PM - 2:45 PM
        How to Communicate Security Program Effectiveness to Business Executives and the Board
        Paloma III
        Information Security Management Programs continue to face two significant challenges: the continuous evolution and adaptation of attackers, and the ongoing exposure to increasing and persistent threats that businesses face. Information Security teams struggle to validate their ongoing security assurance efforts and to justify budget requests to the board for managing risk and defending against threats. Metrics are an effective tool for both of these challenges. However, metrics can just be noise - easily overwhelming CISOs, business executives, and the board, which confuses rather than clarifies the current state of organizational security. Therefore, it’s important to collect the right metrics for the right reasons. We will review a diverse array of industries and perspectives that will offer you valuable insight and best practices you can use as you implement actionable security metrics in your organization.
      • 3:00 PM - 4:00 PM
        The Time for a CTSO (Chief Technology Security Officer) Is Now
        Paloma III
        With nearly all enterprises pursuing their digital transformation strategies at breakneck speed, the CISO’s focus, time, and budget have been split. They are still responsible for running and enhancing all their current and legacy security programs for protecting the data center and corporate environment. However, digital transformation technologies such as cloud, big data, IoT, robotics, cognitive systems, augmented/virtual reality, etc., need to be understood and secured before these technologies become revenue-bearing systems. This reality has created a challenge for all CISOs: fighting a war on two fronts. This is similar to how the CIO and CTO roles were separated in the late 1990s to allow CIOs to focus on current information operations while the CTO took responsibility as the technology visionary. The time for creating the CTSO (Chief Technology Security Officer) is now!

    • Hackers & Threats
      • 9:45 AM - 10:45 AM
        Forensic Responses to Cyber Attacks
        McDowell - North
        Cybersecurity and Incident Response is an ever-evolving and growing landscape, filled with technologically advanced cases of ransomware, advanced threats, malware and sophisticated email phishing schemes, to name a few. All of the many types of attacks available to a cyber-criminal make companies vulnerable to fraud, embezzlement, reputational damage and data privacy leaks. In this session, we will explore the current state of cyber-attacks, examine forensic/tactical countermeasures, and take a glimpse into the sobering opportunities for cyber criminals of the (very near) future.
      • 11:00 AM - 12:00 PM
        Wrangling Malware for Fun and Pentesting
        McDowell - North
        As pentesters, we're always looking for ways to crack the perimeter and establish a foothold. But we're busy, right? So, why reinvent the wheel? Malware is making it past companies' perimeters every day. "Wrangling Malware for Fun and Pentesting" explores the idea of re-using malware delivery and obfuscation techniques for pentesting. We will take a phishing email with an obfuscated malware payload, deobfuscate it, review the code, replace the malware with a pentesting payload, re-package it, and deploy it for pentesting.
      • 1:45 PM - 2:45 PM
        Would You Like to Play a Game?
        McDowell - North
        From CTFs at DEF CON to NetWars at SANS, there is a culture of competition and puzzle solving throughout the global security community. These “games” allow security pros to practice their craft on realistic data in a safe, challenging, and fun environment that up-levels their technical skills and improves collaboration. Why not run your own competition? In this presentation, we’ll discuss how to create custom jeopardy-style capture the flag (CTF) events for blue team education and skills development. We'll share some of our experience, from the perspective of a leading security vendor, in designing and running three versions of these globally. And we’ll be discussing a recently-released free CTF scoring platform, a high-quality free dataset, associated questions, and tips on how to create your own fully custom competition.
      • 3:00 PM - 4:00 PM
        IoT Everything - Managing Risk in a "Connected Everything" World
        McDowell - North
        Internet of Things (IoT) devices have led to a massive increase in the number of endpoints to be secured and managed. Gartner predicts >20 billion IoT devices by 2020, nearly double today’s count. According to Forrester, 82% of organizations are unable to identify all the devices connected to their network, and 77% admit that increased IoT usage creates significant security challenges. This IoT "blind spot” creates significant risk for InfoSec, Audit, and Operations teams. This presentation will discuss: (1) why IoT security is such a challenge, (2) shortcomings of current approaches, and (3) top 5 tips for modern IoT defense and monitoring.

    • Hot Topics
      • 9:45 AM - 10:45 AM
        I See You! Visual Incident Response
        Mohave III
        Incident Response can be a chaotic time. A typical incident involves a lot of discussion with many different opinions and theories. Perfect diagrams of the network, asset location and tool placement are not always available. Often, not all the responders are in the same room, making the analysis phase of an incident a challenge to keep coordinated and controlled. Visual incident response adds a dimension to the analysis that enables responders of all skillsets to get a common understanding, thus speeding up the complete response process and reducing the impact of an incident.
      • 11:00 AM - 12:00 PM
        GDPR Impacts to Network Forensics that Use WHOIS
        Mohave III
        The implementation of GDPR will impact the ability to track the source information on malicious domain name users that create spam and malware by “masking” critical information such as domain owner, location, and contact information. This presentation will show the impact of these restrictions and what it will mean to your SOC team as it attempts to distinguish good traffic from bad.
      • 1:45 PM - 2:45 PM
        Hot Topics Session #3
        Mohave III
      • 3:00 PM - 4:00 PM
        Beyond Mitigation: Avoiding Cyber Attacks Through Prediction that can be Trusted
        Mohave III
        Many existing applications of machine learning to cybersecurity are focused on detecting malicious activity already present in an enterprise. However, attacks such as NotPetya in 2017 taught us that certain threats can rapidly cause damage. The speed of contemporary attacks, along with the high costs of remediation, incentivizes avoidance over response. Yet avoidance implies the ability to predict – a notoriously difficult task due to high rates of false positives, unexplainable results from machine learning algorithms, and the difficulty in finding data that is both amenable to machine learning approaches and indicative of future events. DARKMENTION, a new approach to prediction, seeks to address all these concerns. Using a different type of artificial intelligence model known as temporal logic, it leverages indicators derived from external sources such as the darkweb to make accurate predictions that are understandable by a human analyst. Funded by a U.S. intelligence community program (IARPA CAUSE), DARKMENTION has been tested on real-world enterprise event data and shown to be predictive on blind tests with over 80% precision. In this talk, we provide an overview of DARKMENTION, what type of data it requires, review recent case studies, demonstrate how it works and provides feedback to SOC analysts, discuss how DARKMENTION integrates into security workflows, and look toward the future impact of this technology.

    • Info Sec
      • 9:45 AM - 10:45 AM
        Future of Ransomware and How to Defend Against It
        Mohave II
        This session will review a timeline and history of ransomware and other malware and exploit attacks and will provide an overview of current and future attack trends. During this “Future of Ransomware and How to Defend Against it” session we will discuss and provide answers to the question: “Why is ransomware effective, and how will ransomware be modified and used in the future to attack organizations?” We will review and discuss the reasons why organizations in specific industries and employees are being targeted and hacked and how those attacks are taking place. The session will also review how organizations can better prepare and protect themselves and their employees from the next generation of ransomware attacks and will provide best practices for preventing current attacks.
      • 11:00 AM - 12:00 PM
        What IF? A Little Experiment on Lighting the Motivational Fire for my App Sec Team
        Mohave II
        The cybersecurity field is broad, with numerous domains requiring numerous skillsets. Moreover, we have a global shortage of cyber skills and unfilled positions; we are struggling to obtain and retain women in cyber, and we are lacking a solid methodology to fill those gaps. Currently, teams are singularly focused on delivering work to keep their companies secure. Additionally, as we work to meet customer requirements, we must implement our code and products securely, leaving team members no time for their own growth and innovation. My presentation is unique – it isn’t focused on a deep-dive technical hack; it is focused on a larger problem at hand that we MUST address: how do we spark and foster passion, build a hardworking workforce, and find and exploit those individuals who are willing to learn?
      • 1:45 PM - 2:45 PM
        Those Old Rules for Passwords—Gone
        Mohave II
        On 7 August 2017 the Wall Street Journal published “The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!”. In that article the author of the password guidance in the 2004 NIST publication stated, “Much of what I did I now regret.” In June 2017 NIST issued Special Publication 800-63B, Digital Identity Guidelines—Authentication and Lifecycle Management. The new publication ripped much of the earlier guidance out. People who have been responsible for establishing password policy for organizations, particularly those who were enforcing more extreme rules, are likely to get mental whiplash as they adopt the new guidance.

        We have created a password obstacle course for our users and we have demanded they run it every ninety days. Soon we will tell them that they don’t have to visit the upper row of the keyboard to create a password and that they can keep that password for a good while. Let’s discuss how we tell them that without looking like sadistic loons for what we have forced them to do for the last ten years.
      • 3:00 PM - 4:00 PM
        How to Develop a Winning Security Metrics Strategy
        Mohave II
        When properly applied, security metrics are a key tool for quantifying risk and making informed decisions to improve an organization’s security posture. Learn how to identify the right metrics, get the most from monitored data, and avoid common mistakes as you build, measure, and manage a security metrics framework aligned with the goals of your business.

    • Internal Audit
      • 9:45 AM - 10:45 AM
        Accountability: What, Why, & How
        Paloma II
        Most would agree that accountability is critical – but what is accountability? Is it the latest buzzword or a true root cause for issues? Audit, security and IT professionals embrace the concept of accountability in business operations, ethics and governance. As such, the ability to define accountability, advise on methods to achieve accountability and, most importantly, demonstrate that accountability is crucial. Learning Objectives: (1) What is accountability? (2) Why is accountability important for all of us and particularly for professionals? (3) Key strategies and tips to achieve accountability.
      • 11:00 AM - 12:00 PM
        Third Line of Defense for Blockchain
        Paloma II
        This session will discuss risk and audit considerations in today’s blockchain ecosystem.
      • 1:45 PM - 2:45 PM
        Digital IA: Risk Assessment
        Paloma II
        Leveraging digitally-enabled techniques to modernize risk assessments.
      • 3:00 PM - 4:00 PM
        2018 SOX Compliance Trends
        Paloma II
        Results of Protiviti's 2018 Sarbanes-Oxley Compliance Survey will be presented. In addition to sharing the results of the survey, ways to fine-tune SOX costs, hours and controls will be discussed.

    • IT Audit
      • 9:45 AM - 10:45 AM
        EU GDPR - Post May 25th
        Mohave I
        The period post May 25th brings new challenges to companies as they continue to achieve and maintain alignment with the requirements of the EU GDPR. The session will evaluate industry trends, enforcement actions, and recent guidance to summarize some of the most important aspects of the GDPR and where companies should be focusing efforts post May 25th. Additionally, the session will discuss the need to perform GDPR audits. This is a bit different from what companies might have gone through from a readiness standpoint, as the audit would evaluate whether the documentation or artifacts in place support their alignment with the relevant GDPR requirements and ensure the policies are being followed in practice. The discussion would also include how to perform micro audits focused on related GDPR sub-activities such as DPIAs, Data Subject Rights, Consent Management, etc.
      • 11:00 AM - 12:00 PM
        Artificial Intelligence: How will it change the role of the auditor?
        Mohave I
        Artificial Intelligence, or AI, is no longer a plot device in science fiction films. AI is becoming as ubiquitous as the personal computer, and the opportunities for what AI can do for internal audit are almost as endless as the challenges this disruptive technology represents. In this session, attendees will learn about the different forms of AI, how AI is being used today, and what challenges and possibilities AI presents to tomorrow’s auditors.
      • 1:45 PM - 2:45 PM
        Security Awareness is NOT a Checkbox: How to Audit & Assess a Program
        Mohave I
        The target audience for this session is the IT auditor role. This session will cover the basic elements of a Security Awareness program and how to audit a program. After years of explaining my program to auditors, regulators and third-party assessors, it is time to provide this role with knowledge on Security Awareness. The Security Awareness program in any organization is more than a CBT checkbox; it is about a culture change that doesn’t take place overnight and is difficult to measure.
      • 3:00 PM - 4:00 PM
        IA in a Changing AI World
        Mohave I
        As the capabilities of Artificial Intelligence grow rapidly in the world today, it is time for Internal Audit to start preparing and understanding what AI is in relation to their organization. We will talk about AI perception, definitions, history, risks and Internal Audit’s role in this growing area.