Integrated Cyber
May 2-3, 2019
The Evolution of Cyber Security Automation
Integrated Cyber is the premier cyber conference bringing together the Integrated Adaptive Cyber Defense (IACD), Automated Indicator Sharing (AIS), and Information-Sharing communities.
This event provided a forum for collaboration and technical exchange to support the adoption of integrated, automated cyber defense and information sharing. This two-day event showcased government, industry, operations, and critical infrastructure perspectives.
The conference was hosted by the Johns Hopkins University Applied Physics Laboratory (JHU/APL), in collaboration with the National Security Agency (NSA) and the Department of Homeland Security (DHS). Our goal was to dramatically change the timeline and effectiveness of cyber defense via integration, automation, and information sharing.
In March of 2015, JHU/APL hosted its first IACD Community Day. It was a short demonstration session based on Spirals 0 and 1, and the attendees included government stakeholders, interested organizations, and industry partners. The purpose was for JHU/APL to showcase a proof of concept and demonstrate the efficiencies that could be gained through the use of automation and integration. Over the years, the event grew in both duration and participation, resulting in our first Integrated Cyber 2-day event in October of 2017. The purpose of this event was to increase the adoption of IACD tenets and capabilities by having others showcase and discuss real-world implementations and services from two emerging markets: SOAR and TIPs.
In the last year and a half, the market has changed drastically and organizations have made the commitment to automation in cyber operations. There are now many operational deployments with organizations willing to share lessons learned with their peers. Based on discussions with our members and partners, we have determined that the IACD community no longer requires a unique 2-day event hosted at JHU/APL in the future. We are now transitioning this forum to be more supportive of the ever-expanding IACD community.
Please Note: Slides and video recordings will be posted as we obtain permission from presenters. For further questions, please contact us at icd@iacdautomate.org. Thank you for your patience.
Day 1
Keynote: Phil Reitinger, Global Cyber Alliance
Integrated Cyber: The Evolution of IACD
Breakout Session 1
Abstract:
This talk will focus on “knowledge engineering-derived AI” that is used to create an expert system for active defense. Whereas “data science-derived AI” focuses on how the data set is applied to tell us about the patterns in that data silo for prediction, classification, and clustering, knowledge engineering-derived AI expert systems focus on mimicking the abilities, knowledge, skills, and tasks of domain-specific human experts.
We’ll also look at hard topics in artificial intelligence such as explainability, reproducibility, and use in zero-trust architectures to include how we’re addressing these hard topics square on with knowledge engineering-derived AI expert systems.
Hear lessons learned from the front lines of an MSSP focused on adversary pursuit, Root9B, where they are using DarkLight, a modern expert system, as a differentiator in their automation strategy. This talk will interweave lessons learned by Root9B’s operational testing and deployment.
Presenters:
Shawn Riley, Chief Visionary Officer, DarkLight Cyber
Aaron Shaha, Director of Network Defense Operations (NDO) & Data Science, root9b
Michael Forgione, Network Defense Operator, root9b
Abstract:
This session discusses the technical role and effectiveness of end-/any-point solutions, strategic use cases, telemetry/log/config contributions for context, and closing the loop early between DETECTION and REMEDIATION. Attendees can expect to address:
• Summary of IT/OT/IOT cyber threats, related scenarios, and defining concrete use cases for targeted risk and vulnerability management
• The anatomy of a solid end-point solution, including threat remediation and multimodal telemetry/log acquisition for context
• Assessing asset risk and behaviors and applying them to future end-point technologies
• Lessons learned when deploying OT-first security solutions that enable linear convergence with IT-esque features
Presenter:
Ron Brash, Director of Cybersecurity Insights, Verve
Abstract:
The SOAR market has grown significantly over the last 3 years, with organizations increasingly relying on automation in the SOC. Join this session to understand how organizations of varying levels of maturity are adopting SOAR, as well as hear a viewpoint on how this important technology may continue to evolve while driving efficiency and effectiveness in the SOC. We’ll also share our assessment of 10 critical capabilities security teams must consider when optimizing their security workflows in the future.
Presenter:
Rob Truesdell, Director of Product Management, Automation and Orchestration, Splunk
* Note: Slides from this presentation are not available at this time. Please check back soon.
Abstract:
With an array of cyber Security Orchestration Automation and Response (SOAR) platforms available for IT organizations, there needs to be a common visual and data format that would share workflows across these tools. Sharable Workflows is that way. It utilizes the Business Process Model & Notation (BPMN) open standard to increase adoption of cyber SOAR platform tools by having repositories of workflow libraries. Additional benefits are secure repositories, sharing of workflows across the community, reduced time and financial capital to implement and maintain orchestration, and operational ease of transition between SOAR platforms.
Common Sharable Workflows allow greater adoption of SOAR platforms throughout the cyber community. BPMN Visual and Data XML-based format allows graphical representation of the workflow with multiple third-party editors (most free and interoperable) to revise, modify, and edit. Reference Sharable Workflows repositories can host libraries of reference workflow standards that can be used as-is or modified to suit the IT organization’s policies and procedures. Workflows can be uploaded to repositories, then validated and verified, before being shared by the end user cyber community.
Presenters:
Paul Laskowski, Cyber Engineer, JHU/APL
Triton Pitassi, Software Engineer, JHU/APL

Technical Demonstration of how to share reference workflows in BPMN amongst organizations so that they may be tailored and then imported into a SOAR platform. This video accompanied the Shareable Workflows Presentation given during Breakout Session 1 of Integrated Cyber Spring 2019.
Breakout Session 2
Abstract:
The MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework has emerged as the most detailed and relevant knowledge repository for adversary techniques ever compiled. This session aims to demonstrate how we can mine threat intel data as well as build models of normal versus malicious behavior from a large malware sandbox data set, by using knowledge of these tactics and techniques. Furthermore, we will demonstrate a systematic method to build a threat-hunting engine to operationalize such threat intelligence and models extracted from the sandbox data set.
Presenter:
Kumar Saurabh, Founder, LogicHub
Abstract:
The Netflix Security Incident and Response Team (SIRT) has grown out of the unique Netflix culture and technology stacks. As Netflix continues to grow its business and operations, SIRT continues to evolve to meet the needs. With the growth, we recognize the need to invest in automation and engineering to have more impact with the same resources. In the talk, we will show how the team automated the security incident response workflow using a SOAR solution. We will discuss how the investment decreased the cognitive load on the responder and enabled faster resolution times. The talk will highlight how we are enabling other teams within the organization to perform crisis management in their domains using the tooling and will also share our future automation roadmap. The goal is to grow our response capabilities through engineering efforts and new approaches as opposed to large multitiered SOCs with linear staffing requirements.
Presenter:
Swathi Joshi, Senior Technical Program Manager, Incident Response, Netflix

Swathi Joshi from Netflix Incident Response describes their view and journey towards integrating security orchestration.
Abstract:
The power of machine learning to extract value from vast amounts of data is widely recognized in the industry. However, successfully integrating this powerful tool into security operations is not a trivial task.
Meanwhile, security teams are shifting their approach to automation-first—aiming to increase efficiency and save valuable analyst time while reducing response time.
Some teams have adopted full SOAR platforms, while others have full automation teams maintaining their own systems and scripts in-house.
The question remains: How can we benefit from the power of machine learning while retaining our structured and powerful security playbooks built by experts?
In this talk we will give an overview of machine learning use cases for security operations and explore the relationship between machine learning and expert-built playbooks. We will review the limitations of machine learning in the context of orchestration and automation and how to successfully merge machine learning-based classifiers with the power of orchestration playbooks.
Finally, we will discuss the human’s place in this solution and how these playbooks empower the security analyst and engage with multiple teams and stakeholders.
Presenter:
Lior Kolnik, Head of Security Research, Demisto
* Note: Slides from this presentation are not available at this time. Please check back soon.
Abstract:
Open Command and Control (OpenC2) is a concise and extensible language to enable machine-to-machine communications for purposes of command and control of cyber defense components, subsystems, and/or systems in a manner that is agnostic of the underlying products, technologies, transport mechanisms, or other aspects of the implementation. OpenC2 is being standardized under the auspices of OASIS. The OpenC2 Integration Framework is a prototype implementation demonstrating the creation and processing of OpenC2 Commands and Responses, and the use of multiple transfer protocols and serialization methods in transferring messages between OpenC2 Producers and Consumers.
Presenter:
David Lemire, Systems Engineer, Huntington Ingalls Industries
* Note: Slides from this presentation are not available at this time. Please check back soon.
Keynote: Sue Gordon, Principal Deputy Director of National Intelligence

* Note: Slides were not used for this presentation.
Breakout Session 3
Abstract:
This presentation will cover how Symantec went about implementing the OpenC2 language into Symantec Integrated Cyber Defense Exchange (ICDX) messaging bus. ICDX performs log collection of Symantec products and forwards to external log aggregation and orchestration platforms. The implementation will also show working examples of the OpenC2 inspired commands in ICDX.
Presenter:
Efrain Ortiz, Director, Office of the CTO, Symantec
* Note: Slides from this presentation are not available at this time. Please check back soon.
Abstract:
IACD strategies provide a strong reference framework for building cyber defense automation architectures. In practice, many technical and nontechnical challenges are uncovered. In this session, we will present our work establishing a threat response automation pipeline in a large-scale enterprise environment. Real-world implementation considerations include automated case management/change notification, orchestration in a heterogeneous landscape, and the inevitability of false positives. We will review architecture trade-offs, lessons learned, and recommendations for implementers considering a security automation pilot in their organization.
Presenters:
Michael Stair, Lead Member of Technical Staff, AT&T
Anthony Ramos, Lead – Technology Security, AT&T
Abstract:
MOSAICS leverages existing commercial technologies and, where applicable, developmental technologies from government laboratories and academia to address gaps in commercial offerings. Integration of these capabilities to automate key aspects of the Advanced Cyber ICS Tactics, Techniques, and Procedures (ACI TTP) will be the primary focus of this concept demonstration. This presentation will demonstrate the early implementation of the IACD concepts into an industrial control system environment. This implementation represents the first step in the development of the MOSAICS concepts.
Presenter:
Harley Parkes, Director, IACD, JHU/APL

Demonstration of the IACD support for the MOSAICS JCTD utilizing security automation and orchestration to support Industrial Control Systems. This video accompanied the MOSAICS Spiral 0 Demo—More Situational Awareness for Industrial Control Systems Presentation given during Breakout Session 3 of Integrated Cyber Spring 2019.
Abstract:
Make analytics available where they are most useful. Embed real-time metrics and analysis tools into your end-user applications. Put contextual KPIs, visualizations, and analytics into your workflow development environment, into a human-in-the-loop decision step, into an auditor evaluation step, into a notification authoring step, and/or into many other end-user interfaces.
“Data is only as valuable as your ability to act on it.” —Dalton Ruer (a.k.a., Qlik Dork)
This session will answer these questions: What are contextual analytics? Why embed contextual analytics into your end user applications? What are some examples of contextual analytics that would be useful in a cyber security application?
This session will show some example user interfaces that include contextual analytics, provide a brief summary of how to embed contextual analytics (technical) into your application, and discuss the build versus buy decision.
Presenter:
Michael Deane, Head of Contextual Analytics, Red Alpha
Day 2
Keynote: George Barnes, Deputy Director, National Security Agency
Breakout Session 4
Abstract:
How do you identify and calibrate trust in automation? Studies of established pillars of safe and effective use of autonomous platforms have shown some hints. How will cloud and other future advances in cybersecurity impact trust?
Moderator:
Gill Brown, Human Systems Engineer, JHU/APL
Panelists:
Aubrey Merchant Dest, Federal CTO, Symantec
Juhee Bae, Product Manager, General Dynamics Mission Systems
Geoff Hancock, Chief Cybersecurity Executive, Advanced Cybersecurity Group
Jennifer Ockerman, Cognitive Systems Engineer, JHU/APL

Trust Panel from Integrated Cyber May 2019
Abstract:
Over the last decade the cybersecurity community has made significant progress on collecting and aggregating intelligence that describes threat actors and campaigns, their tactics and techniques, and technical IOCs leveraged by them. However, tracking this intelligence as part of cybersecurity operations or applying it to analytical systems is difficult because it is generally unstructured. Knowledge bases like MITRE’s ATT&CK are an excellent example of how useful intelligence can be once it is organized—getting to that end state is a huge challenge.
In this presentation we will show how recent advances in natural language processing (NLP) can help us organize this intelligence and add structure to make it actionable. We will demonstrate how to use Word2Vec: a shallow neural network that understands meanings and relationships between words and can therefore be used to organize the information these documents provide. This exercise trains a Word2Vec model on open-source intelligence and vulnerability reports such as EU-CERT and NIST and clusters them into “tactical and technical categories” that can be mapped to the MITRE ATT&CK framework.
Presenters:
Nicolas Kseib, Lead Data Scientist, TruSTAR Technology
Zainab Danish, Data Scientist, TruSTAR Technology
Abstract:
Deception has rapidly been adopted over the last couple of years as an enabler to accelerate detection and shrink dwell time. Today, security defenders utilize deception for its high-fidelity alerts via integration with SIEM systems, and just as important, playbooks, network, and EDR tools to react quickly to threats via automated and predefined response actions. As attacks become increasingly sophisticated and involve more automation, the defense must build and enable automated responses to counter new threats. This can only be accomplished through high-fidelity alerting systems with validated threat intelligence that directly integrate with existing security tools. During this session, we will discuss how deception systems are successfully countering advanced threats, including discussion about real-world use cases.
Presenter:
Tony Cole, Chief Technology Officer, Attivo Networks
Breakout Session 5

Abstract:
This moderated panel will explore the evolution and future of security automation as it continues to mature and become more widely adopted by modern digital enterprises. Topics covered will include applications of machine learning that accelerate positive security outcomes, the adoption and utility of risk-based decision models in the real world, the relevance of event-driven solutions for security automation to overarching modern digital transformation, and applicability of knowledge management to security automation’s future.
Moderator:
JP Bourget, Founder and Chief Security Officer, Syncurity
Panelists:
Adam Vincent, CEO and Co-Founder, ThreatConnect
Bruce Potter, Chief Information Security Officer, Expel
Abstract:
In 2017, GuidePoint’s managed services arm, vSOC, embarked on a large automation project to gain efficiencies for both infrastructure management and customer-facing security services. In this talk I will present some lessons learned from this journey, pitfalls and myths about automating operations, and our path moving forward. The audience will learn what tools and techniques worked as well as what failed miserably, and some tips for architecting a security stack that will plug in seamlessly to their current infrastructure.
Presenter:
Patrick Orzechowski, Vice President, Research and Development, deepwatch
Abstract:
Cyber information sharing and response in the automation space revolves around indicators of compromise. This can be problematic because indicators can be changed by the adversary, leading to short shelf lives of usefulness. Additionally, TTPs (tactics, techniques, and procedures) being shared are often nebulous or not machine consumable. The IACD Integration Team has explored how parts of the industry share information and how adversary actions could be mapped to MITRE’s ATT&CK framework to help facilitate automation. This session will include a proof-of-concept demonstration detailing a possible method to share adversarial behavior, including the accompanying concerns and challenges to take these slices of adversarial behavior to become the building blocks for machine-consumable TTPs.
Presenters:
Will Burger, Software Engineer, JHU/APL
Jason Mok, Cyber Engineer, JHU/APL
Keat Ly, Cyber Security Engineer, JHU/APL
Amar Paul, Software Engineer, JHU/APL
Abstract:
Cybersecurity data science (CSDS) offers hope to organizations struggling with growing complexity, false positives, and data overload. CSDS brings to bear a range of methods to refine data into focused and effective alerts via analytical models. This presentation advocates a set of best practices derived from academic research, interviews with practitioners, and hands-on lessons from the field.
Lacking properly prepared data imbued with domain context, CSDS efforts flounder. The session aims to dig into areas where hype and failed projects have exposed gaps in CSDS efforts. A process-focused approach to integrated CSDS is framed.
The CSDS process encompasses data exploration to determine key features, preprocessing to impose structure, integrating distributed sources, deriving new measures, and establishing streamlined data pipelines. Model building and validation is thus situated in a larger frame. This presentation will be of interest to practitioners, experts, and planners alike.
Presenters:
Patrick Alcorn, Cybersecurity Data Scientist, SAS
John Stultz, Analytic Platform Solutions Architect, SAS

Demonstration of IACD work to share cyber adversary Tactics, Techniques, or Procedures in support of cyber defense and SOAR. This video accompanied the Beyond Indicators: Sharing Adversarial Behavior—An ATT&CK-Based Demo Presentation given during Breakout Session 5 of Integrated Cyber Spring 2019.
Thank You to our Sponsors!
Description:
Attivo Networks® is the leader in deception for cyber security defense. Founded in 2011, Attivo Networks provides a comprehensive deception platform that in real-time detects inside-the-network intrusions in networks, public and private data centers, and specialized environments such as Industrial Control System (ICS) SCADA, Internet of Things (IoT), and Point of Sale (POS) environments. Founded on the premise that even the best security systems cannot prevent all attacks, Attivo provides the required visibility and actionable, substantiated alerts to detect, isolate, and defend against cyber attacks. Unlike prevention systems, Attivo assumes the attacker is inside the network and uses high-interaction decoys and endpoint, server, and application deception lures placed ubiquitously across the network to deceive threat actors into revealing themselves. With no dependencies on signatures or attack pattern matching, the BOTsink deception server is designed to accurately and efficiently detect the reconnaissance and lateral movement of advanced threats, stolen credential, ransomware, man-in-the-middle, and phishing attacks. The Attivo Multi-Correlation Detection Engine (MCDE) captures and analyzes attacker IPs, methods, and actions that can then be viewed in the Attivo Threat Intelligence Dashboard, exported for forensic reporting in IOC, PCAP, STIX, CSV formats or can be used to automatically update SIEM and prevention systems for blocking, isolation, and threat hunting. The ThreatOps offering simplifies incident response through information sharing, incident response automation, and the creation of repeatable playbooks.
Website: https://attivonetworks.com/
LinkedIn URL: https://www.linkedin.com/company/attivo-networks-inc-
Twitter URL: https://twitter.com/attivonetworks
Description:
DarkLight, Inc. was created to solve a major and growing problem for industry and government – too much information with too few human analysts to make sense of it and act in a timely manner. DarkLight’s patented System for Advanced Reasoning to Enhance Enterprise Decision Making was designed to be an analyst's workflow engine and initially derived from "person of interest" research. It is a revolutionary system created by one of the United States Department of Energy (DOE) top national research laboratories, the Pacific Northwest National Laboratory (PNNL). DarkLight, formerly known as Champion Technology Company, Inc. is a 2015 R&D 100 Winner recognizing its importance in the international technology field and received a 2015 FLC (Federal Lab Consortium) award for government to commercial technology transfer.
DarkLight chose the cybersecurity industry to launch its first commercial product, DarkLight Cyber. DarkLight Cyber is an Artificial Intelligence software utilizing an Expert System with contextual reasoning capabilities. The Expert System approach solves many of the challenges not addressed by the majority of current cyber AI utilizing algorithm-based solutions. Specifically, too many false positive alerts and an inability to explain why an alert occurred in the first place. These limitations reduce productivity and increase risk. DarkLight Cyber’s Active Defense Expert System integrates threat and risk information from current tools with critical contextual information, automates detection and investigation with shareable cognitive playbooks, validates the alerts, risks and predictions, and explains to the human analyst why DarkLight came to its conclusion in a transparent and understandable way.
DarkLight, Inc. keeps headquarters in Seattle, Washington with the Richland, Washington office focusing all its attention and expertise in applying this groundbreaking patented reasoning system to DarkLight Cyber.
Website: https://www.darklight.ai/
LinkedIn URL: http://www.linkedin.com/company/champion-technology-company-inc-
Twitter URL: https://twitter.com/DarkLightCyber
Description:
Demisto is a leading Security Orchestration, Automation, and Response (SOAR) platform that helps security teams accelerate incident response, standardize and scale processes, and learn from each incident while working together.
How can we help?
Security teams are wilting under dual pressures:
• Rising Alerts: The volume and complexity of alerts are increasing, demanding response accuracy and agility to ensure that no alert slips through the cracks.
• Scarce Resources: SOCs face an uphill battle in trying to extract value from existing product and personnel investments. CISOs now need to quantify security ROI before executive approval.
Demisto combines security orchestration and automation, incident management, and interactive investigation to help security teams meet these challenges and best leverage existing and new security investments.
Website: https://www.demisto.com/
LinkedIn URL: https://www.linkedin.com/company/demisto
Twitter URL: https://twitter.com/demistoinc
Thank You to our Community Groups!
Description:
CIS® (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.
The CIS Controls™ and CIS Benchmarks™ are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals.
Our CIS Hardened Images™ are virtual machine emulations preconfigured to provide secure, on-demand, and scalable computing environments in the cloud.
CIS is home to both the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC™), which supports the cybersecurity needs of U.S. State, Local and Territorial elections offices.
The CIS Vision:
Leading the global community to secure our connected world
The CIS Mission:
• Identify, develop, validate, promote, and sustain best practice solutions for cyber defense
• Build and lead communities to enable an environment of trust in cyberspace
Website: https://www.cisecurity.org/
Description:
Our philosophy is simple: Do Something. Measure It. ™
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by:
• Uniting Global Communities: We must stand as a global community, across sectors and geography, if we are to effectively address cyber risks.
• Implementing Concrete Solutions: We build concrete solutions that reduce and eradicate cyber risk, and we make those solutions freely available for any organization or individual to use.
• Measuring the Effect: We believe in measuring effectiveness. We must measure to know we are doing the right things, and metrics drive action. We need to know what works and what does not.
Website: https://www.globalcyberalliance.org/
Description:
The Incident Response Consortium (IRC) is a non-profit, educational community, driven to change the landscape of today’s lack of knowledge of incident response policies and procedures. The IRC is the First and Only Incident Response Community laser-focused on Incident Response, Security Operations and Remediation Processes concentrating on Best Practices, Playbooks, Runbooks and Product Connectors. In building the Community, the IRC aims to provide, design, share and contribute to the development of open source playbooks, runbooks and response plans for the industry community to use. These playbooks or recipes can be in the form of flowcharts, diagrams, sequences, scripts, orchestration platform playbooks, and product integration connectors. The collaborative community created by the IRC is driven to advance and address the ever-present and painful realities of today’s cybersecurity industry.
Through its free-to-attend conferences, and freely accessible online resources available at http://www.IncidentResponse.com, the IRC is working to offer resources to everyone looking to further their knowledge and work toward more effective and efficient incident response. The IRC’s next upcoming, free-to-attend event is its Incident Response Conference, “IR19,” held September 4th and 5th, 2019 in the Washington, DC area at the Arlington Renaissance Capital View Hotel in Arlington, Virginia.
Website: https://www.incidentresponse.com/
Description:
The IACI promotes information sharing through guidance, by assuring awareness of threats and providing management services supporting Government and Industry reduction of cyber risks. This coordinated development of partnerships allows all entities across the world the opportunity to become cyber resilient. IACI will continue to lead the way
Under Executive Order (EO) 13691: Promoting Private Sector Information Sharing, the Secretary of Homeland Security was called on to strongly encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs). ISAOs, like ISACs, are entities formed to share cyber threat information with their community of trust. However, whereas ISACs are sector based, ISAOs may be formed based on region, sector, subsector, or any affinity of interest. As part of the EO, DHS was to enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO).
The International Association of Certified ISAOs (IACI) is a 501(c)6 non-profit with offices at Kennedy Space Center, Titusville, Florida, USA and Vienna, Austria. IACI was founded by the Defense Industrial Base Information Sharing and Analysis Center, Webster University, and the Global Institute for Cyber Security Research.
Website: https://www.certifiedisao.org/
Description:
Sector-based Information Sharing and Analysis Centers (ISACs) collaborate and coordinate with each other via the National Council of ISACs (NCI). Formed in 2003, the NCI today comprises 24 organizations designated by their sectors as their information sharing and operational arms.
The NCI is a true cross-sector partnership, providing a forum for sharing cyber and physical threats and mitigation strategies among ISACs and with government and private sector partners during both steady-state conditions and incidents requiring cross-sector response. Sharing and coordination is accomplished through daily and weekly calls between ISAC operations centers, daily reports, requests-for-information, monthly meetings, exercises, and other activities as situations require. The NCI also organizes its own drills and exercises and participates in national exercises.
Council members are present on the National Cybersecurity and Communications Integration Center (NCCIC) watch floor, and NCI representatives can embed with National Infrastructure Coordinating Center (NICC) during significant national incidents. The Council and individual members also collaborate with other agencies of the federal government, fusion centers, the State and Local Tribal Territorial Government Coordinating Council (SLTTGCC), the Regional Consortium Coordinating Council (RCCC), the Partnership for Critical Infrastructure Security (PCIS) – the Cross-Sector Council, and international partners.
The Council welcomes membership from organizations that have been designated by their sector leadership as their official forum for sharing threat information. Critical Infrastructure sectors and subsectors that have not yet established a method for sharing across their sectors are encouraged to contact the NCI to discuss how they can collaborate with the Council and participate in its activities.
Website: https://www.nationalisacs.org/
Description:
The National Cyber Security Alliance (NCSA) builds strong public/private partnerships to create and implement broad-reaching education and awareness efforts to empower users at home, work and school with the information they need to keep themselves, their organizations, their systems and their sensitive information safe and secure online and encourage a culture of cybersecurity.
Vision:
Realizing the full potential of our ever-evolving digital lives can only happen when a culture of cybersecurity and privacy is the foundation of:
• Free-flowing content
• Multiple methods and platforms for communication
• Trustworthy commerce
• Widely available and highly reliable connectivity
Mission:
To educate and empower our global digital society to use the internet safely and securely.
Underlying Value:
Securing our online lives is a shared responsibility.
Website: https://staysafeonline.org/
Description:
OASIS is a nonprofit consortium that drives the development, convergence and adoption of open standards for the global information society.
OASIS promotes industry consensus and produces worldwide standards for security, Internet of Things, cloud computing, energy, content technologies, emergency management, and other areas. OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology.
OASIS members broadly represent the marketplace of public and private sector technology leaders, users and influencers. The consortium has more than 5,000 participants representing over 600 organizations and individual members in more than 65 countries.
OASIS is distinguished by its transparent governance and operating procedures. Members themselves set the OASIS technical agenda, using a lightweight process expressly designed to promote industry consensus and unite disparate efforts. Completed work is ratified by open ballot. Governance is accountable and unrestricted. Officers of both the OASIS Board of Directors and Technical Advisory Board are chosen by democratic election to serve two-year terms. Consortium leadership is based on individual merit and is not tied to financial contribution, corporate standing, or special appointment.
Website: https://www.oasis-open.org/