Integrated Cyber
October 2-3, 2018
Integrated Cyber is the premier cyber conference bringing together the Integrated Adaptive Cyber Defense (IACD), Automated Indicator Sharing (AIS), and Information-Sharing communities.
This event provides a forum for collaboration and technical exchange to support the adoption of integrated, automated cyber defense and information sharing. This two-day event showcases government, industry, operations, and critical infrastructure perspectives.
The conference is hosted by the Johns Hopkins University Applied Physics Laboratory (JHU/APL), in collaboration with the National Security Agency (NSA) and the Department of Homeland Security (DHS). Our goal is to dramatically change the timeline and effectiveness of cyber defense via integration, automation, and information sharing.
Day 1
Keynote: Neal Ziring, Technical Director, NSA Capabilities Directorate

Presentation is not available for this talk.
Integrated Cyber: Automated Information Sharing and the power of community, Harley Parkes, JHU/APL

Keynote: Sherri Ramsay, Consultant; Former Director, NSA/CSS Threat Operations Center (NTOC)

Featured Speaker: Paul Kurtz, CEO and Cofounder, TruSTAR

Power of Information Sharing with Lessons Learned in the Retail Sector
Abstract:
Information sharing can be a powerful strategy for security operations and beyond. Learn from real-life case studies on how a cyber intelligence exchange can transform your organization into a more secure, efficient machine.
Lunchtime Lecture: Global Cyber Alliance
Less Talk and More Action: How the Global Cyber Alliance Is Making a Difference and You Can Too
Abstract:
Global Cyber Alliance (GCA) is an international nonprofit focused on developing and deploying practical solutions, which we make freely available, that measurably improve our collective cybersecurity.
During this lecture, you’ll learn about GCA’s efforts to bring communities together to provide scalable solutions and how those resources can help you address systemic risk. We’ll discuss GCA’s efforts to tackle security challenges associated with IoT devices and technologies as well as a new initiative to help small and medium businesses confront cyber risk. Attendees will learn how they can access GCA’s trusted and globally available resources and become part of a growing movement to eradicate cyber risk.
Speaker: Mary Rahmani, Global Partnership Officer, Global Cyber Alliance
Breakout Session 1
Abstract:
Sharing IOCs is necessary but not sufficient. We need to make processing/usage of IOCs as automated as possible, and we need to evolve what is being shared to be something that organizations can use to more appropriately protect and defend the network. This panel will discuss what makes threat information actionable for network defenders and what type of information (e.g., adversary TTPs) would be valuable to share.
Moderator:
Sherri Ramsay, Consultant; Former Director, NSA/CSS Threat Operations Center (NTOC)
Panelists:
Jeff Aboud, Director, Product Marketing, Kenna Security
John Jolly, President and CEO, Syncurity
Shawn Riley, CDO and CISO, DarkLight Cyber
Donnie Wendt, Security Engineer, Mastercard
Abstract:
Cyber Ranges offer features that can be used to reduce risk and measure performance of the adoption of SOAR/IACD capabilities. A Cyber Range has the ability to recreate “worst day” scenarios that “stress test” SOAR/IACD platforms beyond the ability of limited production pilots or laboratory testing to minimize risk during production implementation and operation. Cyber ranges have tools to instrument and measure system and human activities to model improvements in SOAR/IACD capabilities. A well-engineered Cyber Range allows for high-quality data collection, which increases confidence in automated decision processes and leads to improved response.
Host:
Cory Hoyssoon, Systems Engineer, JHU/APL
Presenter:
Tim Schaad, Executive Director, Advanced Cyber Range Environment and Cyber Range Services, ManTech
Abstract:
Instead of asking IF we should automate cyber defenses, how about if we asked WHEN we should automate? This talk presents a benefit versus regret matrix and discusses the concept of low-regret response actions.
Presenters:
Kim Watson, IACD Technical Director, JHU/APL
Geoff Hancock, Chief Cybersecurity Executive, Advanced Cybersecurity Group
Abstract:
Many organizations have adopted machine learning and data analytics to help them identify security anomalies. However, mere identification isn’t good enough in a world where Petya and other modern attacks can take down 15,000 servers in a single organization in under two minutes. To combat these new types of malware, organizations need to be looking at Model Driven Security Orchestration where the security responses to emerging threats and attacks are automated and driven at machine speed. In this presentation, Aetna will provide an overview of our security orchestration program, including what worked, what didn’t, and lessons learned.
Presenter:
Jon Backus, Product Manager for AEIRS, Aetna
Breakout Session 2
Abstract:
Cybersecurity has very few absolutes, almost everything is a best practice, and the sharing of tools and techniques is critical to making best practices a reality. There is a lot of interest in building and participating in practitioner communities where you can find individuals like yourself that you relate to and trust. Such communities allow practitioners to learn from each other, share with one another, and generally advance their expertise. This panel discusses the power of community in improving cybersecurity and defining/advancing best practices.
Moderator:
Geoff Hancock, Chief Cybersecurity Executive, Advanced Cybersecurity Group
Panelists:
Larry Johnson, CEO, CyberSponse
Curt Dukes, Executive Vice President and General Manager, Center for Internet Security
Cody Cornell, Cofounder and CEO, Swimlane
John Pescatore, Director of Emerging Security Trends, SANS Institute
Note: There is no presentation or video recording available for this panel
Abstract:
Healthcare remains the most exposed CI component and the most under-resourced. Many firms are recognizing the difficulties in keeping pace with the threats to their increasing attack surface (e.g., IoT medical devices, mobile and remote care delivery), meeting regulatory requirements, and finding/retaining qualified security personnel. However, traditional security third-party monitoring models fall short and aren’t optimized to address the volume of alerts that require investigation. In addition, current approaches don’t collectively share the granularity of data necessary to dramatically improve outcomes. As a result, a new, cooperative model is emerging in healthcare, which has been chartered by the State of Michigan and supported by Sequris Group. This session will provide an overview of this new model, highlight the differences from traditional MSS operations, and explain the critical role SOAR technology plays in delivering these services effectively and efficiently.
Presenter:
Eric Eder, Founder and President, Sequris Group
Ryan Winn, CISO and Director of IT, Munson Healthcare
John Jolly, President and CEO, Syncurity
Abstract:
Based on Sharable Workflow presentation and demonstration with CyberSponse. A complete life cycle of downloading a workflow, modifying it, exporting it, and importing it into an Orchestration Tool will be discussed.
Presenters:
Paul Laskowski, Senior Systems Engineer, JHU/APL
Bharathram Krishnan, Solutions Architect, CyberSponse
Abstract:
Security automation and intelligence sharing seek to speed the detection of and response to cyberattacks. Meanwhile, deception and moving-target defenses can slow the attacker by disrupting the attacker’s situational awareness. By addressing both sides of the equation—speeding the response and slowing the attack—we can narrow the gap between attackers’ time to compromise and our time to detect and respond. Security automation allows defenders to accelerate their observe–orient–decide–act (OODA) loop through continuous situational awareness and rapid response. Additionally, defenders can operate within the attacker’s OODA loop by using deception to disrupt the attacker’s situational awareness. This discussion will present the conceptual framework underlying research into the use of security automation and adaptive cyber defense in the financial services industry.
Presenter:
Donnie Wendt, Security Engineer, Mastercard
Featured Panel: Horizontal Integration
Featured Panel - Horizontal Integrations
Abstract:
As more and more vendors realize the importance of integrating within their product lines and with third-party vendors, many large market players are designing frameworks, platforms, and standards to make their products and product lines accessible. This panel will focus on the importance of horizontal integration across vendors, how it has become a driver for competition in the open market, and its importance for automation and speed of cyber defense.
The panel will explore the operational challenges with this type of integration across vendors/products as well as the various models being developed and how they can be used to address these challenges.
Moderator: Harley Parkes, Director, IACD Portfolio, JHU/APL
Panelists: Efrain Ortiz, Director Market & Technology Innovation, Symantec; Naasief Edross, Senior Technical Leader, Cisco; Jason Mok, IACD Deputy Integration Team Lead, JHU/APL; and Michael Ward, Director, Security Engineering | Federal, Palo Alto Networks
Day 2
Keynote: Rick Howard, Chief Security Officer, Palo Alto Networks

Breakout Session 3
Abstract:
An increasing number of organizations are exploring and integrating Security Automation & Orchestration (SA&O)/Security Orchestration, Automation & Response (SOAR) strategies and platforms in cyber defense. During this panel, experienced organizations share SA&O, with information sharing, lessons learned, best practices, and recommendations.
Moderator:
Brett Waldman, IACD Adoption, JHU/APL
Panelists:
John Pescatore, Director of Emerging Security Trends, SANS Institute
Matt McFadden, Cyber Director, General Dynamics Information Technology
Matt Rodriguez, Cybersecurity Solutions Architect, Phoenix Cybersecurity
Lior Kolnik, Head of Security Research, Demisto
Piero DePaoli, Senior Director, Security & Risk, ServiceNow
Note: There is no presentation or video recording available for this panel
Abstract:
When your boss forwards you the latest intelligence report with an urgent flag set and the message reads: “What are we doing about this?” what do you say? To be confident in your answer, you need to understand how that adversary operates, or what’s in their Playbook. In this session, we’ll give you an in-depth report on OilRig, an adversary based in the Middle East that has launched a series of targeted attacks over the past 3 years. We’ll show you how to analyze the threat to build a structured copy of their offensive plays, so you can better prepare your defensive line.
Presenter:
Mike Harbison, Unit 42 Threat Researcher, Palo Alto Networks
Abstract:
This talk will explore the intersection of adversary tactics and techniques and defender resiliency effects to help defenders understand their resilience to attack within the context of the IACD observe–orient–decide–act (OODA) loop. This talk will leverage community knowledge from the NIST SP 800-160 Vol. 2 Cyber Resiliency Engineering Framework, the ODNI Cyber Threat Framework, and MITRE’s ATT&CK to give concrete examples of resiliency techniques and approaches mapped to specific adversary objectives. We’ll explore how defender resiliency effects on adversary behavior impact the defender’s risk. We’ll use the Cyber Effects Matrix to show defenders how to measure gaps, map response actions, and determine whether the desired effect on adversary behavior across the cyberattack life cycle has been achieved.
Presenter:
Shawn Riley, CDO and CISO, DarkLight Cyber
Abstract:
This session will provide an overview of the DoD’s MOSAICS concept demonstration with a focus on the functional requirements definition for the system. MOSAICS will leverage existing commercial technologies and, where applicable, developmental technologies from government laboratories and academia to address gaps in commercial offerings. Integration of these capabilities to automate key aspects of the Advanced Cyber ICS Tactics, Techniques, and Procedures (ACI TTP) will be the primary focus of this concept demonstration. This presentation will provide insights into the technical requirements for the MOSAICS system as decomposed from the ACI TTP and other sources.
Presenters:
Rich Scalco, Engineer, SPAWAR SYSCEN-ATLANTIC
Larry Cox, Engineer, USPACOM (AECOM)
Featured Speaker: Ben Miller, Director of Threat Operations, Dragos, Inc.

ICS Threat Operations: Responding to Industrial Intrusions
Abstract:
This presentation will offer thoughts on how to respond to industrial intrusions. One of our biggest challenges as a community is how we are largely untested in our ability to recognize and respond to an industrial intrusion. Making matters worse, the industrial environments often lack the level of logging needed to respond and understand an attack. We must quickly move to a “protection eventually fails” mindset and understand how to “live off the land” to gain the defender’s advantage. This talk will pragmatically step through how our engagements have shaped our thoughts and our technology.
Lunchtime Lecture: OpenC2
OpenC2 Update
Abstract:
A community update on OpenC2, to include highlights of this week’s face-to-face meeting and information on how you can get involved.
Speaker: David Lemire, Secretary, OASIS OpenC2 Technical Committee
Breakout Session 4
Abstract:
The evolution of the SOAR market has the potential to fundamentally change classic business models because of the open integration of products and services. If companies are opening up their APIs, what other support services and opportunities does this open to small/mid-sized business development approaches and integration approaches? Tools that used to be custom-developed for integration are now commercially available and supported. What is your organization’s perspective on how a market of open integration changes for different business partners and operational activities?
Moderator:
Andy Speirs, Senior Information Security Executive, Booz Allen Hamilton
Panelists:
Christopher Carsey, Senior Solutions Engineer, CyberSponse
Cody Cornell, CEO and Cofounder, Swimlane
Vince Crisler, CEO and Cofounder, Dark3
Matt McFadden, Cyber Director, General Dynamics Information Technology
Note: There is no presentation or video recording available for this panel
Abstract:
Security teams are overwhelmed and are increasingly becoming less effective. They’re outnumbered and outgunned, and the problem isn’t getting any better. But it doesn’t have to be that way! Solving the problem and getting the upper hand against the bad guys isn’t a question of how many more resources we need to add—it’s a question of focusing what we already have on what really matters. Taking a modern approach to security means that we need to work smarter, not harder. This session will discuss a modern approach to security to help teams maximize the efficiency of their efforts to maximize their impact on the organization’s risk.
Presenter:
Jeff Aboud, Director, Product Marketing, Kenna Security
Abstract:
FIT recently conducted a series of experiments comparing two different implementations of IACD C2 systems: The Systems Behavior Command and Control (SBC2) distributed C2 system based on the MIRA agent framework and a “conventional” C2 system using the Phantom orchestrator and apps connecting to sensors and actuators. The experiments were conducted on an emulated electrical smart grid testbed and focused on the identification and mitigation of attacks targeting the path from the smart meter to the utility data center. The experiments measured:
Effectiveness – whether the C2 framework produces the desired result, and to what level of accuracy
Efficiency – the computational resources (space, time, messages) required to compute the result
Security – the level of security of the orchestration process throughout the communication events
Usability – the degree of difficulty in the installation, deployment, and operation of the C2 system
Each of these measurements included several different experimental conditions that are reported, along with examples of the tests conducted.
Presenters:
Thomas Eskridge, Associate Professor, Florida Institute of Technology
Marco Carvalho, Dean, College of Engineering and Computing, Florida Institute of Technology
Note: Slides will be posted soon.
Abstract:
In today’s threat landscape, the only way to disrupt attackers and protect an organization is to unite systems and people, forming a collective defense. There are many opportunities for collaboration on shared goals, allowing security teams to stretch their resources further. This session will discuss the value in leveraging the power of community for the evolution of security capabilities.
Presenters:
Lior Kolnik, Head of Security Research, Demisto
Breakout Session 5
Abstract:
IACD and the FS ISAC have been partnering with Mastercard, Huntington National Bank, and Regions Bank for the last year on an integrated pilot for enhanced information sharing and decision support. This talk will present the initial results of that pilot.
Presenters:
Charlie Frick, IACD Financial Sector Liaison, JHU/APL
Nam Le, IACD Integration Team Lead, Senior Systems Engineer, JHU/APL
Abstract:
Threat intelligence has grown out of a desire to better defend against known threats. Unfortunately, most threat intelligence today consists of a curated list of known malicious indicators. Using principles extracted from proactive threat-hunting methodologies, we propose a better way forward for threat intelligence.
Presenters:
Josh Day, Senior Threat Hunter, Accenture
Brad Rhodes, Senior Threat Hunter, Accenture
Abstract:
Learn how adopting modular and decentralized design principles for automation scripts can help you keep up with the rapidly changing cyber landscape.
Creating cybersecurity automations that keep up with the rapidly changing cyber landscape is hard. You need to balance the desire to follow a proper development life cycle with the need for rapid turnaround. The solution is adopting modular and decentralized design principles for automation scripts.
Presenters:
Matt Rodriguez, Cybersecurity Solutions Architect, Phoenix Cybersecurity
Tom Goetz, Senior Cybersecurity Engineer, Phoenix Cybersecurity
Abstract:
Industry-wide, security teams are duplicating (and wasting) valuable time and resources to complete similar investigations, workflows, and threat responses. This is costly and unnecessary, especially when considering the ever-expanding threat landscape and global skilled staffing shortage. Imagine the alternative: Multiple organizations have investigation teams who agree to collaborate. One does an in-depth investigation, hunt, or mitigation and is able to share that process in real time with another organization. There are now multiple organizations and teams who are leveraging their skills and expertise to increase the efficacy of their collective SOCs. They are armed with the resources to prevent breaches and hunt for other threats while bolstering the security industry as a whole. Welcome to the future of collaborative security.
Presenters:
Cody Cornell, Cofounder and CEO, Swimlane
Pedro Haworth, Head of Technology, Security Innovation Alliance, McAfee
Note: There is no presentation available for this panel
Featured Speaker: Karl Gumtow, Executive Director, Maryland Innovation & Security Institute

Presentation is not available for this talk at this time.