Are you planning on checking out any of the Peer2Peer sessions at RSA Conference 2017?
Peer2Peer sessions are group discussions around specific security topics, where participants get the chance to really dig deeply into a topic that they care about with a group of peers. This year we've once again asked the discussion facilitators to help explain what you can expect from their sessions so that you can choose the groups and topics that will be most beneficial and interesting to you.
This post features the following six sessions:
- Dangerous Data: Is There Information We Should Not Keep? And Why...
- Keeping Up with the Crypto
- Metrics for Managing and Understanding Patch Fatigue
- How CISOs Assess Their Security Program for Success
- IoT and SCADA: Lessons Learned and Case Studies
- Building Information Security into Your Third-Party Vendor Management Program
1. Dangerous Data: Is There Information We Should Not Keep? And Why... (P2P1-R11)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: Attendees who would benefit from this session include technologists, policy professionals, and legal stakeholders engaged in the process of collecting, storing, managing, and deleting data from government and corporate databases.
Q: Why is the topic of your session important for the information security industry?
A: We used to have a problem deciding what data to keep, but now that storage costs have gone down, there is a temptation to keep every bit and byte of data in case it becomes useful later. Now, (1) we have a new administration that may request to use our stored data in different ways than we expected when the data was collected, and (2) a single piece of information does not live in isolation, but rather may be combined or processed in ways that make that piece of data “dangerous” to store. It takes some imagination to avoid these risks.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: What experience have you had in your job or in your own life where you were concerned about the collection or storage of data, and how it could be used against your company, your customers/clients/constituents, your co-workers, or yourself? What policies or strategies did you implement to remedy this concern? It’s an interactive session, so anonymized real stories as well as hypotheticals are welcome!
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: Participants will leave with an expanded list of “dangerous” data, including data which was previously considered innocuous to collect and store, but has become more questionable due to potential political movements and due to the Big Data combination and algorithmic processing of previously innocuous data. They will also leave with an expanded risk assessment checklist to ascertain where and how this data will affect their work.
2. Keeping Up with the Crypto (P2P1-W08)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: This session would benefit:
- IT professionals responsible for key management or PKI in their organization’s environment
- Developers and architects responsible for implementing cryptography and key management in their products
- Technology strategists and thought leaders that advise the above
Q: Why is the topic of your session important for the information security industry?
A: We have seen the dangers of outdated cryptography in major breaches (see: Yahoo! and MD5). However, the migration from SHA-1 to SHA-2 exposed significant challenges in moving from old to new algorithms. Some organizations found themselves moving off of public CAs in order to extend their use of SHA-1 until they could fully migrate all systems.
The problem will persist when we start to look at post-quantum cryptographic algorithms. Some of these algorithms have very different properties than the algorithms we are used to dealing with, and they will require different approaches to managing keys. In order to be ready when post-quantum algorithms become necessary, we need to start talking now about the likely challenges and approaches to make the transition smoother. More generally, we can better protect our data if we can simplify migrations from one algorithm to another.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: How do you manage cryptographic algorithm use in your environment or products today? How have you managed past migrations from one algorithm to another? What lessons have you learned? How might you apply this to post-quantum algorithms?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: I hope that attendees will walk away with ideas that they can implement now (in products or infrastructure) in order to be well prepared and able to respond quickly the next time a cryptographic algorithm migration becomes necessary.
3. Metrics for Managing and Understanding Patch Fatigue (P2P2-W12)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: I think that this conversation would be a great fit for anyone in a position that straddles operations and security. Whether it's somebody in the trenches dealing with security updates and patches on a daily basis or a manager who wants a better understanding of exactly what their employees are dealing with, that area of IT Operations / Security Management is going to be the sweet spot for attendees to really get the most out of the conversation.
Q: Why is the topic of your session important for the information security industry?
A: Right now, we're losing the Patch Management war. We see it in the number of breaches and the constant hacks that we hear about, and I saw it personally while researching the paper I coauthored on the topic of Patch Fatigue. Our current methods of handling and prioritizing fixes don't seem to work, and the importance we place on the patches we install often feels misplaced. This conversation will hopefully help everyone walk away feeling better about dealing with the Patch Fatigue affecting their organizations.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: How much time do you spend working with patches and vendor security bulletins? What percentage of your day do you actually fight with patches, with patch management software, and with vendor notifications? How much of your job duties are tied to this vs. how much time are you actually spending on working on this? How could your life be made easier? These are important questions that we're just not asking ourselves.
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: More knowledge around Patch Fatigue causes and hopefully coping mechanisms for dealing with the fatigue. For managers, I hope they walk away understanding what their employees are dealing with and how they can help alleviate some of the fatigue.
4. How CISOs Assess Their Security Program for Success (P2P2-T11)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: This session is on how CISOs can evaluate and improve their security programs; with that in mind, I would expect this would be for security professionals who are managing or creating a cybersecurity program.
Q: Why is the topic of your session important for the information security industry?
A: The roles of the CISO are changing; to be effective and provide value to the organization, CISOs need to continually assess and adjust their cybersecurity program. This discussion will talk about some of the skills senior security professionals are using today to be more effective and reduce the risk exposure of their organizations.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: Think about the current cybersecurity program they have in place, ideas to improve the service they are providing, ideas to build out the program, and how to evangelize its value to their organization.
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: They will have learned several methods or frameworks to use for evaluating their cybersecurity programs, specific skills that are helpful in growing a cybersecurity program in organizations and recommended sites/readings to help develop soft skills and ideas on how to incorporate the discussion into their current security program.
5. IoT and SCADA: Lessons Learned and Case Studies (P2P3-T09)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session?
A: Attendees who are directly involved in managing or designing the security of IoT or SCADA systems or connections.
Q: Do you have a specific role or job title in mind?
A: CIO, Chief Compliance Officer, Chief Privacy Officer
Q: Why is the topic of your session important for the information security industry?
A: IoT devices are proliferating at an astounding rate. Like SCADA systems before them, these devices are not being designed with security in mind. Connections in new and unanticipated places and applications require pro-active security and projecting security implications beyond mere breaches. Health care connections and cameras for example have clear privacy implications. Other connections such as to automobiles have profound safety implications. My session provides a safe venue to discuss these possibilities and how to minimize potential privacy and security issues.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: It would be useful if attendees had a basic familiarity with SCADA and the IoT. Familiarity with Stuxnet and Shamoon would be particularly helpful.
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: Attendees will have an analytical framework to use when evaluating the potential security issues with IoT connections. They will also have a historical perspective on previous attacks on SCADA systems which will help them formulate their analysis for potential IoT vulnerabilities.
6. Building Information Security into Your Third-Party Vendor Management Program (P2P2-T09)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: This session is for information security and contracting officers who are looking at how to develop a program to ensure that cybersecurity is embedded in their supply chain and vendor support network.
Q: Why is the topic of your session important for the information security industry?
A: Any third party that has access to your data or network constitutes risk that must be managed. While the Target breach is dated, it is still an excellent example of poor vendor risk management.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: Who are the stakeholders that manage access to data for your company today? Is there a centralized program on how they approach risk and compliance management?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: We will review a framework and key criteria to build a Third-Party Vendor Cyber Risk and Compliance Management Program.
You can check out all of the Peer2Peer sessions on our agenda here: https://www.rsaconference.com/events/us17/agenda.