Are you ready for this year's RSA Conference in San Francisco? Have you decided which Peer2Peer sessions you'd like to attend?
Peer2Peer sessions are group discussions around specific security topics, where participants get the chance to really dig deeply into a topic that they care about with a group of peers. This year we've once again asked the discussion facilitators to help explain what you can expect from their sessions so that you can choose the groups and topics that will be most beneficial and interesting.
This post features the following eight sessions:
- Practical Insights in Protecting ICS Networks from Cyberthreats
- Managing the Machine: Strategies for Effective SecOps Management
- Optimizing Vendor Security Audit Value
- Implementing SecDevOps in Regulated Industries
- Finding Order in Chaos: Using the Cyber Defense Matrix to Map Vendors and Your Security Portfolio
- Developing Super Women in Security
- How to Overcome the Roadblocks of Enterprise Client-Side Encryption?
- Active Security: Building Hunt Operations
1. Practical Insights in Protecting ICS Networks from Cyberthreats (P2P2-W04)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: Information Security Managers, Information Security Program Managers, Director of Information Security, Information Security Officers, Information Security Program Leads, ICS Reliability Specialists/Engineers or anyone who is responsible for implementing a cyber security program that includes industrial control systems (with ICS vendors and third party service providers) will benefit from this session.
Q: Why is the topic of your session important for the information security industry?
A: According to the Booz Allen 2016 industrial cyber security threat briefing, more incidents involving ICS operators (organizations that depend on ICS as part of their daily operations) occurred in 2015 and into 2016 than in any prior year. In 2015, ICS operators reported more security incidents to U.S. authorities than in any year prior – 15% more incidents than the highest year on record. Overall, the total number of incidents reported by ICS operators rose by 20% in 2015 (ICS-CERT Monitor).
Nation state-backed groups, criminals, hacktivists and authorized insiders are part of the growing list of threat actors. Attacks against ICS infrastructure can have devastating effects, including extended (and often costly) operational outages and physical damage to devices, which could jeopardize safety and operational reliability, or result in far-reaching environmental consequences.
In analyzing incidents over the course of 2015 and into 2016, several trends have emerged. It has become clear that nation state-backed groups have been and will continue to be the most significant single threat to ICS operators. As ransomware use and variety have increased tremendously in 2015/16, we may begin to see more ransomware-style attacks on ICS infrastructure. With the allegations of Russian government-inspired hacking activities in the last U.S. elections, political interference may become a bigger motivation for perpetrating ransomware attacks against ICS infrastructure, in addition to financial gain. Cyber criminals were reported (in 2015) to be selling access to compromised ICS systems for the first time. As this is a well-established business model in the world of cybercrime, this trend may continue, especially as more attack tools and resources become freely available, lowering the technical barrier for limited-skill threat actors.
Kim Zetter, in her book “Countdown to Zero Day” said this: “Market for zero day vulnerabilities has gone commercial and exploded in the last few years, as the number of buyers and sellers has ballooned, along with prices. This trade has now been legitimized with the entry of government dollars into the arena to create an unregulated cyberweapons bazaar. The thriving underground black market that caters to crooks and corporate spies sells not just zero day vulnerabilities and exploits but also the payloads to weaponize the exploits. Vulnerabilities sold even on the gray markets (where buyers and sellers are presumed to be the good guys), are not disclosed to vendors for patching, which leaves anyone who doesn’t know about them (including other government agencies and critical infrastructure owners in the buyers own country) open to attack, should foreign adversaries or independent hackers discover the same security holes and exploit them”.
These trends underscore the need for an effective ICS security strategy, one that recognizes and adapts to the changing threat landscape. The public, employees, consumers and shareholders are all looking to the information security industry to step up and address these threats, and this makes this session an important one that RSA Security Conference 2017 attendees MUST attend!
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: Execution is important in the success of any strategy, including an ICS cyber security strategy. The one thing to think about is: what practical steps can I take to ensure my ICS cyber security program succeeds?
Setting the right objectives and achieving them is a big challenge. Cyber security frameworks, policies, standards and procedures aside, other important questions to consider include the following:
- Is my ICS cybersecurity program working effectively as required?
- What are the basic tactical, operational and strategic foundational elements?
- How can I sustain executive leadership support?
- Have I engaged the right stakeholders to support the program and are employees and third parties following approved processes and procedures?
- How do I overcome the initial roadblocks when ICS operational and/or maintenance folks say they are too busy, or that cyber security folks do not understand their environment?
- Have I set the right objectives and am I monitoring them well?
- How can I change course if things are not working?
- How can I sustain momentum in my program if I have it, knowing that bad guys just need one opportunity?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: Attendees will be armed with practical insights on how to execute an effective ICS cybersecurity program, how to energize their people, set the right objectives and achieve them. More importantly, attendees will be able to meet other participants who may be experiencing similar challenges and share their experiences: what worked, what didn’t, what to watch out for and practical ways to address unique industry challenges while working in the trenches. Attendees can maintain contact, even after this year’s conference, develop relationships and forums to share information and hopefully help develop the next generation of cybersecurity professionals.
2. Managing the Machine: Strategies for Effective SecOps Management (P2P2-R07)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: I developed the concept for this Peer2Peer session with front line Security Operations Management in mind. Directors, Managers or Leads that are responsible for day-to-day security monitoring, engineering and incident response will fit right in. Looking beyond specific job roles - if you are struggling with a specific SecOps management challenge, or if you are passionate about managing SecOps and want to help your peers – then this session is for you.
Q: Why is the topic of your session important for the information security industry?
A: In my experience (and I start my answer with these words very deliberately), the Information Security industry – and Security Operations in particular – is too often approached with a technology-first mindset.
So often, IT professionals rise through the ranks of the Help Desk, Tier 2 support and onto their company’s Security team. Suddenly, after excelling in a Security Engineering role, these same people have “proven they are ready” and get promoted to a managerial role. In terms of college education, if it exists, it is far more likely to be in the field of Computer Science than in Business. I don’t mean any of this as a criticism – it’s just the reality (or rather, my reality).
Add to this all of the other forces that shape our industry – our “constantly evolving threat landscape”, the cyber skills shortage, regulation, budget constraint (or excess – it happens!), and all of the vendors hoping to capitalize on InfoSec’s growth, just to name a few. For me, Security Operations needs a paradigm shift. The challenges we face day-to-day will not be solved simply with better technology or more people. Rather, they will be solved by starting with effective business management.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: Attendees should think about the current state of their Security Operations program and come prepared to discuss specific challenges (or successes) they are facing. We will keep the discussion focused on management strategies and techniques to address these issues (as opposed to security technologies or enhancements that might help).
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: I will consider this session a success if each attendee exits this session with at least one of the following:
- A new/untried management technique to implement on-the-job to help with one challenge discussed in the session
- A fresh perspective on Security Operations Management
- A larger network of peers that will last long after RSA2017 ends
3. Optimizing Vendor Security Audit Value (P2P4-R11)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: Anyone tied to vendor selection, vendor due diligence or third-party risk.
Q: Why is the topic of your session important for the information security industry?
A: Poor vendor selection processes are commonplace and lead to the introduction of major vulnerabilities in otherwise secure enterprises.
Fixing this key issue is now possible through industry collaboration at low cost.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: How many existing vendors do they have, how do they classify them, how many have access to sensitive information, and how frequently are they adequately audited?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: Know about the free and low cost industry initiatives to improve vendor due diligence, and that it can add great business and security advantages while significantly reducing current costs.
4. Implementing SecDevOps in Regulated Industries (P2P3-W04)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: Attendees that will benefit the most will be those responsible for integrating security concerns into DevOps practices in their organizations. Titles for those individuals will likely include Application Security Architect or Application Security Analyst. Security Managers could also benefit by learning about the tradeoffs between security and development that are reasonable to expect as organizations move to embrace DevOps techniques.
Q: Why is the topic of your session important for the information security industry?
A: Organizations are moving to utilize DevOps in order to be able to innovate quickly and be more responsible to customers – and this move will take place whether or not security teams “sign off” on the transition. Security teams – especially those for organizations in regulated industries – will need to find ways to facilitate this transition while still implementing required security measures and not running afoul of regulators.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: How can the features of DevOps such as extreme uses of automation best be used to address regulatory requirements in their industry?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: The experiences of other practitioners from various industries who have experienced success balancing the requirements of DevOps with the often-competing requirements of regulators.
5. Finding Order in Chaos: Using the Cyber Defense Matrix to Map Vendors and Your Security Portfolio (P2P4-R04)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: Anyone who has to select or evaluate security technologies would benefit from this P2P session. Roles that align would include those in engineering and architecture functions.
Q: Why is the topic of your session important for the information security industry?
A: The market is inundated with security products that purport to solve all our problems. However, dissecting through all the marketing language is difficult and cumbersome. We need a better way to organize and differentiate the technologies that are available to us. This session provides insight and methods that can help cut through the confusion and determine exactly what we need to fill gaps in our portfolio.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: How do you organize the vendor products that you see in the marketplace? How do you know if something is missing from your portfolio?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: Attendees will leave with a solid framework for how to understand where technologies fit and what gaps one might have in their portfolio. Using this framework, attendees will gain a better knowledge of
6. Developing Super Women in Security (P2P4-T09)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: I think any person who is in the capacity to help develop women in security would benefit and be in a position to contribute. There is not a specific role or title we are targeting, just an open discussion about how to attract, retain and promote female talent in security & in addition develop talent from University into security professionals.
Q: Why is the topic of your session important for the information security industry?
A: With the quickly growing shortage of security professionals, we need to focus on how we attract more talent into the industry. Females in security account for less than 20% of the current security workforce, with females in a leadership position making up less than 5%.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: I think we need to look at the paradox from a fresh perspective. Should we be expanding our search for young talent outside the traditional IT space? In addition, how can we make our workplaces friendlier to the work / life balance that drives many women out of the workplace? Can security roles be more flexible with hours / job sharing and working from home?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: Ideas on how to better attract women into security. Tips and tools for mentorship and development plans. Real-world examples of companies who are successfully attracting women in security, and ideas on how to retain them long term and develop them into leadership roles.
7. How to Overcome the Roadblocks of Enterprise Client-Side Encryption? (P2P4-W12)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: I believe several categories of attendees will benefit from this session:
- Software architects, product managers and developers who design/build encryption products (e.g. cloud encryption gateways, CASBs, zero knowledge storages, user encryption proxies for storage services, etc.) for the cloud
- IT professionals responsible for managing/deploying cloud encryption
- CISOs and security managers who have used or are looking to improve their organization's security posture by preserving the confidentiality of the data stored in the cloud
- Any individual, in general, who is interested in protecting their privacy by using encryption
Q: Why is the topic of your session important for the information security industry?
A: Unless the data is encrypted before it leaves your organization, you cannot be 100 percent sure that your data is secure in the cloud. While different encryption methods such as data-at-rest and data-in-motion encryption may meet regulatory compliance and protect against certain attacks, they may not adequately address your security concerns. For example, how do you make sure that the Cloud Service Provider (e.g. Dropbox, Box, etc.) does not access your data on its own or on behalf of a government agency? Client Side (at-source) Encryption (CSE) is the solution. However, CSE has its own problems to resolve before it can be used widely. For example, how do we retain functionality like de-duplication and searching with such encryption? I believe it will take a collective effort to ubiquitously deploy CSE while overcoming the roadblocks.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: What experience have you had using CSE or any other encryption solution in the cloud in order to protect the confidentiality of the data? What lessons have you learned? How might others apply them to their organizations? What were the pain points in using such encryption? How did you overcome them? Are the encryption methods you are using in your organization in line with the threat model? While there is some traction on CSE (Bitcasa, Tresorit, Vaultize, etc.), why do large players like Dropbox, Box (note Box EKM is not CSE - it’s an improved version of data-at-rest encryption), Google Drive etc. not support CSE (yet)? What can we do to make CSE ubiquitous? Another big issue with existing CSE solutions is that it is not clear what security guarantees they provide. How can we, as an information security community, make an informed security assessment of CSE?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: Attendees will walk away with the knowledge of how to overcome some of the roadblocks specific to building CSE into products, using/deploying/managing products providing CSE, and the need to have formal and rigorous security guarantees around CSE techniques.
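The de-duplication roadblock raised in this session's answers, as an added example that is not part of the original post or of any product it names: a provider that de-duplicates by ciphertext hash loses that ability when each client encrypts with an independent random key, and regains it when the key is derived from the file content itself (convergent encryption), at the cost of letting anyone who can guess a file's content confirm whether it is stored. The stream cipher is a constructed SHA-256 counter-mode stand-in so the script runs with the standard library only; it illustrates the property and is not a production cipher.

```python
"""Constructed illustration of client-side encryption vs. server-side dedup."""
import hashlib
import secrets
from typing import Dict, List

BLOCK = 32  # bytes of keystream per counter value (SHA-256 digest size)


def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR plaintext with SHA-256(key || counter) blocks. Deterministic for a
    fixed (key, plaintext); applying it twice with the same key decrypts.
    Toy stand-in for a real cipher, used only to show the dedup behaviour."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(plaintext[i:i + BLOCK], block))
    return bytes(out)


def random_key() -> bytes:
    """Fresh per-file key: identical files yield unrelated ciphertexts."""
    return secrets.token_bytes(32)


def convergent_key(plaintext: bytes) -> bytes:
    """Content-derived key: identical files yield identical ciphertexts."""
    return hashlib.sha256(b"cse-convergent|" + plaintext).digest()


def upload_all(files: List[bytes], mode: str) -> Dict[str, int]:
    """Simulate a provider that de-duplicates on the hash of what it receives.
    Returns {blob_id: upload_count}; its length is the number of blobs stored."""
    stored: Dict[str, int] = {}
    for data in files:
        key = convergent_key(data) if mode == "convergent" else random_key()
        blob_id = hashlib.sha256(keystream_encrypt(key, data)).hexdigest()
        stored[blob_id] = stored.get(blob_id, 0) + 1
    return stored


def storage_ratio(files: List[bytes], mode: str) -> float:
    """Blobs stored divided by files uploaded (1.0 means no dedup at all)."""
    return len(upload_all(files, mode)) / len(files)


def provider_can_confirm_file(guess: bytes, stored: Dict[str, int]) -> bool:
    """Caveat of convergent keys: whoever can guess a file's exact content can
    recompute its blob id and learn whether the provider already holds it.
    Defenders should weigh this leak against the storage savings."""
    blob_id = hashlib.sha256(keystream_encrypt(convergent_key(guess), guess)).hexdigest()
    return blob_id in stored


# Constructed sample corpus: three copies of one file, two of another, one unique.
SAMPLE_FILES = [b"quarterly report v1"] * 3 + [b"quarterly report v2"] * 2 + [b"unique memo"]

if __name__ == "__main__":
    print("random keys    :", storage_ratio(SAMPLE_FILES, "random"))      # 1.0
    print("convergent keys:", storage_ratio(SAMPLE_FILES, "convergent"))  # 0.5
```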
8. Active Security: Building Hunt Operations (P2P1-T10)
Q: What type of attendee will most benefit from, and be best positioned to contribute to, this Peer2Peer session? Do you have a specific role or job title in mind?
A: Intended audience includes network defenders and incident responders, as well as appropriate persons responsible for crafting policies regarding incident response and security operations center management.
Q: Why is the topic of your session important for the information security industry?
A: While significant attention is paid to improving tools and technology, processes and implementation often lag behind. This peer discussion aims to ‘weaponize’ tools by identifying either already in place or proposed means to posture security teams toward active defense operations. In this way, security teams can maximize the value of equipment investment and better position organizations relative to potential attackers.
Q: What is the one thing you would like the attendees to really think about prior to the session as a way to prepare themselves for the discussion?
A: What should your security team be doing when not responding to an active incident?
Q: What information/skills/tools will attendees be armed with when they leave your session?
A: Attendees will walk away prepared to better posture security teams to seek out events rather than waiting for an incident to occur, as well as being critical of their teams’ performance, procedures, and operations. Overall, the discussion will prepare attendees to reshape their security operations to anticipate attackers rather than following up on adversaries post-incident.
You can check out all of the Peer2Peer sessions on our agenda here: https://www.rsaconference.com/events/us17/agenda.