(ISC)² Security Congress 2019

2019 Solutions Theater Sessions

The (ISC)² Solutions Theater is an opportunity to stay right on the show floor and conveniently participate in presentations featuring thought leadership in innovative infosecurity solutions and approaches to issues all practitioners face. All attendees are welcome to learn about the latest security products and services featured in these 30-minute presentations. The Solutions Theater is located at booth 400 and seats about 100 people; the schedule of presentations can be found in the mobile app and the pocket guide.



First Level - Convention Hall



Monday, October 28th

 

SecurityMetrics
Time: 10:00am-10:30am


Speaker: Jen Stone, Senior Security Analyst, SecurityMetrics

Session Title: JavaScript Skimming: How it Works and Why Current Solutions are Ineffective


Abstract:
JavaScript skimming is a recent cyberattack in which cybercriminals insert malicious JavaScript code into payment form/shopping cart web pages to steal credit card numbers and other personal information from form fields. This cybercrime impacts thousands of web pages and results in the loss of millions of dollars across the payments industry. SecurityMetrics Principal Security Analyst Jen Stone will give background on this attack, demonstrate a live example of JavaScript skimming, and explain why traditional security methods like FIM and antivirus cannot protect against JavaScript skimming.


ExtraHop
Time: 11:00am-11:30am

Speaker: Jeff Costlow, Deputy Chief Information Security Officer (CISO), ExtraHop

Session Title: Defense in Diversification: Improving Cybersecurity Through Smart Consolidation

Abstract:
Cybersecurity tool sprawl has reached unsustainable levels, and research shows 66% of businesses are striving to consolidate their security portfolio. But over-consolidating to a few platform solutions risks creating a vulnerable, innovation-stifling monoculture. If every organization uses a nearly identical set of security tools, compromising one means compromising them all. Heterogeneity of cybersecurity systems is itself a defense, so security teams need to approach consolidation differently. In this session, attendees will learn:
• How a data-first approach to security architectures can illuminate natural consolidation points.
• How collaboration between security and other parts of the IT organization can improve security posture and reduce tool sprawl.
• How this collaborative approach also creates an opportunity to leverage other parts of the organization to improve security posture through smarter processes and practices.

 



Galvanize 

Time: 1:30pm-2:00pm 


Speaker: Chris Murphey, Director - Customer Success, Galvanize

Session Title: CISOs in the Boardroom: Confidently Presenting Cyber Risk Storyboards


Abstract:
Cyber risk is now top of mind with the Board. And now that CISOs finally have a seat at the table, they need to present the cyber risk state of the organization with confidence. This session shows how to overcome the challenges in transforming your tactical story to a higher-level story using online storyboards that confidently articulate risk with a focus on what matters most to the Board—business value.

 



Acceptto Corporation

Time: 2:30pm-3:00pm


Speaker: Shahrokh Shahidzadeh, CEO, Acceptto Corporation


Session Title: Protecting Your Most Important Resources from Breach with Continuous Behavioral Authentication


Abstract:
The obsolescence of passwords is upon us, and we all need to acknowledge that reliance on binary authentication methods like passwords, 2FA, MFA, and biometrics solutions will lead to data breach. Organizations need a paradigm shift to recognize that post authorization is where all the evil takes place. The prevailing mindset that authentication has a start and end is flawed. Continuous authentication is the major transformation that is needed now. The team of practitioners will showcase new ways to detect and mediate faster by treating authentication as a continuous process, leveraging user behavior attributes from device to data usage and application behavior to establish a fingerprint of legitimate users’ digital DNA. In this approach, employing AI combined with machine learning helps in predicting and preventing attacks.


Training Camp
Time: 3:30pm-4:00pm

Speaker: Buzz Murphy


Session Title: Inside the Dark Web:  A Guide for Security and Business Professionals


Abstract:
The Dark Web continues to pose extremely dangerous threats as cybercriminals coordinate attacks and trade intelligence about your organization. Today, the security professional must understand the threats and challenges this part of the Internet entails. The theft of data must be discovered as soon as possible to block further attacks. While too many books and articles delve into the sensationalism of the dark netherworld and endless TOR descriptions, in today’s security-conscious atmosphere, security professionals in every business and government entity must identify, evaluate and ultimately defend against the risks posed by the Dark Web. In this presentation, participants will explore the far-reaching security concerns & opportunities spawned by the Dark Web and identify “next steps” for their organization.

 



Tuesday, October 29th



 

Armis
Time: 10:15am – 10:45am 


Speaker: Nadir Izrael, Co-Founder & CTO, Armis


Session Title: Ain’t Misbehavin’? Real World Stories of Mischievous Connected Devices 


Abstract:
We depend on a complex network of connected devices that blend seamlessly into the world around us. From vending machines that sell us snacks to medical devices that keep us healthy, there are billions of these devices all helping us get through our days faster and with less hassle. But these connected devices, sensors, and machines share a common problem: They’re massively vulnerable to attacks. That’s because they’re difficult or impossible to patch with security fixes, and they can’t host software agents required by traditional security products, leaving security teams blind to their very existence. Join us to hear real-life stories of misconfigured, mischievous, and misbehaving devices we’ve experienced, and to learn how Armis keeps these un-agentable devices safe from attacks.

 

 

Bitglass
Time: 11:15am – 11:45am

Speaker: Tim Davis, VP WW Solutions Engineering, Bitglass


Session Title: Who’s Doing What to Whom? Regaining Visibility in a Cloud First World


Abstract:
Cloud makes data security more challenging. How do you regain the level of access control, data loss protection, visibility and logging that you had when your applications and data lived on premise now that those applications and their data are moving to the cloud? Whether it’s SaaS, hosted IaaS, or some other XaaS acronym that has yet to be invented, come gain a better understanding of the data security problems in moving to cloud and hear stories of how many leaders in the industry are solving those problems.

 

 



IOR Analytics
Time: 1:30pm-2:00pm


Speaker: Matt Linde, President, IOR Analytics


Session Title: Engine Building: A hospitality company builds a governance “engine” to improve data privacy.


Abstract:
A hospitality company has long been working to protect its customers’ private data. This company operates purely in the US but became inundated with requests to certify they were compliant with GDPR/CCPA after the regulations had taken effect. Their General Counsel was understandably unable to provide such guarantees, but in a competitive market they knew they had to stay on top of their game or risk losing the confidence of their business partners and/or large customers that accounted for significant sources of revenue. The company determined there was much more they could do to govern sensitive data but needed a way that was cost effective with realistic goals and outcomes. The presentation will provide an in-depth look at the program powering their sensitive data governance strategy.

 

 



Purdue Global
Time: 2:30pm – 3:00pm


Speaker: Alan Rynarzewski, Undergraduate Faculty, Purdue Global


Session Title: Gamification of cybersecurity and associated certifications


Abstract:
We are developing a scenario-based cybersecurity game to assist learners in passing the SSCP certification. This game is looking at increasing the learner’s knowledge and making the learner ready for real world scenarios, while also learning the information necessary to pass the SSCP certification.
Cybersecurity certifications are nearly a necessity to obtain gainful employment in meaningful cybersecurity positions. The means to study for these certifications vary, usually relying on repetitious reading and question answering. The gamification of certification study is meant to keep the learner engaged for longer, leading to more studying.

 

 



Qualys

Time: 3:30pm-4:00pm 


Speaker: Dave Ferguson, Director of Product Management, Web Application Security, Qualys


Session Title: Leveraging Swagger/OpenAPI to Design and Build Secure APIs


Abstract:
It was the wild west in the early days of RESTful APIs.  Unlike with SOAP and the Web Services Description Language (WSDL), developers had no standard specification to document their API so that consumers would know how to invoke the various operations.  Documenting an API was done manually in ad-hoc ways.  To address this shortcoming, several competing specifications appeared and after several years the most widely adopted has been Swagger - now called OpenAPI.  With this new de facto standard, can the security posture of APIs be improved?  The answer is yes!  This session will present a practical solution where new APIs under development can be made highly resistant to attack by leveraging the Swagger/OpenAPI specification.


