Conference: IT Security Track
Track Chair:John P. Pironti
CGEIT, CISA, CISM, CISSP, ISSAP, ISSMP
Chief Information Risk Strategist
Archer Technologies
Information security continues to evolve beyond traditional technologically focused controls into meaningful risk oriented and business aligned capabilities with compliance considerations never far behind. At the same time, the adversary community continues to refine and mature their capabilities and the global compliance and regulatory landscape is growing at a rapid pace. These changes and challenges all lead to more intelligent threat and risk driven investments, which are based on business requirements and credible intelligence. The IT Security track will focus on these challenges and the emerging concepts and leading industry practices, which are being utilized to meet them.
| Wednesday, November 18 | |||||
|---|---|---|---|---|---|
 Cover Your Assets: Real Time Application Security Assessment and Protection (Location: 1E08)A new threat vector has emerged that easily bypasses network security constructs and can destroy a brand. Armed with a Web browser, the new class of attackers can circumvent authentication mechanisms, steal identities and otherwise take advantage of vulnerable Web applications. And yet, companies depend on these websites for revenue, branding and business-to-business commerce. Addressing risk requires a two-pronged approach that enables business as usual while protecting against the new class of threats. This session includes: * Live demonstration of Web application hacking * Making a business case for application security * The key steps/technologies for risk management * Real-world examples Speaker - Brian Contos, Chief Security Strategist, Imperva
Brian Contos, Chief Security Strategist, Imperva Mr. Contos has over fourteen-years of real-world security engineering and management expertise developed in some of the most sensitive and mission-critical environments in the world. As the chief security strategist for Imperva he advises government organizations, F1000s and G2000s on security strategy related to application and data security while being an evangelist for the security space. He has written two security books including Enemy at the Water Cooler - Real Life Stories of Insider Threats and Physical and Logical Security Convergence which was co-authored with the former Deputy Director of the NSA - Bill Crowell. He is an active security blogger, host of the Imperva Security Podcast, and has delivered countless speeches around the globe at shows like RSA, Interop, OWASP, CSI, and others. He is regarded as a security expert, often quoted by the media, and has written articles for Forbes, the London Times, Computerworld, Sarbanes-Oxley Compliance Journal and many others. Mr. Contos was formerly at ArcSight where he served as their Chief Security Officer for almost seven years, and has held management and engineering positions at Riptech (now Symantec), Bell Labs, Tandem Computers (now HP), and the Defense Information Systems Agency (DISA). Speaker - Jeremiah Grossman, Founder and CTO, White Hat Security
Jeremiah Grossman founded WhiteHat Security in August 2001. A world-renowned expert in Web security, Mr. Grossman is a founder of the Web Application Security Consortium (WASC), and was named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense. Mr. Grossman is frequently quoted in major media outlets such as USA Today, the Washington Post, The Financial Times, InformationWeek, InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, CNET, CSO and NBC news. He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what's to come. Mr. Grossman was named a "friend of Google" and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc. | |||||
|
Five Common Mistakes in Securing Web Applications (Location: 1E08) Many organizations lack an overall sense of the best practices for deploying and securing web applications. Despite security practices addressing vulnerability types present within the OWASP and WASC threat classifications, a number of common mistakes are still being made. We will look at five common mistakes that are made when securing web applications and the impact of design flaws on the overall security of an application. Issues such as client-side trust relationships, failure to properly secure application redirection mechanisms, and other elements that can quickly undermine the security of an application, even when diligent security practices are in place will be addressed. Speaker - Lars Ewe, CTO, Cenzic
Lars Ewe is a technology executive with broad background in (web) application development and security, middleware infrastructure, software development and application/system manageability technologies. Throughout his career Lars has held key positions in engineering, product management/marketing, and sales in a variety of different markets. Background Prior to Cenzic, Lars was software development director at Advanced Micro Devices, Inc., responsible for AMD's overall systems manageability and related security strategy and all related engineering efforts. Lars was also AMD's representative to the board of directors of the Distributed Management Task Force (www.dmtf.org). Before AMD, Lars was senior director at Borland Software Corp., where he managed worldwide server software pre-sales, technical services, and key partner relationships. Prior to Borland he held key positions at Oracle Corporation's Server Technologies Division and Webgain. Education Lars has Bachelor of Science and Master of Science degrees in Mechanical Engineering from the Technical University of Munich, Germany. Thursday, November 19 | | ||||
|
Your Employees Are Roaming - Is Your Confidential Information? (Location: 1E08) Corporate networks extend beyond office walls. Users access the Web from laptops or mobile devices in airports, hotels and more, and continue to leverage their personal devices for business. This sparks heightened security concerns in the enterprise. This panel explores the expanding corporate perimeter and how to ensure that even while employees roam, sensitive corporate data is not compromised. Speaker - Paul Judge, CTO, Purewire
Speaker - Paul Roberts, Senior Security Analyst, The 451 Group
| |||||
|
Mining for Value in the Data Log Fire Hose: Top Five Governance, Risk and Compliance Metrics in Logs (Location: 1E08) Logging has quickly become an important requirement for governance risk and compliance and information security management. Unfortunately most organizations are overwhelmed by both the volume of logs they are examining and data included in them. In order to be an effective tool, an organization has to try to make sense of and derive business and technical value from their logs. If you could only choose five log-based metrics to assess the health of your information security, risk, and compliance posture, what would they be? This session will describe which logs and what log metrics will tell you the most and how to derive knowledge and value from them - even if you look for nothing else. Speaker - Paul Stamp, Senior Product Manager, RSA
Paul Stamp is the Senior Manager of Product Marketing for the Information and Event Management Group at RSA. In this role, Paul is responsible for reinforcing RSA's position as a market leader in the Security Information and Event Management space. Paul has been active in the information security industry for the past 11 years, and is regularly featured in the media, including NPR Marketplace, Wall Street Journal, New York Times, Washington Post and a host of industry publications. Prior to joining RSA, Paul was Principal Analyst for Forrester Research, covering security information and event management and data security, and a security architect with Unisys Corporation. Paul holds an MA (Oxon) in Mathematics from Oxford University. | |||||
|
Using an Emerging Industry Standard (SCAP) to Automate and Accelerate Vulnerability Management (Location: 1E08) Managing, prioritizing, and remediating all the vulnerabilities in an information technology environment traditionally has been a time consuming, manual, laborious and costly ongoing activity. With the emergence of a suite of standards known as SCAP, it is now possible to identify, evaluate, assess, and report on vulnerabilities automatically. Hear a case study from one company that has saved multiple man-years of effort, annually, automating this process using simple tools using with these new standards. Speaker - Elliot Glazer, Director, KPMG
Mr. Glazer has over 25 years of Information Technology experience, including over 20 years of software development and 10 years in information security. He is currently Director of Security Architecture at KPMG. He is responsible for creating and leading new solutions for Vulnerability Management, Threat and Vulnerability Assessment, Software Security, and other solutions. Previously, Elliott was Director of Security Architecture at the Depository Trust and Clearing Corporation, a company which clears and settles over $1.8 quadrillion of value in brokerage, bond and other securities. Elliott was responsible for Threat and Vulnerability Assessment, Security Monitoring, and Software Security programs among other initiatives. Prior, Elliott was responsible for Security Solutions at American Express Corporation including single sign on and SOX compliance, Private Payments, and online customer servicing. He held many roles while their including leading enterprise technical architecture, and distributed operations. Prior to this, Elliott was responsible for the future technology labs at Citigroup. Mr. Glazer is named on or has pending over 15 patents in the areas of internet technology, security and privacy as well. | |||||
|
The Risks and Opportunities of Open Source Security Tools (Location: 1E08) The landscape for open source security tools is constantly changing and covers a myriad of aspects of the security world. We will discuss the current "state of the union" in the world of open source security tools, including the latest-and-greatest advancements, what is coming on the horizon, where there is room for improvement, and proposing some new ideas and concepts to address the greatest weaknesses in the realm of open source security tools. Speaker - Jay Jacobson, CEO, Edgeos
Jay is an innovator, serial-entrepreneur, and seasoned technology business executive with extensive experience in the information security, Internet, software, networking, and telecommunications industries. During Jay's career, he has founded and led more than six technology companies and has held key positions at several Fortune 500 enterprises, including American Express, AT&T, Cox Communications, and Sprint. Presently, Jay is the CEO of Edgeos, Inc., the company that created and leads the private-labeled network security and vulnerability assessment industry. Additionally, Jay is a board member or strategic advisor to several corporations, industry groups, and universities. Some career highlights include: ? Founded and led an information and network security company which has helped customers identify vulnerabilities on thousands of networks spanning across six continents around the world. ? Invented network security industry's first technologies for zero-overhead internal vulnerability assessments. ? Invented technologies to create a new market and industry for private-labeled network security assessments. ? Invented Internet routing intelligence technologies to optimize global telecom backbone networks. Results are 30% decreased costs and 400% performance improvement. ? Invented technologies and business systems to transparently integrate thousands of autonomous ISP backend networks across the country into a unified operations structure. ? Invented MirrorDot, a proof-of-concept system for massive global content distribution. MirrorDot successfully served over 10 million visitors from around the world, in a single day, using only two old 700 MHz servers. ? Instrumental to telecom carrier's growth from startup to the sixth largest national Internet backbone carrier. Annual revenues grew from $0 to over $120 million. Friday, November 20 | | ||||
|
What's Wrong with the WAN Firewall? (Location: 1E07) The traditional WAN firewall makes two flawed assumptions. One assumption is that the information contained in the first packet in a connection is sufficient to identify the application. The second assumption is that the TCP and UDP well-known port numbers are always used as intended. These are just two of the issues that suggest that the traditional WAN firewall cannot effectively support the current environment. In this session the panelists will describe the limitations of the traditional WAN firewall and identify what functionality firewalls need to implement to overcome these limitations. Speaker - Nir Zuk, CTO, Palo Alto Networks
Nir Zuk brings a wealth of network security expertise and industry experience to Palo Alto Networks. Prior to co-founding Palo Alto Networks, Nir was CTO at NetScreen Technologies, which was acquired by Juniper Networks in 2004. Prior to NetScreen, Nir was co-founder and CTO at OneSecure, a pioneer in intrusion prevention and detection appliances. Nir was also a principal engineer at Check Point Software Technologies and was one of the developers of stateful inspection technology. | |||||
