Actionable Information Sharing: Enabling Defenses
Abstract:
Sharing IOCs is necessary but not sufficient. We need to make processing/usage of IOCs as automated as possible, and we need to evolve what is being shared to be something that organizations can use to more appropriately protect and defend the network. This panel will discuss what makes threat information actionable for network defenders and what type of information (e.g., adversary TTPs) would be valuable to share.
Moderator:
Sherri Ramsay, Consultant; Former Director, NSA/CSS Threat Operations Center (NTOC)
Panelists:
Jeff Aboud, Director, Product Marketing, Kenna Security
John Jolly, President and CEO, Syncurity
Shawn Riley, CDO and CISO, DarkLight Cyber
Donnie Wendt, Security Engineer, Mastercard
Integrator COI: Tales from the Trenches: Use of a Cyber Range to Overcome Obstacles to SOAR/IACD Adoption
Abstract:
Cyber Ranges offer features that can be used to reduce risk and measure performance of the adoption of SOAR/IACD capabilities. A Cyber Range has the ability to recreate “worst day” scenarios that “stress test” SOAR/IACD platforms beyond the ability of limited production pilots or laboratory testing, minimizing risk during production implementation and operation. Cyber ranges have tools to instrument and measure system and human activities to model improvements in SOAR/IACD capabilities. A well-engineered Cyber Range allows for high-quality data collection, which increases confidence in automated decision processes and leads to improved response.
Host:
Cory Hoyssoon, Systems Engineer, JHU/APL
Presenter:
Tim Schaad, Executive Director, Advanced Cyber Range Environment and Cyber Range Services, ManTech
Low-Regret Response Actions
Abstract:
Instead of asking IF we should automate cyber defenses, how about if we asked WHEN we should automate? This talk presents a benefit versus regret matrix and discusses the concept of low-regret response actions.
Presenters:
Kim Watson, IACD Technical Director, JHU/APL
Geoff Hancock, Chief Cybersecurity Executive, Advanced Cybersecurity Group
Aetna Entitlement, Identity, and Risk System (AEIRS)
Abstract:
Many organizations have adopted machine learning and data analytics to help them identify security anomalies. However, mere identification isn’t good enough in a world where Petya and other modern attacks can take down 15,000 servers in a single organization in under two minutes. To combat these new types of malware, organizations need to be looking at Model Driven Security Orchestration where the security responses to emerging threats and attacks are automated and driven at machine speed. In this presentation, Aetna will provide an overview of our security orchestration program, including what worked, what didn’t, and lessons learned.
Presenter:
Jon Backus, Product Manager for AEIRS, Aetna
Panel: Power of Community
Abstract:
Cybersecurity has very few absolutes, almost everything is a best practice, and the sharing of tools and techniques is critical to making best practices a reality. There is a lot of interest in building and participating in practitioner communities where you can find individuals like yourself that you relate to and trust. Such communities allow practitioners to learn from each other, share with one another, and generally advance their expertise. This panel discusses the power of community in improving cybersecurity and defining/advancing best practices.
Moderator:
Geoff Hancock, Chief Cybersecurity Executive, Advanced Cybersecurity Group
Panelists:
Larry Johnson, CEO, CyberSponse
Curt Dukes, Executive Vice President and General Manager, Center for Internet Security
Cody Cornell, Cofounder and CEO, Swimlane
John Pescatore, Director of Emerging Security Trends, SANS Institute
Note: There is no presentation or video recording available for this panel
Reducing Healthcare Cyber Risk Using a Cooperative SOAR-Enabled Healthcare Community H-SOC
Abstract:
Healthcare remains the most exposed CI component and the most under-resourced. Many firms are recognizing the difficulties in keeping pace with the threats to their increasing attack surface (e.g., IoT medical devices, mobile and remote care delivery), meeting regulatory requirements, and finding/retaining qualified security personnel. However, traditional third-party security monitoring models fall short and aren’t optimized to address the volume of alerts that require investigation. In addition, current approaches don’t collectively share the granularity of data necessary to dramatically improve outcomes. As a result, a new, cooperative model is emerging in healthcare, which has been chartered by the State of Michigan and supported by Sequris Group. This session will provide an overview of this new model, highlight the differences from traditional MSS operations, and explain the critical role SOAR technology plays in delivering these services effectively and efficiently.
Presenters:
Eric Eder, Founder and President, Sequris Group
Ryan Winn, CISO and Director of IT, Munson Healthcare
John Jolly, President and CEO, Syncurity
Shareable Workflows: Spreading and Adoption of Cyber Workflows through Reuse and Sharing throughout the Community
Abstract:
Based on the Sharable Workflow presentation and demonstration with CyberSponse. A complete life cycle of downloading a workflow, modifying it, exporting it, and importing it into an Orchestration Tool will be discussed.
Presenters:
Paul Laskowski, Senior Systems Engineer, JHU/APL
Bharathram Krishnan, Solutions Architect, CyberSponse
Addressing Both Sides of the Equation: Security Automation and Deception
Abstract:
Security automation and intelligence sharing seek to speed the detection of and response to cyberattacks. Meanwhile, deception and moving-target defenses can slow the attacker by disrupting the attacker’s situational awareness. By addressing both sides of the equation—speeding the response and slowing the attack—we can narrow the gap between attackers’ time to compromise and our time to detect and respond. Security automation allows defenders to accelerate their observe–orient–decide–act (OODA) loop through continuous situational awareness and rapid response. Additionally, defenders can operate within the attacker’s OODA loop by using deception to disrupt the attacker’s situational awareness. This discussion will present the conceptual framework underlying research into the use of security automation and adaptive cyber defense in the financial services industry.
Presenter:
Donnie Wendt, Security Engineer, Mastercard
Less Talk and More Action: How the Global Cyber Alliance Is Making a Difference and You Can Too
Abstract:
Global Cyber Alliance (GCA) is an international nonprofit focused on developing and deploying practical solutions, which we make freely available, that measurably improve our collective cybersecurity.
During this lecture, you’ll learn about GCA’s efforts to bring communities together to provide scalable solutions and how those resources can help you address systemic risk. We’ll discuss GCA’s efforts to tackle security challenges associated with IoT devices and technologies as well as a new initiative to help small and medium businesses confront cyber risk. Attendees will learn how they can access GCA’s trusted and globally available resources and become part of a growing movement to eradicate cyber risk.
Speaker: Mary Rahmani, Global Partnership Officer, Global Cyber Alliance
Implementer Insights
Abstract:
An increasing number of organizations are exploring and integrating Security Automation & Orchestration (SA&O)/Security Orchestration, Automation & Response (SOAR) strategies and platforms in cyber defense. During this panel, experienced organizations share their SA&O and information-sharing lessons learned, best practices, and recommendations.
Moderator:
Brett Waldman, IACD Adoption, JHU/APL
Panelists:
John Pescatore, Director of Emerging Security Trends, SANS Institute
Matt McFadden, Cyber Director, General Dynamics Information Technology
Matt Rodriguez, Cybersecurity Solutions Architect, Phoenix Cybersecurity
Lior Kolnik, Head of Security Research, Demisto
Piero DePaoli, Senior Director, Security & Risk, ServiceNow
Note: There is no presentation or video recording available for this panel
Adversary Playbooks
Abstract:
When your boss forwards you the latest intelligence report with an urgent flag set and the message reads: “What are we doing about this?” what do you say? To be confident in your answer, you need to understand how that adversary operates, or what’s in their Playbook. In this session, we’ll give you an in-depth report on OilRig, an adversary based in the Middle East that has launched a series of targeted attacks over the past 3 years. We’ll show you how to analyze the threat to build a structured copy of their offensive plays, so you can better prepare your defensive line.
Presenter:
Mike Harbison, Unit 42 Threat Researcher, Palo Alto Networks
OpenC2 Update
Abstract:
A community update on OpenC2, to include highlights of this week’s face-to-face meeting and information on how you can get involved.
Speaker: David Lemire, Secretary, OASIS OpenC2 Technical Committee
Understanding Resiliency Effects on Adversary Behaviors
Abstract:
This talk will explore the intersection of adversary tactics and techniques and defender resiliency effects to help defenders understand their resilience to attack within the context of the IACD observe–orient–decide–act (OODA) loop. This talk will leverage community knowledge from the NIST SP 800-160 Vol. 2 Cyber Resiliency Engineering Framework, the ODNI Cyber Threat Framework, and MITRE’s ATT&CK to give concrete examples of resiliency techniques and approaches mapped to specific adversary objectives. We’ll explore how defender resiliency effects on adversary behavior impact the defender’s risk. We’ll use the Cyber Effects Matrix to show defenders how to measure gaps, map response actions, and determine whether the desired effect on adversary behavior across the cyberattack life cycle has been achieved.
Presenter:
Shawn Riley, CDO and CISO, DarkLight Cyber
More Situational Awareness for ICS (MOSAICS), Functional Requirements Update
Abstract:
This session will provide an overview of the DoD’s MOSAICS concept demonstration with a focus on the functional requirements definition for the system. MOSAICS will leverage existing commercial technologies and, where applicable, developmental technologies from government laboratories and academia to address gaps in commercial offerings. Integration of these capabilities to automate key aspects of the Advanced Cyber ICS Tactics, Techniques, and Procedures (ACI TTP) will be the primary focus of this concept demonstration. This presentation will provide insights into the technical requirements for the MOSAICS system as decomposed from the ACI TTP and other sources.
Presenters:
Rich Scalco, Engineer, SPAWAR SYSCEN-ATLANTIC
Larry Cox, Engineer, USPACOM (AECOM)
Second Order Benefits of Open Integration
Abstract:
The evolution of the SOAR market has the potential to fundamentally change classic business models because of the open integration of products and services. If companies are opening up their APIs, what other support services and opportunities does this open to small/mid-sized business development approaches and integration approaches? Tools that used to be custom-developed for integration are now commercially available and supported. What is your organization’s perspective on how a market of open integration changes for different business partners and operational activities?
Moderator:
Andy Speirs, Senior Information Security Executive, Booz Allen Hamilton
Panelists:
Christopher Carsey, Senior Solutions Engineer, CyberSponse
Cody Cornell, CEO and Cofounder, Swimlane
Vince Crisler, CEO and Cofounder, Dark3
Matt McFadden, Cyber Director, General Dynamics Information Technology
Note: There is no presentation or video recording available for this panel
Taking a Modern Approach to Security: What You’ve Always Done Isn’t Sufficient Anymore
Abstract:
Security teams are overwhelmed and are increasingly becoming less effective. They’re outnumbered and outgunned, and the problem isn’t getting any better. But it doesn’t have to be that way! Solving the problem and getting the upper hand against the bad guys isn’t a question of how many more resources we need to add—it’s a question of focusing what we already have on what really matters. Taking a modern approach to security means that we need to work smarter, not harder. This session will discuss a modern approach to security to help teams maximize the efficiency of their efforts to maximize their impact on the organization’s risk.
Presenter:
Jeff Aboud, Director, Product Marketing, Kenna Security
Experimenting with C2 Implementations
Abstract:
FIT recently conducted a series of experiments comparing two different implementations of IACD C2 systems: The Systems Behavior Command and Control (SBC2) distributed C2 system based on the MIRA agent framework and a “conventional” C2 system using the Phantom orchestrator and apps connecting to sensors and actuators. The experiments were conducted on an emulated electrical smart grid testbed and focused on the identification and mitigation of attacks targeting the path from the smart meter to the utility data center. The experiments measured:
Effectiveness – whether the C2 framework produces the desired result, and to what level of accuracy
Efficiency – the computational resources (space, time, messages) required to compute the result
Security – the level of security of the orchestration process throughout the communication events
Usability – the degree of difficulty in the installation, deployment, and operation of the C2 system
Each of these measurements included several different experimental conditions that are reported, along with examples of the tests conducted.
Presenters:
Thomas Eskridge, Associate Professor, Florida Institute of Technology
Marco Carvalho, Dean, College of Engineering and Computing, Florida Institute of Technology
Note: Slides will be posted soon.
Power of Communities for the Evolution of Security Capabilities
Abstract:
In today’s threat landscape, the only way to disrupt attackers and protect an organization is to unite systems and people, forming a collective defense. There are many opportunities for collaboration on shared goals, allowing security teams to stretch their resources further. This session will discuss the value in leveraging the power of community for the evolution of security capabilities.
Presenter:
Lior Kolnik, Head of Security Research, Demisto
Financial Sector Pilot Lessons Learned
Abstract:
IACD and the FS ISAC have been partnering with Mastercard, Huntington National Bank, and Regions Bank for the last year on an integrated pilot for enhanced information sharing and decision support. This talk will present the initial results of that pilot.
Presenters:
Charlie Frick, IACD Financial Sector Liaison, JHU/APL
Nam Le, IACD Integration Team Lead, Senior Systems Engineer, JHU/APL
Stop Chasing Indicators
Abstract:
Threat intelligence has grown out of a desire to better defend against known threats. Unfortunately, most threat intelligence today consists of a curated list of known malicious indicators. Using principles extracted from proactive threat-hunting methodologies, we propose a better way forward for threat intelligence.
Presenters:
Josh Day, Senior Threat Hunter, Accenture
Brad Rhodes, Senior Threat Hunter, Accenture
Engineering Principles for Developing Advanced Cybersecurity Automations
Abstract:
Learn how adopting modular and decentralized design principles for automation scripts can help you keep up with the rapidly changing cyber landscape.
Creating cybersecurity automations that keep up with the rapidly changing cyber landscape is hard. You need to balance the desire to follow a proper development life cycle with the need for rapid turnaround. The solution is adopting modular and decentralized design principles for automation scripts.
Presenters:
Matt Rodriguez, Cybersecurity Solutions Architect, Phoenix Cybersecurity
Tom Goetz, Senior Cybersecurity Engineer, Phoenix Cybersecurity
The Future of Collaborative Security
Abstract:
Industry-wide, security teams are duplicating (and wasting) valuable time and resources to complete similar investigations, workflows, and threat responses. This is costly and unnecessary, especially when considering the ever-expanding threat landscape and global skilled staffing shortage. Imagine the alternative: Multiple organizations have investigation teams who agree to collaborate. One does an in-depth investigation, hunt, or mitigation and is able to share that process in real time with another organization. There are now multiple organizations and teams who are leveraging their skills and expertise to increase the efficacy of their collective SOCs. They are armed with the resources to prevent breaches and hunt for other threats while bolstering the security industry as a whole. Welcome to the future of collaborative security.
Presenters:
Cody Cornell, Cofounder and CEO, Swimlane
Pedro Haworth, Head of Technology, Security Innovation Alliance, McAfee
Note: There is no presentation available for this panel