RSAC USA 2015: My Agenda Day 4 Thursday

The RSA Conference USA for 2015 wrapped up last Friday.  I am using this blog to share with you my personal schedule for the five days of the conference, to indicate what interested me and what I experienced. Today I share Thursday’s, complete with session descriptions from the RSAC catalog.

Please write to me if you have any questions about these sessions.

  • MASH-R01 : More Books You Should Have Read by Now: The Cybersecurity Canon Project  – Rick Howard, Chief Security Officer, Palo Alto Networks

Last year, Palo Alto Networks’ CSO presented 20 books that we all should have read by now. Since then, he has formed the Cyber Security Canon Committee to add more books to the list and to select candidate books to officially induct into the Canon. In this session he discussed how the community can help with the project and presented five new books that are on the candidate list.

  • MASH-R02 : Use of Technology in Preserving and Protecting Humanity – panel

Technology used for humanitarian aims faces some of the toughest security challenges, and opportunities seem to be everywhere these days. While security pros say they feel overwhelmed by the rate of change, humanitarians grow impatient at the slow pace. This panel discussed why there’s a divide and looked at where information security controls are working, as well as areas needing greater attention.

    • Davi Ottenheimer, Moderator, Senior Director of Trust, EMC
    • Alex Stamos, Chief Information Security Officer, Yahoo
    • Beau Woods, Founder and CEO, Stratigos
    • Bruce Schneier, Chief Technology Officer, Resilient Systems
    • Morgan Marquis-Boire, Senior Researcher, Citizen Lab, University of Toronto

  • CRWD-R03 : Best Practice or Bust? Test Your Approach to Third-Party Risk – James Christiansen, Vice President, Information Risk Management, Accuvant

More than half of all security breaches originate from a third-party breach. This highly interactive whiteboard session focused on participants sharing lessons learned for extending internal security practices to vendors to reduce third-party risk. After suggestions were documented and debated, audience polls determined each idea’s validity if implemented across various industries.

  • EXP-T09R : Security in an Age of Catastrophic Risk – Bruce Schneier, Chief Technology Officer, Resilient Systems

In cyberspace and out, we’re increasingly confronting extremely-low-probability, extremely-high-damage attacks. Protecting against these sorts of risks requires a new way of thinking about security, one that emphasizes agility and resilience while avoiding worst-case thinking.

  • KEY-R08 : Into the Woods: Protecting Our Youth from the Wolves of Cyberspace  – panel

Today’s headlines are crowded with stories of kids who fall victim to cybercrimes, including online bullying and predatory behavior. We can’t supervise every dark corner of the Internet, so what is the answer? Stricter laws? Aggressive pursuit of offenders? Education of our kids? This keynote panel discussed the challenges and offered solutions designed to ensure the safety of our children.

    • Sandra Toms, Moderator, Vice President and Curator, RSA Conference
    • Alicia Kozakiewicz, President, The Alicia Project
    • Lance Spitzner, Research & Community Director, SANS Securing the Human
    • Michael Osborn, Chief of the Violent Crimes Against Children Unit, FBI
    • Sharon W. Cooper, MD, FAAP


RSAC USA 2015: My Agenda Day 3 Wednesday

The RSA Conference USA for 2015 wrapped up last Friday.  I am using this blog to share with you my personal schedule for the five days of the conference, to indicate what interested me and what I experienced.  Today I share Wednesday’s schedule, complete with session descriptions from the RSAC catalog.

Please write to me if you have any questions about these sessions.

  • LAB-W01 : Insider Threat and the Dark Web: Cyber Response Mini-Wargame – facilitators

Companies and organizations are increasingly using wargames to improve their cyber response posture. In this session, Booz Allen Hamilton’s wargame team led players through a board game in which they took actions in response to a cyber breach to mitigate damage to the company. The session focused on incident managers who will be called on to make decisions in a crisis scenario. The objective of the game was to identify and successfully mitigate different risk categories following a breach.

Booz Allen Hamilton participants:

    • Mike McConnell, Strategic Advisor and former Vice Chairman, Former Director of National Intelligence
    • Nicole Monteforte, Principal
    • Ronald Sanders, Vice President
    • Thad Allen, Executive Vice President

  • ECO-W03 : Cyber Security for Start-ups: An Affordable 10-Step Plan – David Cowan, Partner, Bessemer Venture Partners

In the past, start-ups could postpone thinking about security threats. But today’s hackers and malware infestations no longer discriminate between the Fortune 50 and the TechCrunch 50. In fact, some increasingly common cyber attacks specifically target smaller, more vulnerable businesses. This session covered an affordable 10-step plan that start-ups can follow to survive in today’s cyberspace.

  • HUM-W04 : What a Relief—It Works! How to Build an Insider Threat Program in One Year  – Dawn Cappelli, Director, Insider Risk Management, Rockwell Automation

A little over a year ago Ms. Cappelli left her job (Director, CERT Insider Threat Center) to build an Insider Risk Program for Rockwell Automation. After 13 years of research, she had to do what she had told everyone else to do. Would it work? She thought it would, and she was right! Ms. Cappelli showed what one can do in one year with 60 experts who collaborate monthly. It was shocking to understand what could be leaving an organization.

  • STU-W7 : Stuck in Patterns—How Your Mind Fools You Every Day – Doug Kevilus, Owner, Mentalist Doug Kevilus

Our minds have developed in such a way that they change and distort what we see, experience, and remember every day. Some of those distortions we will never recognize. Other times, those distortions create severe consequences in our work and personal relationships.

  • STU-W8 : The Day My Kids Brought Home Malware – Kellman Meghu, Head of Americas Security Architects, Check Point Software

Kids are always texting, streaming shows and surfing the web simultaneously. With all of that Internet activity, what type of malware activity do you think you’d find on your home network? This talk gave insight into activity on Mr. Meghu’s home network, which he set up with enterprise products. Imagine applying this technology to your own home network and looking for patterns in the data – what do you think you’ll find?

  • KEY-W11 The Second Machine Age  – Andrew McAfee, Principal Research Scientist, Center for Digital Business, MIT Sloan School of Management, and Fellow, Harvard Law School Berkman Center for Internet and Society

We are living in a time of brilliant technologies that are bringing us into a second machine age, the greatest era of transformation since the Industrial Revolution.  Dr. McAfee discussed both the great promise and thorny challenges—for organizations, leaders and workers alike—of the world we’re creating as we create and deploy digital technologies that are the stuff of science fiction.


RSAC USA 2015: My Agenda Day 2 Tuesday

The RSA Conference USA for 2015 wrapped up last Friday.  I am using this blog to share with you my personal schedule for the five days of the conference, to indicate what interested me and what I experienced.  Yesterday I shared Monday’s schedule. Today I share Tuesday’s, complete with session descriptions from the RSAC catalog.

Please write to me if you have any questions about these sessions.

  • KEY-T01 : Escaping Security’s Dark Ages – Amit Yoran, President, RSA

We are living in the Dark Ages of security.  We cling to outmoded world views and rely on tools and tactics from the past, and yet we are surprised to find ourselves living in an era of chaos and violence.  We must cast off the past and enter an Age of Enlightenment by pursuing greater visibility into and understanding of our digital world.

  • KEY-T02 : Enhancing Cloud Trust – Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft

As pressures to accelerate cloud computing climb higher than ever, relationships between vendors, enterprises and governments have evolved into ones composed of trust and concern in equal measure. How should companies shape their plans? Scott Charney reviewed Microsoft’s cyber security strategy to help leaders innovate aggressively while managing business risk.

  • KEY-T03 : Security on Offense – Christopher Young, Senior Vice President and General Manager, Intel Security Group

In pro sports we avow, “Defense wins championships.” But without offense it’s hard to score the points needed to triumph–cyber security is no different. Chris Young looked at how we change the game, stay relevant, and ensure trust is the foundation of digital life.

  • KEY-T04 : The Cryptographers’ Panel

The founders and leaders of the field joined together for an engaging discussion about the latest advances and revelations in cryptography, including research areas to watch in 2015 and insights drawn from lessons learned over the last three decades.

    • Paul Kocher, Moderator, President and Chief Scientist, Cryptography Research
    • Adi Shamir, Professor, Computer Science Department, Weizmann Institute of Science, Israel
    • Ed Giorgio, Cryptographer and Security Expert, KEYW
    • Ronald Rivest, Vannevar Bush Professor, MIT
    • Whitfield Diffie, Cryptographer & Security Expert, Cryptomathic

  • KEY-T05 : Secretary Jeh Johnson, U.S. Department of Homeland Security

The growing number of serious attacks on essential cyber networks is one of the most serious economic and national security threats our nation faces. DHS Secretary Jeh Johnson discussed the evolving cybersecurity threat and Homeland Security’s comprehensive strategy to address it.

  • P2P-T07D : Who’s Invited to Your Party? Minimizing Risk from Outsourced Partners – Facilitator: Kenneth Morrison, Principal, Morrison Consulting

Recent headlines suggest your greatest risk may be from trusted, connected partners and those partners have their own partners; all potentially becoming your “insiders”. Questionnaires and standardized forms don’t suffice for assessment. Layered network defenses must be reevaluated. Attendees shared their experiences, and took away new options for controls to limit risk from the elastic insider network.

  • P2P-T08B : Trimming the Waste from Your Security Portfolio – Facilitator: Wendy Nather, Research Director, Information Security, 451 Research

In this discussion, attendees talked about example product portfolios, budgets and activities to help participants evaluate what they could consolidate, cut back, or eliminate. Some of the areas considered were activities that can be “outsourced” to other departments, products that require too many people to run, duplicate features, and technologies that aren’t being used.

  • CSV-T07R : Something Awesome on Cloud and Containers – Christofer Hoff, Vice President and Security Chief Technology Officer, Juniper Networks and Rich Mogull, Analyst and Chief Executive Officer, Securosis

Chris and Rich first started talking about the impact of cloud computing way back in the Dark Ages of 2009. This was the seventh installment of their genre-defying roller coaster RSA session. This year’s talk laid out the technical evolution of cloud computing, and how evolving practices and a drive towards containerization are already antiquating nascent cloud security models.

  • CSV-T10 : Security and Privacy in the Cloud: How Far Have We Come?  – panel

Come Snowden or iCloud hackers, nothing will rain on the business cloud. Panelists Eran Feigenbaum, Google for Work Security Director; Microsoft CISO Bret Arsenault; noted security expert Bruce Schneier; and moderator John Pescatore of SANS Institute discussed the evolution of security in the cloud.

    • John Pescatore, Moderator, Director, SANS Institute
    • Bret Arsenault, Chief Information Security Officer and Vice President, Microsoft
    • Bruce Schneier, Chief Technology Officer, Resilient Systems
    • Eran Feigenbaum, Director of Security, Google for Work, Google


RSAC USA 2015: My Agenda Day 1 Monday

The RSA Conference USA for 2015 wrapped up last Friday.  I am using this blog to share with you my personal schedule for the five days of the conference, to indicate what interested me and what I experienced.  I’ll separate each day into a separate blog posting, complete with session descriptions from the RSAC catalog.

Please write to me if you have any questions about these sessions.

  • SEM-M02 : Information Security Leadership Development: Surviving as a Security Leader

In conventional security training, there are few opportunities to learn how to develop and direct a successful information security program. Experienced security leaders delivered a morning seminar focused on bridging this gap.

    • As a New CISO – How to Assess Your Security Program for Success – Gary Hayslip
    • Are you Fighting the Wrong Battles? – Bill Burns
    • Being a CISO – What They Don’t Tell You – Jack Jones, Evan Wheeler, Rick Howard, Julie Fitton, Amy Butler
    • Stepping Inside the Boardroom – Trey Ford

  • SEM-M03 : Advancing Information Risk Practices

Many challenges face today’s Risk Management programs, including how to risk rank security gaps, handling business interactions and forming a qualified resource pool. This half-day seminar was packed with useful information from a series of respected industry leaders. Discussing successes and pitfalls, these leaders have set out to challenge conventional ideas and pursue cutting edge tactics.

    • Practical Quantitative Risk Analysis – David Musselwhite
    • An Inside Look at Cyber Insurance – Jake Kouns
    • Metrics That Matter – Scott Borg, Alex Hutton, Evan Wheeler, Kymberlee Price, Michael Werneburg
    • Leveraging Threat Analysis Techniques – Mark Clancy

  • ISB-001 : Innovation Sandbox

RSAC Innovation Sandbox has been selecting the most innovative information security companies and products for the past 10 years.  Previous RSAC Innovation Sandbox Contest victors have garnered venture capital investment, large company buyout and increased media coverage. RSAC Innovation Sandbox Contest has rewarded a range of information security solutions, including cloud security, mobile and app security, physical security and analytics.

In addition, the Innovation Sandbox Contest program includes valuable content on how to establish a start-up, start-up trends and the future of information security.

  • Introduction – Hugh Thompson
  • Most Innovative Company at RSA Conference 2015 Top 10 Presentations

Three-minute pitches followed by Q&A with judges.

  • Participating finalist companies:
    • Bugcrowd
    • Cybereason
    • Fortscale
    • NexDefense
    • SecurityDo
    • SentinelOne
    • TrustInSoft
    • Vectra
    • Ticto – runner-up
    • Waratek – Winner
  • Requirements:
    • Have an awesome product that has been in the market for less than one year; has the potential to make a significant impact on information security; can be demonstrated live and on-site during the event.
    • Have a great company that has a management team track record to successfully deliver products to market; is privately held, with less than $5M in revenue in 2014.
  • Judging panel:
    • Asheem Chandna, Partner at Greylock Partners
    • Gerhard Eschelbeck, Vice President of Security Engineering at Google
    • Renee Guttmann, Vice President for Information Risk at Accuvant
    • Patrick Heim, Head of Trust and Security at Dropbox
    • Paul Kocher, President of Cryptography Research
  • How to Get Funded

Don’t let your groundbreaking idea sink out of sight for lack of funding. Find out where the money is and how to get it. UC Berkeley’s Jesse Goldhammer guided this discussion between DARPA’s Dr. Angelos Keromytis, Trident Capital’s Alberto Yepez and Kickstarter campaigner Tiffany Spencer to sort out the challenges and benefits of conventional vs. unconventional funding routes to inject capital into nascent start-ups.

  • When to Build or Buy Your Security Solution – Panel

Jason Chan, Engineering Director, Netflix; Anup Ghosh, Ph.D., Founder and CEO, Invincea; Rick Holland, Principal Analyst, Forrester Research; Martin Roesch, Vice President and Chief Architect, Cisco Security Business Group

In today’s threat landscape, companies of all sizes need a technology investment strategy to protect their assets. Firms are often faced with either accepting the current toolsets available in the market or building their own tools to address their unmet needs. Rick Holland led a discussion on the tradeoffs of building or buying information security technologies with Anup Ghosh, Marty Roesch and Jason Chan.

  • Future Crimes: Why Cyber Was Only the Beginning – Marc Goodman

As ubiquitous as technology seems today, the scientific progress just over the horizon will leave our heads spinning. Today’s cyber attacks are only the beginning of our technological security risks. The Internet of Things, robotics, 3D printing, artificial intelligence and synthetic biology will provide unprecedented opportunities for entrepreneurs and criminals alike. Marc Goodman explored emerging threats and opportunities in securing the technologies of tomorrow.

  • Award Ceremony and Winner Announcement


Who’s Invited to Your Party: Discussion Framework

Presented at RSA Conference USA 2015
Yesterday I had the great pleasure of hosting, as facilitator, a peer-to-peer (P2P) session at RSA USA Conference in San Francisco.  The topic was information security of the partners with whom we do business.  I’ll write about the session and topic over a few blog posts; my first was posted yesterday, a post that summarized other RSAC USA 2015 sessions that cover security of partners.
The title of my P2P session was: Who’s Invited to Your Party?  Minimizing Risk from Outsourced Partners.  The session description was:
Recent headlines suggest your greatest risk may be from trusted, connected partners.  Let’s get beyond old approaches to share experiences and new control options for your elastic insider network.
Best practice partner security evaluations have typically included questionnaires, standardized forms, log reviews, and audits.  But these are proving insufficient.  If a connected partner supporting core operations is compromised, your internal defenses, such as layered network architecture, may also be insufficient.  Those partners have their own partners, all potentially becoming your “insiders”. We will discuss new ideas and better approaches for managing partner access and limiting risk.
In advance of the session I answered a few questions to help prepare those interested in attending the session.  Here are the questions and answers:
1. Who are the attendees who will most benefit from—and contribute to—this peer2peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?
  • Attendees whose organizations utilize outsourced partners to do business–partners that connect to internal computing resources and/or have access to proprietary information, forming “the elastic insider network”.
  • Attendees who assess security of organization-partner information exchanges and network connectivity.
  • Attendees whose roles include IT technical, IT security, legal, asset-management, risk-management, insurance.
  • This session will be strategic and tactical, not deeply technical.
2. Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?
  • Organizations regularly engage partners to support operations, including core functions; this outsourcing is a well established and increasing trend across many industries.
  • Virtually all of these partner supported operations involve information sensitive or even strategic to the organization.
  • Most of these partner supported operations involve information exchanges between the partner and the organization, and many involve partner access to internal networks.
  • Organizations have limited influence over the operations of their partners, including partners of the partner, which increases information security risk and requires additional, and specialized, controls.
  • Many of the breach reports lately in the news have involved compromised partners as a vector to attack business networks, at great cost and reputational damage.
3. Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?
  • Think about the partners engaged by your business, the types of operations they support, and the information and business networks they access, particularly mission critical, sensitive, or regulated.
  • Think about what processes you have in place to assess potential partners, to monitor and audit partner operations that involve your business, and to mitigate IT security incidents involving partner access.
  • Think about the contracts you have with your partners, specifically the language that gives you (1) rights to direct how the partner uses your business information and connects to and uses your internal networks; (2) rights to audit the partner; and (3) rights to direct how the partner engages and uses partners that also have access to your sensitive information.
4. What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?
  • I anticipate a vibrant, in-depth, inclusive discussion that surfaces a variety of viewpoints and debate between them.
  • Attendees will leave with an understanding of the issues, assessments and controls involving outsourced, connected partners.
  • I expect to spark for participants some of those invaluable RSA “aha!” moments, where they gain new perspectives and insights that they bring back to add immediate value to their work and spark meaningful change in their organization.
Tomorrow I’ll post a summary of the session and anonymized comments shared by participants.

RSAC USA 2015: Partner Security Sessions

Great peer-to-peer session at RSAC this afternoon. Thanks to all who participated.

I promised you I would post a list of sessions at RSAC this week that involve partner security, so here it is. There are seven total, though the first is already finished. Hope to see some of you again in these sessions.

  • Tue 3:30 p – GRC-T09: The Coming Revolution: Industry Groups Defining Vendor Assessment Standards – Panel, including Howard Schmidt, former president of Information Security Forum (ISF), ISSA and (ISC)2, and former Cyber-Security advisor to the Bush and Obama Administrations, former Microsoft CSO/CISO.
  • Wed 8:00 a – CRWD-W01: Combating Cyber Risk in the Supply Chain, Joshua Douglas, CTO Raytheon Cyber Products
  • Wed 9:10 a – ECO-W02: Addressing the Global Supply Chain Threat Challenge: Huawei, a Case Study – Andy Purdy, CSO Huawei Technologies USA
  • Thu 10:20 a – CRWD-R03: Best Practice or Bust? Test Your Approach to Third-Party Risk, James Christiansen, VP, Accuvant
  • Thu 10:20 a – P2P-R038: Third Party Supplier Governance—Secure the Supply Chain, Puneet Kukreja, National Australia Bank
  • Thu 11:30 a – GRC-R04: Is Your Third-Party Service Provider Vendor Management Program Good Enough? – Patrice Coles, Compliance Manager
  • Fri 11:20 a – STR-F03: Supply Chain as an Attack Chain: Key Lessons to Secure Your Business, panel