Gain an essential insight into the power of SABSA, the world’s most prevalent Enterprise Security Architecture framework and method

This optional 1-day training course will run Monday 26th February 2024, the day prior to COSAC 2024.

COSAC delegates can avail of this 1-day training course delivered by SABSA co-author David Lynas, for the reduced price of $500 +gst.

This innovative and condensed one-day course delivers a jump-start to your Enterprise Security Architecture journey. Understand what SABSA is, the essentials of how it works, and why it is important. Evaluate first-hand the value that it can deliver to you, your career, and your wider organisation.

Learn how to change the security conversation and reframe the way we approach our work by transforming information / cyber security, architecture, and risk into Business-enabling, value-driven functions. Understand how to define requirements and articulate solutions value in clear business terms.

Critically and realistically evaluate the limitations of current checklist-based security practices and tactical solutions thinking. Take the first step in elevating your security to a new level and discover a better way to serve your customers in the age of ever-changing, hyper-connected, multi-dimensional complexity. Uncover how to be the difference that contributes to stakeholder success through this short introduction to a new approach of realising the business benefit, innovation, and adaptability demanded by stakeholders.

Outline

The Fundamentals

• - Security and Enterprise Security Architecture
• - Introduction to SABSA
• - Principles, advantages, and benefits
• - The framework for solving complex problems
• - Traceability to enable business and inform solutions

The Conceptual Frameworks

• - Security and Enterprise Security Architecture in Business Context
• - Business-driven requirements
• - SABSA Attributes: a normalised, measureable, common language for what’s important
• - SABSA Domains: a normalised structure for accountability, authority, and ownership of what’s important
• - Business-driven Governance, Risk, Compliance & Policy frameworks

Solutions Architecture

• - Calibrating and scaling the framework in a solutions context
• - Practical traceability to demonstrate solutions value
• - The role of dependency models
• - Integrating and aligning security

Security Strategy

• - The integrated lifecycle
• - Strategic, transformation & operation risk
• - Where to start
• - The security roadmap

Enterprise Security Architecture Essentials is available during COSAC registration as an add-on.

A personal reflection of the key take aways from undertaking several SABSA trainings and how it has allowed for a successful journey from Security Architect to Chief Information Security Officer for a large enterprise organisation.

The discussion will highlight the experiences – pitfalls and wins - whilst developing security strategy, security programs, security catalogue, and security teams across 3 different organisations, a retail & manufacturing organisation, a professional membership organisation, and a large enterprise retail organisation. This will be done with reflection on the various learnings from SABSA that have contributed to successful CISO work.

As this is an experience sharing session, it will also touch on the importance of the need for self-care in our profession and the importance of establishing your tribe, and how this played an important part in keeping the speaker energized during the 2020-2023 period.

Kali Purple was released in March 2023 as a free-to-use platform with an initial installed set of tools across the Identify, Protect, Detect, Respond and Recover categories of cyber defence. The initial set of tools came mostly from the existing tools available in Kali.

Since then, Kali Purple has evolved not only as a cyber defence analyst workstation with an increasing number of tools, but also as a server platform which provides easy installation of a range of cyber defence servers. At this stage the main focus has been the operational aspects of cyber defence covering security monitoring, threat hunting, threat intelligence and incident response. In addition, a new tool has been added to the Kali distribution to support the use of Kali Purple as a workshop platform for training cyber defenders.

This presentation provides an insight into building and experiences in using the ELKStack and Wazuh SIEM solutions, the Malcolm threat hunting platform with its integrated Arkime, Zeek, and Suricata tools, the OpenTAXII threat intelligence sharing platform and the OpenCTI tool, and the Velociraptor incident Response tool. It will also demonstrate the use of Kali Autopilot to generate automated attack scripts.

The presentation will give some insights into the current and upcoming wave of activity on Kali Purple, including a case study of using Archimate for SABSA modelling.

This session describes how a SABSA deployment that initially focused on securing change has evolved into an extensive distributed security controls assessment function, spanning both change and run. We also explore how we intend to take this function into the future, including ongoing/continuous controls assessment and the new frameworks we are building.

We start with the back-story of the ‘Secure by Design’ practice at a large financial services organisation in Australia - a practice that was originally inspired by SABSA but has now been operating for over 15 years. We then explore how this ‘Secure by Design’ has evolved over the years, and how it is now delivering value far beyond its initial scope. This leads to a discussion about what might be possible if we continue to extend SABSA beyond Architecture. Finally, we outline our intent for future experimentation.

The speaker has led this program over fifteen years, embedding SABSA at the core of the security architecture function at this large financial organisation in Australia. This speaker helped create and enable a large cohort of SABSA-certified professionals that operated across architecture and security teams, ensuring the concepts permeated far beyond their security architecture roots.

Large Language Model and Generative AI tools are exploding across the news headlines and discussions and capturing our imaginations. Additionally, the discource is full of debate and discussion about the potential risks and exposures of this technology however as with any new innovation or solution, there are always both risks and rewards to consider.

I have been on a journey exploring Generative AI (GAI) especially to understand its capability and how this can be leveraged to enhance and improve the delivery of security consulting and its usefulness to a security architect and want to use this opportunity to share the outcomes of using prompt engineering techniques to generate the below

This presentation will cover the below:

• What are Large Language Models and what is available?

This section will provide a background of the different types of LLMs available such as GPT, LLaMA, Alpaca and guidance on when to use them.

• What is Prompt Engineering

This section of the presentation will cover a crash course on prompt engineering and cover the various techniques of prompting such a zero-shot prompting where the language model is capable of performing tasks without any instructions, few shot prompting where some examples can be provided to steer the model towards in-context learning, chain of thought prompting, graph prompting etc. We will also cover the typical structure of a prompt and the elements of the prompt such as instruction, context, input data and output structure.

We will also cover settings of an LLM such as temperature and top_p which are parameters that can allow for deterministic results or creative results as a result of prompting.

• Specific Use Cases and Prompts – Rapid Prototyping

This section will present different use cases of Prompt Engineering and show specific examples of prompts that can be used. We will also present how LLM Plugins can be used to generate specific outcomes in security. Following are some of the use cases that we will cover

1. 1. Business Process Engineering: GPT4 can be used to create user journey diagrams as well as create visual representations of various business processes.
2. 2. Rapid Prototyping of Security Architectures: GPT4 can be used to rapidly prototype security architectures based on information provided through the prompt.
3. 3. Developing a Rapid Security Threat Model using a Large Language Model:

This part of the presentation will demonstrate how I used a large language model to generate a threat model for a sample organization using the Architecture, Threats, Attack Surfaces and Mitigations (ATASM) approach. This is a method that I regularly use as a consultant to perform threat modelling for my clients.

This method consists of the below steps

Architecture :- Understand the logical, physical and component views of the architecture. We will leverage the modelling and diagramming capability of the language model to develop various diagrams to help visualize the architecture. The LLM also has a capability for writing mermaid code which is javascript based diagramming and charting tool.

Threats:- Provided context about the organization and trained on the format we are using for the threat model, we will leverage the LLM to generate a list of threat agents, their goals, their risk tolerance, work factor etc as well as the methods they would use.

Attack Surfaces:- Once the architecture is modelled in code, given the context about the location and potential vulnerabilities in the architecture diagram the LLM is able to identify potential Attack Surfaces.

Mitigations:- The last step will cover prompting techniques to help draft countermeasures to the identified attack methods that have a legitimate exposed attack surface. We will leverage the LLM capability to ingest a large amount of controls and recommend specific controls from control libraries such as NIST etc. We will also demonstrate how to leverage an LLM to display the controls leveraging models such as the SABSA Multi-tiered control strategy defense-in-depth model etc.

Once the threat model is complete we will analyse the outputted threat model for weaknesses and certain issues such as accuracy, creativity, credibility etc. and how to mitigate them leveraging prompt engineering techniques.

Increasingly, organisations are beginning to double down their investments in digitalisation in order to compete in an even more interconnected world. Digital transformations monopolise the interest of board members globally, aiming to leverage the latest technological advancements to improve the customer experience, automate the value chain, free up resources, discover new revenue streams and operate with greater agility.

The pressing need for digital transformation constitutes cyber security risk as one of the top non-financial risks for organisations across all sectors. It also acts as the main driver for improving the security fabric and strengthening the cyber security resilience. Due to the consequences cyber security incidents have on critical products and services, cyber security investment soars to $1.75T globally.

This presentation will assess the effectiveness of the current practices organisations rely upon to create cyber security portfolios and allocate investment funds. Emphasis will be given on the challenges security professionals face to demonstrate meaningful return of value and maintain the corporate support.

The presentation will then introduce a novel approach on how to optimise security investment by modelling the security mechanisms, analysing the effectiveness of the proposed activities and demonstrating their relevance to business outcomes. Pivotal to achieving this is the need to establish a clear linkage between cybersecurity services and business objectives to both justify actions across the security posture and assess the completeness of the assurance provided. Most remarkably, bridging the gap between cyber security and business serves as an effective communication mechanism that portrays security as a value provider.

Simulation of platforms and systems provides the basis for many important organisational outcomes, such as individual skills training, training users on the specifics of a system, training teams on operational processes, testing operational concepts and system testing and troubleshooting to name a few. The application of simulation concepts is well established in the development and sustainment of physical platforms and systems.

For cybersecurity, there has been increasing discussion about using of “cyber-ranges” and “red -team exercises” to support various cybersecurity objectives and outcomes. It is noticeable that this discussion often lacks the application of basic simulation concepts - ‘what is being simulated’ and ‘what is the simulation being used for’.

This session will discuss the basic concepts of simulation, its application to systems (especially mission-critical and cyber-physical systems) and will explore how it can be applied to systems to deliver cybersecurity outcomes.

Yes, you can be cyber secure and optimise investments! Here's how....

As cyber security challenges continue to mount, organisations are feeling the pressure to keep investing in order to be secure. However, we cannot spend our way out of the cyber threats and risks that are confronting us. This is especially true in an economically challenged environment that currently exists. There are rising frustrations on both the business executive and cyber security sides. Business executives aren't seeing the right return on their cyber investments while cyber teams are increasingly feeling the pressures of keeping up with the workloads and managing burnout. There needs to be a smarter way to address these issues.

This session will look the challenges facing executives and cyber teams and recommend practical, actionable takeaways in the following areas:

• - Formulating a cyber security strategy that is truly business-centric and enables the organisation to be secure by investing proportionally
• - Giving businesses strategic options on investments and resourcing aligned with levels of cyber protection tied to the right metrics
• - Realising cost optimisation and an improved security posture through a holistic approach to security tooling as part of Enterprise Security Architecture

More human interaction now occurs in the digital realm, than the physical realm.

We are utterly dependent on the digital world for our daily lives to function.

Definition: “Digital Safety = where vulnerabilities and exploits on software, cause harm and damage to the physical world and humans.”

In this 3rd episode in the Digital Safety saga, I’ll be further challenging:

• - How can you possibly know the full stack of code and software that runs in a complex system? (For example a fully autonomous rail network).
• - Even if you do know, how can you possibly know that each and every component is secure and tested, and fit for purpose?
• - Who is then liable for that code and the physical damages caused by exploited vulnerabilities in it? The end provider? The software developer? The pen-tester?
• - Then, what about the AI generated code? Are we making the problem smaller, or larger? Both in regards to the quality and vulnerabilities in code, but also who’s liable for the physical damages the AI’s code may cause?

In short, what insights and learnings can we get from trying to build a world of “Physical Safety” into how we provide “Digital Safety”.

My presentation will introduce the concept of integrated business assurance built on a foundation of data driven risk intelligence that supports the hypothesiss of truly adaptable security.

Using anonymised case studies experienced during the pandemic and post-pandemic business change years, I will highlight how three organisations have embraced the ‘Shift Left’ concept. ‘Shift Left’ addresses challenges concerning point in time dipsarate security solutioneering to a place of complete businesses immersion. No longer the business outcast but a true business outcome enabler.

This novel and unique discussion on changing the way we think and enhancing human performance using neuro linguistic programming (NLP) from the perspectives of both neuroscience and information security, presented at COSAC 30 and updated with that audience’s feedback. Debunking current Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works.

NLP is referenced in Self Help Programs and seminars, and Security Awareness and leadership training. The basic concept is tied to “Reprogramming the nervous system through the use of language” with false concepts and pseudoscience about brain programming to communicate effectively and influence others to change our own thoughts when presenting otherwise accurate information and can skew materials to make them entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to influence system changes, develop awareness training, and create appropriate defenses for malicious hacking attempts.

The value in this session is providing information from current brain science to use in training. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain.

Risk Management

Risk Management in its very basic form requires identification, assessment (impact and likelihood), current controls assessment, mitigation controls definition, monitoring and reporting of risk over the active lifetime of the risk record. In some instances, and depending on the nature and maturity of risk management disciplines, concepts like inherent risk, control risk, residual risk, risk appetite and tolerances, risk optimisation, etc, can be introduced to enrich the strategic leverage of risk management. All of these have critical dependency on “risk ownership and accountability”. Without an appropriate “risk ownership and accountability” assignment model, risk management can often appear academic, theoretical and highly abstracted, delivering no real value to the organisation. In this unfortunate situation, risk management and its associated records simply become the graveyard or the “too-hard” basket for issues and problems. Managers absolve themselves of any accountability and/or responsibilities once their teething issues and problems make their ways into the too-hard basket, the Risk Register, and never to be talked about ever again.

In many organisations risk accountability assignment is a very complex thorny issue. Several stakeholders have bona-fide interests in specific business resources and would be impacted by plausible risk vectors. However, the differential individual interests are not significant enough for them to voluntarily take-on unequivocal and active accountability for the specific risks. In some other instances, each impacted stakeholder feels strong attachment to specific risks and have different views on how these risks should be managed to the points of passive-aggressive tensions. Both of these situations lead to the same risk graveyard scenario raised above.

SABSA Risk Domain Architecture - One of many solutions

Risk Management could be a strategic foundation for a wide range of management processes – including but not limited to general business, technology governance, security, etc. To enable this strategic capability, there needs to be a sound and objective method of assigning risk ownership and accountability. One such method is the Sherwood Applied Business Security Architecture (“SABSA”) Domain Architecture concept. Domain concepts - single domain, super-domain, sub-domain, peer domain, multi-tiering, inter-domain interactions, complex inter-domains policy associations, etc - can be combined with standard RACI (Responsibility, Accountability, Consult, Inform) model to construct a useful method to resolve the fundamental issues around risk accountability assignment. In the discussion below, I lay out (a) some SABSA Domain Architecture concepts and a simple application construct, (b) a requisite highest ranked lowest common node accountability test, and (c) high level application of the construct.

We embark on the good ship Access Management. We have a clear direction from the captain to move from the fjords of isolated data bays to the sea of open access seeking analytical riches. However, the crew has been working the closed bays of the fjords for aeons and think the captain is not considering the perils the open sea represents. The ship therefore stays in the apparent safe harbour of endless segregation, limitless localised risk scopes and ingrained process all pulling on the tiller while the ripe shoals of opportunity pass them by. Mission success is declared because they couldn't see the sea.

As a crew member on that ship, it has baffled me for some time as to how this occurred. After some soul searching and a pinch of analysis, I came to understand this was a function of a complex set of interplays that generally tie back to the human condition. I will demonstrate how localised risk scopes prevent lateral vision; that access to information is used as a power trip; and that people assume how things work based on how it appears to them. These elements combine to establish a form of human thinking when ownership (maybe accountability) gets lost in process (this is how it's done), inheritance (this is how it was always done) and learned helplessness (what do you mean we can change how it's done). I will share some of the tools and techniques that I used to try and combat this environment, but I will also ultimately show how the bureaucratic tools of; perverted reporting, scope manipulation and waiting until being overtaken by events, mean that success was always guaranteed therefore undermining any lessons learned that might be taken.

Cyber security architects understand the value of an Enterprise Security Architecture to ensure that the business is exploiting positive opportunities and managing negative risks. However, whilst the benefits of a traceable and justified ESA are obvious to security practitioners it is difficult to develop an architecture in the first row and column of the SABSA matrix. Too often, businesses know they need an architectural framework, but stakeholders are discouraged by the time investment of a full ESA. What businesses desire is an appropriately sized and managed approach to applying cyber security solution architecture.

The aim of this presentation is to have a discussion with the audience on what is the “right level” of cyber security architecture. The session also aims to critically analyse the key components of a SABSA ESA and determine how architects can adjust to match the needs and maturity of the target organisation. Ideally, this presentation gives direction for how organisations can invest in a crawl, walk and run approach to developing a flexible “right sized” security architecture for their business needs. Bruce believes the answer lies in the application of the SABSA Fast Track approach …

Mentoring those new to the field or new to our organizations is one of the least emphasized yet most important of our responsibilities But if we’re going to mentor others, we surely better know the details and peculiarities of what we’re trying to have them learn. Okay, principles haven’t changed much since security graybeards were coding access control lists and carrying their card decks to be read into mainframes: Availability, Integrity, Confidentiality. But the actual technology and the specifics of the threats change so fast and so continually that keeping up would be a full-time job if we didn’t already have one. And ChatGPT won’t provide us a guidebook.

Advantages of mentoring include getting some help for ourselves. We encourage “mentees” to take a balanced and nuanced view even when circumstances might indicate that “panic.” In this interactive session, we focus on mentoring others and on keeping ourselves up-to-date. We’ll look at effective ways to guide others and cite some key elements of successful mentoring programs that receive positive feedback from both mentors and mentees. We’ll cover pitfalls to avoid and examine ways of fighting the uphill battle to keep current on techniques, threats and technology. Your own experiences as mentor and/or mentee will be solicited and welcome. Come join us.

This session will present a practical framework for implementation of an Enterprise Security Architecture using SABSA and key points of contact with other standards or frameworks such as ISA/IEC 62443, ISO55000, and the AESCSF v2.

With the pace of digital transformation, security architects are facing challenges to support a coordinated, inter-operable design, and re-usable set of cyber security artefacts across the enterprise. This session will address how to share a common language between IT and OT cyber security practitioners, based on the business context and cyber security risks, and how to inform cyber security requirements and cyber security controls following a systematic process that enables traceability to business requirements (justification) and cyber security solutions (completeness) enterprise wide.

This session will be based on the presenter’s practical experience in Operational Technology environments, and the lessons learnt through the planning, design, and implementation of this approach in an Australian energy utility.

This session will challenge and encourage the audience in working through how security solutions are delivered to assets across the organisation, with a holistic and risk informed view. And will provide some examples of artefacts to address the business security context, compliance demands, and the evolving digital environment.

Barely a day goes by without us hearing of how digital services are changing our lives, typically through new products and services that give us more choice and tailored on-line experiences. Generally, businesses embrace digital capabilities to help reduce their operational costs and, no doubt, this trend will continue.

Working within the tech community we are very likely to consider ourselves as technology aware and, generally, increasingly take advantage of digital services. It is important however that we address the fact that there are substantial sectors of society that are classified as digitally disadvantaged and who struggle to participate in an increasingly digital based and digital dominated society. This needs to be addressed as part of ethical business policy and practice.

Digital disadvantage occurs when one person or group of people receive different, more harmful experiences of digital services when compared to others. It encompasses a range of elements from inclusion to skills and attitudes and is closely linked to broader social disadvantage. Digital exclusion occurs when a person or group of people cannot access digital services for one or more of a variety of reasons from having no physical access to digital services to being unable to validate their identity through a lack of valid digital credentials.

You might think that this could never apply to you … but I believe the pool of digitally disadvantaged people is growing, and not necessarily among those sectors you may expect.

Where businesses are increasingly struggling with unambiguously identifying their users, most of whom they will never have met in person, they rely on digital artefacts to establish and verify identity. The datapoints they use are no longer just date of birth, passport or country ID number and credit history but, for example, now include mobile phone operation as part of the dataset, and this approach of using more and more datapoints can have unexpected consequences, and not in a good way.

In this talk (and debate) I will highlight how AI enabled deception services can produce synthetic identities with sufficient data points to appear genuine and amplify the problem of making more real people outliers because they lack these additional markers.

I expect us also to consider the emerging problem of loss of control of critical biometric identify information as (typically younger) people give away their DNA and retinal scan data in exchange for a service or, in the latter case, crypto coins.

While the use of machine learning (ML) offers a lot of promise to organisations, industry studies suggest that many ML projects are unsuccessful. Part of the problem is often in the operationalisation of ML (MLOps). A lot of attention is paid to getting the right tool set to deliver an ML model into production, but less effort tends to be spent on understanding how ways of working across the organisation need to adapt to ensure security risks are managed. To use a familiar trope - secure MLOps is not just about the technology and tools being used, but also about policies, processes, and people. This presentation will use the results of our research to date to examine organisational security in the context of MLOps, exploring the policy decisions that need to be made about risk, automated decision making, the use of digital twins, legal requirements around data, and the need for people with ‘T’-shaped skills.

In this session, we demonstrate how risk floats exactly like bricks don’t.

Sailors will tell you that you want to sail as close to the wind as possible to maximise your speed and this risk concept, while oft miss-used by the non-nautical, is a great analogy for maximising your performance in a risky environment.

The often-tragic events in humanity’s conquest of the great oceans, demonstrates the severity of negative outcomes in sea of ever changing risks.

In this SABSA presentation we take a deep dive into managing risk with SABSA, demonstrating clearly, using maritime success and disasters, how doing business means taking risk.

We ask how much risk is enough and how much risk is too much? We will get our feet wet answering the question - In the deep blue do we always want to operate in the green?

We will plumb the depths of SABSA attribute performance targets and suggest raft of extensions to buoy our ability to manage risk within appetite, helping us sail closer to the wind to rapidly meet our goals.

Attendees will take away new findings regarding SABSA performance targets, for both positive and negative risk and systemic risk interactions, helping them and their organisations plot a course through the uncertain business risk environment.

This session is recommended for anyone interested in measuring risk and would serve as a ship load of ideas for a SABSA Masters’ thesis, telescoping suggested extensions to the framework to provide additional guidance to captains of change.

“Alright, you primitive screwheads, listen up! You see this? This... is my BOOMSTICK!!!” – Ash Williams, Evil Dead 4

Ahhhhhhhhhhhhhhhhhh, Risk: no other topic bears as sweet a perfume, as intoxicating a character, as entrancing an allure...

... Nor, for some reason, as predisposing an invitation to an uninvited critique from those around you (including, I might add, from yours truly).

That we all do this to each other is a good sign that the way we think about Risk is full of complexity, character and a seemingly bottomless well of nuance from which any amount of pithy insight can be drawn.

‘That’s all well and good, but you should model your opportunities.’

‘I can see your inherent risks, but where are your cascading risks?’

‘That’s a discrete risk, what about the aggregate risk?’

‘There’s too much detail here, roll it up.’

‘This is too abstract, break it down.’

‘That’s not a risk.’

Yet amidst the hoity-toity brouhaha of the Risk enthusiast lies the rock-solid, time-worn lesson:

Suck at Risk and you suck at your job.

That’s why, shoppers, you need the RISK BOOMSTICK™! 25 years of not sucking at Risk is distilled down into an eensy weensy power-packed (like me) 1 hour presentation for your enjoyment, pleasure and 100% money-back-guaranteed satisfaction*. Chock-packed full of nuanced techniques, revitalised ideas and all-weather analysis ammo to get you out of any situation, this baby will eat up ANYTHING you feed it and never fail to deliver whatever is on your sights and on le-plait-de-jour!

That’s right. Shop smart! Shop S-MART!

* 100% money-back-guarantee not included

Trust is an integral part of human nature and society. However, ‘Zero Trust’ is a hot topic among security professionals, vendors, regulators, assurers, and business stakeholders. The immediate impression one gains from ‘zero trust’ is ‘no trust’, though the concepts and principles described by zero trust are about the maintenance and provision of continuous trust.

The presentation uses SABSA frameworks and methodologies to argue the case for a holistic ‘Business Trust Model’ that can be architected to assist the business and its stakeholders in making informed decisions on the business trust strategy they could implement. The ‘Business Trust Model’ explores the entities that play a part in providing business trust and their interactions, the definition of business trust as attributes of value to the business, the risks (opportunities and threats) associated with business trust, the use of attributes of business trust to map the capabilities of tool and processes related to business trust and means for justifying the capabilities required, the type of governance and assurance processes that are required for business trust to be immutable, the use and interplay of logical and physical domains in business trust, and the time dependencies related to trust.

Do we truly think like an adversary when we build threat models? Are we constrained by our own box of rational thought and outcomes, unable to understand the “irrational actor’s” motives, tactics or outcomes? Is our “rational” understanding one of the key reasons we often fail to model the next obvious vulnerability in our systems? We will explore the blind side of how we approach threat modeling and discuss methods we could use to uncover and explore the methods of our adversary!

• - What are the reasons we often discount certain threats, methods, and outcomes as unreasonable, unlikely, or even crazy?
• - Are we working with blinders, unable to understand systemic risk around us which may contribute to the motivation and outcome in our threat model?
• - Are our adversaries using AI to undermine our controls?
• - How do we adapt to rapid changes in our understanding due to observed or experienced events?

In this session we will leverage the work from the 2022/2023 working sessions at both COSACs. We then will build on these ideas with our combined experience and discuss what mechanisms and processes exist to help us unfold this difficult topic and see if we can create a method to address these threats.

‘Words mean things’, as Drill Sergeant once enthusiastically bellowed at me after failing to communicate effectively. I came to understand this was because of the lethal consequences of the profession he was training me for.

When undertaking any work as a risk professional, it behooves us to proceed with caution and choose our words wisely. Business Drivers, Attributes and the careful crafting of their definitions for the Enterprise to which they belong are foundational to the ESA toolbox. With our work, we hope to capture complexity within plain language expressions while remaining flexible and removing ambiguity.

This session is for those who feel that creating meaning from words is both a powerful and dangerous undertaking. These brave persons will want to better harness language for their work. It is also for anyone who enjoys a cheeky bit of wordplay.

Attendees will be exposed to principles and tools from game design, systems engineering and linguistics. These concepts will be connected back to Security Attribute writing and demonstrate their utility for ESA. By the end of the session you will be equipped to define Requirements and Attributes with the decisiveness of James Murray heading the Oxford Scriptorium

As Australia continues to adopt renewable energy resources, virtual power plants (VPPs) are becoming an increasingly popular solution for integrating renewable energy sources into the grid. A VPP is a cyber-physical system that coordinates the operation of distributed energy resources (DERs) such as solar panels, wind turbines, and energy storage devices.

While VPPs offer numerous benefits, such as improved grid stability and flexibility, they also introduce new attack surfaces and opportunities for exploitation. This talk will review recent developments in VPP technologies and their security ramifications, and present a consolidated VPP threat model. As a class of emerging technologies where adoption tends to outpace security practice, the practice of threat modeling and security by design is imperative for VPPs.

Architectural characteristics of VPPs can vary significantly depending on the deployment and operating model. However. a number of key features tend to recur and are worth noting from a security perspective:

• - Centralised command and control to enable efficient management and optimisation of energy flows, often hosted in the public cloud
• - Connectivity between the VPP cloud and onsite equipment such as inverters, solar panels, generators, and batteries, via a ruggedised site controller.
• - Real-time energy trading platforms that leverage telemetry from enrolled DER assets and onboard analytics to enable more intelligent energy economies
• - Digital twins and actor-oriented systems which represent real-life devices and enable dynamic, programmatic management of fleets of DER assets

Each of the above components possess specific attack surfaces each of which merit threat modeling in their own right. For example, compromise of developer access for the central VPP management platform, or via compromise of the software supply chain, may allow an adversary to tamper with energy resource operations at scale or further penetrate into environments where DER devices are deployed. Such tampering may be pursued by direct modification of configuration parameters (e.g., setpoints) in devices themselves, or through abuse of rules that govern the VPP's energy management logic. In the onsite context, the inherently distributed nature of DER equipment may permit fairly liberal physical access of adversaries to such devices, and represent an attractive foothold from which to probe the broader VPP architecture for vulnerabilities. The services supply chain for installation and commissioning of DER equipment, in which multiple sets of general contractors, subcontractors, installers, and other third parties may have custody of a VPP-enrolled device throughout its lifecycle, is a common factor in VPP-related deployments which significantly extends the attack surface of the overall VPP.

In order to correct the typical tendency for security to follow in the path of decisions already made, it is emphasised that critical infrastructure owners and operators that seek to benefit from VPP technologies understand their threat model and leverage the threat model to guide better security decisions for such projects. The resulting consolidated VPP threat model (aligned to the MITRE ATT&CK framework) presented in this talk is offered as a template for the community of critical infrastructure asset owners and operators to utilise as they see fit.

It can be difficult to explain SABSA’s value to folk who have not actively become enmeshed in planning for, implementing, or operating information security controls.

I will present a simple (perhaps simplistic?) framework using graphical constructs of Linear Programming (LP) to convey – from a top-down holistic perspective – the value in business terms of adopting the SABSA framework to inform information security architecture development.

By holistic, I mean that not all of SABSA’s value can be easily communicated – even to a technologically erudite audience – using reductionist perspectives, in which the value propositions are explained in terms of itemised lists of specific components and sub-models.

In contrast, from a business and technology senior leadership perspective, key messages are best communicated verbally and visually in a ‘BLUF’ manner: Bottom Line Up Front.

• - What’s in it for those senior business/technology leaders …
• - … Who have the authority to commit resources to address information security concerns?
• - Why should they care?
• - Where and When is it best to advocate for using SABSA?
• - How can graphical LP constructs be used to communicate the answers to the above?

To expand on the graphical LP construct, further details are best presented in subsidiary artefacts which can then be pored over by éminence grise functionaries.

Major incidents can be described as being a form of organised chaos. As the duration of the incident response extends, the risks to your personnel can become extreme. These risks can and do often compromise the efficacy of the Incident responses. Jack has seen people physically collapse or even suffer heart attacks exacerbated by the evil nexus of exhaustion and stress.

For smaller organisations and teams, fatigue management often becomes an afterthought during their first major incident – usually after someone “loses their shit”. By preparing in advance, you can mitigate the adverse effects on your personnel and help to ensure a more rapid and effective response for the harder incidents that run into days weeks and even months.

In this session, Jack will describe the key artifacts required of which your Incident Response Plans, Disaster Response Plans and Business Continuity Plans should all leverage off. These artefacts and the forethought required to create them will maximise the focus your key personnel can bring to bear on the incident at hand and help to ensure your response is not inhibited by mistakes tired people make whilst also helping to minimise the impact on your most important asset – your people.

The session will illustrate how two key attributes can shape the discussion of the Metaverse, what it is in business context, what it means from an end user perspective, the types of metaverses and a sequenced approach in terms of shaping its delivery strategy. This session will show some insights on how to introduce the concept to the organization as a case study, through to creating awareness and balancing compliance and security requirements.

The Markov chain is a well-known mathematical tool for evaluating the probability of a series of interdependent events. Risk-based domains such as reliability and security can make use of this state-based process model to better assess the likelihood of a given fault scenario, but such analyses typically take place in a fashion that is not integrated with the architectural/design model of the system-of-interest. As systems grow in complexity, our ability to fully understand the holistic nature of risks and how to manage them is increasingly challenged by the absence of established methods that can associate risk evaluations with those systems’ authoritative architecture and design models, especially as the pace of engineering development processes quickens.

This topic explores a method for modeling and analyze system security risk using adaptations of the Risk Analysis and Assessment Modeling Language (RAAML). It provides the means to accurately express Markov processes in the same foundational language used for Model-Based Systems Engineering, thereby inherently improving the integration of security analyses and engineering development processes. This enhanced integration of processes can yield results that are both more timely and of better quality, thus increasing our confidence in the engineered system’s security.

The ability of an Enterprise to collect diverse but inter-connected Risk information, integrate it, align it, view it, and consider it holistically, may be the difference between success and failure.

“This capability is what separated the banks that survived the financial crisis from those that failed. The failed companies had relegated risk management to a compliance function.” Harvard Business Review 2012

A complex system such as today’s modern enterprise is composed of many constituent parts which interact, are inter-dependent, with conflicted and systemic relationships. It is an eco-system, changing organically because of the innovations and behaviours of its parts, each of which has its own objectives, success factors, methods, risks and opportunities. The Enterprise and/or its parts also interact with the ever-changing environment in which it exists. A complex Enterprise cannot be defined by reference to its constituent parts alone because no part is completely independent of the behaviour of the other parts.

And yet an Enterprise can spend huge resources and finances on checklist-based, compliance-driven, highly subjective, non-normalised, isolated, siloed risk assessments and treatment plans.

“Insanity is doing the same thing over and over again but expecting different results.” Albert Einstein

The traditional approach to Risk is fundamentally flawed. We know it is broken and not fit-for-purpose in real world complexity, but we continue to blindly do things the way they have always been done simply because they have always been done that way.

When viewing the Enterprise as a complex system, failure to understand the complex nature of risk is itself the greatest risk of all. We cannot predict all failures and cannot model all successes. Pull one end of the spaghetti and all sorts of interesting things start to unravel and fall off the plate. What is good news for one authority may represent horribly bad news for another. But the question is, how do we approach this challenging subject to achieve the systemic understanding that the Harvard Business Review suggests?

Just as a system depends upon subsystems and processes depend upon subprocesses, so each perspective of SABSA (What, Why, How, Who, Where, and When) can be modelled as a layer-independent dependency chain where each dependent element sets the requirements for each dependency, and each dependency meets the needs of each dependent element. At the same time, we can understand the inter-relationships between the perspectives that often present real-world risk tensions or conflicts.

By using this technique, we can more clearly identify complex relationships to articulate clear risk context, empower accurate, meaningful control and enablement decisions strategically, tactically and operationally, and identify true risk owners and decision-making authorities.

In today's landscape of increasingly sophisticated and persistent cyber threats, it is crucial for organisations to leverage Cyber Threat Intelligence (CTI) and effective effectively integrate CTI in to other business units (downstream consumers) such as risk functions, Internal audit, architecture, engineering, sec-ops, security testing, SOC, to enhance the collective decision-making capabilities of the organisation. This presentation emphasizes the importance of leveraging CTI more directly and efficiently in decision making processes with an organization to achieve the desired business outcomes. Attendees will gain valuable insights into the practical steps and best practices required to strengthen their organisation's defenses by integrating CTI within their existing security infrastructure. The following topics will be explored in the presentations.

• - Understand your organization's business and resulting security objectives
• - Understand your downstream organisational consumers and contextualising CTI
• - Define CTI goals and requirements based on security objectives
• - Identify and integrate CTI sources
• - Establish data collection and processing
• - Develop intelligence analysis capabilities
• - Enable threat intelligence sharing and its integration with risk and technology governance
• - Integrate CTI into security operations / incident response
• - Implement CTI led threat hunting capabilities.
• - Foster collaboration and cross-functional engagement
• - Establish feedback loops and continuous improvement
• - Stay updated and adaptive

The ever increasing reliance on technology has drastically shifted how organisations function. The interconnectedness and convergence of the digital solutions, together with the business opportunities they bring, increase the number of critical failure points. The latter explains why regulators, across the globe, have been particularly active in this topic and consequently resilience has become the latest global hot topic in many sectors.

A key premise of building cyber resilience is to develop an in-depth understanding of ‘what is materially important’ for the business. Analysing the important business services into the processes, technology and people defines the quantitative and qualitative characteristics of those assets which need to be preserved even during a successful cyber attack.

This presentation will demonstrate how SABSA methodology can be leveraged to capture the business context and how the business context in turn becomes a strong foundation to build a robust cyber resilience. Instead of addressing the challenge from a theoretical point of view, real-life use-cases will be presented from the financial services and energy sectors. Emphasis will be given on the operationalisation of SABSA methodology to capture the idiosyncrasy of the organisation, demonstrate the relevance of the security services, model the security posture and become the conduit that brings together the risk management framework, threat scenarios, control library and operational controls.

Over the last two years, Axenic has embarked on a journey to modernise aspects of its Governance, Risk and Compliance (GRC) offerings. Almost one million dollars later, coupled with numerous scars, Axenic became the first Archer IRM customer to multi-tenant a single instance of the platform for small and medium customer. This is not the end of the journey, it is the tip of the iceberg.

This session is an automation vs modernisation discussion exploring what to automate (or not to automate), and how to modernise GRC. Axenic will share successes, failures and expensive lessons learnt throughout the process. Whether you represent an organisation that is trying to automate their GRC tasks, and consolidate their governance, risk, assurance and compliance data, or a provider trying to offer modern services, this session should help save you time and money. Even if you are at an advanced stage of your GRC modernisation journey, discussions could enrich your experience, or you may have some lessons to share.

In your security architecture quest have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions often have an answer that ultimately resolves to the response, “it depends”. This is because most of the time it is true, the answer to your question/problem depends on your situation and what you are trying to achieve. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start with the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Any SABSA Master’s in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the “COSAC way” there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

The Victorian Protective Data Security Framework (VPDSF) is a beast. It’s not just a simple moon, it’s a fully operational space station with all the bells and whistles. All Victorian public sector organisations must report to our Information Commissioner, every two years, on its compliance and maturity against the VPDSF.

Across its 12 standards and 95 elements, it really provides a window into an organisation’s internal operating environment and demonstrates clearly how seriously (or otherwise) organisations are taking information security. It’s like a tractor beam, pulling in several disciplines and there’s literally nowhere to hide. As I audit these firms, I walk a fine line between a Darth Vader compliance approach, and a Yoda-like helpfulness in really unpacking how they need to approach the VPDSF, to understand what it could do for them.

This paper will demonstrate how, by taking the VPDSF seriously, organisations can chart a course that protects them from being abandoned on the outer rim of information security governance, and instead could take them to the stratosphere in terms of compliance and maturity.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC. Now, returning to APAC, is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

• - Electronic submission: Send email to the rump session chair David Lynas at [email protected]
• - Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 28th February.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

For this iteration of the Forum, we feature a group of experienced, smart, tough, honest, politically savvy, creative, resilient, reality-grounded, and, of course, good looking professionals to address the existing and emerging set of information security problems and issues. Recognize yourself? Always learning, willing to listen to and learn from others who’ve encountered things you might not have, not shy about sharing strategies and techniques, and committed to our strange and but very necessary profession.

With minimal moderating by an ancient security geek, a roomful of you and your peers will analyze current events, trends, publications and situations NOT to admire the problems, but to craft possible solutions based on multiple universes of knowledge and experience. It’s a half-day immersion in the COSAC way. Moderator questions or comments on associated issues might engender wildly divergent reactions from attending professionals who experienced a similar event, but had different constraints or objectives or working tools or eventual outcomes. The moderator tries to avoid getting in the way, allowing participants to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

In past Fora, we solved the information security problems of the world. Unfortunately the world allowed new problems to arise and blossom. And some we stuck stakes into the hearts of didn’t stay down and buried. Join us and help solve the current and maybe future information security problems of the world.

An intriguing session that will attempt to re-orient the mindset required to undergo a Digital Transformation. In an unusual manner (not about just technology or apps) this session will provide real world insight and experiences as it relates to the following:

• - The drivers of why we have to undergo Digital Transformation.
• - The thinking required for a Digital Transformation.
• - The Organizational Shift to a Digital Transformation.
• - New ways of marketing.
• - New ways of Hiring.
• - Technologies at play that enable Digital Transformation.
• - Interactive practical activity on how to digitize something that’s highly physical and manual in nature.

Traditionally Information Security is the department of no while using SABSA focuses on business opportunity risk and transforming it to yes. This presentation looks at how Improv skills for expanding and continuing the scene can be used to increase value in Tabletop exercises.

This material is relevant and timely as cyber risk insurers ask if tabletop exercises are conducted, external audit firms look at scope and reports from tabletop exercises, and the business looks for tangible results from exercises that use many hours of valuable human resources.

This unique presentation will show how to strategically leverage a tabletop exercise scenario and expand upon it using the Improv techniques of “Yes, And” and “No, But” to overcome scenario objections, get participant buy in so that they also expand upon the premise, address unrealistic recovery options, and keep creativity in the solutions proposed. Making tabletop exercises fun and producing more relevant and actionable results is the optimal outcome.

The approach of this session will be interactive with the attendees being called upon to participate in portions of a mock exercise leveraging Improv to show the value of using this novel approach and adding fun to what can otherwise be a compliance ritual.

Returning for a 4th year, this design-off will present a new and engaging set of challenges. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real client scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. This year we have several tweaks planned based on feedback from past attendees that we think will further enhance the experience!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in a ways that most effectively meet the client’s needs. Each year’s winners proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client. There can be only one winning team, however all participants will learn from the experience. Where else can you see how different groups of high level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn Page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

A new unique presentation from the viewpoint of two CISOs from different continents. Leveraging and sharing their experiences, their thoughts on the direction that the role of CISOs is taking, and what someone considering the role should be aware of before taking the leap. In addition both of these CISOs will share how they have leveraged SABSA in their roles and why it is critical to the success of the CISO, Information Security, and the Business.

This material is relevant and timely addressing the changing CISO role in light of Solarwinds CISO’s monthly legal fees tied to the 2020 breach, the CISO from Uber being sentenced to prison by a US Federal jury, the CEO from Drizly being held accountable for security failures and similar to how the American Sarbanes Oxley Act changed the face of Financial Governance across the world the U.S. Securities and Exchange Commission finalized cybersecurity Rule has the potential to have seismic impacts to the Cybersecurity profession.

The value of this session is assisting those considering becoming a CISO, new CISOs, or those who work with CISOs understand considerations for success with an approach that is both presentation and a discussion between the CISOs and audience.

Do you want to learn to build a functional incident response exercise?

Perhaps you’d like to have clear and measurable exercise goals and performance reporting. The kind that will endear you to your training team and produce clear and actionable reporting. Good news, we can do that together. After all it’s dangerous to go alone.

The workshop will provide attendees with both support and guidance in developing a plan for a simple incident response exercise. Attendees will be walked through the process of making key decisions and creating usable exercise documents. The workshop will include an introduction to exercise concept development, scenario planning, exercise logistics, communication plans, effective evaluation and post-exercise reporting.

Attendees will leave with a usable exercise plan that will be relevant and usable within their organisation. A selection of video and print resources will be made available for attendees to explore and utilise post-workshop.