Welcome to COSAC - Conferencing the way it should be!

For 26 years COSAC has delivered a trusted environment in which to deliver value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Monday 2nd December 2019

COSAC APAC 2019 Welcome Dinner

18:45 Drinks Reception
19:15 Dinner

Tuesday 3rd December 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 1A: Using SABSA to Architect Zero-Trust Networks Part 2 Speaker(s): Chris Blunt

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.

At COSAC APAC 2017, I presented a session discussing how to apply SABSA to architect a zero-trust network. This session explored the basic concepts of zero trust networks and showed how SABSA was used to deliver an Enterprise Security Architecture (ESA), which included a Conceptual Architecture for a zero-trust network.

But what has happened since then? Is it practical for an organisation without the resources of Microsoft, Amazon Web Services and Google to adopt these concepts? This session seeks to shed some light on this by building on the original sanitised NZ organisation case study.

This session will provide a brief overview of the zero-trust concepts, together with the pertinent details from the ESA and the Conceptual Architecture before exploring how they were used to develop and implement a solution architecture using cloud services, discussing the real-world challenges and how they were overcome.

Finally, if time and the demo gods permit there will be a demonstration of how zero-trust networks can work in the real-world using a replica of the NZ organisation’s implementation.

09:30 1B: Digital Identity - The Core of Digital Transformation Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.

The objective of the session is to illustrate how Digital Identity is a fundamental enabler for digital business strategies, underpinned by a customer Identity and Access Management capability.

The session will cover aspects relating to emerging business drivers, customer user stories, the new security stack required for Digital Identity that satisfies business objectives, as well as an architecture model required to synergise the use of identity.

In addition, the session will also provide insight into the future of identity, leveraging emerging trends and technologies.

10:30 2A: SABSA in Mission Critical Systems Engineering Projects Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect, Thales (Australia)

Alex is a Senior Security Architect within Thales Australia's Cyber Security team with 20+ years' experience in Information & Communication Technology in the defence (national security), critical infrastructure and financial services sectors. Alex's role is to provide specialist security advice, design decisions and engineering review to enable projects and Thales' customers to devise, develop, acquire and maintain reliable, secure, accreditable and economically viable technology solutions.

The discussion of architecture frameworks and mission critical systems often misses the ‘elephant in the room’, since it excludes the use of system engineering practices to deliver large, complex solutions. This is counter-intuitive, since architecture frameworks were originally conceived to deal with complexities in the delivery of systems and outcomes, and were often derived from system engineering principles.

Although the SABSA training content does highlight the system engineering pedigree of the SABSA framework and methodology, many SABSA trainees and practitioners are unfamiliar with the formal practice of system engineering. This often results in a great deal of misunderstanding when architects from an enterprise ICT background join an engineering organisation.

As a SABSA practitioner working in a System Engineering organisation and on large scale mission critical systems, I have developed a depth of experience and insights into the application of SABSA architectural practices and methods within the framework of system engineering and the challenges of integrating into a system engineering organisation. Often these challenges highlighted that non-technical considerations were just as important (if not more important) than purely technical considerations.

The presentation will familiarise SABSA practitioners with the practice of system engineering and its application to mission critical systems. It will provide guidance in applying SABSA methods in a system engineering context. This presentation is an example of how to apply SABSA security architecture practices even though the engineering / technical organisation has not ‘mandated’ the use of the SABSA framework.

10:30 2B: Understanding Trust for Digital Identity Speaker(s): Andrew Stephen

Andrew Stephen

All of Govt Enterprise Architect, Dept of Internal Affairs (New Zealand)

Over the past three decades Andrew has worked across many aspects of the information and technology industry, from deeply technical to security management and architecture. Today Andrew has a focus on improving security practice and the relationships between security functions and their organisations. His current work contributes to development of New Zealand government digital strategy and nationally significant digital service. 

In late 2018 New Zealand's government began an ambitious project to develop a trust framework to establish the future environment for the digital identities of New Zealanders. With a list of stakeholders that potentially includes every New Zealander and NZ organisation - as well as off-shore entities which transact with New Zealanders - the task of understanding the outcomes and attributes necessary for a successful and trusted digital identity ecosystem looked overwhelming. As the Enterprise Architect for this programme Andrew Stephen began by formulating an approach to shaping a trust framework that focussed on the diverse outcomes needed for the many stakeholders to confidently participate in the future ecosystem, and determining the dependencies needed to achieve them. In this talk Andrew will explain how he developed this approach and will also give an overview of the findings and how these are being reflected in the trust framework itself.

11:20 - 11:40 Morning Coffee

11:40 3A: The SABSA Minimum Viable Product Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with over 20 years in multiple sectors including retail, hospitality tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

One of the most common questions that befalls a newly minted SABSA architect is “Where do I start?” And it’s not just SABSA neophytes faced with this problem ‒ we have all struggled in some way with delivering effective value whilst justifying the lengthy time and breadth needed to develop (often nascent) enterprise security architecture, particularly when first joining a new organisation where the SABSA practitioner has to produce the goods to make it through their probation. So where do you start? And more importantly, where should you be spending your precious time and energy, particularly during those first crucial months in a new role when all eyes are watching you in silent judgement of your level of competency and effectiveness? Taking inspiration from the much-heralded approach by the Australian Signals Directorate (ASD) in producing the Top 4 / Essential 8, this entertaining, thought-provoking and, no doubt, controversial presentation proposes a core set of architectural ‘products’, and the minimum criteria they must meet, that the Enterprise Security Architect needs to focus on in order for their efforts to be rightly deemed ‘security architecture’ in the eyes of their peers, as well as to allow the budding architect to pass probation and keep their job!

11:40 3B: Cyber Enterprise Modelling Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Lavender Bytes Consulting (Belgium)

Steven is an SCP with 10+ years' experience in the SABSA methodology. He works as an independent Security Architect and has developed a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018 and authored a paper for the SABSA Institute.

Scaled Agile methodologies are increasingly turning to Model-Based Systems Engineering (MBSE) as a cost-effective paradigm for maintaining the coherent, up-to-date design documentation necessary to support rapid delivery of software projects.

But as the scale and complexity of these projects increase, these models should expand beyond the logical layer, not only to place software in the wider context of business, technical and in particular, security architecture, but to fully integrate all aspects into the Agile Enterprise.

In this introduction to Cyber Enterprise Modelling, Steven will explain and demonstrate a practical approach to the creation of such models using a security overlay for the ArchiMate notation.

The presentation will go beyond the first base of creating quality holistic documentation, efficiently and at Agile velocity, to show how such models hold out the prospect of automated analysis and validation: CI/CD, in other words, being applied to architecture as well as code.

12:40 4A: Security Architecture in 3 Steps Speaker(s): Ross MacKenzie

Ross MacKenzie

Head of Security Architecture & Design, Westpac (Australia)

Ross MacKenzie is the Head of Security Architecture & Design at Westpac Banking Group, and is responsible globally for the delivery of security architecture, design and security capabilities. Ross has over 15 years of experience in the information security field, and is based in Sydney, Australia. He is also SCF & SCP certified.

Security is considered by many to be a blocker, often with accompanying complaints that Security Architecture decisions take too long and don't often align to enterprise business strategies.

WBC decided to transform its security architecture practice by adopting the Lean and Agile principles of breaking silos, measuring everything and providing quick and immediate feedback to learn and improve.

In order to improve our security architecture practice, we decided to take on the following ambitious goals:

• Enable faster and more effective decision making by ensuring that all Security Architecture decisions and deliverables are completed in 3 days
• Ensure that work flows through our structured Security Architecture pipeline without interruptions or blockers
• Enable continuous compliance and security by continually verifying, correcting and adapting

In this talk, we will go through the following 3-step process to build an Agile Security Architecture capability in order to reduce process and lead time:

1. Establish Enterprise Security Architecture principles, guardrails, patterns and metrics to ensure alignment with enterprise strategy
2. Build a security architecture pipeline by adopting Lean & Agile principles:
   • Break silos by building cross-functional teams
   • Divide work into small, manageable work packages
   • Develop quality metrics
   • Improve visibility of work
   • Provide quick and effective feedback
   • Optimise the flow of work and remove bottlenecks
   • Automate, monitor and optimise; enable business and technology to be autonomous
   • Enable reusability and standardization through:
     • Security patterns & building blocks
     • Externalised security services, e.g. EAM, KMS
3. Build an effective Security Governance capability by incorporating continuous security and compliance

In the end, we will bring all the theory into practice by going over a sample case study.

12:40 4B: Vendor Engagement in the Security Ecosystem Speaker(s): Nigel Hedges

Nigel Hedges

CISO, CPA (Australia)

Nigel Hedges has been in the local Australian/New Zealand IT Security industry for 20 years, having spent a lot of time in the information security vendor and customer sectors, across security consulting, analyst and management roles. Nigel is currently the Information Security Manager (CISO) for CPA Australia, but spent several recent years as the Enterprise Security Architect for a large national Australian & New Zealand retail organisation.

An open-floor panel discussion with an opportunity for delegates to both share opinions and ask questions of some senior Information Security leaders in the market. The session will be facilitated by Nigel Hedges, Head of Information Security, and joined by representatives from both the supply side of our industry and CISOs from the industry. It promises to be an interesting exploration of the challenges and opportunities for vendors and suppliers to play a more enabling and valuable role in the security ecosystem that Security Architects and leaders are trying to build.

13:30 - 14:30 Lunch

14:30 5A: Architecting Design for Trustworthy Software (DfTS) Speaker(s): Malcolm Shore

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

The SABSA methodology provides a framework for security design but as with other standards does not specify any specific process to use. This presentation looks at the Design for Trustworthy Software (DfTS) approach to product design, and aligns it to the SABSA Framework. DfTS incorporates the best practices and features from a number of earlier development methodologies to ensure customer-driven design, and provides a context for deploying software quality management schemes. We will conclude with some insights into translating secure design into secure code by using the relevant elements from the Correctness by Construction methodology.

14:30 5B: Penetration Testing for the Grizzled Veteran Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

If you’re not doing it, someone else is doing it for you, and they’re not delivering final reports or checklists. Even those innocent souls and naïve managers who haven’t yet been hit (more accurately, who think they haven’t been hit) have heard enough horror stories from us and their contemporaries that they're almost convinced that penetration testing is a necessity. But they truly don’t know what effective penetration testing in 2019 and beyond requires and entails. They’re uneasy about the whole concept, don’t really know where to start, and they have no reality-based ideas about what to expect for an outcome. You, a grizzled veteran and COSAC APAC delegate, know why and how and what to expect. But Ransomware, Spearphishing, nation-state hacking, massive breaches, IoT, GDPR, Big Data Analytics, Cloud computing and BYOD have opened up new avenues for probing defenses. Calling on the experiences of COSAC APAC delegates in the room, we’ll lay out some absolute rules for pen testing, analyze driving forces, examine realistic testing options, and pinpoint focus areas for testing. We’ll then identify pitfalls to avoid and finish with recommendations to help organizations get maximal return from this complex, expensive, but valuable, probably even mandatory security measure. You’ll be more able to explain the need, concepts and activities of pen testing to those who have final say and budget authority but don’t really understand (or don’t want to know) the why and how.

15:30 6A: Forensic Readiness: Not So Much A Buzzword, More a Set of Attributes Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Firstly I should own up that our choice of title was a shameless attempt to get this presentation accepted into the SABSA stream at COSAC; if we get to read this in the conference schedule we will all know if I have been successful.

My co-author Nick Spenceley and I have for many years spent much of our time examining digital systems that have been the subject of compromise. In the early 2000s, together with another colleague, Vince Gallo, we were among the first in the UK to promote the phrase “Forensic Readiness” as a measure of an organisation’s capability to preserve, collect, protect and analyse digital evidence to a level of rigour and correctness necessary for it to be presented and used in legal matters ranging from internal security processes to criminal trials in a court of law.

While the terminology was new, the underlying requirements had first been identified and then enshrined in Australian Government mandatory compliance statements for (new) IT systems many years before. We cannot say how effectively those requirements had been implemented over time but we wish that others had followed Australia’s lead earlier.

Typically at that time, the scope and interfaces of most IT systems could be readily identified and mapped and the ownership of relevant domains and associated policies confirmed; as a result it was relatively straightforward to define how the forensic readiness requirements would be complied with.

The environment in which we operate today is clearly very different. Cloud computing, and in particular the provision of Software as a Service, is ubiquitous, and the practice of digital forensic analysis now has to span a wide variety of elements including, at one extreme, physical devices such as laptops and mobile phones, dedicated servers and networking equipment, and at the other, virtualised elements owned and operated by third parties that might, at worst, disappear pending an investigation. It is rare now that a commercial client of a cloud services provider can mandate their own forensic readiness requirements; typically, at best, they get to choose from a variety of levels of audit data that the provider can make available.

So what do these changes mean for us? In this session we would like to explore how Forensic Readiness levels generally, in our opinion, have been eroded in some cases leading to failure of a company’s ability to properly investigate and remediate security compromises; and how we might regain the initiative - maybe we could use SABSA attributes to assist ... it’s all up for grabs in this highly interactive session. Dress to impress.

15:30 6B: Ethics in Social Engineering & Penetration Testing Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Healthmap Solutions (USA)

Kathleen Mullin CISSP, MLSE, CCSFP is an influential information security practitioner with more than 30 years of experience. She has been a CISO at various publicly traded, private, not-for-profit organizations, and governmental entities including HealthMap Solutions, WageWorks, Healthplan Services, Adventist Health, and Tampa Airport. She has a BSBA from St Joseph’s College Maine and an MBA from Florida Metropolitan University.

Ethics in social engineering is frequently left up to the individuals involved, sometimes with disastrous results; without ethical boundaries, people’s lives can be destroyed.

This discussion covers best practices and the potential adverse impacts of unethical behavior. Why should the Social Engineer care about the target, and why should the client care about the Social Engineer’s ethical values and approach?

What is the difference between morals, ethics, and culture? Why do those distinctions matter? Let’s look at the equivalency with testing on human subjects.

Decision making of the client, and how they make those decisions. Who should they hire?

Also, the importance of trust. Can or should you terminate an employee based on the information that is garnered during the Social Engineering exercise? If an employee is terminated, what is the impact on trust relationships?

Rules of engagement, setting expectations, and outlining ethical behavior. Decision making of the Social Engineer: what to do when OSINT finds sensitive information, or when the engagement goes wrong and there is the temptation to cross the line.

What to do when it all goes wrong even with good intentions. What should the outcome of a Social Engineering engagement be after the report is issued?

16:20 - 16:40 Afternoon Coffee

16:40 7A: Using SABSA to Design a Cyber Security Strategy Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Executive Consultant, Envista (Australia)

Michael is a Cyber Security Adviser with Envista providing high level assistance on Cyber Related matters. He was formerly the CIO and CISO at the Australian Department of Finance where he had executive responsibility for ICT as well as physical security within that agency. He has previously held senior roles with government agencies including Department of Foreign Affairs.

The SABSA architectural methodology has a number of tools, techniques and frameworks that can help IT Security professionals understand the challenges they face, present and discuss with their executive and stakeholders when building and progressing a Cyber Security Program.

Fundamentally, a strategy is a document that sets out how you plan to achieve a series of long-term objectives.

Within Cyber Security our objectives must be closely aligned with those of the ICT group and, just as importantly, with those of the business as a whole.

If our Cyber Security Strategy isn’t helping the Business or ICT meet their objectives, then we will struggle to articulate our relevance and we will find it difficult to get budget. On the other hand, when our strategy clearly aligns and strengthens the business we are viewed more as a partner.

This presentation will cover a few of the basics of SABSA, provide you with a framework for a Cyber Security Strategy and then demonstrate how understanding and applying some key techniques from the SABSA tool kit can assist you in developing and presenting a coherent and aligned Cyber Security Strategy that the business will understand.

16:40 7B: DevSecOps: Enterprise Automation - Challenges & Approaches Speaker(s): Rahul Lobo

Rahul Lobo

Director, Ernst & Young (Australia)

Rahul is an experienced Cybersecurity professional with 15 years of experience, including 10 years managing a high performing cyber security team involved in attack and penetration testing. Rahul consults in attack and penetration testing, application security, security controls automation, DevSecOps, Cloud Security, vulnerability management, IT security risk management and mitigation, IT security remediation, security architecture and security consulting.

Digitally disruptive technologies are rapidly converging. These technologies are fundamentally shaping value propositions and operating models.

In order to compete in the digital economy, enterprises are increasingly competing on time-to-market. The pace of change observed in digital solutions necessitates that security be built in instead of bolted on.

New threat landscape

  • Technology disruption is making online services more open and accessible to customers and attackers alike.
  • The advent of the connected world, and the inherent interconnectivity of people, devices and organizations, opens up a whole new playing field of vulnerabilities.
  • Critical information assets of organizations are more exposed to targeted attacks than ever

Quick iterative releases

  • The typical sprint cycle for technology deployment is less than 30 days, compared to 6-12 months for a Waterfall SDLC
  • Short, time-boxed development iterations of small functional stories
  • Traditional security activities such as manual penetration testing don’t fit short iterative sprints
  • Development teams are only focused on the changes for that iteration

Automated tools challenge

  • Tools need to be configured and tuned to get adequate coverage of critical application functionality and different testing strategies need to be used
  • Too many different types of tools and approaches available
  • Too many false positives from traditional security tools for the developer to deal with

In response to the challenges of including security testing in DevOps pipelines, and the requirement to perform automated security testing early in the development lifecycle, EY developed a platform that can infuse automated security testing into development pipelines. The team leveraged the SABSA framework to define the business problem as well as to drive the business case for development of the platform.

The solution overview will look at various approaches to automated testing, their benefits and weaknesses, and the stages at which each is appropriate. The presentation will also share case studies of successful integration of these approaches in large enterprises, as well as typical challenges and how we overcame them.

Plenary Session

17:40 8P: Moving Security to the Left - Putting the Sec in DevSecOps Speaker(s): Debi Ashenden

Debi Ashenden

Professor, Deakin University (Australia)

Debi is Professor of Cyber Security and Human Behaviour at Deakin University & a Director of Industry Research for Deakin’s Centre for Cyber Security Research and Innovation (CSRI). Debi is also a Professor of Cyber Security at the University of Portsmouth (UK) & a visiting Professor at Royal Holloway, University of London. She is Programme Director for Protective Security & Risk at CREST (the Centre for Research & Evidence for Security Threats.)

With the move to continuous integration/continuous delivery and agile software development, shorter cycle times have led to initiatives such as DevSecOps that aim to integrate security with software development. While there are now processes and frameworks to support this integration, motivating software developers to develop secure code is a cultural and behavioural problem as much as a process issue. To develop a successful DevSecOps team requires security practitioners to understand the cultural and behavioural aspects of software development in order to successfully ‘shift security to the left’.

This talk starts from an illustration of the problem in a real-world setting before presenting research carried out with software developers to understand software development as a social practice. We look at the barriers and incentives that can hinder or help the integration of security with software development, including code analysis, code reviews and the culture of open source development. The final part of the talk will be a facilitated discussion to outline interventions that are more likely to ensure the successful implementation of DevSecOps and secure software development.

Networking & Dinner

18:45 Drinks Reception
19:15 Dinner

Wednesday 4th December 2019

09:00 - 09:30 Delegate Registration & Coffee

09:30 9A: Architectural Arms in Anger Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with over 20 years in multiple sectors including retail, hospitality tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

“Politics! Politics! Politics! Politics! Politics!” – Mel Brooks, History of the World Part I

A wise, pelvic-thrusting sage who possessed the power to render others infirmus ad genua (weak at the knees) once uttered these famous words: “War, woo woo woo, what is it good for?” The same might not only be said for corporate politics, but to also go on to observe that he/she that has a stomach for corporate politics is truly a sick, sick individual. Similarly, a somewhat well-known carpenter once said “where two or more gather in my name, I am there”; in the same way, it might also be said that “where two or more work in an organisation, the potential for corporate politics exist”. But! Hear me, O People of COSAC: I bring you a new euangelion of good news and glad tidings! Rejoice and be glad, for there is a way to emerge from the political quagmires of your corporate sin: that way is called Practical SABSA! In this session, a real-life case study is presented to the forum in detail to demonstrate the practical power of SABSA to defeat evil and win over the people to the cause of righteous bodacity.

09:30 9B: Customer Service, Disservice or Self-Service Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Information security professionals do not have it easy. Public or private sector, we must serve our internal and external customers well while providing appropriate security. But don’t even think of slowing down crucial business processes or services. And isn’t the customer always right? “Why are you security people so difficult to deal with? Jeez, It’s like an Asperger ward. Don’t you realize we’re trying to run a business … in a competitive environment? And why the heck do we need so many security people? Can’t we automate some of this stuff and let the users take care of their own security setups and changes?” Experienced security professionals (that’s us) have heard this and worse in their careers, and usually admit that there might even be a bit of truth in some of the complaints.

We’ll analyze the situation on both the service provider (that’s us again) and customer sides from a security perspective, emphasizing the need to understand the viewpoints of those we must deal with. We will also analyze complications and particular difficulties inherent in doing anything that provokes as many potential conflicts as information security. Customers want what they want, they want it now, and they don’t want to hear that what they want represents a significant risk to the organization. We have to remember the function of the organization, and we want to serve our customers well, but we also understand that our responsibilities as security professionals are to safeguard organizational assets. COSAC APAC veterans all know that sometimes that means protecting users from themselves. In this session we’ll provide specific recommendations for actions that will help Information Security fit customer service principles and resolve conflicts.

10:30 10A: The Evolving Security Architect Speaker(s): Nigel Hedges

Nigel Hedges

CISO, CPA (Australia)

Nigel Hedges has been in the local Australian/New Zealand IT Security industry for 20 years, having spent a lot of time in the information security vendor and customer sectors, across security consulting, analyst and management roles. Nigel is currently the Information Security Manager (CISO) for CPA Australia, but spent several recent years as the Enterprise Security Architect for a large national Australian & New Zealand retail organisation.

Security Architecture can have different objectives and functions within an Information Security and Risk practice. There are various factors that influence how security architecture is approached, including organisational size, industry sector and risk profile.

This session will begin with an opinion on the evolving security architect role in different parts of the world (taken from independent survey), and the typical activities we have come to expect from this function. A retail case study will detail a particular practical approach and perspective to strategy, security programs, frameworks and security service catalogues.

The session will also discuss some of the perceived challenges (from real-world experience) such as the disconnect between the CISO, Security Operations, the vendor ecosystem and the business, how that can manifest itself, and recommendations on how you might improve these relationships.

10:30 10B: Dealing with BS: Adversity and the Security Practitioner Speaker(s): William Schultz

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Let’s face it, things don’t always go the way we plan. Being a security practitioner is difficult enough with the constant evolution of threats and attackers, and an ever-changing IT landscape. It also doesn’t help that there are so many other ways that things can go wrong. Budget cuts, personnel changes, organizational changes, competing agendas, simple miscommunications. Shit happens. We also deal with other challenges like figuring out where to start, getting organizational buy-in, training up teams, and working with others who are involved in or control other parts of the process. These are a few examples of adversity that we face, and that as security professionals we must be prepared and able to deal with if we want to be successful. In this session we will discuss strategies for coping when things don’t go as planned. We will discuss several real scenarios, including what worked and didn’t work, and we will engage as a group to discuss other approaches and experiences.

11:20 - 11:40 Morning Coffee

11:40 11A: Creating a Digital NBN in Bahrain: Solving a Complex Engineering Challenge with SABSA Speaker(s): Abubakar Arshad

Abubakar Arshad

Head of Technology Security, Batelco (Bahrain)

Cyber Security Strategist with 14 years of experience in Cyber Security strategy development, data privacy, and CERT design and implementation. As an Advisor to the Telecommunication Regulatory Authority in Bahrain, he has led the Cyber Security policy and strategy for the Telecom Sector. He has played a leading role in drafting the Telecom Data Privacy Cyber Security Regulation in Bahrain. Abubakar is currently the head of Technology Security in the leading Telecom Operator in Bahrain.

The separation of the incumbent Telecom Operator in Bahrain and the creation of the National Broadband Network is a strategic step towards achieving the vision of a digital society. This also implies that the newly formed NBN will need to build its own ICT infrastructure and has the opportunity to adopt cloud for innovative, efficient and agile operations. This presents a challenge for security: to ensure that the governance, management and operations of security are efficient and agile at the same time.

This presentation provides insights into how SABSA continues to help the organization in:

- Designing a SABSA aligned governance framework tailored for the organization’s context

- Developing business aligned security strategy that can help the organization transition into an evolved security state

The presentation also illustrates a case study of how the application of the SABSA Governance Model helped identify significant security gaps in a business-critical service that was previously considered secure.

11:40 11B: Mental Health and Information Security Speaker(s): Simon Harvey

Simon Harvey

Senior Enterprise Security Architect, Bank of Queensland (Australia)

Simon is a Security Professional with 20+ years of Security-related Academic Research, Business & Management experience. He is currently an Enterprise Security Architect at a large financial services organisation; and is trying - slowly - to overcome his natural shyness by becoming more involved within the local InfoSec community. In addition to being extremely late at submitting his SABSA Advanced exam, he has been part of the organising team for AISA's BrisSec Conference since 2017.

The Consulting, Digital, Information and Technology industries traditionally have attracted a certain “type” of person: detail-oriented, technically very literate, perfectionist, with stereotypical character traits that give us (un)flattering labels such as nerds and geeks and the reputation of not being “people” people. However, all of us are people. And people go through ups and downs in their lives, and suffer poor mental health. It’s normal – anxiety, depression, bipolar disorder, right up to more serious areas of severe mental illness such as psychosis, substance addiction, attempted and actual suicide.

Just like poor physical health, poor mental health is a disabling condition that affects our own quality of life, as well as that of those around us. Men tend to suffer at younger ages, self-medicate with alcohol and drugs and cause themselves permanent disability or death. However, further research in this area seems to indicate this affects women a lot more from the early 40s … and the suffering is longer, right through to the end of natural life. Women don’t appear to take the easy way out, so suffer long-term with this.

We need to have a conversation within the Information Security Industry of how we can identify, support and help each other through these ups and downs; but also identify what we can practically do to support each other at the community level.

12:40 12A: Understanding the Business of New Business Speaker(s): MZ Omarjee

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative business driven and risk oriented discipline.

A banking case study that will illustrate how the application of SABSA assisted with:

  • Interpretation of Business strategy to allow for new business models on new mobile distribution channels
  • Identification of attributes to gain a common understanding of business and security requirements
  • Allow the banking business to achieve more with both a set of control objectives and enablement objectives
  • Operational Challenges as it relates to Risk Management
  • How trends and technologies apply for sustainable and through life vitality of new security stack for digital
  • Lessons Learnt

12:40 12B: Business Service Modelling - A Basis for Strategic Security Investments? Speaker(s): Andreas Dannert

Andreas Dannert

Enterprise Security Architect, NBN Co (Australia)

Andreas is an Enterprise Security Architect for Australia’s national broadband network (NBN Co). At nbn he is responsible for defining Security Strategy and Roadmap across the organisation. Prior to nbn, Andreas has worked for Deloitte and HSBC in the role of Enterprise Security Architect, developing Enterprise Security Architecture Frameworks and solutions. Andreas is currently the Research Director on the ISACA Melbourne Chapter board and an industry advisor to various organisations.

SABSA is a powerful methodology for problem solving and has been defined as a structured approach to security architecture development. While SABSA is extremely useful for security architects, it is not always accepted as a common basis across other disciplines, like IT architecture for example. Given that security is an integral part of any business, as is IT these days, documenting and designing business change should utilise a common basis for driving strategic change, including security investments. Business Process Engineering (BPE) and Business Process Management (BPM) can provide such a basis, but usually emphasise processes. Security requires both processes and resources to be considered. Business service modelling might be useful here. This presentation will explore the question: How can we add business service modelling to our security architecture toolbox and utilise it for strategic security investment planning?

Within this presentation we will explore how we can define business service modelling within the security architecture context and why a business service model is a great way of documenting and driving security change in an organisation. We will also look at how it aligns various disciplines and therefore allows us to consolidate strategic business changes with other changes required to support the business as a whole, like security investments. Mature business service modelling can contribute to the success of business process improvement initiatives and to understanding resourcing dependencies, and can be used as a basis for outsourcing initiatives and for strategic security investments. A well-defined business service model for an organisation can highlight the most valuable processes, roles and resources in an organisation. Identifying business-critical applications should become a breeze with a mature business service model, given that applications are just another resource of a business service. Protecting core assets should therefore not be hard either, regardless of whether these are processes, roles, or resources.

At the end of this session participants should be able to understand the value of business service modelling and how it can be utilised to transform an existing enterprise security architecture of an organisation through strategic security investments. This will hopefully provide attendees with another tool in their security architecture toolbox.

In the spirit of COSAC, this session is designed to be interactive and will allow participants to share their experiences concerning the topic or voice their concerns about this idea. Where appropriate, this session will provide attendees with examples of scenarios that might have benefited from a mature business service model.

13:30 - 14:30 Lunch

14:30 13A: Have You Ever Considered Modelling? Speaker(s): Chris Blunt, Hugh Walcott

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.

Hugh Walcott

Director & CTO, StrataMap (New Zealand)

Hugh is co-founder and CTO of StrataMap, an online platform for enterprise architecture and system modelling used by the government, enterprises and cybersecurity service providers. Hugh started his career as an electronics engineer before moving to ICT via the start-up labs of Cambridge UK. Highlights include performing the first ever internet e-cash transaction in 1998 and lead architect on the world’s largest real-time system (mega-city adaptive traffic management system).

“All models are wrong; some models are useful.” — George Box

While George Box is correct, models are only useful if they are both accessible and meaningful to the audience.

We all know that SABSA provides us with a plethora of approaches, methodologies and techniques to develop models that express and capture the business requirements for security. However, it can be challenging to capture all of the information created during the development of the Enterprise Security Architecture (ESA) in a meaningful and useful manner.

The purpose of architecture documentation is to capture decisions. However, the modelling languages that are typically used to express those decisions are not widely understood by the stakeholders that have to use them. Have you ever presented an ArchiMate model to a business owner and seen the blank look on their face? It’s because you’re not speaking their language (i.e. the ArchiMate models may mean something to you, but they don’t mean anything to them.)

Also, when SABSA models are captured in documents, it can be difficult to effectively maintain traceability and reuse them when delivering new services that conform with the ESA. This is because traceability for completeness and justification is usually captured in static diagrams and tables, without the ability to easily visualise the areas that relate to a specific context.

In this session, we will present a platform that enables SABSA practitioners to develop and capture various SABSA models quickly and easily within a web browser. It provides better accessibility of the ESA across the entire organisation, together with two-way traceability and the ability to rapidly filter models to present different security viewpoints by organisational context (e.g. business capability, information systems, etc.).

Finally, we will pray to the demo gods and provide a real-world example of how the platform can be used to capture, present and reuse various SABSA models.

14:30 13B: Threat Intelligence & Threat Hunting Demystified Speaker(s): John Willis

John Willis

CEO, Turnaround Security (USA)

John M. Willis is a Chief Information Security Officer (CISO) for Zermount, currently supporting the United States DHS, and previously for Lockheed Martin supporting The United States Mint. He was also a Principal Information Security and Privacy Consultant for pINFOSEC, supporting U.S. government agencies and private sector companies. Prior to security, as Principal Configuration Management Consultant for Regulus Consulting, John supported numerous Fortune 500 companies for over 10 years.

Deciding which threat intelligence data to acquire, aggregating that data, prioritizing threats and vulnerabilities, then hunting for adversaries on your systems is a rather complex and fast-changing area to understand and keep up with. First, you must identify which types of threat actors present the greatest risk to your business. Then, you need to identify what the specific risks are, and to which systems. With this knowledge you can then know the questions you want answered by threat intelligence data. You must balance the need for strategic versus tactical data. Once you know what threats you are looking for, you then want to begin looking for adversaries on your systems that are using techniques not identified in the threat intelligence data. Specifically, you want to incorporate MITRE ATT&CK technique data. There are other key considerations such as enriching the data, sharing data, utilizing machine learning, and automated remediation.

Threat intelligence data is now consumed in many different areas of the enterprise, by people, processes and technology. Key use cases include monitoring of the web, brand, social media and threat actors, vulnerability prioritization, enrichment, phishing detection, investigations and response, and data sharing.
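The abstract above describes a sequence (which actors matter, which systems they threaten, what to ask the intelligence for, then hunting for what the intelligence does not mention) without showing how the pieces fit. The following Python sketch is an added example, not part of the session or the speaker's material, of one way to turn that sequence into a ranked hunting backlog using ATT&CK technique IDs as the common key. The technique IDs and names are real ATT&CK identifiers; the actor names, the systems, the relevance and criticality weights, which actor uses which technique, and the set of techniques already covered by detections are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed data (assumptions for illustration): hypothetical actor profiles,
# each with an integer relevance-to-this-business weight (1..10) and the set of
# ATT&CK technique IDs attributed to that actor. The IDs are real ATT&CK
# identifiers; which actor uses which technique is invented here.
ACTORS = {
    "ransomware-affiliate": (9, {"T1566", "T1059", "T1003", "T1021", "T1486"}),
    "access-broker":        (6, {"T1078", "T1566", "T1021"}),
    "insider":              (3, {"T1078", "T1053"}),
}

# Constructed data: in-scope systems with a business criticality (1..5) and the
# techniques that are plausible against each one (no phishing against a DB tier).
SYSTEMS = {
    "payments-db":  (5, {"T1078", "T1003", "T1021", "T1486"}),
    "user-laptops": (3, {"T1566", "T1059", "T1053", "T1486"}),
    "jump-host":    (4, {"T1078", "T1021", "T1047"}),
}

# Constructed data: techniques the existing detection content already covers.
DETECTED = {"T1566", "T1486"}

# Real ATT&CK technique names, used only to make the output readable.
TECHNIQUE_NAMES = {
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1047": "Windows Management Instrumentation",
    "T1053": "Scheduled Task/Job",
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1486": "Data Encrypted for Impact",
    "T1566": "Phishing",
}


def score_techniques(actors, systems):
    """Score each technique by summing relevance * criticality over every
    (actor, system) pair where the actor uses the technique and the technique
    is plausible against the system. Higher means 'ask the intel about this first'."""
    scores = defaultdict(int)
    for relevance, techniques in actors.values():
        for criticality, applicable in systems.values():
            for technique in techniques & applicable:
                scores[technique] += relevance * criticality
    return dict(scores)


def hunting_queue(actors, systems, detected):
    """Ranked list of (technique, score) for techniques the intel says matter
    but nothing detects yet: the tactical hunting backlog."""
    scores = score_techniques(actors, systems)
    gaps = [(t, s) for t, s in scores.items() if t not in detected]
    # Highest score first; the technique ID breaks ties so the order is stable.
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


def outside_intel(actors, systems):
    """Techniques plausible against in-scope systems that no actor profile
    mentions. The intel feed will never trigger these hunts, which is exactly
    where an adversary using techniques absent from the data would be found."""
    known = set().union(*(techniques for _, techniques in actors.values()))
    applicable = set().union(*(techniques for _, techniques in systems.values()))
    return applicable - known


if __name__ == "__main__":
    for technique, score in hunting_queue(ACTORS, SYSTEMS, DETECTED):
        print(f"{technique} {TECHNIQUE_NAMES[technique]:<38} score={score}")
    print("not in intel:", sorted(outside_intel(ACTORS, SYSTEMS)))
```

With the constructed data, Remote Services (T1021) tops the backlog because two relevant actors use it against the two most critical systems, while WMI (T1047) appears only in the `outside_intel` set: the jump host is exposed to it, yet no profile mentions it, so it is a hunt that has to be scheduled on judgement rather than on a feed. Swapping the constructed dictionaries for exported ATT&CK Navigator layers or a detection-coverage inventory is the obvious next step.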

15:30 14A: SABSA for SABSA - Using SABSA to Write a Good SABSA Practitioner Exam Answer Speaker(s): Robert Laurie

Robert Laurie

Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Association (AISA) and is a member of the GIAC Advisory Board.

Many SABSA Practitioner candidates look for examples and guides for paper submission, but because the nature of SABSA is to tailor solutions to business needs, it is far better to apply a SABSA study to your organisation than to try and answer questions from a purely academic perspective.

Rob will cover a SABSA-inspired method to extract the critical components of SABSA questions into business attributes. These attributes then naturally lend themselves to quantification through control objectives, performance targets, the SABSA assurance model and the SABSA risk management model, adding vitality and verifying the answer as you are developing it.

Rob was the winner of the 2018 Matt Whelan award for the best practitioner or master’s paper, and in this session Rob will present advice, tips and tricks from the field, helping you present your SABSA study in a way that will receive the greatest share of marks.

15:30 14B: Can AI be used for Fraud Investigation to Reduce the Insider Threat? Speaker(s): Tanya Harris

Tanya Harris

Director, Harrman Cyber (Australia)

Tanya's experience centres on performance psychology and why people do what they do. She holds certificates in Cybersecurity, Mobility & International Cyber Conflict. She is currently working on a research program with Goldsmiths and Oxford University in London UK, testing how AI can rapidly expedite fraud investigation and identify the rising risk of insider threat in order to mitigate such incidents occurring. Tanya is Non-Executive Director of Universal Data Protection.

This presentation is not about detecting threats through network analytics; rather, it uses AI machine learning technologies associated with transaction analysis, natural language processing and breakout detection to detect threats through people’s behaviour. This technology was developed for fraud investigation at the Centre for Intelligent Data Analytics division of Goldsmiths University as development partners of Harrman Cyber. On a small PC we processed 600,000 emails in 2 days, flagging communications of importance to investigators that would go unnoticed by the human eye, and we worked on patterns rather than sentiment, allowing the system to trigger breakouts of importance in multiple languages. This talk will discuss how this technology can be used to prevent insider threat.

At the end of the session participants will be able to:

  • Comprehend the environmental elements that impact insider threat
  • Apply organisational thinking to security
  • Consider the use of artificial intelligence machine learning as a preventative tool to reduce insider threat

16:20 - 16:40 Afternoon Coffee

16:40 15A: A Reference Architecture for Implementing Governance Speaker(s): Malcolm Shore, Maurice Smit

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

Achieving good governance of security is a key requirement for the security functions in many organisations, especially where the implementation and operation of security is federated throughout the organisation and extended out into service providers. There are many governance, risk and compliance tools, but the governance capabilities are generally limited to audit and compliance management and none of them are actually architected to the real needs of organisations. Rather than implementing a tool and calling it governance, we would propose architecting governance, starting with the SABSA Governance Model.

This presentation consists of three parts. The first is to instantiate the SABSA Governance Model in a way which brings together the main activities in the business which contribute to governance. This model is presented across the strategic, tactical and operational lifecycle stages.

The second part is a GRC Reference Architecture that can be used to establish the requirements for an effective GRC tool. We will share the overall GRC landscape for any organisation, and zoom in on the key areas for an enhanced governance capability. This will include the ability to deliver a multi-tier risk dashboard capability and allow integration with existing tools and processes. The Reference GRC Architecture will provide an architectural perspective or viewpoint on the main components every organisation needs for proper Governance, Risk and Compliance to manage and mitigate the risks in all sorts of business domains.

The final part relates to the means of implementing governance in a robust software development model.

16:40 15B: Connections and Reflections Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Every day we use and depend on technical innovations whose origins and development lifecycles often lie lost in the mists of time. In this session I shall explore some paths through which technological change happened and the social effects of those changes on Western society. We will find out why Admiral of the Fleet Sir Cloudesley Shovell inspired a carpenter to solve a navigational challenge, how a discovery of the electrical characteristics of the most abundant mineral found on the Earth's surface helped James Bond in the bedroom, why an 89 year old African American mathematician was inducted into the United States Air Force Hall of Fame in 2018 and why size does matter.

Reflecting on these and other discoveries illustrates how great innovations happened through multi-disciplinary teams working together, listening to and learning from each other - an approach we should consider carefully in approaching cyber security in the present day.

Plenary Session

17:40 16P: COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular closing session to COSAC and the SABSA World Congress. Now making its debut in APAC, it is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at chair@cosac.net

- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 4th December.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Dinner & Networking

18:45 Drinks Reception
19:15 Dinner

Thursday 5th December 2019

09:30 - 10:00 Delegate Registration & Coffee

11:40 Morning Coffee
16:10 Afternoon Coffee

Workshop W1

10:00 The 2nd COSAC APAC Design-Off Speaker(s): William Schultz, Jason Kobes

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs, risk management programs, and developed strategic architectures and technical system architectures. Bill has led risk management & security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI Standards.

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. 

After a successful session last year in Sydney we are taking the design-off to Melbourne! In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide an opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and to set up situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Workshop W2

10:00 The 3rd Annual APAC International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

The 3rd International Forum is a deep-end immersion in the COSAC APAC way. There'll be a room full of dedicated, savvy, scar-bearing security professionals analyzing hypothetical scenarios and actual events from widely different perspectives based on widely different experiences and perceptions of success and failure learned in the trenches. These information security masters offer and rigorously defend their opinions, but are also ever-willing to help others and learn from each other. This leads to reality-based analysis of recent and probable future events and trends from perspectives illuminated by deep and broad information security knowledge and experience. And nobody charges consulting fees.

The moderator describes some actual recent event or prediction of the future or analysis of security-related issues, then comes up with a question or two about associated issues. He might then prod one or more attendees for their take on the issues in question, but more likely, he’ll try to avoid getting in the way, thus prompting participants to discuss topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

It was true when we started the Forum back in Ireland 20+ years ago, and it’s true in Australia rapidly approaching 2020 - “the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis.” Ransomware, cryptojacking, social network privacy and security issues, GDPR, nation-state offensive activity, IoT device proliferation and security, finding and keeping competent help … – the 2019 list of real and potential concerns will no doubt continue to grow and bleed into 2020. Even if we could address them all, we have to keep playing whack-a-mole on the classic security gems that never seem to get fully resolved - password discipline, cloud security, access control, end-point security, policy writing and implementation, awareness and training, … ad infinitum. One of the features that make the Forum so valuable is learning from each other (as grizzled veterans) what we can do and what we can’t – where to focus our limited resources. Trying to do everything at once is a sure prescription for failure.

The discussions and analyses started here in the Forum almost always continue throughout COSAC APAC, often beyond that, leading to unique, realistic and workable solutions to seemingly intractable dilemmas. Leading also to building a network of intelligent, experienced, realistic people you can count on for trenchant analysis and real help. Come join us and help solve the information security problems of the world.

13:30 - 14:30 Lunch

Workshop W3

14:30 Ask us Anything - A Q&A with a SABSA Masters Panel Speaker(s): Chris Blunt,

Chris Blunt

Chief Strategy Officer, Axenic (New Zealand)

Chris is the Chief Strategy Officer at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 26 years of experience in the ICT industry, specialising in security and privacy for the last 14 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives.
William Schultz,

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare, or PCI standards.
Malcolm Shore,

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.
Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

In your security architecture quest, have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to the response, “it depends”. This is because, most of the time, it is true: the answer to your problem depends on the question you are trying to answer. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start from the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Input from attendees will essentially build the agenda for the conversation and we will attempt to cover as many topics and questions as possible. Of course in the COSAC way there will be plenty of group debate and interaction, and no shortage of other experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Workshop W4

14:30 Resilience by Design Speaker(s): Perri Nejib,

Perri Nejib

Technical Fellow - Cyber Solutions Architect, Northrop Grumman (USA)

Ms Nejib has 33+ years of system engineering and program protection experience and 27+ years of technical leadership & DoD acquisition management experience. Currently part of the Advanced Cyber Technology Center (ACTC) as one of its senior engineering consultants & is deployed to the Missile Defense & Protective Systems Division (MDPS) as Cyber Solutions Architect. In this role she supports key programs, serves as stakeholder on MDPS IRADs and provides SSE subject matter expertise.
Edward Yakabovicz

Edward Yakabovicz

Technical Fellow, Northrop Grumman (USA)

Edward Yakabovicz is an innovative technical leader at Northrop Grumman responsible for advanced technologies for enhancing cybersecurity, resilience, and security engineering throughout enterprise, SCADA, and the Internet of Things. He is a cybersecurity doctorate candidate researching the current human capital crisis and inability to staff cyber related jobs.

Part 1 - NATO Resilience by Design

Cyber Resilience (as opposed to merely risk-based approaches) is an ever-increasing topic of interest in literature and in practice, with many nations expressing it in their cyber strategies to apply newer practices in providing system protection from the rapidly changing cyber threat environment. This presentation addresses the engineering-driven actions necessary to develop more resilient systems by integrating Cyber Security/Systems Security Engineering (SSE) into the well-known Systems Engineering (SE) process. This concept, shown in Figure 1 (see attachment), infuses systems security engineering techniques, methods, and practices into systems and software engineering system development lifecycle activities, thus becoming part of the core solution/process rather than an isolated and expensive add-on, bolt-on, and separate task/process. The presentation will be based on a position paper developed on this topic area (see attached); this is intended to be presented and discussed in a forum such as COSAC to allow for audience interaction and feedback on the concept of Cyber Resiliency in the NATO construct. Cyber Resiliency by Design is an important topic area across NATO, and the COSAC/SABSA event will be a perfect forum to discuss and examine current standards and methods in this area and possible implementations. Our intention is for this event to be a catalyst of change for cyber resiliency across NATO.

Part 2 - Measuring Cyber Resilience

This session will discuss new 2019 data on the Igor Linkov cyber resiliency measurement concepts discussed at COSAC 2018. The Linkov concepts describe practical methods to measure cyber resiliency, both negative and positive. The discussion will address changes and new innovative data from the 2019 NATO conference and others. This unique and novel way of measuring cyber resiliency appears to be the only valid method discussed around the globe as a novel and practical measurement practice. The outcome of the discussions should leave attendees with a better and more practical way to measure resiliency and apply it to their subject matter.

Part 3 - System Security Engineering: Whose Job is it Anyway?

A look at current and evolving policy, guidance, and standards surrounding security activities in the systems engineering life cycle. Emphasis is placed on Systems Security Engineering (SSE) and how application of systems engineering (SE) concepts and processes throughout the life cycle is the way to deal with the dynamic and diverse world of cyber threats to a system. This presentation is a follow-on to a previous COSAC Atlantic (2018) NATO-focused brief and will have a focus on the Australian (Pacific) region. The presenters have publications and working group project leadership in this international region on the topic of SSE, published in the International Council on Systems Engineering (INCOSE) Insight Journal. The focus of this research was bringing attention to cybersecurity and the importance of other disciplines in contributing to secure systems. Since that time many of these domains have further developed their own standards, processes and guidance in the area of cybersecurity. What is needed now is a way to take these domain-focused concepts and integrate them into and across a systems life cycle. The best way to achieve this is as part of the SE function. Designing and building secure systems requires a seamless integration of security into SE processes, adopted to constantly revisit, reevaluate, and redesign as part of a risk management process. The framework that will be discussed in this presentation will focus on taking currently evolving guidance in SSE and breaking it down into products and tools for system engineers to easily determine the relationship and value between SSE and SE. In addition, the briefers are now leading the update to the next version of the INCOSE SE Handbook, which will have a chapter dedicated to specialty engineering and sections on SSE/Cybersecurity.
This COSAC session will be an opportunity for COSAC attendees to discuss and help shape the content of the next version of the INCOSE SE Handbook Cybersecurity section(s).

Conference Close

18:00 COSAC Chairman's Closing Remarks Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-fifth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.