A personal reflection of the key take aways from undertaking several SABSA trainings and how it has allowed for a successful journey from Security Architect to Chief Information Security Officer for a large enterprise organisation.

The discussion will highlight the experiences – pitfalls and wins - whilst developing security strategy, security programs, security catalogue, and security teams across 3 different organisations, a retail & manufacturing organisation, a professional membership organisation, and a large enterprise retail organisation. This will be done with reflection on the various learnings from SABSA that have contributed to successful CISO work.

As this is an experience sharing session, it will also touch on the importance of the need for self-care in our profession and the importance of establishing your tribe, and how this played an important part in keeping the speaker energized during the 2020-2023 period.

Kali Purple was released in March 2023 as a free-to-use platform with an initial installed set of tools across the Identify, Protect, Detect, Respond and Recover categories of cyber defence. The initial set of tools came mostly from the existing tools available in Kali.

Since then, Kali Purple has evolved not only as a cyber defence analyst workstation with an increasing number of tools, but also as a server platform which provides easy installation of a range of cyber defence servers. At this stage the main focus has been the operational aspects of cyber defence covering security monitoring, threat hunting, threat intelligence and incident response. In addition, a new tool has been added to the Kali distribution to support the use of Kali Purple as a workshop platform for training cyber defenders.

This presentation provides an insight into building and experiences in using the ELKStack and Wazuh SIEM solutions, the Malcolm threat hunting platform with its integrated Arkime, Zeek, and Suricata tools, the OpenTAXII threat intelligence sharing platform and the OpenCTI tool, and the Velociraptor incident Response tool. It will also demonstrate the use of Kali Autopilot to generate automated attack scripts.

The presentation will give some insights into the current and upcoming wave of activity on Kali Purple, including a case study of using Archimate for SABSA modelling.

This session describes how a SABSA deployment that initially focused on securing change has evolved into an extensive distributed security controls assessment function, spanning both change and run. We also explore how we intend to take this function into the future, including ongoing/continuous controls assessment and the new frameworks we are building.

We start with the back-story of the ‘Secure by Design’ practice at a large financial services organisation in Australia - a practice that was originally inspired by SABSA but has now been operating for over 15 years. We then explore how this ‘Secure by Design’ has evolved over the years, and how it is now delivering value far beyond its initial scope. This leads to a discussion about what might be possible if we continue to extend SABSA beyond Architecture. Finally, we outline our intent for future experimentation.

The speaker has led this program over fifteen years, embedding SABSA at the core of the security architecture function at this large financial organisation in Australia. This speaker helped create and enable a large cohort of SABSA-certified professionals that operated across architecture and security teams, ensuring the concepts permeated far beyond their security architecture roots.

Large Language Model and Generative AI tools are exploding across the news headlines and discussions and capturing our imaginations. Additionally, the discource is full of debate and discussion about the potential risks and exposures of this technology however as with any new innovation or solution, there are always both risks and rewards to consider.

I have been on a journey exploring Generative AI (GAI) especially to understand its capability and how this can be leveraged to enhance and improve the delivery of security consulting and its usefulness to a security architect and want to use this opportunity to share the outcomes of using prompt engineering techniques to generate the below

This presentation will cover the below:

• What are Large Language Models and what is available?

This section will provide a background of the different types of LLMs available such as GPT, LLaMA, Alpaca and guidance on when to use them.

• What is Prompt Engineering

This section of the presentation will cover a crash course on prompt engineering and cover the various techniques of prompting such a zero-shot prompting where the language model is capable of performing tasks without any instructions, few shot prompting where some examples can be provided to steer the model towards in-context learning, chain of thought prompting, graph prompting etc. We will also cover the typical structure of a prompt and the elements of the prompt such as instruction, context, input data and output structure.

We will also cover settings of an LLM such as temperature and top_p which are parameters that can allow for deterministic results or creative results as a result of prompting.

• Specific Use Cases and Prompts – Rapid Prototyping

This section will present different use cases of Prompt Engineering and show specific examples of prompts that can be used. We will also present how LLM Plugins can be used to generate specific outcomes in security. Following are some of the use cases that we will cover

1. 1. Business Process Engineering: GPT4 can be used to create user journey diagrams as well as create visual representations of various business processes.
2. 2. Rapid Prototyping of Security Architectures: GPT4 can be used to rapidly prototype security architectures based on information provided through the prompt.
3. 3. Developing a Rapid Security Threat Model using a Large Language Model:

This part of the presentation will demonstrate how I used a large language model to generate a threat model for a sample organization using the Architecture, Threats, Attack Surfaces and Mitigations (ATASM) approach. This is a method that I regularly use as a consultant to perform threat modelling for my clients.

This method consists of the below steps

Architecture :- Understand the logical, physical and component views of the architecture. We will leverage the modelling and diagramming capability of the language model to develop various diagrams to help visualize the architecture. The LLM also has a capability for writing mermaid code which is javascript based diagramming and charting tool.

Threats:- Provided context about the organization and trained on the format we are using for the threat model, we will leverage the LLM to generate a list of threat agents, their goals, their risk tolerance, work factor etc as well as the methods they would use.

Attack Surfaces:- Once the architecture is modelled in code, given the context about the location and potential vulnerabilities in the architecture diagram the LLM is able to identify potential Attack Surfaces.

Mitigations:- The last step will cover prompting techniques to help draft countermeasures to the identified attack methods that have a legitimate exposed attack surface. We will leverage the LLM capability to ingest a large amount of controls and recommend specific controls from control libraries such as NIST etc. We will also demonstrate how to leverage an LLM to display the controls leveraging models such as the SABSA Multi-tiered control strategy defense-in-depth model etc.

Once the threat model is complete we will analyse the outputted threat model for weaknesses and certain issues such as accuracy, creativity, credibility etc. and how to mitigate them leveraging prompt engineering techniques.

Increasingly, organisations are beginning to double down their investments in digitalisation in order to compete in an even more interconnected world. Digital transformations monopolise the interest of board members globally, aiming to leverage the latest technological advancements to improve the customer experience, automate the value chain, free up resources, discover new revenue streams and operate with greater agility.

The pressing need for digital transformation constitutes cyber security risk as one of the top non-financial risks for organisations across all sectors. It also acts as the main driver for improving the security fabric and strengthening the cyber security resilience. Due to the consequences cyber security incidents have on critical products and services, cyber security investment soars to $1.75T globally.

This presentation will assess the effectiveness of the current practices organisations rely upon to create cyber security portfolios and allocate investment funds. Emphasis will be given on the challenges security professionals face to demonstrate meaningful return of value and maintain the corporate support.

The presentation will then introduce a novel approach on how to optimise security investment by modelling the security mechanisms, analysing the effectiveness of the proposed activities and demonstrating their relevance to business outcomes. Pivotal to achieving this is the need to establish a clear linkage between cybersecurity services and business objectives to both justify actions across the security posture and assess the completeness of the assurance provided. Most remarkably, bridging the gap between cyber security and business serves as an effective communication mechanism that portrays security as a value provider.

Simulation of platforms and systems provides the basis for many important organisational outcomes, such as individual skills training, training users on the specifics of a system, training teams on operational processes, testing operational concepts and system testing and troubleshooting to name a few. The application of simulation concepts is well established in the development and sustainment of physical platforms and systems.

For cybersecurity, there has been increasing discussion about using of “cyber-ranges” and “red -team exercises” to support various cybersecurity objectives and outcomes. It is noticeable that this discussion often lacks the application of basic simulation concepts - ‘what is being simulated’ and ‘what is the simulation being used for’.

This session will discuss the basic concepts of simulation, its application to systems (especially mission-critical and cyber-physical systems) and will explore how it can be applied to systems to deliver cybersecurity outcomes.

Yes, you can be cyber secure and optimise investments! Here's how....

As cyber security challenges continue to mount, organisations are feeling the pressure to keep investing in order to be secure. However, we cannot spend our way out of the cyber threats and risks that are confronting us. This is especially true in an economically challenged environment that currently exists. There are rising frustrations on both the business executive and cyber security sides. Business executives aren't seeing the right return on their cyber investments while cyber teams are increasingly feeling the pressures of keeping up with the workloads and managing burnout. There needs to be a smarter way to address these issues.

This session will look the challenges facing executives and cyber teams and recommend practical, actionable takeaways in the following areas:

• - Formulating a cyber security strategy that is truly business-centric and enables the organisation to be secure by investing proportionally
• - Giving businesses strategic options on investments and resourcing aligned with levels of cyber protection tied to the right metrics
• - Realising cost optimisation and an improved security posture through a holistic approach to security tooling as part of Enterprise Security Architecture

More human interaction now occurs in the digital realm, than the physical realm.

We are utterly dependent on the digital world for our daily lives to function.

Definition: “Digital Safety = where vulnerabilities and exploits on software, cause harm and damage to the physical world and humans.”

In this 3rd episode in the Digital Safety saga, I’ll be further challenging:

• - How can you possibly know the full stack of code and software that runs in a complex system? (For example a fully autonomous rail network).
• - Even if you do know, how can you possibly know that each and every component is secure and tested, and fit for purpose?
• - Who is then liable for that code and the physical damages caused by exploited vulnerabilities in it? The end provider? The software developer? The pen-tester?
• - Then, what about the AI generated code? Are we making the problem smaller, or larger? Both in regards to the quality and vulnerabilities in code, but also who’s liable for the physical damages the AI’s code may cause?

In short, what insights and learnings can we get from trying to build a world of “Physical Safety” into how we provide “Digital Safety”.

My presentation will introduce the concept of integrated business assurance built on a foundation of data driven risk intelligence that supports the hypothesiss of truly adaptable security.

Using anonymised case studies experienced during the pandemic and post-pandemic business change years, I will highlight how three organisations have embraced the ‘Shift Left’ concept. ‘Shift Left’ addresses challenges concerning point in time dipsarate security solutioneering to a place of complete businesses immersion. No longer the business outcast but a true business outcome enabler.

This novel and unique discussion on changing the way we think and enhancing human performance using neuro linguistic programming (NLP) from the perspectives of both neuroscience and information security, presented at COSAC 30 and updated with that audience’s feedback. Debunking current Human Resource and Information Security thought leadership and training materials, this presentation addresses how many are adversely impacting the credibility of their presentations, themselves, and the profession by using a misinterpretation and misunderstanding of how the brain works.

NLP is referenced in Self Help Programs and seminars, and Security Awareness and leadership training. The basic concept is tied to “Reprogramming the nervous system through the use of language” with false concepts and pseudoscience about brain programming to communicate effectively and influence others to change our own thoughts when presenting otherwise accurate information and can skew materials to make them entirely incorrect. By establishing a faulty knowledge foundation, this impairs the ability of information security professionals to influence system changes, develop awareness training, and create appropriate defenses for malicious hacking attempts.

The value in this session is providing information from current brain science to use in training. This discussion is timely as social engineering, human resource, and behavior experts are spreading misinformation. The approach of this session provides opportunities to challenge and give input while imparting attainable science on the real brain.

Risk Management

Risk Management in its very basic form requires identification, assessment (impact and likelihood), current controls assessment, mitigation controls definition, monitoring and reporting of risk over the active lifetime of the risk record. In some instances, and depending on the nature and maturity of risk management disciplines, concepts like inherent risk, control risk, residual risk, risk appetite and tolerances, risk optimisation, etc, can be introduced to enrich the strategic leverage of risk management. All of these have critical dependency on “risk ownership and accountability”. Without an appropriate “risk ownership and accountability” assignment model, risk management can often appear academic, theoretical and highly abstracted, delivering no real value to the organisation. In this unfortunate situation, risk management and its associated records simply become the graveyard or the “too-hard” basket for issues and problems. Managers absolve themselves of any accountability and/or responsibilities once their teething issues and problems make their ways into the too-hard basket, the Risk Register, and never to be talked about ever again.

In many organisations risk accountability assignment is a very complex thorny issue. Several stakeholders have bona-fide interests in specific business resources and would be impacted by plausible risk vectors. However, the differential individual interests are not significant enough for them to voluntarily take-on unequivocal and active accountability for the specific risks. In some other instances, each impacted stakeholder feels strong attachment to specific risks and have different views on how these risks should be managed to the points of passive-aggressive tensions. Both of these situations lead to the same risk graveyard scenario raised above.

SABSA Risk Domain Architecture - One of many solutions

Risk Management could be a strategic foundation for a wide range of management processes – including but not limited to general business, technology governance, security, etc. To enable this strategic capability, there needs to be a sound and objective method of assigning risk ownership and accountability. One such method is the Sherwood Applied Business Security Architecture (“SABSA”) Domain Architecture concept. Domain concepts - single domain, super-domain, sub-domain, peer domain, multi-tiering, inter-domain interactions, complex inter-domains policy associations, etc - can be combined with standard RACI (Responsibility, Accountability, Consult, Inform) model to construct a useful method to resolve the fundamental issues around risk accountability assignment. In the discussion below, I lay out (a) some SABSA Domain Architecture concepts and a simple application construct, (b) a requisite highest ranked lowest common node accountability test, and (c) high level application of the construct.

We embark on the good ship Access Management. We have a clear direction from the captain to move from the fjords of isolated data bays to the sea of open access seeking analytical riches. However, the crew has been working the closed bays of the fjords for aeons and think the captain is not considering the perils the open sea represents. The ship therefore stays in the apparent safe harbour of endless segregation, limitless localised risk scopes and ingrained process all pulling on the tiller while the ripe shoals of opportunity pass them by. Mission success is declared because they couldn't see the sea.

As a crew member on that ship, it has baffled me for some time as to how this occurred. After some soul searching and a pinch of analysis, I came to understand this was a function of a complex set of interplays that generally tie back to the human condition. I will demonstrate how localised risk scopes prevent lateral vision; that access to information is used as a power trip; and that people assume how things work based on how it appears to them. These elements combine to establish a form of human thinking when ownership (maybe accountability) gets lost in process (this is how it's done), inheritance (this is how it was always done) and learned helplessness (what do you mean we can change how it's done). I will share some of the tools and techniques that I used to try and combat this environment, but I will also ultimately show how the bureaucratic tools of; perverted reporting, scope manipulation and waiting until being overtaken by events, mean that success was always guaranteed therefore undermining any lessons learned that might be taken.

Cyber security architects understand the value of an Enterprise Security Architecture to ensure that the business is exploiting positive opportunities and managing negative risks. However, whilst the benefits of a traceable and justified ESA are obvious to security practitioners it is difficult to develop an architecture in the first row and column of the SABSA matrix. Too often, businesses know they need an architectural framework, but stakeholders are discouraged by the time investment of a full ESA. What businesses desire is an appropriately sized and managed approach to applying cyber security solution architecture.

The aim of this presentation is to have a discussion with the audience on what is the “right level” of cyber security architecture. The session also aims to critically analyse the key components of a SABSA ESA and determine how architects can adjust to match the needs and maturity of the target organisation. Ideally, this presentation gives direction for how organisations can invest in a crawl, walk and run approach to developing a flexible “right sized” security architecture for their business needs. Bruce believes the answer lies in the application of the SABSA Fast Track approach …

Mentoring those new to the field or new to our organizations is one of the least emphasized yet most important of our responsibilities But if we’re going to mentor others, we surely better know the details and peculiarities of what we’re trying to have them learn. Okay, principles haven’t changed much since security graybeards were coding access control lists and carrying their card decks to be read into mainframes: Availability, Integrity, Confidentiality. But the actual technology and the specifics of the threats change so fast and so continually that keeping up would be a full-time job if we didn’t already have one. And ChatGPT won’t provide us a guidebook.

Advantages of mentoring include getting some help for ourselves. We encourage “mentees” to take a balanced and nuanced view even when circumstances might indicate that “panic.” In this interactive session, we focus on mentoring others and on keeping ourselves up-to-date. We’ll look at effective ways to guide others and cite some key elements of successful mentoring programs that receive positive feedback from both mentors and mentees. We’ll cover pitfalls to avoid and examine ways of fighting the uphill battle to keep current on techniques, threats and technology. Your own experiences as mentor and/or mentee will be solicited and welcome. Come join us.

This session will present a practical framework for implementation of an Enterprise Security Architecture using SABSA and key points of contact with other standards or frameworks such as ISA/IEC 62443, ISO55000, and the AESCSF v2.

With the pace of digital transformation, security architects are facing challenges to support a coordinated, inter-operable design, and re-usable set of cyber security artefacts across the enterprise. This session will address how to share a common language between IT and OT cyber security practitioners, based on the business context and cyber security risks, and how to inform cyber security requirements and cyber security controls following a systematic process that enables traceability to business requirements (justification) and cyber security solutions (completeness) enterprise wide.

This session will be based on the presenter’s practical experience in Operational Technology environments, and the lessons learnt through the planning, design, and implementation of this approach in an Australian energy utility.

This session will challenge and encourage the audience in working through how security solutions are delivered to assets across the organisation, with a holistic and risk informed view. And will provide some examples of artefacts to address the business security context, compliance demands, and the evolving digital environment.

Barely a day goes by without us hearing of how digital services are changing our lives, typically through new products and services that give us more choice and tailored on-line experiences. Generally, businesses embrace digital capabilities to help reduce their operational costs and, no doubt, this trend will continue.

Working within the tech community we are very likely to consider ourselves as technology aware and, generally, increasingly take advantage of digital services. It is important however that we address the fact that there are substantial sectors of society that are classified as digitally disadvantaged and who struggle to participate in an increasingly digital based and digital dominated society. This needs to be addressed as part of ethical business policy and practice.

Digital disadvantage occurs when one person or group of people receive different, more harmful experiences of digital services when compared to others. It encompasses a range of elements from inclusion to skills and attitudes and is closely linked to broader social disadvantage. Digital exclusion occurs when a person or group of people cannot access digital services for one or more of a variety of reasons from having no physical access to digital services to being unable to validate their identity through a lack of valid digital credentials.

You might think that this could never apply to you … but I believe the pool of digitally disadvantaged people is growing, and not necessarily among those sectors you may expect.

Where businesses are increasingly struggling with unambiguously identifying their users, most of whom they will never have met in person, they rely on digital artefacts to establish and verify identity. The datapoints they use are no longer just date of birth, passport or country ID number and credit history but, for example, now include mobile phone operation as part of the dataset, and this approach of using more and more datapoints can have unexpected consequences, and not in a good way.

In this talk (and debate) I will highlight how AI enabled deception services can produce synthetic identities with sufficient data points to appear genuine and amplify the problem of making more real people outliers because they lack these additional markers.

I expect us also to consider the emerging problem of loss of control of critical biometric identify information as (typically younger) people give away their DNA and retinal scan data in exchange for a service or, in the latter case, crypto coins.

While the use of machine learning (ML) offers a lot of promise to organisations, industry studies suggest that many ML projects are unsuccessful. Part of the problem is often in the operationalisation of ML (MLOps). A lot of attention is paid to getting the right tool set to deliver an ML model into production, but less effort tends to be spent on understanding how ways of working across the organisation need to adapt to ensure security risks are managed. To use a familiar trope - secure MLOps is not just about the technology and tools being used, but also about policies, processes, and people. This presentation will use the results of our research to date to examine organisational security in the context of MLOps, exploring the policy decisions that need to be made about risk, automated decision making, the use of digital twins, legal requirements around data, and the need for people with ‘T’-shaped skills.