
Welcome to COSAC - Conferencing the way it should be!

Due to the ongoing global pandemic, COSAC 2020 in Ireland has been postponed. You can still view an agenda below for a taste of what to expect from a COSAC security event while we continue to plan for 2021.


Sunday 27th September 2020

19:30 Delegate Registration
19:30 Drinks Reception - Sponsored by Killashee Hotel
20:00 COSAC 2020 Welcome Dinner - Sponsored by The SABSA Institute

Monday 28th September 2020

COSAC Masterclasses are full-day, 09:30 - 17:30. Breaks:

09:00 Registration & Coffee
11:00 Morning Coffee
13:00 Lunch
15:30 Afternoon Tea

Masterclass M1

09:30 The 20th International Roundtable Security Forum Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Picture a roomful of accomplished, creative information security veterans. They’ve faced unending varieties of threat and omission and mistake and security exposure. They’ve ushered sound security ideas from incubation through implementation. They’ve had brilliant security ideas hamstrung by political machinations. Yet they persist in bringing professionalism and dedication to the tasks of securing organizational assets, detecting and averting threats (old and new), and keeping sensitive information private. And they’re not shy.

Recognize yourself?

The 20th iteration of the COSAC International Forum gives these battle-scarred veteran security professionals (that’s you) a full-day immersion in the COSAC way. They’ll analyze hypothetical scenarios and actual events from widely different perspectives based on widely different experiences and perceptions of success and failure learned in the trenches. They will offer and rigorously defend their opinions, but are also ever-willing to help others and learn from each other. This inevitably leads to using reality as a basis for analysis of recent and probable future events and trends. The perspectives are illuminated by deep and broad information security knowledge and experience. And nobody charges consulting fees.

The moderator, a grizzled if not very knowledgeable security veteran himself, describes some actual recent event or publication or prediction of the future or analysis of security-related activity, then comes up with a question or two about associated issues. He might then prod one or more attendees for their take on the issues in question, but more likely, he’ll try to avoid getting in the way, thus prompting participants who have probably been there and done that to illuminate topics, opinions and actions freely and subject their ideas to the scrutiny and analysis of all the experience in the room.

The basic underlying motivation for the Forum hasn’t changed since it was instituted 20 years ago: "the most significant benefit of attending any conference is the chance to compare notes, strategies and techniques with others who are similarly situated and facing the same types of problems on an everyday basis." Cybercrime evolution, ransomware as a business model, measuring security effectiveness, volumes and types of data collected by social networks, dependence on foreign, even hostile, countries for critical security infrastructure elements, recovery strategies, incident management, GDPR, IoT device proliferation and security, finding and keeping competent help … – the 2020 roster of real and potential concerns will include some we hashed out in 2019 and will doubtless provide fodder for 2021 and beyond. We certainly can’t successfully address all of them. Some may be complete surprises. And we can’t ignore the security “oldies but goodies” like awareness, access control, policy implementation, password management, and the list goes on. But having experienced corporate security warriors present means we can call upon them to ask how they set priorities to avoid being stretched a mile wide but only an inch deep.

The often unbounded discussions and analyses here on the first day of COSAC continue throughout, often beyond, leading to unique, realistic and workable solutions. Forum attendees take their profession very seriously, but not necessarily themselves. Being helpful, personable and ready to smile at some of the stranger doings that populate our world encourages building a network of intelligent, experienced, realistic people you can count on for truthful analysis and real help. Come join us and help solve the information security problems of the world.

Masterclass M2

09:30 The 6th COSAC Design-Off Speaker(s): Jason Kobes, William Schultz

Jason Kobes

Principal Cyber Architect, Northrop Grumman (USA)

Jason Kobes works as a Principal Cyber Architect & Research Scientist in Washington, DC for Northrop Grumman Corporation. Jason has over 20 years of experience concentrated in information systems design analytics, business/mission security architecture, enterprise risk management, information assurance research, and business consulting. Jason has a Master's of Science in Information Assurance (MSIA) and a Bachelor's of Science in Computer Science from Iowa State University. 

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

This year will mark the 6th year of running this interactive and unique competition at COSAC Ireland. In the spirit of hack-a-thons, this competition was born out of a desire to provide a venue for security architects to apply their skills in a safe environment. This is a unique competition format that uses real clients, scenarios and deliverables to see which team will reign supreme! Whether you are a seasoned enterprise architect or security architect, or just looking to try something different to build and enhance your skills, this session will provide a unique opportunity to prove and hone your architecture chops. Many practitioners come out of self-study or training armed with new skills, but struggle with applying them in complex situations and under tight time frames. Not to mention, there may be a limited number of practitioners in their organization (or region for that matter) to learn from. The primary goals for this session are to build relationships with other practitioners, to learn from each other on different ways to apply techniques to solve problems, and setup situations where we can creatively apply and adapt our skills. This is not a session where you will sit and listen to a presenter telling you how to do something.

Past attendees of the Design-Off have marked this as one of the highlights of the conference and we hope you will leave feeling the same way. Each year we feature a unique customer and problem set, so if you have attended in a previous year, be assured that this year will present a new and different challenge. Each year we incorporate feedback from past attendees in order to enhance the experience and keep the scenarios interesting and applicable to real life!

Teams are made of people with different skill sets and skill levels, and team members will be actively engaging each other and trying to find the best way to meet the challenges. This is not a competition in using a specific formal methodology or framework (although they will definitely come in handy), but is meant to be an exercise in applying these techniques in ways that most effectively meet the client’s needs. Each year winners have proved their mettle through several challenges, demonstrating skills in listening to clients, applying risk management, demonstrating business value, and effectively communicating with the client in order to deliver architectural guidance that will address their problems. There can be only one winning team; however, all participants will learn from the experience. Where else can you see how different groups of high-level security practitioners apply their skills to address the same problem? That said, you will want to win this! The winning team members not only get bragging rights, but will be announced on the SABSA LinkedIn group, and each member will receive a personal acknowledgment on their LinkedIn page congratulating them on their achievement! Other spot prizes may be awarded by the moderators in addition to this to recognize outstanding efforts of participants.

A few of the hardest problems SABSA architects face are working alone, and getting started where there are challenges. These design-off workshops not only build teams from people who may have never worked together before, they challenge the groups to quickly overcome challenges to deliver actionable architecture quickly. It can be done; this activity proves it.

Masterclass M3

09:30 Mastering the Art of Design Thinking and Execution Speaker(s): Esther Schagen-van Luit, Roland Schagen-van Luit

Esther Schagen-van Luit

Specialist Security Architecture, Deloitte (Netherlands)

Esther is a Specialist in Security Architecture at Deloitte Cyber Risk Services. Her ambition is to be a Leading Lady In Cyber, who is the best in her craft (security architecture) and makes societal impact as a role model through making girls & women feel they (could) belong in world of cybersecurity. For her work on getting more women into Cyber, Esther has been awarded prizes and nominations such as the Cybersecurity Award, Techionista Award, VIVA400 and Change in Business Award.

Roland Schagen-van Luit

Junior Architect, ZJA Architecture (Netherlands)

Roland is a Junior Architect at ZJA Architecture. His focus on parametric design and fascination with 3D-printing has his portfolio span architecture, graphic and jewelry design. A broad interest in systems and mathematics in general has sparked a desire to convey this thinking outside of parametric design, spreading from the design of buildings into the design of boardgames.

Effectively communicating security, and particularly typically text- and diagram-heavy security architecture, to the stakeholders that are asking/mandating/paying for it, is no small feat. As an industry we have been trained about what is correct, complete and related to one another, but not necessarily on what is relevant, beautiful or intuitive.

As a follow-up to last year’s successful session on visual design, this full-day session brings participants even more insight into the world of design. It allows the participants to develop their design thinking and design execution skills through practical challenges to make them ‘Masters of Design’ in a day. Both security architects and general security practitioners should find the session’s content and exercises equally valuable.

The session is split into five segments:

1.) Design thinking: The session starts by exploring the concepts of design thinking, and how we can apply the process to the way we communicate to our stakeholders that are on the receiving end of our security products. We will go through a number of exercises on target audience determination, needs analysis and perception analysis that participants can tailor to their own context to maximize relevance.

2.) Visual design concepts: The second part of the session focusses on exploring visual design concepts in-depth. Participants are asked to show how they would visualize prepared textual scenarios with pen & paper in groups.

3.) Digital design execution - static: We will dive into the two tools that are most commonly used for visual representation of information by professionals - Powerpoint and Excel. We will investigate ‘advanced’ options in these programs allowing you to create interesting visualizations with minimal effort, including tools & plug-ins to make life easier. We will take into account what design requirements many users have when it comes to interacting with these programs. Lastly, we will venture into the realm of ‘PowerPoint Hacking’. Participants will be invited to apply their skills in both of these programs based on textual scenarios.

4.) Digital design execution – dynamic: We will then explore how to make our visualizations into engaging dynamic content. We will show a number of examples that were created simply in PowerPoint using shapes and animations effectively, and ask participants to recreate some of them on their own computers.

5.) UX & design interaction: We will present various user experience concepts, inviting participants to reflect on and share examples they have used in their security work. We will then present different ways to effectively engage your user with your digital design, such as gamification, allowing users to influence the storyline, changing the context of your design in Prezi and integrating user input into your design landscape in a Nureva Span Canvas.

At the end of the session participants will digitally receive the theory and examples presented, so that they may leverage their knowledge and skills learned effectively in their daily jobs.

Participants are advised to bring a laptop with PowerPoint and Excel pre-installed.

Masterclass M4

09:30 That AHA Moment! - The Case for Building Adaptive Hybrid Architectures Speaker(s): Andy Clark, Lynette Hornung, Diana Kelley, Char Sample

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

Lynette Hornung

Principal Security and Privacy Architect, Dell Technologies (USA)

Lynette is a Senior Privacy and Security Architecture Manager leading a privacy program with a federal agency focusing on data protection and security architecture that provides security and privacy by design. She has supported a variety of federal agencies with privacy and security architecture services and solutions. She was CyberCorps and has her MS in Information Assurance from Iowa State University.

Diana Kelley

Field CTO, Microsoft (USA)

Diana Kelley is the Cybersecurity Field Chief Technology Officer for Microsoft where she provides guidance to C-level executives at large, global companies. She is a Faculty Member with IANS Research, an Industry Mentor at the CyberSecurity Factory and a Guest Lecturer at Boston College’s Master of Science in Cybersecurity program. Previously, she was the Global Executive Security Advisor at IBM Security and a GM at Symantec.

Char Sample

Chief Scientist Cybersecurity Cybercore, Idaho National Laboratory (USA)

Dr. Char Sample is Chief Scientist Cybersecurity at the Idaho National Laboratory and a research fellow with the University of Warwick, UK. Dr. Sample has over 20 years' experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

Planning a security architecture is a multi-faceted project that typically requires an interdisciplinary effort. The resultant architecture reflects the organizational needs and requirements analysis agreed by all parties and stakeholders. As automation continues to evolve in systems, both traditional architectures and zero trust architectures reveal inflexibilities that make both choices sub-optimal for modern networks.

Traditional security architectures are limited by the abilities of the technologies used. In an attempt to be flexible for users, these technologies have to balance security and usability; this results in vulnerabilities, which in turn leads to layering and using SDNs. Zero trust architectures have arisen in response to the shortcomings in current security architectures, but they are too restrictive (and possibly cumbersome). What is needed is an adaptive hybrid architecture that flexibly combines strong security with dynamic responses. These responsive behaviors can contain traditional high-assurance components along with newer-generation deception technologies. This approach reflects the complex relationships, both internal and external, that support organizations where multiple security needs are balanced and administered at a single place.

In this presentation, we will compare the proposed adaptive hybrid architecture against the traditional, zero trust and cloud security options. Because the SABSA method is based on systems engineering methods and well-suited for incorporating diverse viewpoints, we use it as the framework for this endeavor to propose an exemplar that blends traditional and more modern technologies and assumptions to create a hybrid security architecture that is adaptive, intelligent, resilient and capable of growing with the organization.

Dinner

18:30 Drinks Reception - Sponsored by SABSAcourses
19:00 Dinner - Sponsored by Deloitte

Networking Event

21:00 Data Privacy Jeopardy Speaker(s): Lawrence Dietz, Liz Dietz

Lawrence Dietz

General Counsel, TAL Global Corporation (USA)

Lawrence Dietz, Attorney, has served as General Counsel of TAL Global since April 2010, where he has extensive experience in international contracts. Prior to joining TAL Global, Dietz served in senior roles at Symantec Corporation, including Director of Market Intelligence and Global Public Sector Evangelist. He retired as a Colonel in the U.S. Army Reserve and is the author of the authoritative blog on Psychological Operations (PSYOP).

Liz Dietz

Professor, University of Phoenix (USA)

Dr Elizabeth “Liz” Dietz began her nursing career as a Lieutenant Junior Grade, Charge Nurse for the US Public Health Service during the Vietnam Conflict. She is a Professor Emeritus of Nursing from San Jose State University after a 29-year career there. She has been a volunteer with American Red Cross in Service to Armed Forces, Disaster Health Service Manager, Expert Instructor in International Humanitarian Law program, as well as Regional Disaster Lead for the Disability Integration program.

Data privacy can be a pretty dry subject, but you can count on Liz and Larry Dietz to present a lively and informative session.

Jeopardy is a famous television quiz show. Teams of COSAC participants will compete to correctly answer questions about data privacy. They will face a board covering 5 topics. Each topic has 5 questions of escalating difficulty. This lively and entertaining game show will be hosted by Dr. Liz and Colonel Larry Dietz. Prizes will be given to contestants who answer questions correctly. Questions will be derived from the GDPR, the California Consumer Privacy Act as well as the forerunners of these laws such as the 1995 Data Protection Directive (95/46/EC) and the UK Data Protection Act of 1998. Oh, and a bit of common sense and a great deal of humor.

Tuesday 29th September 2020

09:00 - 09:30 Delegate Registration & Coffee

09:30 1S: A Practical Application of SABSA for Humankind Speaker(s): Chris Blunt

Chris Blunt

Security Architect, Aflac NI

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.

In 2017, Maurice Smit presented his inspirational SABSA Master Thesis “The problem-solving framework applied to the humankind” at COSAC. In it, he set out his theory that SABSA could be used to solve any problem, including the human condition, by using Attribute as a common language for and in every phase of human existence.

In this session, I will explore a real-world application of his work as applied to my life, presenting a brutally honest case study (would you expect anything less of me?) to explore how some of the key SABSA approaches, methodologies and techniques can truly be applied to our lives in the pursuit of happiness. Who knows, it might just change your life for the better; it has mine!

09:30 1A: Reinventing the Global Research Agenda for a Modern World Speaker(s): Dan Klein

Dan Klein

Chief Data Officer, Valtech / United Nations (UK)

Dan Klein has two roles – lead of Environmental Data for the UN Big Data Working Group and Chief Data Officer for Valtech. At the UN, he is part of the team deploying a global collaboration platform for international datasets, methods and results, to drive improvements in the 17 Sustainable Development Goals. In Valtech, he looks after all things ‘data’, delivering differentiated value to our clients. He is fascinated by how the use of data can disrupt existing business models.

The 2030 Agenda for Sustainable Development, adopted by all United Nations Member States in 2015, provides a shared blueprint for peace and prosperity for people and the planet, now and into the future. At its heart are the 17 Sustainable Development Goals (SDGs), which are an urgent call for action by all countries - developed and developing - in a global partnership. They recognize that ending poverty and other deprivations must go hand-in-hand with strategies that improve health and education, reduce inequality, and spur economic growth – all while tackling climate change and working to preserve our oceans and forests.

This session looks at leveraging large datasets to deliver the UN’s 17 SDGs, taking a proof of concept with the UN to engage collaborators around the world, and changing the way we undertake science in a revolutionary way with full digital collaboration and peer review, and replacing the ‘scientific journals’ PDF approach.

We will also look at lessons learned from the UN and a review of other players in the market collaborating across datasets, methods, resources and outcomes.

09:30 1B: Santa Claus, the Easter Bunny, and Zero Trust: Are We Living in a Fantasy World? Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...

Zero Trust is over a decade old - but what does it really mean today? Is it any more achievable than when it was first introduced? When every vendor in the enterprise security space is slapping a Zero Trust label on their marketing materials, how do you find the signal in the noise?

The original Zero Trust framework was introduced in a 2009 Forrester whitepaper, and promptly went through the classic Gartner hype cycle: inflated expectations, disillusionment, enlightenment, productivity. Millions of dollars and thousands of hours were spent chasing the Holy Grail of enterprise security - often with very little demonstrable ROI.

Forrester & Gartner resurrected the Zero Trust buzzword a couple of years ago, and once again, it's on the marketing collateral of every vendor who offers enterprise security, identity, or access management. New technology offers solutions to some of the original problems; with those problems out of the way, we see additional problems that they were masking. Are we on the same roller coaster? And if you're in the market for a zero trust solution today, how do you find signal that's relevant to you in all the noise?

This session will be a candid conversation about successes and failures in the Zero Trust arena and whether it's any more achievable today than it was ten years ago, conducted under the Chatham House Rule.

10:30 - 10:50 Morning Coffee

10:50 2S: SABSA in AXA Group Enterprise Security Architecture Speaker(s): Simon Griffin, Bhupesh Rana, John Sluiter

Simon Griffin

Senior Enterprise Security Architect, AXA (UK)

I’ve been working at AXA for nearly 20 years in a number of global roles including security consultancy, engineering and presently as an enterprise security architect within AXA’s Group Operations organisation. I have so far achieved SABSA SCF, attended both the A1 and A3 courses and hope to start work on my paper for Practitioner soon. I spend most of my time taking a business driven approach to security and utilising what I’ve learned from SABSA in developing our security reference model.

Bhupesh Rana

Global Head of Enterprise Security Architecture and Design, AXA (UK)


John Sluiter

Lead Global Enterprise Security Architect, AXA (UK)

As a member of the AXA Group Enterprise Security Architecture team, John leads development of the Enterprise Security Architecture as part of the Global Target Architecture, as well as contributing to various strategic programmes and topics such as global workplace, API management and DLP. Before joining AXA in early 2016, John worked as a security architect for business and IT consultancies for most of his career, working on TOGAF and SABSA integration amongst others.

AXA Context

Explain the complexity and federated nature of the AXA organisation, the structure of the security organisation (1st and 2nd line), the GESA role and mandate plus challenges.

Describe the foreseen maturity journey of ESA in AXA and which stage we see ourselves today:

- Key reasons for using SABSA are to introduce and establish rigor and structure in the strategy development process, and to make security architecture real for the practitioners, operational security teams and our leadership team.

- We have encouraged and trained members in SABSA who are not architects. For example, we have included in the training program people from risk management, security assurance and operational security teams, because we believe that the more people outside the architecture teams understand the AXA ESA/SABSA approach and methodology, the better it is for AXA and for us. That may be a somewhat different approach from the one other companies take.

Security Capability Reference Model

Describe the first key deliverable GESA produced in 2018/2019: a Security Capability Reference Model (SCRM). It is a deep-dive, security-specific view of the Business Capability Reference Model managed by the Business Architecture Working Group and therefore follows the business capability structure and definitions to maximise business alignment. It defines 5 levels of capabilities covering business and IT/security services (services are renamed lower-level capabilities), which are mapped to mechanisms and components and used to form a library of the as-is security capability status.

The presentation will describe and show what it is, what the expected benefits will be (supporting analysis, security requirements definition and architecture design) and how much value we have experienced to date (quick turn-around of requests for global cost savings opportunities, consistent strategic IT programme security requirements definition, etc.).

Business Attribute Profiling and SWOT Analysis

Explain how BAP and SWOT are used for security design in global technology / IT strategy development (BI strategy, network strategy, data centre strategy, DLP and EPP position papers, etc.). Explain how risk scoping is incorporated into this work to determine primary and reliance scope in risk assessments, design work, etc.

Future Steps Planned for Further ESA Maturity Improvements

Describe the currently ongoing projects and activities related to ESA:

- Linking SCRM with the MITRE ATT&CK framework to be used for the SOC NG. The aim is to be able to have meaningful discussions with operational security and influence technology choices by talking to them in the language they understand, i.e. threats and security controls, which we link with security components in SABSA.

- Improved use of data to support security capability related decision making (control effectiveness, coverage, cost), using sources such as IS assurance framework self-assessment compliance reports, secondary assurance findings, and SOC alert and incident data.

- Increased use of domain modelling, in particular for defining governance requirements, but also to explain the relationships plus R&Rs. We have been experimenting with domain models but have not yet used them in practice. Early feedback is positive, so we want to expand their use.

10:50 2A: The Regulatory Death of Private Enterprise Speaker(s): G. Mark Hardy, Mark Rasch

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, and a Master's in Business Administration.

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years’ experience in information security and in high-technology litigation and advisory across the critical infrastructure, and is highly sought after as one of the world’s leading legal (cyber) experts.

Three years ago at COSAC we examined the likely impact of the EU's General Data Protection Regulation (GDPR). Our predictions were borne out -- fines and sanctions in Art. 83 have served as a "stick" to compel -- £183m proposed fine for British Airways, £99m for Marriott International for example -- or, are they really an alternate revenue stream? Those make Google's €50m punishment look like a bargain.

As we slide into a global recession, will cash-hungry governments up the regulatory ante and feed off of industry's missteps? Earlier this year, the California Privacy Protection Act (CPPA) commenced a cascade of a cacophony of conflicting commandments certain to trip up the most careful corporation trying to sort out the tangled web of individual state laws in the United States. It's only going to get worse.

Will governments hold fines and punishments in abeyance to avoid exacerbating the downturn, essentially giving companies a bye, or will they drive businesses into oblivion when they are struggling for their survival? What does this brave new world look like, and when will we have "too much" regulation?

This presentation will provide a legal overview of the framework of what may be the latest generation of privacy laws following in the steps of breach notification laws. We'll look at what security professionals can do to reduce risk and avoid the wrath of the regulators.

10:50 2B: Threat-Based Security Engineering: a Stochastic Framework for Calculating Cybersecurity Risk Speaker(s): John Leach

John Leach

Owner, John Leach Information Security Ltd (UK)

I have been an Information Risk and Security professional for more than 30 years. I have held senior positions in the security teams of a number of organisations, including NatWest Bank, and led the security teams for the UK branches of two US boutique technical consultancies. In late 2002, I formed JLIS to enable me to provide my unique brand of Security Risk Management consultancy services independently.

Cyber security is a highly technical subject. This disguises the fact that, even today, we still practise it as a craft, not as a science. We have a series of ‘recipes’ (Best Practices and international standards), but they have been compiled over time from common responses to attacks and breaches, not designed analytically using scientific methods, data and results. These recipes provide us with an uncertain level of security no matter how carefully we follow them; we can’t readily optimise them to suit our particular situation, and they limit our ability to adapt and innovate.

It doesn't have to be this way. In this presentation I will describe some of the benefits of treating cyber security as a science, and outline how that could transform the way we conduct cyber security. We would be able to measure the amount of security protection a given practice or product provides and perform cost-benefit analyses for security improvement projects. Directors and regulators could set objective security risk targets and Risk Managers demonstrate that their security arrangements satisfy those targets. And security risk could be managed with no less a level of transparency and objectivity than any other type of business risk.

Using Threat-Based Security Engineering (TBSE) as a candidate method, I will describe what treating cyber security as a science could look like, and outline a number of ways people could give this a try to see what it can do for them.

12:00 3S: Could I Have A Little SALSA With That? A SABSA Fireside Tale Speaker(s): Peter De Gersem, Jaco Jacobs

Peter De Gersem

Principal Security Management Specialist, SWIFT (Belgium)

Peter is a security management specialist at SWIFT, the world’s leading provider of secure financial messaging services. He has over 22 years of experience in information security, having covered a broad spectrum of security domains. His current role is managing the SWIFT security assessment practice, from business objectives through the threat landscape to deriving the security pain points and identifying security requirements that speak to both business and technical stakeholders.

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

About two years ago I found myself standing in front of the SWIFT building in La Hulpe, Belgium, for the first time. To say that I was excited is a gross understatement. I was, after all, in the birthplace of something that I hold very dear … SABSA. I was at Genesis!

Imagine my surprise when I started asking about SABSA and everyone looked at me like I was the Mad Hatter who had partaken in way too much of his own special tea. No one there recognized what I was talking about and I could just not understand why …

This is also the day that I met Peter De Gersem, one of SWIFT’s current security architects and where we got talking. The long and short of it is that some SABSA training was attended, and a project was concluded at the beginning of 2020.

In this session, we would like to tell a SABSA story that has been writing itself for 24 years together with a very special introduction by John Sherwood. Where and how it started, where it lost the way a little, and how it found its way back onto the right path in the most unexpected way. We will talk about what has changed, what has remained the same, the lessons learned, and how the method has stood the test of time in delivering innovative outcomes.

12:00 3A: Mind the Gap! GDPR and CCPA Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I have been an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

The privacy landscape across Europe and the US has seen significant volatility over the last number of years. In 2018 we faced the General Data Protection Regulation (GDPR) and now two years later we face the California Consumer Privacy Act (CCPA). Both laws provide consumers with insight into, and control of, their personal information. The GDPR protects and empowers EU citizens’ data privacy, whilst also impacting every organization that processes or controls EU citizens’ data, regardless of location. CCPA on the other hand applies to California-based businesses with a revenue above $25 million USD or those whose primary business is the sale of personal information.

There is a misplaced belief that if a company is GDPR compliant then it will automatically be CCPA compliant. Although there are many commonalities between these two pieces of legislation, there are also fundamental differences. Simply put, GDPR speaks one language, CCPA another. As practitioners we need to be able to talk and translate the language of both pieces of legislation and understand where the potential gaps are in meeting each law. Whilst it is unclear yet how CCPA will interface with GDPR, it’s important for companies to be in compliance with both sets of laws if they qualify under the scope of both pieces of legislation.

This presentation positions GDPR together with CCPA, with the first half of the presentation outlining the key similarities between the two laws, and the second half outlining the key differences. The aim of the presentation is not to ‘bash’ one law against the other but to explore the strengths and weaknesses of each law and to encourage an understanding of the common denominators across both.

Key learning outcomes from this presentation are:

- Understanding CCPA and GDPR differences

- Understanding CCPA and GDPR similarities

- Knowing how CCPA does not meet GDPR compliance, and knowing how GDPR does not meet CCPA compliance

Audience: Senior roles involved in assessing data protection risk, risk management, compliance or incident response.

12:00 3B: Mission Critical Systems and the Risk Managed Approach – We Need Something Better Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect / Cyber Project Design Authority, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Alex’s qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has over 30 years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

This paper looks at the problem of attempting to use current enterprise / IT focused approaches to cybersecurity on mission critical systems.

Most frameworks and policy standards for cybersecurity advocate, or even mandate, the use of a “Risk-Based” or “Risk Managed Approach” to the delivery of security objectives in a system. This has proven very effective in Enterprise ICT environments by forcing organisations to move away from an audit and compliance (i.e. ‘check-box’) approach to security.

Since the “Risk Managed Approach” is the de-facto standard for security policy frameworks, we are now seeing it being applied to securing mission critical systems. But, unlike Enterprise ICT environments, mission critical systems have long ‘Life-of-Type’ (often decades) and are intended to be very stable and reliable in terms of change and operation over this long time period.

A key element in the risk managed approach is understanding the threats to the system. Therefore, current risk assessment is effectively outward focused from the system on factors that change over time. Looking at threats for risk assessment works well when the time horizon being considered is relatively short; consider the rate of application change in an enterprise environment.

For mission critical systems, this means that the risk assessment is focused on factors that are beyond the scope of the system, beyond what can be affected by system architecture and design, and is based on threat information that is not definitive and not stable over a time period comparable to the life-of-type of the system.

The delivery of security outcomes for mission critical systems is therefore compromised by mismatches in time horizon, i.e. the life-of-type of the system vs the time horizon of the threat information used in a security threat and risk assessment vs the time period for the implementation of system change.

Based on the key foundational concept in “STPA for Security”, derived from modern safety engineering, this presentation explains the problem “STPA for Security” is trying to solve.

13:00 - 14:00 Lunch

14:00 4S: SABSA Amid the Frameworks Hunger Games Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

Managing Director, Qiomos (UK)

Strong technology executive, specializing in business-driven security architectures and business risk control management. I have more than 16 years of extensive experience gained within information security consultancy firms as well as financial services and telecom organizations. During the last eight years I have been offering enterprise security strategy services to C-Level executives across Europe due to my ability to simplify complex technological issues.

The ever-increasing attention in the area of information security, cyber security and, as of lately, risk resilience is being followed by significant investments organisations make in an attempt to stay in control and consequently protect their operations. The flux of money, especially evident in the aftermath of a visible security breach in the public domain, usually results in a plethora of technical controls with very little justification and almost non-existent acknowledgment of the business context. Instead of investing time and resources to define the problem space first, security professionals hide behind numerous security frameworks, pre-built lists of controls, and best-practices.

This presentation will analyse the driving forces behind this phenomenon in an attempt to identify the root cause and then explore how SABSA can provide a credible way to alleviate, if not solve, the problem. In doing so the emphasis will be on the need these frameworks and control repositories aim to address, their relevance to building operational resilience and meeting regulatory expectations, and the prioritisation of the investment required to perform active risk management. SABSA principles and logic will be put to the test as we explore the differences between a compliance-driven and an improvement-driven mindset.

14:00 4A: The Great Chief Security Leader Debate – 20 Questions Speaker(s): Todd Fitzgerald

Todd Fitzgerald

CISO, Cybersecurity Leadership, CISO Spotlight (USA)

Todd has built and led multiple Fortune 500/large company information security programs for 20 years across multiple industries. Todd serves as Executive In Residence and Chairman of the Cybersecurity Collaborative Executive Committee, was named 2016-17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, and named Ponemon Institute Fellow. Fitzgerald authored CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.

The information security leader has evolved much over the past 25 years, or have they? This session takes a look at the evolution of the Chief Information Security Officer (CISO) and then discusses 20 cybersecurity leadership perspectives provided by expert CISOs and security leaders of some of our largest organizations today. We will discuss – are these ideas increasing our maturity or are they moving us backwards? The questions are based upon writeups some of the top CISOs and cybersecurity leaders have provided to the presenter on different topics such as developing strategies, managing MSSPs, hiring talent, privacy, organizational structure, orchestration, use of AI/Machine Learning/Blockchain, etc – from practical experience, not theory.

For several decades, the presenter has used an innovative approach to delivering content - props, videos, sound, and audience participation - to create a memorable, entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker (2013-2020) and ISACA top-rated speaker.

14:00 4B: Protecting Citizens Online in The Face of a Global Epidemic Speaker(s): Martin Sivorn

Martin Sivorn

Head of Cybersecurity, Cabinet Office, UK Government (UK)

Martin built and led the first cyber security capability for the prestigious global news organisation The Financial Times for many years, building a team spanning 2 continents that plays a pivotal role in protecting FT systems and data, and the integrity of the FT's journalistic content. Having a dedicated cyber security capability has enabled the business to expand into new ventures like investigative journalism, made possible with a secure whistle-blowing platform.

The premise of my talk is keeping citizens secure online against the continuous menace of online scams, particularly at a time like this when current events and affairs like a global health crisis are being exploited to fuel new scams and fake news.

We will look at the moral dilemma of who is actually responsible when your brand is being exploited by criminals to rip off citizens, as well as a technical dive into some of the methods that we use to combat this issue.

As Head of Cybersecurity for the Cabinet Office I feel that we have a moral obligation to protect all citizens of the UK from online scams, particularly when our website (www.gov.uk) serves as the basis for perpetuating these scams.

I will share details of our approach to combating the problem of phishing, including detection of malicious websites and how we get them taken down from the internet. The talk will cover some of the technical challenges and considerations that we struggle with when trying to action the takedown of malicious sites. I will also give an example of how current events are exploited for malicious purposes with a timeline of the malicious activity that has been detected during the current COVID-19 health situation.

15:10 5S: Deep Behind Enemy Lines with Nuthin’ but SABSA As Your Guide Speaker(s): Harley Aw

Harley Aw

CISO, Phoenix HSL (Australia)

Harley is an Information Security and IT industry veteran based in Sydney Australia with over 20 years in multiple sectors including retail, hospitality, tertiary education, sporting and gaming multi-nationals, as well as consulting in the financial, government and resources sectors. He is a certified digital forensic examiner, cybersecurity incident handler, a member of the GIAC Advisory Board and a Founding Member of the SABSA Institute. He is currently the CISO of the Phoenix Group.

“They are in front of us, behind us, and we are flanked on both sides by an enemy that outnumbers us 29 to 1 – they can’t get away from us now!” Lt. Gen. Lewis “Chesty” Puller, USMC

The environment is a mess. The security team is proselytizing. IT wants security to go away. Project managers are flogging the IT beast while shutting out distractions from security. The compliance team is screaming at everyone for updates. The audit team is sticking the knife in everywhere around them. The business hates the whole damn lot of you.

And there you are, the Security Architect, right in the centre of it all, with nothing more than your rifle, pointed in the direction of the enemy and told to start running!

All too often, we are faced with the unenviable circumstance of being dropped into a swirling maelstrom of conflicting priorities, challenges, objectives, goals, approaches, ideas, personalities, relationships, successes and failures, and expected to start pulling rabbits out of the hat and perform miracles.

And all while the Board is watching!

If all that sounds like it’s enough to make you curl up into a foetal position wrapped in a Dettol-soaked blanket* mumbling random prose in haiku form rather than rub your hands together in mad delight at the opportunity to ply your trade, then this presentation is for you!

In this riveting and thoroughly entertaining presentation, we will show you how to dive headlong into the chaos of a real corporate environment and establish a secure beachhead that will one day become your operational theatre of war in battling the bad guys, vanquishing your foes and leading the way with security architecture! 20 years of real life experience is brought to bear to provide you with the know-how of how to face an enormously complex and challenging environment, win allies and set yourself up to succeed in defining and achieving your security architecture objectives. The presentation will even debut a unique capability maturity model (CMM) never seen before – the CMM of you, the Security Architect!

*Based on a true story! All will be explained if you come to the presentation…

15:10 5A: The Big Bang: Creating A Greenfield Security Program and an IT Infrastructure at the Same Time Speaker(s): Timothy Sewell, Todd Wilkinson

Timothy Sewell

CIO / CISO, Reveal Risk (USA)

Tim is a lifelong technology and security enthusiast with broad experience in multiple industries. He spent over a decade at Lockheed Martin designing and deploying solutions to some of the hardest cybersecurity problems in the national security space: Cryptography, weapon systems, aircraft, satellites, critical networks, APTs, hardware security, supply chain and third-party security, anti-tamper and industrial control systems using a blend of best-of-breed from the commercial space.

Todd Wilkinson

Chief Information Security Architect, Elanco Animal Health (USA)

Todd Wilkinson has been in the technology industry for 23 years and most recently is serving as the Chief Information Security Architect for Elanco Animal Health, building their new security program as part of a divestiture and IPO. He has advised on and been accountable for the technology direction and product development of solutions that Elanco offers to its animal health customers, and has developed innovation in disease detection, wearables, implantables and mobile imaging capabilities with Elanco.

What if I said you could build an entirely new security program from scratch in a greenfield environment? How about when that environment is a 64 year old international company going through an IPO split from its parent? Also, you have to stand up the entire IT infrastructure at the same time, all while meeting the aggressive cost savings promised to the market? Let’s discuss the beginnings of a security program while restarting from scratch on everything.

This talk will cover every aspect of security from architecture to governance to detection and on to response, and share the wins, the losses and the lessons learned along the way.

How to start small, prioritize and increase the security of your company’s future.

15:10 5B: Differences and Similarities: The Infection – The Outbreak – The Cure Speaker(s): Martin De Vries

Martin De Vries

Senior Information Security Officer, Rabobank (Netherlands)

Martin is an experienced Information Security Professional with a background in Project Management and Service Management. In recent years his focus has been on innovation, both security innovation and secure innovation. In this role he scouts for security innovations, trends and technologies, and provides security advice to startups and scale-ups, helping them to properly address their cyber security risks.

There is no way around the current situation. The world is under the spell of the COVID-19 virus aka Corona-virus. In parts of the world daily lives have come to a halt, social distancing is the new adage and people have died too soon.

Not long ago we saw a ‘Citrix outbreak’, and we see malware and cryptoware infections on a daily basis. The Citrix vulnerability hindered critical business functions, as remote access into an organization's network was no longer possible. Malware and similar viruses spread like viruses in real life.

What are the differences and similarities to the infection, the outbreak and cure of viruses in virtual and real life? This I want to address and answer in this COSAC session. With the input of the experienced COSAC audience we can all learn from each other.

16:10 - 16:30 Afternoon Tea

16:30 6S: Are Our Politicians Taking Us for A Ride? Speaker(s): Michael Hirschfeld

Michael Hirschfeld

Director, David Lynas Consulting (Australia)

Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.

SABSA says...........?

This presentation provides a SABSA interpretation of the success of our current political system and approach.

SABSA techniques allow us to analyse any situation utilising a series of interesting tools and techniques. As it was developed as a tool to understand Information Security, we often think of it as an IT specific, technical architectural methodology and utilise it in a relatively narrow field of endeavours.

In this presentation I will present the use of SABSA as a tool to analyse what the electorate really wants against what the electorate really gets and through this determine the current usefulness of the current political system.

Whilst the presentation will be focused on the Australian Electoral System, throughout the presentation participants will be called on to run a parallel analysis of their own countries' systems utilising similar techniques, or indeed, through inventing their own!

16:30 6A: Institutionalizing Trust – How do we “Build” Trustworthy Organizations? Speaker(s): Glen Bruce, Nick Galletto

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 45 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations.

Nick Galletto

Global Cyber Risk Lead, Deloitte (Canada)

Nick Galletto has over 30 years of experience in information technology, networking, systems management and information security management. He has accumulated extensive experience in the management, design, development and implementation of cyber risk management programs. Over the last several years Nick’s primary focus has been helping clients with the development and implementation of cyber risk management solutions both for IT and OT, making these organizations more cyber resilient.

Trust in relationships with organizations is an essential element for effective business but is becoming increasingly more difficult to maintain and support - especially in the face of increasingly sophisticated threats from a variety of forces. We are seeing a shift in business from a shareholder value only priority to a broader emphasis on: societal impact; value for customers; investing in employees; dealing fairly and ethically with suppliers; and supporting our communities, which in turn will deliver long term value to the shareholders. In speaking to clients about trust, we consistently hear that trust is an essential outcome to driving the brand promise.

The session will focus on answering: how do we operationalize trust in this era of digital complexities? What are the drivers for trust in support of the brand promise, ethics and integrity? And how do we measure trust? We will outline our research and findings on what it takes to have a trustworthy organization and the impact that adverse events have had on major organizations. We will provide methods and insight on how to move trust from a functional capability with stakeholders to building relationship trust through an integrated trust framework and supporting maturity model.

The better the impact of trust is understood and how to achieve and maintain it, the more trustworthy the organization will be.

16:30 6B: Cloud Forensic Challenges Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

In 2019, one of the biggest concerns we hear from our customers’ security teams is the lack of expertise when it comes to cloud and forensic investigations. We’ll first cover the differences between investigating an incident and conducting a forensic investigation, and then cover forensic concepts and methodologies and how we have adapted them to the cloud. We’ll answer questions such as “How do you forensically acquire a SAN?”; “What does court worthy methodologies mean?” (that myth debunked!); “What does GDPR mean for forensic investigations?” and other esoteric questions that investigators are concerned about.

Plenary Session

17:45 7P: Stopping Houses Attacking People Speaker(s): Nick Spenceley

Nick Spenceley

Director, Primary Key Associates (UK)

Nick is an experienced technical specialist with particular subject matter expertise in the application of technology to solve complex problems in secure environments. He consults on business change, system architecture and design, legal disputes, security accreditation and engineering processes. He has over 30 years’ experience in managing significant project portfolios and programmes for BAE Systems Applied Intelligence, Detica and Logica (now CGI).

In the COSAC 2019 presentation “Did my house just attack me?” we learned of the first conviction in the UK (in May 2018) for harassment using IoT devices. An estranged husband used remote access to a smart home hub to access the video and audio from an iPad used as a wall mounted system display, as well as other compromises of the victim’s online accounts. He was sentenced to 11 months in prison.

The subsequent discussion provided some further insight into the problem of a “purposeful pattern of behaviour which takes place over time in order for one individual to exert power, control or coercion over another”, in particular where smart home installations are built into the fabric of the premises and one partner in a relationship is the single sysadmin.

Is there a suitable architecture for such devices that enables a more balanced approach to managing smart home devices, in which, for example:

- A resilient and irrefutable chain of evidence is created when devices are configured and operated;

- That evidence remains protected against unauthorised access, but can be reviewed by any authorised party in the event of a pre-defined set of circumstances;

- A trust model exists that allows shared authority for managing the system;

- A mechanism exists for dispute resolution by a trusted third party.

In this talk we will outline a framework that covers these requirements and, in discussion with the delegates, expand or change it as necessary to produce something that may be considered a ‘trust mark’ that manufacturers may consider worthwhile to differentiate their products in this ever-expanding market.

Networking & Dinner

19:30 Drinks Reception - Sponsored by Killashee Hotel
20:00 onwards 27th COSAC Gala Dinner & Networking - Sponsored by SABSAcourses

Wednesday 30th September 2020

09:00 - 09:30 Delegate Registration & Coffee

09:30 8S: Reorganizing Security Architecture for Agile Organizations Speaker(s): Ilker Sertler

Ilker Sertler

Enterprise Security Architect, Capgemini UK (UK)

Ilker helps organisations to build the modern practice of Cyber Security and Enterprise Architecture for the agile business of the digital era. He continuously researches, develops and exercises pragmatic practices for enterprise organizations to improve how cyber security initiatives are embedded in the system delivery life cycle. He is a blogger with articles discussing cyber security architecture models adapting modern delivery approaches such as Agile.

Agile principles have been widely adopted by software development communities for decades. The digital era compels organizations to deploy these principles across the organization for process and business agility. Many established enterprises attempt to transform their structures and processes to build a culture of agility and flexibility so that they can defend their marketplace. While traditional architecture and governance functions are eroded during transformation journeys, cyber security is still considered one of the top concerns and usually manifests as a constraint on agility.

This session discusses the implications of Agile principles for traditional Enterprise Architecture and Cyber Security practices, then proposes a new approach to balance the dynamism ambitions of the Agile organization with stability needs of the large enterprise. A simplified content model for security architecture is tailored from the SABSA abstraction layers to promote a common and integrated model for collaborative development and articulation of architecture. A cyber security reference model is also presented to encapsulate security services with a new taxonomy that is better aligned to technology and process constructs of the modern enterprise. Finally, guidance is provided to organize cyber security in the agile enterprise, clarifying security functions, roles, responsibilities, core activities and interactions.

09:30 8A: Hey SyRI, Who’s Committing Fraud? Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages an international team of security analysts for FedEx Express, owning and executing various GRC processes for FedEx International. Prior to FedEx, Karel fulfilled positions as Head of Information Security, Information Security Officer, Security Architect and Operational Risk Manager within financial services companies.

In 2013 the Dutch parliament passed a law called ‘Fraud prevention through coupling of data files’ without a vote. This led to the development and implementation of the ‘System Risk Indication’, also known as SyRI, which combines data from several governmental data sources with the sole purpose of detecting potential social benefit fraud.

This does not sound threatening to a normal law-abiding citizen such as myself. Any fraud must be battled, and for us Dutch, economic fraud is at the top of the list. However, this system caught the eye of privacy activists and the UN rapporteur on extreme poverty and human rights. They found it to be in breach of human rights, discriminatory, dangerous and flawed. Our government was taken to court and the system was ultimately banned in February 2020.

A case like this in a developed country is both intriguing and scary and I feel there are lessons to be learned from it. Therefore, during this talk we will dive into this case and we will explore:

- How such a surveillance system came to be in a functioning democracy?

- Is the intent of the system ethical and just?

- What issues were found in the design and operation of the system?

- Could it have been designed in an ethical way?

- Were there warning signs?

- Do we need new safeguards to keep this from happening again, or are current laws and safeguards sufficient?

09:30 8B: IIoT – End to End Security Model for Industrial internet of Things Speaker(s): Rob Campbell

Rob Campbell

Enterprise Security Architect, Secure Constitution Ltd (UK)

A Security Architect with 30 years' IT experience, the last 23 in Security. I have been trained in security consultancy and architecture methodologies, including TOGAF (including ArchiMate) and of course SABSA. I have 10+ years in the financial/insurance sectors and 10+ years' experience in the Government sector. In that time I have performed security strategy, risk assessment and compliance roles as well as designed, developed and implemented solutions compliant with industry standards.

IIoT devices have long been considered reasonably safe from tampering because they have tended to be isolated, with limited, localised (or specialised - Zigbee/Bluetooth) connectivity and no real need to be connected to the internet at all. Firmware and software are rarely updated, because why fix something that is difficult or considered impossible to get to! Today, however, with an ever-changing threat landscape and examples of compromised IIoT devices (air-gapped or not) becoming commonplace, industry has started to apply common sense and address the issues.

Managing the vulnerabilities is difficult because the reasons these devices were deemed safe are the same reasons keeping them up to date is challenging. If you can’t easily get to them, how do you know what vulnerabilities might be present and then get updates onto them? The way we manage vulnerabilities in the connected world won’t work in the IIoT space, so I have had to think outside the box to try and solve these challenges.

This session will present a model based loosely on SecDevOps and containers to offer answers to the above problems. I would like to get feedback and suggestions from the attendees to further develop the model and help kickstart people's thoughts beyond simply securing the IIoT device itself.

10:30 - 10:50 Morning Coffee

10:50 9S: I See Fields Are Green - Architecting the Smart Hospital of the Future Speaker(s): Dennis van den Berg, Jaco Jacobs

Dennis van den Berg

Security Principal, Accenture (Netherlands)

Dennis is a Security Innovation Principal within the Cyber Defence Services domain of Accenture Security in the Netherlands. Dennis joined Accenture in 2013, after he completed his MSc in Network & Information Security. Since then, he has worked on a multitude of cybersecurity strategy, architecture, and transformation engagements, helping clients in the Netherlands and abroad become cyber resilient businesses.

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Greenfield opportunities are few and far between, and most of us, if we are really lucky, get to be part of one Greenfield ESA project in our careers. If it is in support of something greater than us, the proverbial good cause, so much the better.

In this session, we will explore the ESA created for Galactic Inc. Healthcare (GIH), a relatively young healthcare institution, specialising in children's oncology, and the first to bring together healthcare, research, and education under one roof.

We will focus on the architecture elements that set them on their way to:

- Increase the cure-rate to 90% by 2030 through better treatments and reduction of side-effects

- Reduce collateral health damage from treatment to less than 50% of patients affected by 2030

- Be the #1 children’s oncology centre in Europe by 2025

- Be a first-class internationally accredited education institution for children’s oncologists and other oncological specialisations by 2025

- Be amongst the most innovative and attractive employers within the healthcare industry by 2025

- Go about business in a socially responsible, efficient, and risk driven manner

10:50 9A: Babe Ruth, Hank Aaron or Barry Bonds: How Sabermetrics May Influence Cyber Resiliency Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks.

This presentation is focused on describing a possible approach to measuring cyber resiliency in the future. Sabermetrics is a statistical approach to evaluating and comparing baseball players, teams and achievements from disparate eras in order to answer difficult opinion questions about the sport. For example, there is a classic argument about whether the 1927 New York Yankees are the greatest baseball team to play the game. To address this question requires not just simple measurements, such as the team’s winning percentage or batting average, but more complex and data-intensive analysis about park factors, dead ball versus live ball, the impact of expanding the leagues, etc. Sabermetrics is a system for defining, measuring and evaluating such questions, where metrics are complicated and data is massive. Evaluating the resiliency of a mission and its systems to cyber effects is a quickly emerging goal for government and defense industries.

It is my hope to engage in discussion of the viability of the methodology and to strengthen the approach. It took baseball 11 years to identify most of the data points needed to improve the statistical analysis and instrument collection of the data. Metrics in cyber security have been marginalized since the beginning of the cyber security industry. It is time to address them in a meaningful and systematic manner. The proposed methodology is a starting point, not a 100% solution, but I believe it is the best place to start.

This presentation seeks to begin a greater dialog on measuring and evaluating cyber resiliency by doing the following:

1. Briefly describing and demonstrating how Sabermetrics is applied to baseball.
2. Describing the cyber resiliency measurement problem.
3. Proposing a methodology to measure cyber resiliency.
4. Identifying gap areas in the measurement process and discussing next steps.

10:50 9B: Security Automation: Rise of the Machines Speaker(s): Chris Blunt, Andy Clark

Chris Blunt

Security Architect, Aflac NI

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

"The Skynet Funding Bill is passed. The system goes on-line August 4th, 1997. Human decisions are removed from strategic defence. Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. In a panic, they try to pull the plug." - The Terminator

In November 2019, (ISC)2 stated that 4.07 million professionals are now required to close the cybersecurity skills gap. The reality is that it is not possible to close the gap by training more infosec professionals alone.

Many of the vacant cybersecurity roles require the people who will perform them to complete routine and repetitive tasks. Unfortunately, these tasks are often prone to human error, which can lead to serious cybersecurity incidents.

Security Automation promises to help solve these two challenges (and many others) by reducing the amount of work that needs to be done by security teams allowing them to focus on higher-value activities.

One critical element where the use of Security Automation should be mandatory is in DevSecOps. Agile development processes are built around being able to completely automate testing for each code update. Where code changes are security enforcing or security relevant the scope of this testing must include automated testing of the security functionality. Security Automation in this context effectively provides continuous penetration testing.

However, many security professionals are resisting automation and orchestration even when it has clear benefits for both them and their organisations.

In this session, we will explore the following:

- What is Security Automation?

- What problems might be addressed by Security Automation?

- What are the benefits of Security Automation for you and your organisation?

- What cybersecurity tasks are good candidates for Automation?

- What can go wrong when implementing Security Automation?

- How does Security Automation and Orchestration relate to DevOps?

- Who is doing Security Automation in the real-world, and how are they doing it?

The mechanisation of the weaving industry during the industrial revolution led to the Luddite movement, which ultimately failed to halt progress. The information age is entering a new phase, one where security engineering and operations will largely be automated. Yet many security professionals are as resistant to change as the textile workers of the 19th century. If we ignore these advances and continue to take an artisan’s approach, we face being left behind or, worse, replaced by the machines!

12:00 10S: Architecting National Telecommunications Infrastructure Security Speaker(s): Manal al Sarraf, Malcolm Shore

Manal al Sarraf

Head of Risk Management & Compliance, Batelco (Bahrain)

Manal has a wealth of over 20 years of experience in the field of audit, risk and compliance, where she has held leadership roles leading teams in creating value and effective control frameworks. Manal has the business acumen within telecom to provide a balanced approach in achieving business objectives while striking a balance with risks and controls, within her expertise in assurance. She has worked with well-reputed organizations such as KPMG and BIBF and is currently serving...

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Cybersecurity is a key risk for national infrastructure, particularly in the area of telecommunications. However, many telecommunications infrastructures are privately owned and operated, and the relationship with government tends to be via regulatory instruments. This leaves nations potentially at an unknown level of risk. In this paper, we develop a SABSA model of security architecture for national infrastructure, and determine how individual infrastructure components should integrate into a cohesive national infrastructure risk dashboard. A governance approach is proposed to enable an effective inter-domain relationship between the national security authority and infrastructure providers, and we consider the way in which regulatory compliance and risk management should interact. Challenges to its adoption in the Gulf Region are discussed.

12:00 10A: Techniques to Achieve Effective Real-time Risk Aggregation Speaker(s): Hugh Walcott, Paul Tuck

Hugh Walcott

Director & CTO, StrataMap (New Zealand)

Hugh is co-founder and CTO of StrataMap, an online platform for enterprise architecture and system modelling used by the government, enterprises and cybersecurity service providers. Hugh started his career as an electronics engineer before moving to ICT via the start-up labs of Cambridge UK. Highlights include performing the first ever internet e-cash transaction in 1998 and lead architect on the world’s largest real-time system (mega-city adaptive traffic management system).

Paul Tuck

Director, Help4Security Limited (UK)

Paul is a cyber security and risk consultant with over 22 years in security leadership positions managing both operational and programme teams across cyber security and network functions. Paul started his career in IT operations before specialising in IT security and business resilience. Paul has worked on and managed large cyber security transformation programmes within financial services, travel and real estate sectors.

Security is the #1 issue facing CIOs in 2020*, yet the approach to security governance is based on incomplete data, uses outdated methods and is not keeping up with the volume, pace, and complexity of change.

In this session we will be discussing the different approaches to reporting aggregated risks for executives, starting off with a traditional enterprise risk management approach using spreadsheets.

Not helped by the fact that all security teams world-wide are under-resourced, we will demonstrate that any attempt to use traditional enterprise risk management practices at scale quickly becomes overloaded, stalling strategic investments.

By exploring the inefficiencies of the traditional approach, we next demonstrate how to model an organisation’s risk context to create a common enterprise risk ontology. Knowing that every service, supplier and system will have its own risk profile, the ontology ensures risks are captured and rated in a consistent and robust manner.

The challenge comes when you are required to report aggregated risks for the purpose of guiding strategic investment decisions. In this case several systems, vendors or services may be impacted by a proposed change. To complicate things further the landscape is in a constant state of change, requiring comparative analysis of both current and target state risks from multiple sources.

Fortunately, once the risk landscape is modelled there are several ways to automate the aggregation of risks in real-time. We will present a few risk algorithms available and discuss the pros and cons of each from both the executive and security practitioner perspectives.

Finally, we provide a real-world example (and live demonstration) of an enterprise risk ontology, showing how it can be used to aggregate risks and update executive-level risk reports in real-time.
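
A compact illustration of the roll-up problem described in this abstract, written as an added example (not the speakers' code, and not the StrataMap platform): a dependency graph in which only systems and suppliers carry likelihood and impact ratings, three aggregation algorithms with different blind spots, and a current-versus-target comparison for a planned remediation. The node names, the 1-5 rating scale, the appetite threshold of 10 and all ratings are constructed assumptions.

```python
"""Rolling up modelled risks along an enterprise dependency graph.

Added example, not code from the session or from StrataMap. Node names,
rating scale and rating values are constructed for illustration.
"""
import copy
from statistics import mean


class RiskModel:
    """Capabilities, services, systems and suppliers are nodes; an edge says
    which node supports which. Only leaf nodes (systems, suppliers) carry a
    1-5 likelihood and 1-5 impact rating; everything above them is derived."""

    def __init__(self):
        self.ratings = {}    # leaf name -> (likelihood, impact)
        self.children = {}   # node name -> set of nodes that support it

    def add_node(self, name):
        self.children.setdefault(name, set())

    def rate(self, name, likelihood, impact):
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError("ratings use the 1-5 scale")
        self.add_node(name)
        self.ratings[name] = (likelihood, impact)

    def supports(self, child, parent):
        self.add_node(child)
        self.add_node(parent)
        self.children[parent].add(child)

    def leaves(self, node):
        """Leaf nodes under `node`, as a set so a shared system counts once."""
        found, seen, stack = set(), set(), [node]
        while stack:
            current = stack.pop()
            if current in seen:          # also guards against cycles
                continue
            seen.add(current)
            kids = self.children.get(current, set())
            if kids:
                stack.extend(kids)
            else:
                found.add(current)
        return found

    def score(self, leaf):
        if leaf not in self.ratings:
            raise KeyError(f"{leaf!r} has no rating and nothing supports it")
        likelihood, impact = self.ratings[leaf]
        return likelihood * impact       # 1..25

    def aggregate(self, node, method="max", appetite=10):
        """Three common roll-ups. 'max' shows the worst exposure but hides breadth;
        'mean' shows breadth but averages away the worst case; 'breaches' counts
        leaves above the stated appetite and is the easiest for executives to act on."""
        scores = [self.score(leaf) for leaf in self.leaves(node)]
        if method == "max":
            return max(scores)
        if method == "mean":
            return mean(scores)
        if method == "breaches":
            return sum(1 for s in scores if s > appetite)
        raise ValueError(f"unknown method {method!r}")

    def what_if(self, changes):
        """Target-state copy with some leaf ratings changed; the current state is untouched."""
        target = copy.deepcopy(self)
        for name, (likelihood, impact) in changes.items():
            target.rate(name, likelihood, impact)
        return target


def compare(current, target, nodes, method="max", appetite=10):
    """(current, target) value per reported node, for side-by-side executive reporting."""
    return {n: (current.aggregate(n, method, appetite),
                target.aggregate(n, method, appetite)) for n in nodes}


def build_sample_model():
    """Constructed sample: one capability, two services, four systems, one supplier."""
    m = RiskModel()
    for leaf, rating in {"API Gateway": (3, 4), "Fraud Engine": (2, 3),
                         "CDN Vendor": (2, 2), "HSM Cluster": (1, 5),
                         "Token Service": (4, 5)}.items():
        m.rate(leaf, *rating)
    for child in ("API Gateway", "Fraud Engine", "CDN Vendor"):
        m.supports(child, "Payment Gateway")
    for child in ("HSM Cluster", "Token Service"):
        m.supports(child, "Card Vault")
    m.supports("Payment Gateway", "Customer Payments")
    m.supports("Card Vault", "Customer Payments")
    return m


if __name__ == "__main__":
    current = build_sample_model()
    target = current.what_if({"Token Service": (2, 5)})   # planned remediation
    for method in ("max", "mean", "breaches"):
        print(method, compare(current, target, ["Customer Payments"], method))
```

Because ratings live only on leaves and everything else is recomputed on read, a change to one system or supplier is reflected in every capability it supports without anyone re-keying a spreadsheet, which is the property that makes near-real-time aggregation possible; the `leaves` set also stops a system shared by two services from being double-counted.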

12:00 10B: Internet of Intelligent Things: Preventing the Attack of the Refrigerators Speaker(s): Siân John MBE, Diana Kelley

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

Diana Kelley

Field CTO, Microsoft (USA)

Diana Kelley is the Cybersecurity Field Chief Technology Officer for Microsoft where she provides guidance to C-level executives at large, global companies. She is a Faculty Member with IANS Research, an Industry Mentor at the CyberSecurity Factory and a Guest Lecturer at Boston College’s Master of Science in Cybersecurity program. Previously, she was the Global Executive Security Advisor at IBM Security and a GM at Symantec.

If IoT and Operational Technology (OT) are combining in Industrial IoT and OT is the hardware and software that control the processes of much of our critical national infrastructure, then how do we protect our families and our societies from attackers that do not have our best interests at heart?  In the light of the recent Ekans malware attack (https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/ Feb 2020), how do we begin to broach the great divide – that between IT and OT system operators – in a world of internet connected everything, deep fake videos, massive disinformation campaigns and the potential catastrophic outcomes of compromise of safety systems? This talk will delve into some of the case studies of OT compromise, their key lessons and how we can potentially use the lessons from responding to attacks in the IT world in a way that makes sense in the OT. During the discussion, we’ll outline the 7 properties of highly secure devices (https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf) and discuss the pros and cons of moving from preventative to reactive systems.

13:00 - 14:00 Lunch

14:00 11S: Quantifying Risk in Security Models Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and is developing a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018, COSAC 2019 and COSAC APAC 2019. Steven has authored a paper for The SABSA Institute on the topic of security modelling with ArchiMate which is now being developed via a joint SABSA Institute / Open Group Working Group.

Since introducing a practical security overlay for ArchiMate at COSAC 2018, we have made good progress in developing this approach, documenting it as a SABSA Institute White Paper and establishing it as SABSA community-contributed resource, endorsed by The Open Group.

Of the many possible analyses that this approach appears to make possible, the automation of context-aware quantitative risk analysis is perhaps the most exciting.

For COSAC 2020, we will take a deep dive into how this might be made possible. Going beyond the brief treatment of risk that was possible in the aforementioned paper, this session will introduce Open FAIR (an emerging quantitative risk calculation method that is receiving a lot of attention) and show how FAIR calculations can be embedded in ArchiMate security models.

The value to the conference, especially those already familiar with the approach from COSAC 18/19 or the White Paper, will be a renewed interest in quantitative methods of risk calculation and a practical means of building them into security models.

As always, this will be original content, being presented for the first time.
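
For readers new to the method, here is an added example (not the speaker's code, nor anything from the White Paper or The Open Group) of the calculation the abstract refers to: a single loss scenario attached to a named model element, with Threat Event Frequency, Vulnerability and Loss Magnitude each given as a calibrated minimum / most-likely / maximum estimate, and the annualised loss sampled by Monte Carlo alongside the closed-form point estimate. The element name, the estimate values, the triangular sampling shape and the assumption that the three factors are independent are all assumptions of this example, not of the session.

```python
"""Open FAIR style Monte Carlo estimate for one loss scenario.

Added example, not code from the session, the White Paper or The Open Group.
The scenario values and the element name are constructed."""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated range: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError("need low <= mode <= high")

    def sample(self, rng):
        # Triangular is the simplest distribution that honours all three points (assumption).
        return rng.triangular(self.low, self.high, self.mode)

    @property
    def expected(self):
        return (self.low + self.mode + self.high) / 3.0   # mean of a triangular distribution


@dataclass(frozen=True)
class Scenario:
    element: str                 # model element the risk hangs off (e.g. an ArchiMate node name)
    tef: Estimate                # Threat Event Frequency, events per year
    vulnerability: Estimate      # probability a threat event becomes a loss event, 0..1
    loss_magnitude: Estimate     # loss per loss event, currency units

    def __post_init__(self):
        if self.vulnerability.low < 0.0 or self.vulnerability.high > 1.0:
            raise ValueError("vulnerability is a probability")


def expected_annual_loss(s):
    """Closed-form point estimate E[TEF] * E[Vuln] * E[LM]; factors assumed independent."""
    return s.tef.expected * s.vulnerability.expected * s.loss_magnitude.expected


def simulate(s, iterations=20000, seed=7):
    """Sample the FAIR tree: LEF = TEF * Vulnerability, annual loss = LEF * LM.
    Returns the mean and three percentiles so a report shows a range, not one number."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)   # Loss Event Frequency
        annual.append(lef * s.loss_magnitude.sample(rng))
    annual.sort()

    def pick(q):
        return annual[int(round(q * (len(annual) - 1)))]

    return {"element": s.element, "mean": mean(annual),
            "p10": pick(0.10), "p50": pick(0.50), "p90": pick(0.90)}


# Constructed scenario for a hypothetical model element.
SAMPLE = Scenario(
    element="Customer Database Server",
    tef=Estimate(0.5, 2.0, 6.0),
    vulnerability=Estimate(0.05, 0.20, 0.50),
    loss_magnitude=Estimate(20_000, 150_000, 900_000),
)

if __name__ == "__main__":
    print("point estimate:", round(expected_annual_loss(SAMPLE)))
    print("simulated:", simulate(SAMPLE))
```

The point estimate is what a spreadsheet cell would hold; the percentiles are what the simulation adds. Because the product of three right-skewed estimates is itself strongly right-skewed, the median sits well below the mean, and reporting only the mean overstates the typical year while understating the bad one. In a model-driven setup the `element` field is where the scenario would be keyed to the architecture object that carries it.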

14:00 11A: The Demise of the Cybersecurity Workforce (!?) Speaker(s): G. Mark Hardy

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics and a Master's in Business Administration.

Our career has been growing like crazy with an estimated 3.5 million unfilled cyber security jobs within the next few years. More certs, more quals, more money, right? But what if we’re wrong? AI, outsourcing, and visa programs may put a huge downward pressure on future job opportunities (and pay) in Europe and North America. Of course, we don’t WANT this but shouldn’t a wise professional prepare for possibilities? We’ll look at facts, figures, industry trends, and possible futures that might have us thinking that 2020 was “the good old days.” No gloom-and-doom here; just a risk-based look at what happens if we really can NOT get the talent regardless of price, and why financial incentives haven't effectively raised the ability level of our cybersecurity workforce. Not just speculation but tons of research.

14:00 11B: Critical Destructive Cyber Incidents Speaker(s): Rosanna Kurrer, Patrick Wheeler

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars to corporates and individuals (e.g. BNP Paribas, Salesforce.com, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.

Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now as a naturalized Belgian he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas) specializing in security, compliance and innovation with rubric of ‘Cybrepreneurship’ which he defines as including opportunistic...

Cyberwar is Pervasive: We are all potentially ‘collateral damage’ in the on-going cyberwar/influence operations of nation state actors (Maersk incident); in a hyperconnected world everyone is ‘within reach’.

Cybercrime is Industrialised: Crypto-extortion has proven itself a viable and sustainable business model (Multiple Municipalities, Coveware).

Lessons drawn from world-class professional incident and extortion handling techniques in police, nation-state and NGO contexts, and with a humanistic perspective (book reference: Anja Shortland’s “Kidnap: Inside the Ransom Business”). No-one ever wishes to enrich criminals, and everyone wishes them to be placed well behind bars.

Inspired by our Financial Sector Major Client's (>4Bio turnover) Experiences: Corporates experience significant hardship when hit with cyber-extortion attempts. Every indication is this will grow worse. Clients’ inability to gain support and ‘sympathy’ from their usual partners (Banks, IT Service Providers, Police, Government CSIRT and Consultancies) is endemic and toxic. The typical response “Never Pay Ransom” does not support clients in their time of need. We invited three gentlemen recently retired from Global Police forces (Canada, Netherlands/United Nations, Israel) to Brussels, Luxembourg and London to explore this.

Here we examine thorny issues:

- Critically Destructive Cyber Incident Response

- Seeing this Empathetically from the Attacker and Business Executive and Personal Role.

- False Ransom / Dead Body Exchanges

- What About Insurance?

- Fraudulent Decrypter Services!

- Not Only Enabling Criminals to Profit from Crime, but Potentially Funding Terrorism

- Banks and FS, Anti-Money Laundering, KYC, ATF

- Corporate vs Personal Incidents

We end this exploration in the Luxembourg Cyber Incident Simulator Room 42, when faced with a multi-pronged live immersive simulation, an inexperienced team under the tutelage of master Incident Handlers and Negotiators: “No-one has ever handled the scenarios like your team did. No matter what I did, you did not respond the way anyone else ever did. I could not control the situation. No-one, ever, did what you did…” Former French Military Lieutenant, Cyber Incident Simulator ‘Attacker’.

We did not pay the ransom (but we may have lost a person).

Look Where You Are Going: We may not wish to be going here. Cyber Extortion is bad. Cyber-induced Critical Incidents as a Business-Halting experience are not what our ‘exciting digital future’ promised us. But in the near and mid-term ransomware, cyber extortion and Critical Cyber Incidents are going to become the new norm. To ignore or simply wait is insupportable and invites the worst-case scenario. To prepare our individual Operational Security, to build our Vauban Citadel a little bit higher and thicker, is the conventional response. Some argue we can build our walls a little bit ‘smarter.’ Those with larger budgets are already building Smarter, Higher and Thicker, and it is still not enough. But perhaps most importantly, the lesson from our new friends and very interesting gentlemen: “Be Prepared and Engage. And have friends!”

15:10 12S: Feed me More, Seymour – Freeing Your Risk Appetite Speaker(s): Martin Hopkins, Jaco Jacobs

Martin Hopkins

Vice President, Aon (UK)

Martin is a Vice President at Aon's Cyber Solutions Group. He has over 25 years' experience in technology, primarily in security related fields. In between delivering consultancy he leads security research and solutions innovation with a current focus on security architecture and advisory. He is a strong advocate of business driven security, security architecture and secure software development practices.

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Last year we talked about how and where to find your risk appetite. Now we’re back to go full immersion and explore risk appetite throughout the SABSA risk management framework. Can we define any reusable patterns or models? How can we reassess the organization’s appetite, apply a changing risk appetite to our existing risks, use our appetite to drive tactics and business decisions?

Join us to ask, and answer, the difficult questions of transforming your risk management into something more dynamic and business enabling than managing a risk register.

15:10 12A: Building Diverse Security Teams? Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I have been an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

“Everyone should learn how to program because it teaches us a new way to think about the world” - Steve Jobs

We find ourselves in a global environment, with a tightly connected global workforce, and a shortage of diverse talent in the tech sector. Teams with a diverse set of backgrounds, cultures, life experiences, skills and talents improve the quality of business decisions and help protect organisations from group-think. Having a diverse workforce also reflects the diversity of the marketplace, making it easier to engage more effectively with a wider talent base and extended customer base.

The term ‘diversity’ is often used when the term ‘inequality’ is intended, and we therefore risk sanitizing ‘inequality’ with ‘diversity’ as a result. It is easy to see why the two terms are used interchangeably, given that the grounds for discrimination are similar to the characteristics of diversity. Where equality is about fairness and transparency, diversity is about embracing and valuing difference.

To address historical inequality, ‘quotas’ were often applied. However, quotas can damage meritocracy and fail to address the issue of implicit bias - where committees/individuals charged with the role of recruitment, promotion and performance evaluation typically tended to select people that looked like them, acted like them, talked like them, had similar backgrounds etc. These biases are different from known biases that individuals may choose to conceal for the purposes of social and/or political correctness. Implicit biases are not accessible through introspection and we rarely recognise our own implicit bias - thus the rules for ‘equality’ can lack transparency for work recognition, recruitment and promotion etc.

This is where diversity programs have the potential to bridge a gap.

To encourage diversity in the workforce, we need to consider a starting point. The key to diversity is to understand how different types of diversity and different demographic characteristics can impact human behaviour. This presentation explores some key characteristics of diversity, and outlines several positive and constructive steps that organisations (and society) can take to encourage diversity and equality in the workforce and outlines the potential benefits of such steps. We pay particular attention to gender diversity and explore recent pan-European studies that identified factors that influence different genders into selecting tech as a career.

Key learning outcomes from this presentation are:

- Understanding the differences between diversity and equality

- Understanding the impact of diversity on employees, products, services etc

- Understanding the challenges of building diversity into our teams

- Understanding strategies to address implicit/unconscious bias

Audience: Senior roles involved in managing security and/or privacy teams: CIOs, CISOs, CROs, CPOs, Team Leaders and anyone involved in the recruitment of security or privacy teams.

15:10 12B: Automatically Identifying System Vulnerabilities, Weaknesses & Common Attack Patterns Speaker(s): Phil Bridgham

Phil Bridgham

Principal Investigator, Northrop Grumman (USA)

Dr. Phillip Bridgham is a Cyber Architect and researcher for Northrop Grumman and applies AI, Machine Learning, and Information Fusion techniques to achieve advanced automation and risk management. Dr. Bridgham brings 25 years of software engineering and technical leadership experience across a wide range of industries, including: Aerospace, Industrial Controls, Robotics, Banking and Finance, Medical Devices, Fraud Detection, Risk Analysis, and more.

This session demonstrates and explains, to a non-technical audience, how three complementary data management techniques help to automatically identify system vulnerabilities, weaknesses, and common attack patterns. A comparison of the trade-offs of using relational, graph, and semantic ontological data stores is presented through real, working examples. These complementary technologies are demonstrated and explained in non-technical terms to provide a broad audience with the opportunity to learn about the value propositions and trade-offs of each technique.

A relational database demonstration will highlight achieving the speed and performance required for querying and retrieving large and complex data sets. A graph database is then demonstrated to showcase the power of specifying graph structures and relationships to quickly and intuitively extract patterns of interest, such as vulnerabilities and weaknesses related to system elements. Finally, a semantic ontology is demonstrated as state-of-the-art knowledge generation through inference, where system elements are automatically classified into technology domains.

16:10 - 16:30 Afternoon Tea

16:30 13S: Zero Trust Architecture Speaker(s): John Sherwood

John Sherwood

Chief Architect, The SABSA Institute (UK)

John Sherwood is the Chief Architect at The SABSA Institute. He is the originator of the SABSA methodology, and the lead author of the SABSA Blue Book. He has published many articles on the emerging art and science of cyber security and is a provocative and outspoken thought leader in this area. John has 48 years of experience as an information-systems professional. John was recently honoured by ISC2 with the Harold F. Tipton award for lifetime achievement in the industry.

ZTA is an old concept, although its wide adoption as a design pattern of choice is relatively recent. Back in the 1990s the network vendor community corrupted security architecture thinking by offering technologies such as IPSec as the solution to application security architecture. It has taken until now for that corrupted thinking to be shifted, driven by the emergence of native cloud services, SOA and bundles of microservices as the architecture for applications infrastructure.

The vendor community has been trying hard to catch up with this shift, inventing and reinventing solution approaches to reuse their existing technology, but with little success. Meanwhile there is a community of forward-thinking CSOs that have been developing ZTA patterns to fit their corporate infrastructure and deliver the benefits of ZTA in the real world. It has not been without its challenges, and many challenges remain to be met in this fast-changing area of business IT. Above all, solutions have to be practical and manageable, and while the vendors struggle to develop off-the-shelf products, these so far fail to meet many of the business needs.

This presentation will offer a unique up-to-date review of ZTA, its art and science and the current thinking on how to achieve the concept. It will be of great value to anyone working on developing ZTA in their corporate environment, with an opportunity to share experiences under Chatham House rules. This is an advanced architecture session, suitable for both experienced architects and those new to the area – something for all levels. The approach will be to present advanced materials and encourage debate. It is timely in that the industry is finally coming to some consensus on how to achieve ZTA after a couple of years of research and development. You will take away a clear understanding of the issues and the solution approaches, with a road map of where this important architectural stream is going into the future.

16:30 13A: Where is My Mind? (unabridged) Speaker(s): Chris Blunt, Simon Harvey

Chris Blunt

Security Architect, Aflac NI

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.
Simon Harvey

Enterprise Architect – Information Security, UnitingCare Queensland (Australia)

Simon is a Security Professional with 20+ years of Security-related Academic Research, Business & Management experience. He is currently an Enterprise Security Architect at a large financial services organisation; and is trying - slowly - to overcome his natural shyness by becoming more involved within the local InfoSec community. In addition to being extremely late at submitting his SABSA Advanced exam, he has been part of the organising team for AISA's BrisSec Conference since 2017.

Mental health is becoming one of the most significant issues in our society, and the information security industry is no exception. Our industry often attracts people with certain personality traits or attributes, including being technical, analytical, obsessive, dedicated, perfectionist, curious, dogmatic and unempathetic. This can lead to us being labelled nerds and geeks, labels that others use to dehumanise us.

But we are all human. We work in high-stress environments, and pressure is placed upon us by ourselves, our colleagues and our employers to perform with unrealistic budgets, team sizes and timeframes. This can be unhealthy at best, but downright dangerous at worst. Mix this with the regular ups and downs we all experience in life and it is no wonder that many people in our industry suffer from poor mental health.

In this session, we will shed light on this taboo topic to raise awareness and help end the stigma that is often attached to conditions such as anxiety, depression, and bipolar disorder. We will use a combination of medical facts and our personal stories to humanise a topic that is still treated in a very inhumane way.

We will also present and discuss some of the:

- most common mental health conditions

- early warning signs that someone is not okay

- basic approaches you can take when dealing with someone who is not okay

- resources available to help you and your organisation help people that are suffering from poor mental health

Our objective is to have a conversation about how we can identify, support and help each other when our mental health is compromised and to determine how we can practically support each other at the community level.

16:30 13B: The Kill-chain in Practice: 2020 and Stories from the Trenches Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

Microsoft – the world’s second most attacked entity on the planet, or a victim of ego and paranoia? Let’s look at some numbers: we analyse 8.2 trillion signals for signs of malicious activity per day; we see 300 million fraudulent sign-in attempts targeting Microsoft cloud services per day; and we block more than 5 billion distinct malware threats per month. Industry-wide, hackers attack every 39 seconds, on average 2,244 times a day, and the average time to identify a breach in 2019 was 206 days. Is sleep an option for security professionals? Come along to this session to hear about attackers in the wild and how we at Microsoft protect ourselves and our customers while getting much-needed beauty sleep.

Plenary Session

17:45 14P: The COSAC Rump Session Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

The COSAC "rump" has for many years been a hugely popular plenary session at COSAC. The Rump is an informal rapid-fire session in which participants give very short presentations on recent results, work in progress, and any other topic of interest to the COSAC community.

Presentations may be purely technical, entirely management oriented in nature, or of any combination of approaches or perspectives. Those wishing to give a talk at the rump session must submit a short abstract, no more than one page long, according to one of the following procedures:

- Electronic submission: Send email to the rump session chair David Lynas at [email protected]

- Hardcopy submission at conference: Hand the submission to David Lynas at the conference before noon on Wednesday 30th September.

Submissions should include a requested amount of time for the presentation. An anticipated absolute maximum of four minutes will be allocated for each presentation.

Networking & Dinner

19:30 Drinks Reception
20:00 Dinner

Thursday 1st October 2020

09:00 - 09:30 Delegate Registration & Coffee

09:30 15S: From an Inside-out View to an Outside only View: the Security Architect Profession after 2 years of Sabbatical. Speaker(s): Marc Verboven

Marc Verboven

Security Architect, ING (Belgium)

Marc Verboven is an experienced IT Security Architect with over 30 years of experience. After working for Dow Chemical, IBM and startups in Belgium, always in the area of IT Security, he joined ING Belgium in 2003. Since then he has mainly worked on projects in the area of Retail & Commercial Banking Channels, acting both as a security and an application architect. Since 2006 Marc has been a member of the Enterprise Architecture group of ING, with a continued focus on the area of Risk & Security.

This talk is about the experience and lessons learned of a seasoned and highly qualified enterprise security architect after being put on hold by the organization to which you have devoted so much of your creative energy.

In the spirit of COSAC, the talk will be highly interactive, challenging both the audience and the speaker, by walking through the rollercoaster of emotions and ideas that you go through when you are more or less forced into ‘early retirement’. The goal is not to tell a negative story but to give valuable insight and reflections on what happens to you when you no longer have an outlet for your professional creativity as a security professional.

Some of the topics that will be put forward are:

- What is your real value for the company, and why did the company hire you in the first place?

- Should you try to find a comparable function in another company, or try to reuse your experience in a completely different domain; maybe really make the world more secure & safe?

09:30 15A: Dealing with BS: Adversity and the Security Practitioner Speaker(s): William Schultz

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

Let’s face it, things don’t always go the way we plan. Being a security practitioner is difficult enough with the constant evolution of threats and attackers, and an ever-changing IT landscape. It also doesn’t help that there are so many other ways that things can go wrong. Budget cuts, personnel changes, organizational changes, competing agendas, simple miscommunications. Shit happens. We also deal with other challenges like figuring out where to start, getting organizational buy-in, training up teams, and working with others who are involved in or control other parts of the process. These are a few examples of the adversity that we face, and that as security professionals we must be prepared and able to deal with if we want to be successful. In this session we will discuss strategies for coping when things don’t go as planned. We will discuss several real scenarios, including what worked and what didn’t, and we will engage as a group to discuss other approaches and experiences.

09:30 15B: Digital Twins – Architecture and Security Implications Speaker(s): Hugh Boyes

Hugh Boyes

Principal Engineer, University of Warwick (UK)

Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and holds the CISSP. He divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is a Member of the Register of Security Engineers and Specialists (RSES).

The concept of creating a digital twin of a cyber-physical entity is gaining considerable coverage, with significant hype regarding the potential benefits a digital twin can offer. This session will explore the concept and history of digital “twins”. They are not as new or novel as the media coverage suggests. However, Gartner reports that leading digital governments are exploring the concept of digital twins at the whole-of-government level.

This session will examine the information and architecture issues relating to the creation of a digital twin and the prerequisites for ensuring that, in implementing the digital twin, there is close alignment with the reality of the physical twin’s behaviour. It will also discuss the privacy and security implications that arise from the creation and use of digital twins that are connected to operational assets. The session will conclude by identifying a set of criteria for establishing the trustworthiness of a digital twin in comparison with the real thing.

10:20 16S: The Challenges of Cybersecurity Challenges Speaker(s): Andrew S. Townley

Andrew S. Townley

Founder & CEO, Archistry (South Africa)

Andrew is an international speaker, published author and thought leader on business execution, security, risk and technology who has extensive practical, hands-on experience working in the US, Europe, Middle East, Africa and Brazil. His Enterprise and Security Architecture experience includes leading SABSA adoption organizational change initiatives for Fortune Global 300 customers and is built on not only SABSA certification but personal mentoring by two of SABSA’s principal authors.

Every year, everyone in the cybersecurity industry goes crazy postulating the “next big issues” everyone needs to look out for in the coming year. And it’s all backed by survey data…

…and it’s all presented with sexy materials, charts and graphs...

…and it basically ends up telling us exactly the same thing. Year. After. Year.

What I want to explore in this session is why this happens. What is it that we’re doing (or not doing) that causes “the basics” like Identity & Access, Data Loss and Cybersecurity skills/Awareness to top the list for YEARS?

Either we’re a) fundamentally incompetent as an industry, or b) we just haven’t figured out the right way to look at the problem.

What we’ll do in this hybrid session is the following:

Part 1 will frame the issues, looking at some “top trends” over the last few years to highlight the fundamental drivers of what we’re worried about.

Part 2 will be an open discussion on what might be causing this, what we’re doing wrong, and some ways we might fix it.

Part 3 will be some SABSA-based ideas, grounded in the fundamental theory of domains, that will possibly give us a new perspective to actually solve these problems instead of just hand-wringing about them on surveys year after year…after year…after year.

10:20 16A: Wisdom of Insecurity – Thinking out of the Box of Security – a Way to Do Security Better? Speaker(s): Helvi Salminen

Helvi Salminen

Security Advisor (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years’ experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is qualified CISA, CISSP & SABSA and was named CISO of the Year in Finland in 2014.

We are used to looking at security through the lenses of rules and discipline. This is often useful – even necessary – and we find solutions to many problems in this way. However, purely rule-based security is no longer sufficient for a business that operates in an increasingly complex technical reality and a rapidly changing society.

Our methods, standards, guidebooks and countless rules prepare us to resolve known problems – to answer the questions they were designed to answer. But if we rigidly stick to the predefined rules we don’t develop the capability to understand issues that are not included in our recipe books.

This session is designed to discuss the limits of the applicability of a standards- and rule-based way of doing security. What do we miss when limiting our thinking to this type of approach? What can we learn from other areas of knowledge – e.g. social psychology and philosophy – and how can we apply this knowledge in our security work? How can, for instance, the principles of creative idleness and reversed effort help us to resolve complex problems better?

Welcome to the adventurous journey which is inspired by thinkers whom we usually don’t see in the context of security. Alan Watts says that it is only by acknowledging what we do not—and cannot—know that we can learn anything truly worth knowing. Aldous Huxley states that the harder we try with our conscious will to do something, the less we shall succeed. Proficiency and results come only to those who have learned the paradoxical art of doing and not doing, or combining relaxation with activity. With the concept of creative idleness Domenico De Masi embeds elements of pleasure to the hardness of duty. And many others help us to get out of the box.

Also in security.

10:20 16B: Anchoring the Software Supply Chain: A Case Study Speaker(s): Mike Broome

Mike Broome

Senior Software Engineer, Tanium (USA)

Mike is a Senior Software Engineer at Tanium, developing large-scale enterprise IT security and IT operations software. He spent two decades in networking and low-level embedded software, including writing code for the fastest-ramping mid-range router at Cisco. After a stint in embedded industrial control systems, he has spent the past 5 years working on threat response and business application mapping solutions to help with visibility across enterprise solutions.

Last year, we discussed software supply chain vulnerabilities. This year, let’s go a step further and look at how one software company has tried to implement a software supply chain strategy.

It's not one size fits all, but by unpacking and examining this example from one specific company, we can find concepts that can be applied by anyone who is managing and trying to secure a software supply chain – and lessons for anyone who consumes software.

Questions for review will include:

- What was the motivation for this strategy?

- What are the tradeoffs?

- What has worked well vs. not so well?

- What impact has this had on the software developers?

- What impact has this had on the customers?

We will also talk about possible alternative strategies, as well as what steps your companies may have taken – either as creators or consumers of software.

This talk will be under Chatham House Rule.

11:05 - 11:25 Morning Coffee

11:25 17S: SABSA Open Forum - Part 1 Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

This open session covers SABSA, The SABSA Institute and the latest goings-on in the Enterprise Security Architecture world. If you want to support a SABSA Institute project or the Institute itself, this is the session to join. Meet the Board of Trustees and ask them anything. The Institute will also present an overview of current activities and initiatives.

We would like to discuss what you believe the future of SABSA and the SABSA Institute should be. Let us know what areas the SABSA Institute should focus on.

We propose the following agenda, and are completely open to adjusting it to the needs of the SABSA Institute Members:

- Meet the Board of Trustees

- Current Projects

- The future of TSI

- The future of SABSA

- Emerging topics for projects

11:25 17A: Entering the Friend Zone Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages an international team of security analysts for FedEx Express, owning and executing various GRC processes for FedEx International. Prior to FedEx, Karel held positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

Within every corporation, no matter how small or big, you will find people or departments that are outright hostile towards infosec. They oppose, challenge, criticize and will frustrate anything that infosec requires them to do. They tend to advocate that infosec does not understand the business, that our cyber security controls and policies are only there to entertain the auditors, and that they don’t need our help in securing their systems / departments: they know better than us.

Issues with these departments and people can be escalated through management and you may gain proper enforcement by having marching orders distributed from the top. However, this approach impacts your ability to execute quickly. It also has you relying on management for support and the successful execution of your agenda, while management would like to rely on you for this.

How do you win these people and departments over and gain their trust?

In this talk I will share proven tactics I use to overcome this very situation, and I hope you can share your experience as well. How do our teams go from animosity to the friend zone, building a partnership that enables us to support these departments and help them achieve their business objectives, while they support us in securing the enterprise?

11:25 17B: Penetration Testing: Doing the Job and Staying Out of Jail Speaker(s): John O'Leary

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

If you’re not doing it, someone else is doing it for you, and they’re not delivering final reports or checklists (though the final cost might be much higher). Even those innocent souls and naïve managers who haven’t yet been hit (or think they haven't been hit) have heard enough horror stories from us and their contemporaries that they're almost convinced that penetration testing is a necessity. But they don’t know what effective penetration testing in 2020 requires and entails. They're uneasy about the concept, don’t really know where to start, and have no reality-based ideas about what to expect for an outcome. You, a grizzled veteran and COSAC delegate, know why and how and what to expect. But ransomware, spear phishing, nation-state hacking, massive breaches, IoT, GDPR, Big Data Analytics, cloud computing and BYOD, even coronavirus scams, have opened up new avenues for probing defenses. Calling on the experiences of COSAC delegates in the room, we’ll lay out some absolute rules for pen testing, analyze driving forces, examine realistic testing options, and pinpoint focus areas for testing. We’ll then identify pitfalls to avoid (e.g., going to jail) and finish with recommendations to help organizations get maximal return from this complex, expensive, but valuable, probably even mandatory security measure.

12:15 18S: SABSA Open Forum - Part 2 Speaker(s): Maurice Smit

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

This open session covers SABSA, The SABSA Institute and the latest goings-on in the Enterprise Security Architecture world. If you want to support a SABSA Institute project or the Institute itself, this is the session to join. Meet the Board of Trustees and ask them anything. The Institute will also present an overview of current activities and initiatives.

We would like to discuss what you believe the future of SABSA and the SABSA Institute should be. Let us know what areas the SABSA Institute should focus on.

We propose the following agenda, and are completely open to adjusting it to the needs of the SABSA Institute Members:

- Meet the Board of Trustees

- Current Projects

- The future of TSI

- The future of SABSA

- Emerging topics for projects

12:15 18A: Social Engineering in Healthcare Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Healthmap Solutions, Inc. (USA)

Kathleen Mullin CISSP, MLSE, CCSFP is an influential information security practitioner with more than 30 years of experience. She has been a CISO at various publicly traded, private, not-for-profit organizations, and governmental entities including HealthMap Solutions, WageWorks, Healthplan Services, Adventist Health, and Tampa Airport. She has a BSBA from St Joseph’s College Maine and an MBA from Florida Metropolitan University.

This presentation was originally to be given at HIMSS2020, which was canceled due to COVID-19. This discussion offers a perspective and invites other security professionals to help build a better framework for healthcare.

Malicious hacking using social engineering against healthcare has multiple goals; the most obvious ones are to steal money, data, or deliver ransomware. Healthcare systems are particularly susceptible because basic critical security controls are not in place within highly integrated systems. This presentation discusses how targets are selected, the delivery methods, and why social engineering is effective. Let’s discuss the effective methods to protect organizations and the options when social engineers succeed.

- Seasoned professionals recognize hackers’ motivations, why they are a threat and why they use social engineering, but this needs to be communicated to those in healthcare.

- Detect the common methods used by social engineers to victimize healthcare organizations.

- How do we assist those in healthcare to prepare for the impacts of malware including ransomware when they have limited funds and the manufacturers of their equipment provide it on obsolete operating systems?

- How do we construct a plan to reduce the likelihood of social engineers being successful using training, testing and technical controls?

12:15 18B: Ransomware Response - A Lawyer’s Perspective Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record of establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security and high-technology litigation and advisory across critical infrastructure, and is highly sought after as one of the world’s leading legal (cyber) experts.

Your company is hit with a ransomware attack. You have to decide whether to try to decode the bitlocker, rebuild the database, or pay the ransom. Who makes the decision? IT? CISO? Legal? Your insurance company? If you decide to pay, how do you do this as a practical matter? Are the costs of paying ransomware covered by insurance? What about the costs of NOT paying ransomware? Are you subject to criminal prosecution for the mere act of paying to release your funds? This session will focus on the legal and practical aspects of ransomware including violations of international sanctions, aiding and abetting terrorists or other criminals, operating as an unlicensed money transfer agent, money laundering and other KYC regulations, providing material support to criminal activities, and other potential liability sticking points.

13:00 - 14:00 Lunch

Workshop W1

14:00 Gamifying Security Architecture – A Board Game Perspective Speaker(s): Esther Schagen-van Luit, Roland Schagen-van Luit

Esther Schagen-van Luit

Specialist Security Architecture, Deloitte (Netherlands)

Esther is a Specialist in Security Architecture at Deloitte Cyber Risk Services. Her ambition is to be a Leading Lady In Cyber, who is the best in her craft (security architecture) and makes societal impact as a role model through making girls & women feel they (could) belong in world of cybersecurity. For her work on getting more women into Cyber, Esther has been awarded prizes and nominations such as the Cybersecurity Award, Techionista Award, VIVA400 and Change in Business Award.
Roland Schagen-van Luit

Junior Architect, ZJA Architecture (Netherlands)

Roland is a Junior Architect at ZJA Architecture. His focus on parametric design and fascination with 3D printing have led his portfolio to span architecture, graphic and jewelry design. A broad interest in systems and mathematics in general has sparked a desire to convey this thinking outside of parametric design, spreading from the design of buildings into the design of board games.

Security Architecture is a complex topic, yet we depend on being able to explain it simply, elegantly and effectively to our stakeholders. In the vein of gamifying many aspects of our life to make them more appealing, we believe that building a security architecture game may be an effective way of communicating the value and working of security architecture to a variety of audiences.

The session starts off by explaining the benefits of a security architecture game and of gamification in general. We will discuss the characteristics of what makes a good game and how these have informed us in designing a security architecture game. We then explain the rules of the game, and participants will have the majority of the session to playtest it. At the close of the session we gather observations and feedback from the participants to improve the game. After the conference all the printable game component files will be shared so COSAC attendees can reproduce the game and play it with their community and organisations.

Thursday afternoon workshop sessions tend to be challenging for both hosts and participants, as they already have 3.5 intensive days of COSAC behind them. The inspiration for this session was taken from the success of Chris Blunt’s COSACopoly game some years ago, where we once again seek to combine the informative (how to design a good game) with the pleasant (connecting through the power of play). This should make for an appropriately balanced and entertaining session to close the COSAC conference on a positive note.

Workshop W2

14:00 An Immersion in Securing the Digitally Transformed World Speaker(s): MZ Omarjee,

MZ Omarjee

Enterprise Security Architect, Standard Bank (South Africa)

Muhammed Zubair (Mz) Omarjee is an Enterprise Security Architect within the Group IT Plan function of Standard Bank Group South Africa. He is instrumental in defining the security technology strategy and plays a pivotal role in shaping the information security practice as a transformative, business-driven and risk-oriented discipline.

Siân John MBE

Chief Security Advisor, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

Diana Kelley

Field CTO, Microsoft (USA)

Diana Kelley is the Cybersecurity Field Chief Technology Officer for Microsoft where she provides guidance to C-level executives at large, global companies. She is a Faculty Member with IANS Research, an Industry Mentor at the CyberSecurity Factory and a Guest Lecturer at Boston College’s Master of Science in Cybersecurity program. Previously, she was the Global Executive Security Advisor at IBM Security and a GM at Symantec.

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

Part 1 - A Digital Transformation Immersion

The digital transformation immersion session is aimed at addressing the shift in thinking and providing a cursory overview of the concepts and competencies required to be relevant in the Digital Transformation age.

A synopsis of what the session will entail:

- The rationale for why we are doing Digital

- The thinking required for a Digital Transformation

- The disruptive business models at play for a Digital Transformation

- The organizational shift required for a Digital Transformation (some SABSA applied here)

- The technologies at play that enable a Digital Transformation

- Interactive practical activities and case studies on how to digitize something that’s highly physical and manual in nature.

Part 2 - Securing the Digitally Transformed World

As organisations go through digital transformation, cybersecurity practices need to evolve to keep up. This half-day session will explore some of the challenges and approaches to evolving security risk management to unlock the opportunity of digital transformation by managing and mitigating some of the threats.

Topics will include:

- Changing control and risk frameworks – and reporting on risk to support digital transformation

- Identity as a perimeter and Zero Trust Networks

- Forensics and threat hunting in the hybrid cloud world

- Incident response, triage and remediation.

- Securing the intelligent cloud and the intelligent edge – IoT, machine learning and hybrid cloud solutions

Workshop W3

14:00 Ask us anything: A Q&A session with a SABSA Master’s panel Speaker(s): Chris Blunt,

Chris Blunt

Security Architect, Aflac NI

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.

Maurice Smit

Principal Security Architect, David Lynas Consulting (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

William Schultz

Associate Director, Vanderbilt University Medical Centre (USA)

Bill Schultz is a practicing security architect who has worked in the Information Technology field for over 16 years, with the past 12 focused on Enterprise Architecture, Security Architecture, Risk Management, and Compliance. Bill has built security programs, risk management programs, and developed strategic organizational architectures and technical system architectures. Bill has led multiple risk management and security architecture initiatives.

In your security architecture quest, have you come across a question about how to use SABSA that seems to have no answer, or a challenge that seems insurmountable? Welcome to the club! Many good practical questions have an answer that ultimately resolves to the response "it depends". This is because most of the time it is true: the answer to your problem depends on the question you are trying to answer. However, there are often simple answers to complex questions that can be reached by simply following the methodology. The challenge is often in knowing which part of the methodology to use, and where to start from the situation you are in.

In this session attendees will be able to pose questions and challenges to a panel of people who have spent a significant amount of time and energy learning, teaching, and applying the SABSA methodology. Last year this session ran at COSAC and COSAC APAC; we covered a wide range of topics with a group that spanned a wide spectrum of experience, and it proved useful for all. Any SABSA Masters in attendance at COSAC will be welcome and encouraged to participate as they are available. Input from attendees will essentially build the agenda for the conversation, and we will attempt to cover as many topics and questions as possible. Of course, in the COSAC way there will be plenty of group debate and interaction, and no shortage of experts in the room. While we may not solve every problem, perhaps as a group we can find ways to overcome some of the challenges and questions that we face, and possibly begin to look at some of the new challenges heading our way.

Workshop W4

14:00 Sorting Through Artificial Intelligence Hype Speaker(s): Diana Kelley,

Diana Kelley

Field CTO, Microsoft (USA)

Diana Kelley is the Cybersecurity Field Chief Technology Officer for Microsoft where she provides guidance to C-level executives at large, global companies. She is a Faculty Member with IANS Research, an Industry Mentor at the CyberSecurity Factory and a Guest Lecturer at Boston College’s Master of Science in Cybersecurity program. Previously, she was the Global Executive Security Advisor at IBM Security and a GM at Symantec.

Lori Murray

Systems Engineer, Iowa State University (USA)

Lori Murray is a Senior Advanced 3 Information Assurance Systems Engineer, currently enrolled at Iowa State University as a PhD student studying Computer Engineering. She holds Master of Science degrees in Information Assurance and Business Analytics from Iowa State University, along with her CISSP. Lori has 15 years of experience in Systems Engineering as a Cyber Security SME, building security architecture from requirements definition through to design.

Char Sample

Chief Scientist Cybersecurity Cybercore, Idaho National Laboratory (USA)

Dr. Char Sample is Chief Scientist Cybersecurity at the Idaho National Laboratory and a research fellow with the University of Warwick, UK. Dr. Sample has over 20 years' experience in the information security industry. Most recently Dr. Sample has been advancing research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modelling cyber behaviours by culture; her other areas of research are information weaponization and complexity.

Security professionals are confronting the emergence of artificial intelligence (AI) in the security industry. There are many different topics within AI that intersect with security, and most discussions are either too high-level or so detail-oriented that the security professional has to work out the applicability to their own environment. This discussion opens with a general discussion of AI and machine learning (ML), defining the differences between the two. Next comes a discussion of how to spot vendor deception (snake oil) and the questions to ask vendors that will assist in architectural decision-making and planning.

The second section of the talk discusses the gaps between human learning and decision-making and machine learning and decision-making. This section describes the importance of data, classifiers, and the AI algorithms themselves. In this section of the talk we will discuss the ways in which manipulation can occur.

The third section shows examples using datasets that illustrate how the manipulations discussed in section 2 can be applied to some frequently encountered real-world examples. We will examine threat intelligence data and insider threat data. Both will be mapped to show the differences that can arise when data manipulation occurs.

Plenary Session

17:15 19P: Tony Sale Lecture: Living in a World of Covert Channels Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

On 24 February 2020 Terence Michael Whall was found guilty by a unanimous verdict of the murder of 74-year-old pensioner Gerald Corrigan, who was shot outside his rural home in Anglesey on Good Friday 2019.

Whall thought he had committed the perfect murder: there was no forensic evidence, no direct eyewitness to the shooting, and no one saw him travelling to and from the murder scene.

During the trial the jury heard evidence of telematics data provided by Jaguar Land Rover showing the location of a suspect vehicle the day before, when Whall was reconnoitring the scene of the crime, and the boot being opened at 23:11:04 and closed 39 seconds later when he removed the murder weapon.

Evidence provided by Sky proved that Mr Corrigan's satellite TV system was present at 00:08 at his home on the night he was murdered; at 00:28 he stopped a pre-recorded programme, and the satellite signal was no longer present. When he went outside to investigate the problem, he was shot dead.

Again, telematics provided valuable evidence of vehicle movement, the opening and closing of the boot following the murder and Whall making his escape from the scene.

It is a credit to the hard work of those prosecuting this case that they were able to retrieve a body of critical evidence and present it clearly to the jury during the five-week trial.

To many people it was a revelation that such levels of technical data were routinely transmitted to third-party companies without their understanding of the full scale of the activity.

In this talk we will focus on how this example is only one of many instances of such data transfers. In new work we will detail how malicious actors might take advantage of an emerging standardised environment for vehicle-to-vehicle and vehicle-to-infrastructure communications to undermine efforts to monitor their activities.

THIS SESSION WILL REQUIRE DELEGATES TO COMPLETE A FULL NDA.

Conference Close

18:15 Conference Close - COSAC Chairman Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.