
Welcome to COSAC - Conferencing the way it should be!

Due to the ongoing global pandemic, COSAC 2021 will be held virtually. View the agenda for all three days below to gain an insight into the value COSAC provides for experienced information security practitioners.


Tuesday 28th September 2021

(ALL TIMES BST)

Chairman's Welcome

09:00 COSAC 2021 Welcome & Introduction Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world’s leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

09:20 - 09:40 BREAK

09:40 A1: The Quantum Conundrum Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages an international team of security analysts for FedEx Express, owning and executing various GRC processes for FedEx International. Prior to FedEx, Karel fulfilled positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

Quantum technology is coming. It is expected, or even known, that it will break several security technologies that are currently essential to securing our business operations.

The threat hasn’t materialized yet, but when it does, it might not leave us a lot of time to respond. So how do you prepare for something that:

  1. You do not fully understand;
  2. You do not know the full impact of;
  3. You do not know when it becomes reality.

If you wait for the risk to materialize you might be too late to the party.

This talk will not be on how quantum works, but on its predicted impact and how you can start planning mitigation now. In this interactive session we will discuss several quantum scenarios, analyse them and discuss which preparations will give you a head start when the threat materializes. We will discuss what can be done when and how your current cyber risk posture will benefit from these measures. Starting our very own quantum playbook now, and in doing so solving current day issues, whilst preparing for the future.

09:40 B1: Cloud Governance Turf Wars Speaker(s): Jim de Haas

Jim de Haas

Cloud Security Wizard, ABN AMRO Bank – Global Security Office (Netherlands)

With 15+ years in information security, Jim de Haas has experience in a wide range of security topics like physical security and IT security. For the past eight years he has worked for ABN AMRO in the global security office. He is specialised in cloud computing security and is former secretary of the ABN AMRO cloud governance body. He is currently engaged as a security engineer in the bank's AWS team.

When a large organisation adopts cloud computing it goes through several learning curves. Especially when during this journey a transformation towards a devops way of working is implemented. It goes through multiple growth stages. The latest stage can be characterised as one with turf wars. Not sure what will happen after that, because that is something the future will bring. A true story that reads like an Asterix and Obelix comic book.

I will tell a story of an organisation adopting both AWS and Azure cloud and, while doing so, drastically changing its IT strategy. As the years go by, more managers learn about cloud computing and consider themselves to be responsible for governing it, imposing their (non cloud native) way of working on others. This leads to a debate and strong difference of opinion on going cloud native or not. Going back to Asterix and Obelix, as you turn the pages in a book, our main characters struggle with the ‘give trust’ concept of devops and how it relates to the organisation's culture. Culture, as an aspect, has a huge influence on how security is adopted within organisations. The battle continues as they address topics like secrets management, HPA management, security monitoring and release of services to devops teams. More characters from Asterix and Obelix are mentioned because they perfectly fit the story.

Is sticking to a more theoretical model for cloud governance (Arcitura) a way forward? How to move on beyond the turf wars of cloud computing governance? Does looking at it from an Organisation Sociology background add anything (my University education)?

After attending this session participants will probably recognise part of the story if they work for large organisations that are busy adopting cloud computing. It will give some pointers and ideas for bringing this forward (beyond the turf wars phase), taking into account the organisation's IT strategy and culture. We will probably explore a few options for improving cloud governance models (audience participation required, which will not be a problem at COSAC).

09:40 C1: Architecting National Telecommunications Infrastructure Security Speaker(s): Malcolm Shore

Malcolm Shore

Chief Security Architect, David Lynas Consulting (New Zealand)

Dr Shore completed a BSc in Computer Science at the University of London before emigrating to New Zealand where he held positions with RNZAF & Government Communications Security Bureau before completing his PhD at Otago University. He has held Head of Security positions in both Telecom New Zealand, and in NBN Co, where he was responsible for satisfying compliance with the Australian Protective Security Policy Framework. Malcolm was also the Technical Director for BAE Systems Australia.

Cybersecurity is a key risk for national infrastructure, particularly in the area of telecommunications. However, many telecommunications infrastructures are privately owned and operated, and the relationship with government tends to be via regulatory instruments. This leaves nations potentially at an unknown level of risk. In this paper, we develop a SABSA model of security architecture for national infrastructure, and determine how individual infrastructure components should integrate into a cohesive national infrastructure risk dashboard. A governance approach is proposed to enable an effective inter-domain relationship between the national security authority and infrastructure providers, and the way in which regulatory compliance and risk management should interact is considered. Challenges to its adoption in the Gulf Region are discussed.

09:40 D1: Reinventing the Global Research Agenda for a Modern World Speaker(s): Dan Klein

Dan Klein

Chief Data Officer, Valtech / United Nations (UK)

Dan Klein has two roles – lead of Environmental Data for the UN Big Data Working Group and Chief Data Officer for Valtech. At the UN, he is part of the team deploying a global collaboration platform for international datasets, methods and results, to drive improvements in the 17 Sustainable Development Goals. In Valtech, he looks after all things ‘data’, delivering differentiated value to our clients. He is fascinated by how the use of data can disrupt existing business models and revels in...

Reinventing the global research agenda for a modern world with large datasets to deliver the United Nations 17 Sustainable Development Goals https://sustainabledevelopment...

Taking a proof of concept with the UN to engage collaborators around the world, in undertaking science in a revolutionary way – full digital collaboration and peer review; replacing the ‘scientific journals’ PDF and data as appendices.

See https://marketplace.officialst...

Lessons from the UN and a review of other players in the market – how to collaborate across datasets, methods, resources and outcomes.

10:25 - 10:45 Break

10:45 A2: Is 1999 2000 2001…2021 The Year Decade Century of PKI? Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...

The Public Key Infrastructure (PKI) has had an enduring, if variable, impact on securing the universe of computing for almost 50 years. Is it now settling into its role as journeyman support to secure the world just as it is being threatened by the advancement of quantum computing? Lately many organizations have come to discover, a bit too late, that they in fact use PKI when their processing infrastructure quits working due to expired certificates. PKI used to be represented as 25% technology and 75% policies, standards and processes. Is this still true? How many organizations really understand how PKI works? Is that important?

The promise of PKI – to have the ability to establish dynamic trust between two entities without an established prior trust relationship – has endured for decades. It has invaded the business processing systems, sometimes by design, mostly under the covers. Why did IBM invest many millions in technology, processes, infrastructure and data centres in the early 1990s to become the world certificate authority and then quietly drop those plans and walk away? The technologies supporting PKI have continuously evolved while the foundational principles over past decades have endured. We will have a look at the evolution of PKI and why it became pervasive in most organizations whether they realize it or not. Will it survive the onslaught of quantum computing, which will be able to “break” in a few hours, and maybe minutes or seconds, the foundational encryption algorithms that currently take many years’ worth of computing power? We will outline what is being done to continue to support PKI in a post quantum computing (PQC) world. Are there more answers than questions? Note: No physicists are involved in this session.

10:45 B2: Cloud Forensic Challenges Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

In 2019, one of the biggest concerns we hear from our customers’ security teams is the lack of expertise when it comes to cloud and forensic investigations. We’ll first cover the differences between investigating an incident and a forensic investigation, and then cover forensic concepts and methodologies and how we have adapted them to the cloud. We’ll answer questions such as “How do you forensically acquire a SAN?”; “What do court-worthy methodologies mean?” (that myth debunked!); “What does GDPR mean for forensic investigations?” and other esoteric questions that investigators are concerned about.

10:45 C2: Mission Critical Systems and the Risk Managed Approach – We Need Something Better Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect / Cyber Project Design Authority, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

This paper looks at the problem of attempting to use current enterprise / IT focused approaches to cybersecurity on mission critical systems.

Most frameworks and policy standards for cybersecurity advocate, or even mandate, the use of a “Risk-Based” or “Risk Managed Approach” to the delivery of security objectives in a system. This has proven very effective in Enterprise ICT environments by forcing organisations to move away from an audit and compliance (i.e. ‘check-box’) approach to security.

Since the “Risk Managed Approach” is the de-facto standard for security policy frameworks, we are now seeing it being applied to securing mission critical systems. But, unlike Enterprise ICT environments, mission critical systems have long ‘Life-of-Type’ (often decades) and are intended to be very stable and reliable in terms of change and operation over this long time period.

A key element in the risk managed approach is understanding the threats to the system. Therefore, current risk assessment is effectively outward focused from the system on factors that change over time. Looking at threats for risk assessment works well when the time horizon being considered is relatively short; consider the rate of application change in an enterprise environment.

For mission critical systems, this means that the risk assessment is focused on factors that are beyond the scope of the system, beyond what can be affected by system architecture and design and is based on threat information that is not definitive and not stable over a time period that is comparable to the life-of-type of system.

The delivery of security outcomes for mission critical systems is therefore compromised by mismatches in time horizon, i.e. the life-of-type of the system vs the time horizon of the threat information used in a security threat and risk assessment vs the time period for the implementation of system change.

Notes:

Based on the key foundational concept in “STPA for Security”, derived from modern safety engineering. This presentation explains the problem “STPA for Security” is trying to solve.

References work by Prof Nancy G. Leveson in her book “Engineering a Safer World: Systems Thinking Applied to Safety”.

10:45 D2: Establishing An Ethical Imperative for Enterprise Security Architecture Speaker(s): Andrew S. Townley

Andrew S. Townley

Chief Executive, Archistry (South Africa)

Andrew S. Townley helps information and cyber security leaders build more effective security programs by applying 25 years of hard-won lessons across a diverse career from starting as a Software Engineer to building Archistry from the ground-up starting in 2006. Andrew is an international speaker, published author and thought leader on Information Security, Security Architecture, SABSA, Risk Management, Enterprise Architecture, SOA and Technology Strategy, and he has extensive practical,...

If you ask most people about security architecture, they’re probably going to assume you want to talk about technology. You see, to most people, security architecture is about firewalls, identity and access management, endpoint protection and the way these are all connected together in some sort of circuit diagram you might put on your wall – framed of course – so that you could walk past it every day, confident that you’re safe from cyber attacks. Except it’s not like that at all—well, at least the ones that truly add value to your organization aren’t like that.

Your organization’s security program has one job. I call it the mission and purpose of security, and that job is to enable and protect the organization to deliver its mission as quickly as possible. But it’s a job you can’t do if you limit your view of security architecture to the land of technology and security control frameworks. To be successful, security architecture must be a lot more than that.

Now, as someone who believes in the value proposition of security architecture – and especially SABSA® – in making a difference in our organizations, we already know this. The problem is…we’re not the ones who need convincing. The people who need convincing are the very people who have the misguided assumptions above about security architecture lodged in their brains. And it can often end up being pretty hard to change their minds—or to demonstrate how the security architectures we want to build will actually make a difference.

To be successful, security architecture must reflect the objectives and the priorities of the organization’s reason for being. It must be created as a function of understanding and responding to the risks the organization may encounter while pursuing those objectives. And your security architecture must enable the members of your executive team to make risk-based decisions about the way they choose to deliver those objectives.

To be successful, your security architecture must be the backbone of your entire security program, connecting your organization’s strategy to the selection of the controls in your operational environment and the way you use the information those controls collect to drive learning and adaptation everywhere. However, there’s a problem. It’s a problem that far too many security teams face every day. A problem that erodes and undermines their credibility and trust with the organizations they’re meant to protect. That problem is an approach, a mindset and a set of behaviors that leads an otherwise well-meaning and highly motivated security team to be seen as… The Department of NO.

The business says, “I’d use this application.” Security says, “No.” The business says, “I need to make this information available to our customers via the Internet.” Security says, “No.” The business says, “I need to deploy this software in production.” Security says, “No.” The reasons seem sound: it doesn’t comply with policy; we can’t be sure the information won’t be stolen; and the software has major security bugs. But to the business, it’s getting in the way of doing business. It’s delaying projects. It’s increasing the cost of delivery…and, let’s face it: It’s the business who pays the bills.

If we want to build a truly business-driven and responsive security program, security needs to move beyond technology. It needs to move beyond “checklist” security control deployment. And it needs to ditch arbitrary security maturity targets that aren’t related to the real risks and business environment the organization faces. But how? How can we do that? In this session, I’ll be presenting the role of security architecture as a key enabler of organization success and digital transformation.

But, more importantly, I’m going to talk about the fundamental psychological drivers within most organizations that must be identified and overcome before an enterprise security architecture program can be created. Based on 15 years of focused security architecture work around the world, I’ve discovered that there is a fundamental value clash between “the business” and “security” that invariably leads to the situation where security is seen as essentially, “the business prevention department.” This value clash is actually the result of the very ethical and moral foundations on which our whole understanding of security is based, and it’s shaped not only what we do, but the expectations of the business and those we serve—sometimes in surprising and unexpected ways.

To counter this, I’ll demonstrate why security needs to adopt a different set of ethics and moral values than it often has today. I’ll also highlight the 8 values your security team will need to adopt before it can truly enable and protect your organization to the best of its ability. At the end of this session, you’ll come away with a very different view of not only the critical nature of security architecture in delivering your core business strategy, but you’ll also have a much deeper insight into the historical divide between business and security that may well be holding you back today. Using these insights, you’ll be able to begin thinking about some concrete changes you might want to make to better align your security program with the business and some thoughts on how to get started building a truly business-driven security architecture program.

11:30 - 11:50 BREAK

11:50 A3: Digital Twins - Architecture & Security Implications Speaker(s): Hugh Boyes

Hugh Boyes

Principal Engineer, University of Warwick (UK)

Hugh Boyes is a Chartered Engineer, a Fellow of the Institution of Engineering and Technology (IET) and holds the CISSP. He divides his time between working as a Principal Engineer at the University of Warwick and undertaking cyber security consultancy assignments. Hugh is a Member of the Register of Security Engineers and Specialists (RSES).

The concept of creating a digital twin of a cyber-physical entity is gaining considerable coverage, with significant hype regarding the potential benefits a digital twin can offer. This session will explore the concept and history of digital “twins”. They are not as new or novel as the media coverage suggests. However, Gartner reports that leading digital governments are exploring the concept of digital twins at the whole-of-government level.

This session will examine the information and architecture issues relating to the creation of a digital twin and the prerequisites for ensuring that, in implementing the digital twin, there is close alignment with the reality of the physical twin’s behaviour. It will also discuss the privacy and security implications that arise from the creation and use of digital twins that are connected to operational assets. The session will conclude by identifying a set of criteria for establishing the trustworthiness of a digital twin in comparison with the real thing.

11:50 B3: Does Your Cloud Have A Toxic Lining? Speaker(s): Lisa Lorenzin

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...

We've all heard the old joke that "the cloud is just other people's computers" - but when it comes to cybersecurity, this is no laughing matter. Enterprises are moving internal applications and data to the cloud faster and faster, but the security models involved are often poorly understood and inadequately applied. AWS alone offers hundreds of tools and features to help customers meet their security objectives - an often overwhelming assortment.

One main challenge is that security OF the cloud is not the same as security IN the cloud, and there’s broad potential for a gap in between. Applications in the cloud are still subject to many of the same vulnerabilities we've been battling for years in the datacenter - and the proliferation of cloud environments adds a layer of complexity... Additionally, organizations running workloads in more than one cloud provider - as well as in the datacenter - are forced to translate a single business policy into multiple security models. The inevitable result is increased attack surface, as well as more opportunities for human error.

We'll review some of the pitfalls of the shared responsibility model and explore a few of the high-profile leaks and breaches that have resulted from poor understanding or implementation of necessary security controls in cloud environments, discuss examples from personal experience, then review what resources and tools are truly helpful - as well as what hasn't worked! - in approaching this expanded playing field for enterprise security.

11:50 C3: Feed me More, Seymour - Freeing Your Risk Appetite Speaker(s): Martin Hopkins, Jaco Jacobs

Martin Hopkins

Consultant, Attributive Security (UK)

Martin is an independent information security consultant with a current focus on security advisory to small businesses in the UK. He has over 25 years’ experience in technology, primarily in security related fields. A regular speaker on cyber security topics, he is a strong advocate of business driven security, security architecture and secure software development practices.

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

In 2019 we talked about how and where to find your risk appetite. Now we’re back to go full immersion and explore risk appetite throughout the SABSA risk management framework. Can we define any reusable patterns or models? How can we reassess the organization’s appetite, apply a changing risk appetite to our existing risks, use our appetite to drive tactics and business decisions..?

Join us to ask, and answer, the difficult questions of transforming your risk management into something more dynamic and business enabling than managing a risk register.

11:50 D3: Architecting Highly Resilient Open Collaborative Systems Speaker(s): Timothy Parsons

Timothy Parsons

Cyber Security Consultant, QinetiQ (UK)

Working predominantly in the Defence and Security sectors, Tim’s career has focused on advanced information technology delivery, consultancy and strategy, especially aspects of Cyber security. His career has spanned the spectrum from research scientist, the management of innovative technology demonstrators, to providing strategic options to Board for Companies positioning to enter adjacent security markets.

Driven by cost reduction and the need to improve the availability and delivery of services, information systems underpinning business processes and societal organisations have evolved significantly over the last ten years. These changes include the rapid evolution of cloud services, the adoption of data-centric architectures, virtualisation, edge computing and increasing interconnectivity with a huge diversity of endpoint sensors and actuators – the so-called cyber-physical ‘Internet of Things’ (IoT).

Significant economic benefits now depend upon such systems, examples being the transport and logistics sectors and the increasing interconnectivity of ‘smart’ cities. These systems form part of an ever developing and widening Critical National Infrastructure (CNI), with the characteristic that key processes often cross more than one domain of authority. Such systems may be termed ‘open collaborative systems’, and an overarching question therefore is, “How can highly resilient critical systems be architected when key aspects of that system are open and collaborative in nature, often crossing more than one domain of authority and ownership?”

This paper argues that 'extended enterprise' resilience is emergent from a set of principles and design approaches which span organisational and process issues, enterprise architecture, technical and supply chain management. The paper identifies and discusses these principles.

12:40 - 13:25 Lunch & Networking Session

13:25 A4: Stopping Houses Attacking People Speaker(s): Nick Spenceley

Nick Spenceley

Director, Primary Key Associates (UK)

Nick is an experienced technical specialist with particular subject matter expertise in the application of technology to solve complex problems in secure environments. He consults on business change, system architecture and design, legal disputes, security accreditation and engineering processes. He has over 30 years’ experience in managing significant project portfolios and programmes for BAE Systems Applied Intelligence, Detica and Logica (now CGI).

In the COSAC 2019 presentation “Did my house just attack me?” we learned of the first conviction in the UK (in May 2018) for harassment using IoT devices. An estranged husband used remote access to a smart home hub to access the video and audio from an iPad used as a wall mounted system display, as well as other compromises of the victim’s online accounts. He was sentenced to 11 months in prison.

The subsequent discussion provided some further insight into the problem of a “purposeful pattern of behaviour which takes place over time in order for one individual to exert power, control or coercion over another”, in particular where smart home installations are built into the fabric of the premises and one partner in a relationship is the single sysadmin.

Is there a suitable architecture for such devices that enables a more balanced approach to managing smart home devices, in which, for example:

  • A resilient and irrefutable chain of evidence is created when devices are configured and operated;
  • That evidence remains protected against unauthorised access, but can be reviewed by any authorised party in the event of a pre-defined set of circumstances;
  • A trust model exists that allows shared authority for managing the system;
  • A mechanism exists for dispute resolution by a trusted third party.

In this talk we will outline a framework that covers these requirements and, in discussion with the delegates expand or change it as necessary to produce something that may be considered a ‘trust mark’ that manufacturers may consider worthwhile to differentiate their products in this ever-expanding market.

13:25 B4: Application of Zero Trust Security Architecture on Amazon Web Services Speaker(s): Ernest Ngassam, Frans Sauermann

Ernest Ngassam

General Manager: Information Security Architecture and Technical Excellence, MTN Group (South Africa)

Prof. Dr. Ernest Ketcha Ngassam is currently the General Manager: Information Security Architecture & Technical Excellence at MTN Group. He is also Professor Extraordinaire of Computer Science at the School of Computing, UNISA, and holds a PhD in Computer Science from the University of Pretoria. He was the Chief Architect (Research Expert) at the SAP Innovation Centre in Pretoria and recently spent some time at Cell C as a Senior Consultant in Technical Programme Management for MVNOs. He...

Frans Sauermann

Security Architect, MTN Group (South Africa)

Frans Sauermann is currently the Senior Manager: Information Systems Security Architecture at MTN Group. He holds 29 certifications related to information security architecture from The Open Group, SABSA, ISACA, ISC^2, AXELOS, PMI, EC-Council, Cloud Security Alliance and others, as well as a master’s in cyber security from CSU. He has over 15 years’ experience with information security, 12 of which were spent with MTN, and has been involved in multiple projects related to information security during...

This paper provides an architecture for zero trust networks and continuous adaptive risk and trust assessment mechanisms on Amazon Web Services (AWS). We take a pragmatic approach to ensure that we link the theoretical components to implementation candidates. This relies on the application of graph theory to establish traceability, which we can subsequently use to verify the logical integrity of the architecture. Our literature review indicates that the first imperative is to establish a reference model that describes zero trust networking. The zero trust reference model is subsequently mapped to the relevant AWS services that realize its components. We see as part of this review that AWS is mature in its development of zero trust capabilities and that we can realize all aspects of zero trust using off-the-shelf AWS services. The correct configuration of these services, however, is crucial. The research is useful in providing solution architects with the logical components that can drive further stages in architecture definition.

13:25 C4: What Good Looks Like - Using KPI's and KRI's Effectively Speaker(s): Rob Campbell

Rob Campbell

Enterprise Security Architect, Secure Constitution Ltd (UK)

A Security Architect with 30 years’ IT experience, the last 23 in Information Security. I have been formally trained in security consultancy and architecture methodologies. These include the TOGAF Enterprise Architecture methodology (including ArchiMate) and of course SABSA. I have 10+ years in the financial/insurance sectors and another 10+ years’ experience in the Government sector. In that time I have developed security strategy, performed risk assessment and compliance roles as well as designed,...

In 20-plus years of working in information security for many different organisations I have yet to see control decisions based on real data using sensible metrics. Controversial, maybe, but it’s a real issue. A lot of money is wasted replacing perceived underperforming security technology when the reality is that the operational environment is underperforming, the technology is under-utilised or a lack of control coverage is the real culprit.

“A bad tradesman blames his tools” comes to mind. Often organisations replace controls technology because the existing product is perceived to be inadequate.

Data availability, time pressures, cost and resources with the right sort of experience all factor into this issue, but these can be overcome if you start by defining properly what good looks like. This is achieved with KRIs and KPIs.

SABSA itself provides a framework for KRIs and KPIs, but to date I have seen little evidence of successful implementation in organisations I have worked in or in conversations with industry.

This interactive session explores the importance of metrics in the decision-making process, gives examples of KRIs and KPIs that support those decisions and attempts to challenge attendees’ views regarding where to start from when selecting security services and mechanisms.

13:25 D4: Cyber Resilience: Expecting the Unexpected! Speaker(s): John Budenske, Lori Murray

John Budenske

Cyber Security & Systems Engineering Architect, General Dynamics Mission Systems (USA)

Dr. John Budenske is a life-long renaissance technologist and entrepreneur with an interest in autonomy, cyber resiliency, robotics, & intelligent agents. He has 30+ years of R&D experience in robotics, autonomous systems, cyber security, IoT, and human-robot interactions. His M.S. and Ph.D. were accomplished at the University of Minnesota, and he holds the Certified Ethical Hacker (CEH) accreditation. He is currently employed at General Dynamics Mission Systems in Bloomington, MN, as a...

Lori Murray

Systems Engineer, Iowa State University (USA)

Lori Murray is a Senior Advanced 3 Information Assurance Systems Engineer, currently enrolled at Iowa State University as a PhD student studying Computer Engineering. She holds Master of Science degrees in Information Assurance and Business Analytics from Iowa State University, along with her CISSP. Lori has 15 years of experience in Systems Engineering as a Cyber Security SME building security architecture from requirements definition to design.

Incorporating resilience into security architecture must consider how a system provides resilience to complete mission objectives. Ever-evolving adversaries drive the need for system architectures to protect cyber resources, but still enable operations during an attack to achieve mission objectives. According to MITRE, cyber resilience is derived from the practices of system security engineering, security operations and management, and systems engineering for performance and management. Exploring the commonality with the Sherwood Applied Business Security Architecture (SABSA) approach (which has a basis in systems engineering), and using both approaches, may lead to defining an architecture that offers both security and resilience. During this talk we explore systems engineering as an approach for defining an architecture that is both secure and resilient.

14:10 - 14:30 BREAK

14:30 A5: Internet of Intelligent Things, Preventing the Attack of the Refrigerators Speaker(s): Siân John MBE, Lesley Kipling

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

If IoT and Operational Technology (OT) are combining in Industrial IoT, and OT is the hardware and software that control the processes of much of our critical national infrastructure, then how do we protect our families and our societies from attackers that do not have our best interests at heart? In the light of the recent Ekans malware attack (https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/ Feb 2020), how do we begin to broach the great divide – that between IT and OT system operators – in a world of internet-connected everything, deep fake videos, massive disinformation campaigns and the potential catastrophic outcomes of compromise of safety systems? This talk will delve into some of the case studies of OT compromise, their key lessons and how we can potentially use the lessons from responding to attacks in the IT world in a way that makes sense in the OT world. During the discussion, we’ll outline the 7 properties of highly secure devices (https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf) and discuss the pros and cons of moving from preventative to reactive systems.

14:30 B5: Hey SyRI Who’s Committing Fraud? Speaker(s): Karel Koster

Karel Koster

Manager IT - Information Security, FedEx Express Int (Netherlands)

Karel Koster is an information security professional with over 15 years of experience in various information security roles. He currently manages an international team of security analysts for FedEx Express, owning and executing various GRC processes for FedEx International. Prior to FedEx, Karel held positions as Head of Information Security, information security officer, security architect and operational risk manager within financial services companies.

In 2013 the Dutch parliament passed a law called ‘Fraud prevention through coupling of data files’, without a vote. This led to the development and implementation of the ‘System Risk Indication’, also known as SyRI, which combines data from several governmental data sources with the sole purpose of detecting potential social benefit fraud.

This does not sound threatening for a normal law-abiding citizen such as myself. Any fraud must be battled, and for us Dutch, economic fraud is on top of the list. However, this system caught the eye of privacy activists and the UN rapporteur on extreme poverty and human rights. They found it to be in breach of human rights, discriminatory, dangerous and flawed. Our government was taken to court and the system was ultimately banned in February 2020.

A case like this in a developed country is both intriguing and scary and I feel there are lessons to be learned from it. Therefore, during this talk we will dive into this case and we will explore:

  • How did such a surveillance system come to be in a functioning democracy?
  • Is the intent of the system ethical and just?
  • What issues were found in the design and operation of the system?
  • Could it have been designed in an ethical way?
  • Were there warning signs?
  • Do we need new safeguards to keep this from happening again, or are current laws and safeguards sufficient?

14:30 C5: Jumpstart into Security Modelling Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and is developing a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018, COSAC 2019 and COSAC APAC 2019. Steven has authored a paper for The SABSA Institute on the topic of security modelling with ArchiMate, which is now being developed via a joint SABSA Institute / Open Group Working Group.

Since the idea of a Security Overlay for ArchiMate was first introduced at COSAC 2018, a great deal of progress has been made - principally via the formation of a Joint SABSA / Open Group Working Group dedicated to the modelling of SABSA in ArchiMate (MSA).

In the course of the past year, the Working Group has updated the T100 White Paper, created a series of reference models, popular control frameworks & risk methodologies, and proposed security enhancements to the ArchiMate language specification itself.

This presentation will provide an overview of the new Overlay and the shareable resources and show delegates how these can be used to incorporate security into their own ArchiMate models.

The value to conference delegates, especially those already familiar with the approach from previous COSAC sessions, will be an overview of how the Security Overlay has progressed from a ‘Proof of Concept’ to practical reference models that can quickly & easily be incorporated into EA models.

14:30 D5: How Sabremetrics May Influence Cyber Resiliency Speaker(s): Rob Hale

Rob Hale

Fellow, Lockheed Martin (USA)

Rob is a Lockheed Martin Fellow with over 25 years of experience in information systems and security. During his career he has been responsible for conducting and supporting information assurance and cyber security activities for federal, state and commercial organisations in the defense, law enforcement, financial services, utility and healthcare industries. Additionally, he has designed and implemented secure networks to support nuclear emergency response teams and top US banks.

This presentation is focused on describing a possible approach to measuring cyber resiliency in the future. Sabremetrics is a statistical approach to evaluating and comparing baseball players, teams and achievements from disparate eras in order to answer difficult opinion questions about the sport. For example, there is a classic argument about whether the 1927 New York Yankees are the greatest baseball team to play the game. To address this question requires not just simple measurements, such as the team’s winning percentage or batting average, but more complex and data-intensive analysis about park factors, dead ball versus live ball, the impact of expanding the leagues, etc. Sabremetrics is a system for defining, measuring and evaluating such questions, where metrics are complicated and data is massive. Evaluating the resiliency of a mission and its systems to cyber effects is a quickly emerging goal for government and defense industries.

This presentation seeks to begin a greater dialog on measuring and evaluating cyber resiliency by doing the following:

  1. Briefly describing and demonstrating how Sabremetrics is applied to baseball.
  1. Describing the cyber resiliency measurement problem.
  1. Proposing a methodology to measure cyber resiliency.
  1. Identifying gap areas in the measurement process and discussing next steps.

It is my hope to engage in discussion of the viability of the methodology and to strengthen the approach. It took baseball 11 years to identify most of the data points needed to improve the statistical analysis and instrument collection of the data. Metrics in cyber security have been marginalized since the beginning of the cyber security industry. It is time to address them in a meaningful and systematic manner. The proposed methodology is a starting point, not a 100% solution, but I believe it is the best place to start.

15:15 - 15:35 BREAK

15:35 A6: A Hard Look at the Black Box of AI/ML Speaker(s): Char Sample

Char Sample

Chief Scientist Cybersecurity Cybercore, Idaho National Laboratory (USA)

Dr. Char Sample is Chief Scientist Cybersecurity at the Idaho National Laboratory and a research fellow with the University of Warwick, UK. Dr. Sample has over 20 years’ experience in the information security industry. Most recently Dr. Sample has been advancing the research into the role of national culture in cyber security events. Presently Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

Artificial intelligence (AI) powered by machine learning (ML) algorithms is a disruptive technology that promises greater efficiency and accuracy in many workflows. The rush is on, and organizations are applying AI/ML solutions without considering the security implications. These data- and algorithm-dependent "black box" solutions require a hard look by cybersecurity researchers. This talk breaks down some of the known vulnerable areas of AI/ML, discussing attacks and proposed countering techniques or research areas that will be needed in order to make AI/ML trustworthy.

15:35 B6: Reflections on Not Trusting Trust: How Complexity Obscures Security Speaker(s): Mike Broome, Lisa Lorenzin

Mike Broome

Senior Software Engineer, Tanium (USA)

Mike is a senior software engineer with a background that runs the gamut from developing large-scale enterprise IT security and IT operations software at Tanium to working on low-level embedded networking software at Cisco and IBM to wrangling industrial control systems at a startup. Throughout his career, he's been passionate about software security.

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...

Modern software development and modern enterprise security are focused on agility, speed, and minimizing time to delivery. Pressure to innovate results in a focus on leveraging existing frameworks and not re-inventing the wheel for basic building blocks. But when those building blocks are compromised, the whole house falls down.

Using high-profile, real-world examples from both the software development world and the enterprise security space, we will explore unrecognized trust relationships, how they can fail, and the consequences of these oversights. We will examine – from both top-down and bottom-up – how complexity and system interdependencies lead to the inability to accurately evaluate the security of software and solutions, resulting in unexpected threat vectors ranging from authentication bypasses to software supply chain vulnerabilities and beyond. Finally, we will review related mitigations, tools, and practices (such as DevSecOps) and discuss whether they help to solve the problem and how feasible they are in the real world.

15:35 C6: Your Enterprise Security Architecture Might be Acceptable, but its Governance is a Mess Speaker(s): Andreas Dannert

Andreas Dannert

Head of Security Architecture, Standard Chartered Bank (Singapore)

Andreas is currently the interim Head of Security Architecture at Standard Chartered Bank in Singapore. At SCB he is responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities. Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), which is a government owned enterprise, providing critical infrastructure services to millions of...

While security architecture as a field is maturing, and medium to large organisations are starting to appreciate the value of hiring experienced security architects, the way security architecture artefacts are governed is often less than desirable. In many cases one could argue it is to the detriment of any security architecture investments made in the organisation. It appears counterproductive to produce great plans only to let them get lost when they are needed most, which could be compared to having building plans commissioned and losing them before construction of the building commences.

After working for multiple organisations as a security architect in different roles, I have made some worrying observations. Some of these are: organizations having little or no understanding of the dependencies between security policies, security controls, and business processes; the lack of appreciation for the right tools to maintain security architecture related artefacts in an efficient way; and the development of governing processes to effectively control and align potentially conflicting interests in an organisation when it comes to security architecture.

In this session I want to provide ideas and approaches for dealing with these issues, based on the experience built up from utilising different tools and strategies to achieve a more sustainable way of governing enterprise security architecture.

At the end of this session participants should be able to understand the value of establishing a robust governance for enterprise security architecture through a combination of a good enterprise security architecture delivery approach, relevant processes to govern the delivery of security architecture artefacts and tools to efficiently and effectively maintain relevant information and deliverables.

In the spirit of COSAC, this session is designed to be interactive and will allow participants to share their experiences concerning the topic or voice their concerns about this idea. Where appropriate, the session will provide attendees with examples of scenarios that have benefitted medium to large enterprises in maturing their enterprise security architecture function.

15:35 D6: The Regulatory Death of Private Enterprise Speaker(s): G. Mark Hardy, Mark Rasch

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, and a Master’s in Business Administration.

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record of establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security and high-technology litigation and advisory across the critical infrastructure, and is highly sought as one of the world’s leading legal (cyber) experts.

Three years ago at COSAC we examined the likely impact of the EU's General Data Protection Regulation (GDPR). Our predictions were borne out -- fines and sanctions in Art. 83 have served as a "stick" to compel -- £183m proposed fine for British Airways, £99m for Marriott International for example -- or, are they really an alternate revenue stream? Those make Google's €50m punishment look like a bargain.

As we slide into a global recession, will cash-hungry governments up the regulatory ante and feed off of industry's missteps? Earlier this year, the California Privacy Protection Act (CPPA) commenced a cascade of a cacophony of conflicting commandments certain to trip up the most careful corporation trying to sort out the tangled web of individual state laws in the United States. It's only going to get worse.

Will governments hold fines and punishments in abeyance to avoid exacerbating the downturn, essentially giving companies a bye, or will they drive businesses into oblivion when they are struggling for their survival? What does this brave new world look like, and when will we have "too much" regulation?

This presentation will provide a legal overview of the framework of what may be the latest generation of privacy laws following in the steps of breach notification laws. We'll look at what security professionals can do to reduce risk and avoid the wrath of the regulators.

16:20 - 16:40 BREAK

16:40 A7: AI in Information Security - Beyond the Hype Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record of establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security and high-technology litigation and advisory across the critical infrastructure, and is highly sought as one of the world’s leading legal (cyber) experts.

Artificial Intelligence is the current buzzword in all areas related to computers, and computer security is no exception. This session will try to get beyond the hype and discuss the genuine applications of AI and data analytics to information security, and the limitations of the use of AI. It will discuss some of the current AI-related tools, the drawbacks and advantages of AI-based threat analytics, the use of AI in access control, authentication, personnel security, user behavioral analytics, automated threat detection and response, SOC automation, DDoS mitigation, and data breach impact analysis. It will also discuss the different types of AI and the drawbacks of the massive data collection and sharing requirements necessary to make AI programs effective.

16:40 B7: Institutionalizing Trust – How do we “Build” Trustworthy Organizations? Speaker(s): Glen Bruce, Nick Galletto

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...

Nick Galletto

Global Cyber Risk Lead, Deloitte (Canada)

Nick Galletto has over 30 years of experience in information technology, networking, systems management and information security management. He has accumulated extensive experience in the management, design, development and implementation of cyber risk management programs. Over the last several years Nick’s primary focus has been helping clients with the development and implementation of cyber risk management solutions both for IT and OT, making these organizations more cyber resilient.

Trust in relationships with organizations is an essential element for effective business but is becoming increasingly more difficult to maintain and support - especially in the face of increasingly sophisticated threats from a variety of forces. We are seeing a shift in business from a shareholder value only priority to a broader emphasis on: societal impact; value for customers; investing in employees; dealing fairly and ethically with suppliers; and supporting our communities, which in turn will deliver long term value to the shareholders. In speaking to clients about trust, we consistently hear that trust is an essential outcome to driving the brand promise.

The session will focus on answering: how do we operationalize trust in this era of digital complexities? What are the drivers for trust in support of the brand promise, ethics and integrity? And how do we measure trust? We will outline our research and findings on what it takes to have a trustworthy organization and the impact that adverse events have had on major organizations. We will provide methods and insight on how to move trust from a functional capability with stakeholders to building relationship trust through an integrated trust framework and supporting maturity model.

The better the impact of trust is understood and how to achieve and maintain it, the more trustworthy the organization will be.

16:40 C7: For FUD sakes, just give it a rest already... Speaker(s): Martin Hopkins, Jaco Jacobs

Martin Hopkins

Consultant, Attributive Security (UK)

Martin is an independent information security consultant with a current focus on security advisory to small businesses in the UK. He has over 25 years’ experience in technology, primarily in security related fields. A regular speaker on cyber security topics, he is a strong advocate of business driven security, security architecture and secure software development practices.

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Almost everyone has a vulnerability management program, in name at least. When it does actually exist, it is usually made up of the “security police” with their policies and checklists, scream-preaching their outdated FUD approaches to everyone, even those who don’t want to listen. This inevitably leads to a half-baked, half-followed program being put in place that poses more questions than it gives answers. Is it fit for purpose? How much of what your vulnerability assessments discover are control gaps or deficiencies against some best-practice controls list that may, or may not, be what your business needs?

In a SABSA environment we have our:

  • business attributes so we know what matters to us;
  • control objectives and performance thresholds so we can accurately assess business impacts;
  • domain model so we know who the risk owner is.

During this session we will explore how we can take the output from our vulnerability scanners and penetration testing, translate from controls and compliance-based reporting to risk-based reporting and work with vendors and partners to do this.

16:40 D7: Where is My Mind? (unabridged version) Speaker(s): Chris Blunt, Simon Harvey

Chris Blunt

Enterprise Security Architect, Aflac NI (Northern Ireland)

Chris is a seasoned cybersecurity professional. He has recently moved to Belfast from New Zealand where he co-founded and ran a highly successful information security and privacy consultancy. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables organisations to achieve their business objectives.

Simon Harvey

Platform Manager - Identity, Suncorp Group (Australia)

Simon is a Security Professional with 25 years of security-related research, business & management experience. He currently manages Identity at a large financial services organisation. In addition to being extremely late at submitting his SABSA Advanced exam (sorry David!), he is an accredited instructor for Mental Health First Aid Australia and speaks widely about Mental Health in IT/InfoSec.

Mental health is becoming one of the most significant issues in our society, and the information security industry is no exception. Our industry often attracts people with certain personality traits or attributes: technical, analytical, obsessive, dedicated, perfectionist, curious, dogmatic, unempathetic. This can lead to us being labelled nerds and geeks, labels that others use to dehumanise us.

But we are all human. We work in high-stress environments, and pressures are placed upon us by ourselves, our colleagues and our employers to perform with unrealistic budgets, team members and timeframes. This can be unhealthy at best, but downright dangerous at worst. Mix this with the regular ups and downs we all experience in life and it is no wonder that many people in our industry suffer from poor mental health.

In this session, we will shed light on this taboo topic to raise awareness and help end the stigma that is often attached to conditions such as anxiety, depression, and bipolar disorder. We will use a combination of medical facts and our personal stories to humanise a topic that is still treated in a very inhumane way.

We will also present and discuss some of the:

  • most common mental health conditions
  • early warning signs that someone is not okay
  • basic approaches you can take when dealing with someone who is not okay
  • resources available to help you and your organisation help people that are suffering from poor mental health

Our objective is to have a conversation about how we can identify, support and help each other when our mental health is compromised and to determine how we can practically support each other at the community level.

17:25 - 17:45 BREAK

Day 1 Keynote

17:45 Something Sinister Below the Horizon Speaker(s): Andy Clark

Andy Clark

Director, Primary Key Associates (UK)

Prof Clark is an acknowledged expert in Cryptography, I.S. Security, Systems Engineering, Information Forensics & Cyber Security. He has worked in the field of Computer and Information Systems Security and Cryptology since 1984 and is a registered expert witness with 20+ years’ experience of presenting computer and information systems evidence in a wide range of criminal & civil cases. He is a co-author of the SABSA Blue Book & was the first recipient of the COSAC award.

In April 2021, judges in the UK Court of Appeal quashed the criminal convictions of 39 former postmasters in what has been described as “the UK's most widespread miscarriage of justice”. Each had been convicted of theft, fraud and/or false accounting.

Some had been imprisoned, all had their lives turned upside down through no fault of their own. Some lost their homes, were forced to pay back large sums from their own pocket and were unable to get work because of their convictions. Some were forced into bankruptcy.

Those convictions relied on evidence derived from a computer system used by the UK Post Office known as Horizon. Introduced in 1999 it was rapidly rolled out to Post Office branches and by 2013 was operating in over 11,500 branches and processing some six million transactions per day.

Problems with Horizon were first reported in 2000 but were dismissed by the Post Office, who consistently said that Horizon was “robust and reliable”.

I have personal experience of Horizon, having been retained by a firm of solicitors as an expert witness in a criminal case relating to accusations made against a sub-postmaster based on Horizon evidence.

I accompanied the instructing solicitor on a visit to see the Horizon system in action at a Post Office Training Centre. Within a matter of one hour, it was clear to me that there were sufficient significant issues with the design and implementation of that system to bring the integrity and quality of digital evidence into question, for example the accuracy of timestamping and the potential for undetected modification of transaction data.

The solicitor made our observations known to the prosecution and the case was dropped. Sadly, many others proceeded using unreliable evidence from Horizon that was not challenged successfully.

More than ten years after I made that visit, speaking after announcing the Appeal Court’s ruling, Lord Justice Holroyde said the Post Office "knew there were serious issues about the reliability of Horizon" and had a "clear duty to investigate" the system's defects.

But the Post Office "consistently asserted that Horizon was robust and reliable" and "effectively steamrolled over any sub-postmaster who sought to challenge its accuracy", the judge added.

This talk:

The Horizon scandal is a shocking example of failures of design, implementation, management and governance. The impact on the sub-postmasters convicted based solely on unreliable evidence is horrendous.

In this talk I will unpick some of the details of the Horizon system that led to its technical failures. I won’t explore the behaviours of individuals who, despite knowing of the failures, proceeded with prosecution of potentially innocent people, but I will encourage the audience to reflect on our responsibilities as designers, implementers or operators of information systems.

I will explore how we might ensure that they capture all the system business requirements and, in the digitally dependent age in which we live, how those may well include system data being of sufficient evidential quality to be used in the investigation of crime.

Two matters are clear:

  • Relying solely on digital evidence in any prosecution means that system design, implementation, operation and maintenance will come under scrutiny - how many systems have adequate through life documentation, and how many have been designed with the expectation that their data will be used in evidence?
  • Evidential quality must be tested rigorously if we are to avoid miscarriages of justice - where individuals have not had the proper resources available to them to question such evidential quality they may have been improperly convicted - and that is inexcusable.

Networking

18:30 Day 1 - Networking Session

Wednesday 29th September 2021

(ALL TIMES BST)

09:00 A8: Kill Chain in Practice Speaker(s): Lesley Kipling

Lesley Kipling

Chief Security Advisor, Microsoft (UK)

Previously lead investigator for Microsoft’s detection and response team (DaRT), Lesley has spent 16+ years responding to Microsoft customers’ largest and most impactful cybersecurity incidents. As Chief Security Advisor, she now provides customers, partners and agencies around the globe with deep insights into how and why security incidents happen, how to harden defences and more importantly, how to automate response and contain attacks with the power of the cloud and machine learning.

Microsoft – the world’s second most attacked entity on the planet, or a victim of ego and paranoia? Let’s look at some numbers: we analyse 8.2 trillion signals for signs of malicious activity per day; we see 300 million fraudulent sign-in attempts targeting Microsoft cloud services per day; and we block more than 5 billion distinct malware threats per month. Industry-wide, hackers attack every 39 seconds, on average 2,244 times a day, and the average time to identify a breach in 2019 was 206 days. Is sleep an option for security professionals? Come along to this session to hear about attackers in the wild and how we at Microsoft protect ourselves and our customers while getting much-needed beauty sleep.

09:00 B8: Starting the Cyber Security Conversation; Introducing Cyber Security to Very Young Children Speaker(s): Wendy Goucher

Wendy Goucher

Cyber Security, Risk & Awareness Consultant, Goucher Consulting (UK)

Wendy Goucher is a Cyber Security, Risk and Awareness Consultant at Goucher Consulting. Her current range of work includes reviewing and revising incident response and risk management for an organisation within Scottish Government as well as looking at making security awareness messages relevant to staff working from home. Wendy also writes, mostly books at the moment. She is the author of the successful ‘Nettie in Cyberland’ series of books which use stories to start the conversation about...

By the time of COSAC 2021 Nettie will have published the second in a series of story books that aim to open the conversation around cyber security with children between 4 and 7 years old and their parents and carers. This project has taken 6 years from first concept to publication of the first book by the University of Buckingham Press in July 2020.

Beneath the pictures of cute bunnies and a girl with her happy robot enjoying their adventures in ‘Cyberland’ there has been, and continues to be, a lot of research. From before the start of the creation of the second book I have become involved in academic research with Professor Karen Renaud of the University of Strathclyde and am in discussions with members of the Research Institute of Socio Technical Security, which is associated with NCSC.

The way research and discussion have played such a vital part in the existing books, and will going forward help to identify areas that may be covered in future books, is something I can only really touch on at other conferences, as delegates generally want spoon-fed information and then move on to the next presenter.

COSAC would give me the opportunity to discuss the development of Nettie and my thoughts on the area of cyber security for an ever-younger end user. I know that COSAC delegates will not only appreciate a deeper background view but would also be keen to join in the discussion of where Nettie needs to go in further books.

09:00 C8: I See Fields are Green …. Architecting the Smart Hospital of the Future Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

Greenfields opportunities are few and far between, and most of us, if we are really lucky, get to be part of one Greenfields ESA project in our careers. If it is in support of something greater than us, the proverbial good cause, so much the better.

In this session, we will explore the ESA created for Galactic Inc. Healthcare (GIH), a relatively young healthcare institution, specialising in children's oncology, and the first to bring together healthcare, research, and education under one roof.

We will focus on the architecture elements that set them on their way to:

  • Increase the cure-rate to 90% by 2030 through better treatments and reduction of side-effects
  • Reduce collateral health damage from treatment to less than 50% of patients affected by 2030
  • Be the #1 children’s oncology centre in Europe by 2025
  • Be a first-class internationally accredited education institution for children’s oncologists and other oncological specialisations by 2025
  • Be amongst the most innovative and attractive employers within the healthcare industry by 2025
  • Go about business in a socially responsible, efficient, and risk driven manner

09:00 D8: Help! I()AM reporting to a SABSA-certified CISO Speaker(s): Marten Gerssen

Marten Gerssen

Freelance Security Consultant, unConceptual (Belgium)

After graduating in Control Engineering, Marten started his professional career in Telecom Network Management at Alcatel in 1996, holding various pre-sales and marketing positions. In 2010, Marten founded unConceptual as an independent consulting company, growing from IT project management into IT Security. Customers include energy, telecom, government and banking sector. In those 10 years, the focus evolved to Identity and Access Management with projects in IAM overhaul, Privileged Access...

On an IAM project, my CISO had a SABSA Security Architecture background. We had differences in understanding. So I dove into the SABSA framework. SABSA 2018 does capture IAM completely, but in an implicit way.

Value:

Enrich insight on the interaction between Security Architecture and IAM. Naturally, the value of both SABSA and IAM is undisputed.

Talking points:

  1. IAM usually appears as “some boxes” in design (business enabler).
  1. IAM is in one SABSA Cell. IAM people recognize IAM matter in every cell.
    As SABSA rightfully notes, Identities are components. However, identities spring into existence on every layer, while needing one (meta)store.
    Similarly, all entitlements end up in the same IAM platform(s). A user needs an entitlement concatenation for access. Per layer, access needs vary.
  1. Different “pace” between Architecture and IAM and the consequences
  1. Identity lifecycle specifics
  1. Remediations:
    • RBAC, but pragmatically
    • Birth rights
    • Delegates fine-grained access to service platforms
  1. Advice for Enterprise architecture

How can Architecture help IAM?

  1. Deliver explicit input in design already identified SABSA concepts: Domain Authorities, Entity Schema, Privilege Profiles, Trust Relationship Models, Envisioned users, new/affected roles
  1. Deliver a look from the asset perspective, to pro-actively define technical/privileged roles.
  1. Co-monitor the use of scripts and other Machine to Machine integrations

09:45 - 10:05 BREAK

10:05 A9: Cyber Espionage Reloaded Speaker(s): Derek Middlemiss

Derek Middlemiss

Head of Security Solutions - EMEA, Check Point Software Technologies (UK)

Starting out as a hardware engineer for Texas Instruments more than 30 years ago, I have had the honor of spending my entire career at the high end of IT. From cutting my teeth on Xenix System V and SCO Unix systems to managing an elite team of EMEA-wide Security Experts for Check Point Software Technologies, Derek has had an interesting career thus far. His current role covers a wide range of integrated security infrastructure including Hybrid Datacenters, Cloud Native, Remote Office...

Recently Check Point Research discovered new evidence of an ongoing cyber espionage operation against several national government entities in the Asia Pacific (APAC) region. This operation, which we were able to attribute to the Naikon APT group, used a new backdoor named Aria-body, in order to take control of the victims’ networks. In this talk, I will describe the tactics, techniques, procedures and infrastructure used by the Naikon APT group over the 5 years since the last report, and offer some insight into how they were able to remain under the radar. I will also shed light on countries that are being targeted by this threat actor.

10:05 B9: Protecting Citizens Online in the Face of a Global Epidemic Speaker(s): Martin Sivorn

Martin Sivorn

Head of Cybersecurity, Cabinet Office, UK Government (UK)

Martin built and led the first cyber security capability for the prestigious global news organisation The Financial Times for many years, building a team spanning 2 continents that plays a pivotal role in protecting FT systems and data, and the integrity of the FT's journalistic content. Having a dedicated cyber security capability has enabled the business to expand into new ventures like investigative journalism, made possible with a secure whistle-blowing platform.

The premise of my talk is keeping citizens secure online against the continuous menace of online scams, particularly at a time like this when current events and affairs like a global health crisis are being exploited to fuel new scams and fake news.

We will look at the moral dilemma of who is actually responsible when your brand is being exploited by criminals to rip off citizens, as well as a technical dive into some of the methods that we use to combat this issue.

As Head of Cybersecurity for the Cabinet Office I feel that we have a moral obligation to protect all citizens of the UK from online scams, particularly when our website (www.gov.uk) serves as the basis for perpetuating these scams.

I will share details of our approach to combating the problem of phishing, including detection of malicious websites and how we get them taken down from the internet. The talk will cover some of the technical challenges and considerations that we struggle with when trying to action the takedown of malicious sites. I will also give an example of how current events are exploited for malicious purposes with a timeline of the malicious activity that has been detected during the current COVID-19 health situation.

10:05 C9: Use of SABSA in AXA Group Enterprise Security Architecture to date Speaker(s): Simon Griffin,

Simon Griffin

Senior Enterprise Security Architect, AXA (UK)

I’ve been working at AXA for nearly 20 years in a number of global roles including security consultancy, engineering and presently as an enterprise security architect within AXA’s Group Operations organisation. I have so far achieved SABSA SCF, attended both the A1 and A3 courses and hope to start work on my paper for Practitioner soon. I spend most of my time taking a business driven approach to security and utilising what I’ve learned from SABSA in developing our security reference model.
Bhupesh Rana,

Bhupesh Rana

Security Advisory and Standards - Information Security, AXA Group Operations (UK)

John Sluiter

John Sluiter

Lead Global Enterprise Security Architect, AXA (UK)

As member of the AXA Group Enterprise Security Architecture team, John leads development of the Enterprise Security Architecture as part of the Global Target Architecture, as well as contributing to various strategic programmes and topics such as global workplace, API management and DLP. Before joining AXA early 2016, John worked as security architect for business and IT consultancies for the most part of his career, working on TOGAF and SABSA integration amongst others.

AXA Group Enterprise Security Architecture (GESA) embarked on a journey in 2017 to introduce SABSA to the security design activities in AXA Group and to promote its use in AXA entities. GESA have presented early progress to SABSA World in London on this topic and presented our status of progress in 2018 at I-4.

This presentation provides an overview of the subsequent step in our journey. It will contain 4 sections as below.

  1. AXA Context

Explain the complexity and federated nature of the AXA organisation, the structure of the security organisation (1st and 2nd line), the GESA role and mandate plus challenges.

Describe the foreseen maturity journey of ESA in AXA and which stage we see ourselves today:

  • Key reasons for using SABSA are to introduce and establish rigour and structure in the strategy development process, and to make security architecture real for the practitioners, operational security teams and our leadership team.
  • We have encouraged and trained members in SABSA who are not architects. For example, we have included in the training programme people from risk management, security assurance and operational security teams, because we believe that the more people outside the architecture teams understand the AXA ESA/SABSA approach and methodology, the better it is for AXA and for us. That may be a slightly different approach from the one other companies take.
  1. Security Capability Reference Model

Describe the first key deliverable GESA produced in 2018/2019: a Security Capability Reference Model (SCRM). It is a deep-dive and security-specific view of the Business Capability Reference Model managed by the Business Architecture Working Group, and therefore follows the business capability structure and definitions to maximise business alignment. It defines 5 levels of capabilities covering business and IT/security services (services are renamed lower-level capabilities), that are mapped to mechanisms and components, used to form a library of the as-is security capability status.

The presentation will describe and show what it is, what the expected benefits will be (supporting analysis, security requirements definition and architecture design) and how much value we have experienced to date (quick turn-around of requests for global cost savings opportunities, consistent strategic IT programme security requirements definition, etc.).

  1. Business Attribute Profiling and SWOT analysis

Explain how BAP and SWOT are used for security design in global technology / IT strategy development (BI strategy, network strategy, data centre strategy, DLP and EPP position papers, etc.). Explain how risk scoping is incorporated into this work to determine primary and reliance scope in risk assessments, design work, etc.

  1. Future steps planned for further ESA maturity improvements

Describe the currently ongoing projects and activities related to ESA:

  1. Linking SCRM with the MITRE ATT&CK framework to be used for the SOC NG. The aim is to be able to have meaningful discussions with operational security and influence technology choices by talking to them in the language they understand, i.e. threats and security controls that we link with security components in SABSA.
  1. Improved use of data to support security capability related decision making (control effectiveness, coverage, cost) using sources such as
  • IS assurance framework self-assessment compliance reports and secondary assurance findings
  • SOC alert and incident data
  1. Increased use of domain modelling for defining governance requirements in particular, but also to explain the relationships plus R&Rs. We have been experimenting with domain models but have not used them in practice. Early feedback is positive, so we want to expand their use.

10:05 D9: Automating Security Compliance Speaker(s): Steven Bradley

Steven Bradley

Consulting Security Architect, Cyber Enterprise Modelling (Belgium)

Steven is an SCP with 10+ years’ experience in the SABSA methodology. He works as an independent Security Architect and has developed a research interest in model-driven approaches to security architecture - a topic on which he has presented at COSAC 2018, COSAC 2019 and COSAC APAC 2019. Steven has authored a paper for The SABSA Institute on the topic of security modelling with ArchiMate which is now being developed via a joint SABSA Institute / Open Group Working Group.

Organisations increasingly operate in a multi-regulatory environment where audits are more frequent, more numerous, more stringent and subject to higher levels of scrutiny with each passing year.

Staying on top of the continual compliance cycle proves to be extremely onerous. Organisations typically respond by first streamlining their operations into a single, enterprise-wide capability, but find that despite the efficiency savings they are still left with a task of formidable scope and complexity that remains a costly, largely manual operation.

Perhaps the most significant development in this field for decades is NIST’s Open Security Controls Assessment Language (OSCAL), version 1.0 of which was published at the end of 2020. OSCAL defines a series of inter-locking data schemas that progressively apply a control framework to a target system via a pipeline of compliance “transforms”.

In this presentation, the speaker will present an introduction to OSCAL based on first-hand experience of using it since the early pre-release versions. The session will include a practical demonstration of how OSCAL artefacts can be created and consumed, holding out the promise of end-to-end automation.

The value to the conference will be an early awareness of an emerging technology that is set to have a major impact in highly-regulated or infrastructure-critical sectors for whom multi-regulatory compliance is a primary concern.

10:50 - 11:10 BREAK

11:10 A10: Critical Destructive Cyber Incidents Speaker(s): Patrick Wheeler,

Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now as a naturalized Belgian he focuses on the European Financial sector (e.g. SWIFT, Euroclear, BNP Paribas) specializing in security, compliance and innovation with rubric of ‘Cybrepreneurship’ which he defines as including opportunistic...
Rosanna Kurrer

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults and leads design think, corporate innovation and coding seminars to corporates and individuals (e.g. BNP Paribas, Salesforce.com, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan she now identifies as German and Belgian.

Cyberwar is Pervasive: We are all potentially ‘collateral damage’ in the on-going cyberwar/influence operations of nation state actors (Maersk incident); in a hyperconnected world everyone is ‘within reach’.

Cybercrime is Industrialised: Crypto-extortion has proven itself a viable and sustainable business model (Multiple Municipalities, Coveware).

Lessons drawn from world-class professional incident and extortion handling techniques in police, nation-state, NGO and with a humanistic perspective (book reference: Anja Shortland’s “Kidnap: Inside the Ransom Business”). No-one ever wishes to enrich criminals, and all wish them to be placed well behind bars.

Inspired by our Financial Sector Major Client’s (>4Bio turnover) Experiences: Corporates experience significant hardship when hit with cyber-extortion attempts. Every indication is that this will grow worse. Clients’ inability to gain support and ‘sympathy’ from their usual partners (Banks, IT Service Providers, Police, Government CSIRT and Consultancies) is endemic and toxic. The typical response “Never Pay Ransom” does not support clients in their time of need. We invited three gentlemen recently retired from Global Police forces (Canada, Netherlands/United Nations, Israel) to Brussels, Luxembourg and London to explore this.

Here we examine thorny issues:

  • Critically Destructive Cyber Incident Response:
  • Seeing this Empathetically from the Attacker and Business Executive and Personal Role
  • False Ransom / Dead Body Exchanges
  • What about insurance?
  • Fraudulent Decrypter Services!
  • Not Only Enabling Criminals to Profit from Crime, but Potentially Funding Terrorism
  • Banks and FS, Anti-Money Laundering, KYC, ATF
  • Corporate vs Personal Incidents

We end this exploration in the Luxembourg Cyber Incident Simulator Room 42, when faced with a multi-pronged live immersive simulation, an inexperienced team under the tutelage of master Incident Handlers and Negotiators: “No-one has ever handled the scenarios like your team did. No matter what I did, you did not respond the way anyone else ever did. I could not control the situation. No-one, ever, did what you did…” Former French Military Lieutenant, Cyber Incident Simulator ‘Attacker’. We did not pay the ransom (but we may have lost a person).

Look Where You Are Going: We may not wish to be going here. Cyber Extortion is bad. Cyber-induced Critical Incidents as a Business-Halting experience is not what our ‘exciting digital future’ promised us. But in the near and mid-term ransomware, cyber extortion and Critical Cyber Incidents are going to become the new norm. To ignore or simply wait is insupportable and invites the worst-case scenario. To prepare our individual Operational Security, to build our Vauban Citadel a little bit higher and thicker is the conventional response. Some argue we can build our walls a little bit ‘smarter.’ Those with larger budgets are already building Smarter, Higher and Thicker, and it is still not enough. But perhaps most importantly, the lesson from our new friends and very interesting gentleman: “Be Prepared and Engage.” And have friends!

11:10 B10: Zero Rust Speaker(s): Raymond van Dijk

Raymond van Dijk

Enterprise Security Architect, Alliander (Netherlands)

Raymond is an Enterprise Security Architect at Alliander. He believes that in today's complex (cloud, agile and (partly) outsourced) environments it is imperative that security is built-in and strives for business enablement. He is using the digital transformation to improve the usability of security and push for security innovation.

How to get Security moving in a digital transformation

There is a huge difference in speed and ways how Enterprises go through digital transformation, but in most cases security departments are the last ones to join the change.

After years within several traditional utility companies going through different stages of digital transformation I have more questions than answers. Hence the perfect COSAC talk.

During the next COSAC I would like to have an open discussion on:

  • Why are security professionals so hesitant of change?
  • What are the root causes of this?
  • Is this caused by rigid regulations / compliance demands?
  • Is it inherent to the type of persons who become security professionals?
  • Is it a problem?
  • What are the benefits?
  • What are the disadvantages?
  • If we think it is a problem (as I do), how can we change it?
  • How do we combine agility and new technologies and ensure the information security risks are under control? (curiosity, continuous learning, automate, automate, automate)
  • How do we trigger behavioural change within security professionals without losing them or making them unhappy?

In short, how do we get from “Zero Trust” to “Zero Rust”?

11:10 C10: Cyber Security at E.ON is Having the BLUES Speaker(s): Roland Schad

Roland Schad

Senior Cyber Security Architect, E.ON (Germany)

Roland Schad started his career in the area of border security at Siemens, creating automatism to effectively control Internet Access Services globally and establishing worldwide functionalities like Corporate Spam-protection, designing a high security data center and much more. During his time at BWI, the full-service provider for the German Armed Forces, he created the Enterprise Architecture Management based on several Frameworks such as ITIL, IREB, TOGAF, Archimate, SABSA. At innogy (now...

Core components of the modern utility business nowadays are treated as critical infrastructure. As an energy company we have an exceptional responsibility to deliver our services in a stable and resilient way, independently of environmental changes of any kind. Today, like almost every other business segment, the utility business is strongly influenced by the increasing digitalisation and connectivity of assets crucial to the provided services. Moreover, due to the great variety of exciting digital business opportunities, most utility organisations cannot be seen as pure utility businesses anymore. Topics such as eMobility, and power transmission and distribution in the context of highly distributed power generation, are pushing us to position ourselves as technology vendors, early adopters, and innovators. On this challenging journey, cyber security becomes an even more existential topic on the broad utility agenda.

A couple of years ago, innogy founded a team of cyber security architects to do the right things with appropriate effort and to make cyber security tangible for the organisation. This team consists of a wild mixture of people experienced in software development, system integration and usable security, coming from security vendors, mobile providers, IT service providers, and more. With the merger of innogy and E.ON, the cyber security architects created a unique composition of selected methods derived from frameworks such as ITIL, IREB, TOGAF, ArchiMate, SABSA and visits to COSAC, named the Security by Design BLUES (Business Led Unified Enterprise Security).

Security by Design BLUES offers modular architectural and design security methods seeking the optimal balance between business needs and customer expectations, potential cyber risks and threats, risk appetite and appropriate countermeasures, thus enabling the business to explore emerging opportunities. The approach was applied in more than 70 projects in the innogy and E.ON contexts, clearly showing the desired value.

In this session I share details on the Security by Design BLUES and how SABSA inspired E.ON’s BLUES.

11:10 D10: Herding Cats in a DevSecOps World Speaker(s): Rob Campbell

Rob Campbell

Enterprise Security Architect, Secure Constitution Ltd (UK)

A Security Architect with 30 years IT experience, the last 23 in Information Security. I have been formally trained in security consultancy and architecture methodologies. These include Togaf Enterprise Architecture methodology (including Archimate) and of course SABSA. I have 10+ years in the financial/insurance sectors and another 10+ years experience in the Government sector. In that time I have developed security strategy, performed risk assessment and compliance roles as well as designed,...

DevSecOps has moved on, as has the adoption of container-based deployments. With Agile working, design, development and deployment of software at pace has relegated the traditional waterfall methods of testing to the bin. We can no longer spend time testing software only when it is ready to go into production. Instead we need to manage vulnerabilities and perform testing at every stage of development and deployment if we are to stand a chance of minimising vulnerabilities in production. Even beyond deployment we need to keep track of what components and libraries are used and get them updated as the need arises. By inserting policy-based Code Firewalls, SAST, DAST and Composition Analysis into the development and CI/CD environments we can reduce attack surfaces dramatically and respond to issues at pace.

This session will present a model for managing threats at every stage of the development and deployment lifecycle. This particular model focuses on the use of containers and delves into trust and public code repositories such as GitHub etc. I hope to help participants rethink their approach to security testing in today's fast-paced development environments.

11:55 - 12:15 BREAK

12:15 A11: Threat-Based Security Engineering: A Stochastic Framework for Calculating Cyber Security Risk Speaker(s): John Leach

John Leach

Owner, John Leach Information Security Ltd (UK)

I have been an Information Risk and Security professional for more than 30 years. I have held senior positions in the security teams of a number of organisations, including NatWest Bank, and led the security teams for the UK branches of two US boutique technical consultancies. In late 2002, I formed JLIS to enable me to provide my unique brand of Security Risk Management consultancy services independently.

Cyber security is a highly technical subject. This disguises the fact that, even today, we still practise it as a craft, not as a science. We have a series of ‘recipes’ (Best Practices and international standards), but they have been compiled over time from common responses to attacks and breaches, not designed analytically using scientific methods, data and results. These recipes provide us with an uncertain level of security no matter how carefully we follow them; we can’t readily optimise them to suit our particular situation, and they limit our ability to adapt and innovate.

It doesn’t have to be this way. In this presentation I will describe some of the benefits of treating cyber security as a science, and outline how that could transform the way we conduct cyber security. We would be able to measure the amount of security protection a given practice or product provides and perform cost-benefit analyses for security improvement projects. Directors and regulators could set objective security risk targets and Risk Managers demonstrate that their security arrangements satisfy those targets. And security risk could be managed with no less a level of transparency and objectivity than any other type of business risk.

Using Threat-Based Security Engineering (TBSE) as a candidate method, I will describe what treating cyber security as a science could look like, and outline a number of ways people could give this a try to see what it can do for them.

12:15 B11: The Big Bang: What Creating a Greenfield Security Program and an IT Infrastructure at the Same Time Looks Like Speaker(s): Timothy Sewell, Todd Wilkinson

Timothy Sewell

CIO / CISO, Reveal Risk (USA)

Tim is a lifelong technology and security enthusiast with broad experience in multiple industries. He spent over a decade at Lockheed Martin designing and deploying solutions to some of the hardest cybersecurity problems in the national security space: Cryptography, weapon systems, aircraft, satellites, critical networks, APTs, hardware security, supply chain and third-party security, anti-tamper and industrial control systems using a blend of best-of-breed from the commercial space, coupled...

Todd Wilkinson

Chief Information Security Architect, Elanco Animal Health (USA)

Todd Wilkinson has been in the technology industry for 23 years and is most recently serving as the Chief Information Security Architect for Elanco Animal Health, building their new security program as part of a divestiture and IPO. He has advised on and been accountable for the technology direction and product development of solutions that Elanco offers to its animal health customers, and has developed innovation in disease detection, wearables, implantables and mobile imaging capabilities with Elanco.

What if I said you could build an entirely new security program from scratch in a greenfield environment? How about when that environment is a 64-year-old international company going through an IPO split from its parent? Also, you have to stand up the entire IT infrastructure at the same time, all while meeting the aggressive cost savings promised to the market? Let’s discuss the beginnings of a security program while restarting from scratch on everything.

This talk will cover every aspect of security, from architecture to governance to detection and on to response, and share the wins, the losses and the lessons learned along the way.

How to start small, prioritize and increase the security of your company’s future.

12:15 C11: Converging IT, OT and Cloud – Creating an ESA for an Oil and Gas company Speaker(s): Jaco Jacobs

Jaco Jacobs

Senior Security Principal, Accenture (Netherlands)

Jaco is Cyber Operations and Resilience offering lead for Europe at Accenture Security based out of the Netherlands. He has been a “security guy” for around 19 years during which time he has provided security services to several companies in Africa, Europe, the Middle East and the US. He has spent a large part of his career developing security IP and services and co-authoring security publications.

In 2018, I was asked to lead a project that would establish the beginnings of Enterprise Security Architecture for an oil and gas company. It was a great opportunity to build an ESA capability from scratch that I grabbed with both hands.

As we started the project, I realized that I was caught in the middle of a massive turf-war between the IT and OT teams who very firmly believed that there was no reason for them to even talk to one another about anything seeing that they are responsible for entirely different worlds. And on top of that, there was the “Cloud First” strategy of the company.

At the beginning of 2020, the project ended, and we had concluded 3 phases of architecture work with artefacts that are being used by the business, IT and OT. So, what changed? How did we settle the turf war and include cloud?

In this session I will talk about the initial struggles, how I used SABSA methods to bring the three worlds together, aligned and integrated with the policy and risk management frameworks, creating and applying a zoning model to create consistent patterns used in high- and low-level designs.

12:15 D11: Redefining the Modern Digital Security Enterprise Architect Speaker(s): Rosanna Kurrer, Patrick Wheeler

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults on and leads design thinking, corporate innovation and coding seminars for corporates and individuals (e.g. BNP Paribas, Salesforce.com, the 27 EU Director Generals as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via formal architecture education in Japan, she now identifies as German and Belgian.

Patrick Wheeler

Mentor / Director, CyberWayFinder (Belgium)

Leader of Transformative Security Initiatives: Patrick Wheeler is a specialist in combatting cybercrime and has been involved in IT consulting, business and security for over 20 years. Originally from California’s Silicon Valley and San Francisco, and now a naturalized Belgian, he focuses on the European financial sector (e.g. SWIFT, Euroclear, BNP Paribas), specializing in security, compliance and innovation under the rubric of ‘Cybrepreneurship’, which he defines as including opportunistic...

Defining the Modern Architect: There has been much discussion since Vitruvius’ days about what architecture is in the context of the built environment, but how do we define the role of the modern architect in a security context in a fast-paced digital world? In building architecture we have the Pritzker Prize. In the arts we have endless awards. Where are the Olympics, Oscars or the Pritzkers in digital architecture and security? Is it really just about the technical certifications?

Democratisation of Architecture: Security Architecture, arguably, is currently practised as a first-world solution to first-digital-world problems. Why should enterprise security architecture be restricted to major enterprises? Stereotypes of architects and engineers should not be exclusive. What can we learn from the other architecture professions about democratising knowledge and making it available to everyone?

How to Educate an Architect: As if writing for today, Vitruvius could have been describing what the modern digital enterprise security architect needs to be: conversant in history, business, mathematics, medicine, music and law - with a big dose of creativity and design added. Fundamentally we are all solving human-needs problems, with more complexity to them than solely an engineering challenge. We need a wide range of skillsets to come up with innovative solutions: business, legal, technology, history … the analogy works … not the attributes of architecture itself, but the attributes of the architect … some wise words from Vitruvius … and how to build ourselves to enable the building of the next generation of Enterprise Security Architects.

History of Technology: Know your history. How we architected early systems, languages and interactions remains in place today; ‘legacy’ is the legacy of our digital founders and their (civil libertarian?) mindset … as we ‘cloud’, is it still ‘just someone else’s computer’ at a different scale?

Philosophy of High-Trust Security: In social psychology, high-trust societies advance more using the “truth-default” mindset; had we stayed distrustful - and we remain tribal - we might not have advanced to building cities. Our goal needs to be to enable ‘trust’ and relieve our digital citizens of the need to be ‘worried’ about their systems at all times …

As taken from: Becoming an Architect by Janelle Zara

We might find comfort in knowing that building architects have similar challenges - and yet we get to admire structurally-safe, useful and inspiring structures in our cities.

“An architect’s work is hard. A single project takes years to complete, and not at a slow and steady pace. The years are labor-intensive; high-level precision is paramount; and compromise is inevitable. Architects’ ideas undergo a stream of revisions based on the review of endless collaborators, pit against the whims of difficult clients, disputes with contractors, the red tape of bureaucracy, and the ordinary constraints of physics. Before construction begins, there’s a mountain of paperwork. And once construction does break ground, it’s bound for delays and budget shortages, miscommunications and incorrect shipments of door handles.”

13:00 - 13:45 LUNCH & NETWORKING SESSION

13:45 A12: A "Theory of Vulnerability" for Cybersecurity Speaker(s): Alex Parkinson

Alex Parkinson

Senior Security Architect / Cyber Project Design Authority, Thales (Australia)

Alex Parkinson is a senior cybersecurity architect at Thales Australia. Qualifications include a Master of Science (Internetworking), a Graduate Diploma in Applied Finance and CISSP, CRISC and SABSA Practitioner (SCP) professional certifications. Alex has 30+ years of experience in understanding and dealing with complex systems and organisations in multiple sectors, including Defence and National Security, Trading and Financial Services and Mission Critical Engineering projects.

In security there is a large body of knowledge on how to find vulnerabilities in existing systems. This is matched by a great deal of research activity, both commercial and academic, to find vulnerabilities in existing systems. Thus, security finds vulnerabilities by the application of trial-and-error searching on existing built systems – we effectively go prospecting for vulnerabilities out in the real world.

As useful as this is, it contrasts with other fields of engineering endeavour that use accepted scientific theories to analyse and model possible outcomes and to predict, and therefore avoid, problems with the solution. Note that this is before real resources are expended on building / creating the actual solution.

The problem is that there is no theory that describes where security vulnerabilities come from, what their root causes are and how they can be modelled. This means that security engineers and architects are unable to do cost-effective prior analysis to prevent / design out vulnerabilities. It is also not possible to reliably fix existing vulnerabilities in a manner that guarantees not to create other vulnerabilities.

The field of Safety Engineering does have a “Theory of Hazard” that describes how hazards are caused and therefore how they can be prevented, thus providing a reliable way for modelling a solution, predicting hazards and removing the risk of accidents at the system design stage.

Therefore the field of security needs a “Theory of Vulnerability” that can explain how vulnerabilities come into existence and can be used to model and predict the existence of vulnerabilities. This is critical for systems that must provide users with real certainty about their safe and secure operation prior to the systems being implemented or operated.

13:45 B12: The Nature of Security Speaker(s): John Ceraolo

John Ceraolo

CISO, Sentry Data Systems (USA)

Mr. Ceraolo has been an information security professional for over 25 years in industries ranging from publishing, software, automotive, mobile technology and now healthcare analytics. He has frequently spoken at COSAC and other US-based security conferences. He holds his CISM, CISSP, and CISA as well as his Masters in Information Assurance from Norwich University.

This session takes a step back from the traditional technical approach and explores what we have and have not learned from the many non-human life forms around us. Defense mechanisms of camouflage, distraction and evasion have been perfected to the point of species survival. What are humans doing wrong when we fall for the same phishing attacks, social engineering and poor security hygiene after all that we know today? By looking at how “nature finds a way”, this session explores that evolution and how as security practitioners, we need to project a “virtual instinct” into the people and companies we protect. What can we gain from thousands of years of evolutionary defenses that we aren’t exploring today? We’ll delve into the parallels of predator vs prey and threat vs defense. Which side are you on?

13:45 C12: Reorganising Cybersecurity for Business Agility Speaker(s): Ilker Sertler

Ilker Sertler

Enterprise Security Architect,

Ilker helps organisations build modern practices and capabilities delivering cybersecurity and enterprise agility in harmony. He is a researcher and practitioner with 20+ years of diverse professional experience within large enterprises. His research and work practice focus on architecting cybersecurity for modern delivery models and practices such as Agile, DevOps and the cloud. Previously, Ilker assumed various consultative roles for leading technology solution providers and he is currently...

Agile principles have been widely adopted by software development communities for decades. Presently, the digital era and the increasing uncertainty of the business environment compel organizations to extend these principles across the whole organization. Many established enterprises attempt to transform their structures and processes to build a culture of agility and flexibility so that they can defend their marketplace. While traditional architecture and governance functions are eroded during transformation journeys, cybersecurity is still considered one of the top concerns and usually manifests as a constraint on agility.

Business leaders often lack understanding of business value within the cybersecurity initiatives and just choose to delegate responsibility to exclusive teams. SABSA Business Attribute Profiling has been an effective technique to connect security and business; however, tailored approaches are required to organize and represent cybersecurity services within the agile delivery models and emerging value streams of uncertain business environments. This session proposes a new approach to organize and present cybersecurity services with meaningful abstractions for all stakeholder groups. A simplified model for security architecture is introduced to promote a common taxonomy and integrated practice for collaborative development and articulation of architecture, also offering better alignment with technology and process constructs of the agile enterprise. Finally, guidance is provided to build the modern cybersecurity organisation, outlining cybersecurity functions, roles, responsibilities, core activities and interactions.

13:45 D12: The Demise of the Cybersecurity Workforce (!?) Speaker(s): G. Mark Hardy

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military, and commercial clients for over 30 years, and is the author of over 100 articles and presentations on security, privacy, and leadership. A graduate of Northwestern University and Loyola University, he holds a BS in Computer Science, a BA in Mathematics, a Masters in Business Administration.

Our career has been growing like crazy with an estimated 3.5 million unfilled cyber security jobs within the next few years. More certs, more quals, more money, right? But what if we’re wrong? AI, outsourcing, and visa programs may put a huge downward pressure on future job opportunities (and pay) in Europe and North America. Of course, we don’t WANT this, but shouldn’t a wise professional prepare for possibilities? We’ll look at facts, figures, industry trends, and possible futures that might have us thinking that 2021 represents “the good old days.” No gloom-and-doom here; just a risk-based look at what happens if we really can NOT get the talent regardless of price, and why financial incentives haven't effectively raised the ability level of our cybersecurity workforce. Not just speculation but tons of research.

14:30 - 14:50 BREAK

14:50 A13: Learn Techniques to Automatically Identify System Vulnerabilities, Weaknesses, and Common Attack Patterns Speaker(s): Phil Bridgham

Phil Bridgham

Principal Investigator, Northrop Grumman (USA)

Dr. Phillip Bridgham is a Cyber Architect and researcher for Northrop Grumman and applies AI, Machine Learning, and Information Fusion techniques to achieve advanced automation and risk management. Dr. Bridgham brings 25 years of software engineering and technical leadership experience across a wide range of industries, including: Aerospace, Industrial Controls, Robotics, Banking and Finance, Medical Devices, Fraud Detection, Risk Analysis, and more.

This session demonstrates and explains, to a non-technical audience, how three complementary data management techniques help to automatically identify system vulnerabilities, weaknesses, and common attack patterns. A comparison of the trade-offs of using relational, graph, and semantic ontological data stores is presented as real-working examples. These complementary technologies are demonstrated and explained in non-technical terms to provide a broad audience with the opportunity to learn about the value propositions and trade-offs of each technique.

A relational database demonstration will highlight achieving the speed and performance required for querying and retrieving large and complex data sets. A graph database is then demonstrated to showcase the power of specifying graph structures and relationships to quickly and intuitively extract patterns of interest, such as vulnerabilities and weaknesses related to system elements. Finally, a semantic ontology is demonstrated as state-of-the-art knowledge generation through inference, where system elements are automatically classified into technology domains.

14:50 B13: Security is for Humans, Not Lizards: Social Engineering Brain Science Speaker(s): Ashling Lupiani, Kathleen Mullin

Ashling Lupiani

Recent Graduate, (USA)

Ashling is a neuroscientist & biomedical engineer with experience in speech and motor research. She has spent 5 years running neurorehabilitation studies with human participants. As part of this work, she co-authored 5 papers and presented at international conferences in Toronto & Boston. She also has an interest in hacking & social engineering, attending conferences such as DEFCON for 8 years. She earned a BA in Neuroscience from Boston University in 2017, and a MS in Biomedical...

Kathleen Mullin

CISO, Healthmap Solutions, Inc. (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

This novel and unique discussion on how we decide and react comes from the perspectives of both neuroscience and information security. This presentation addresses how many information technology and security thought leaders are adversely impacting the credibility of their presentations, themselves and the profession by using the thoroughly debunked triune theory. Utilizing the false concept of an amphibian, reptilian, or lizard brain to explain how we decide and react detracts from otherwise accurate information at best and at worst can skew materials to make them entirely incorrect. This also impairs the ability of information technology and security professionals to create appropriate defenses for social engineering attempts by establishing a faulty knowledge foundation.

The value in this session is providing real tools from current brain science to use in identifying potential weaknesses, attacks, and defenses for the human system. This discussion is timely as social engineering, body language, and behaviour experts are spreading misinformation in life-coaching sessions, public speaking events, YouTube, Twitter, Instagram, books, and magazines. The approach of this session is to provide opportunities to challenge and give input while imparting attainable science on the real brain doing information security - a human one. 

14:50 C13: Shapeshifting Enterprise Security Architecture Speaker(s): Andreas Dannert

Andreas Dannert

Head of Security Architecture, Standard Chartered Bank (Singapore)

Andreas is currently the interim Head of Security Architecture at Standard Chartered Bank in Singapore. At SCB he is responsible for a core Security Architecture team that is delivering the organization’s Security Architecture Framework, Strategy, and relevant Security Capabilities. Before this he was a Principal Enterprise Security Architect at Australia’s national broadband network (nbn), which is a government owned enterprise, providing critical infrastructure services to millions of...

SABSA is a powerful methodology for problem solving and has been defined as a structured approach to security architecture development. While SABSA can be extremely useful for security architects, it does not answer all questions, especially not the aspect of continuous delivery and transformation that large organizations heavily depend on. Having a well-defined and robust security architecture is one thing, but continuously adjusting it to meet the requirements of new technologies, like bot IDs and machine learning, the shift to cloud or changing regulations, is another problem. Organizations that want to drive security in a structured way, supporting continuous delivery and doing it fast, need to have mechanisms and processes in place that support the continued transformation of their security capabilities. Their security architecture needs to have the ability to “shapeshift”. Can yours do this, and can you do it fast and efficiently?

In this presentation we will explore the challenges of continuous security transformation and ways of addressing them in a structured and repeatable way. The benefit of applying methods to the agile madness here is that the idea of a well-engineered security architecture, as described in SABSA, can be made easily repeatable and governable. This leads to a more mature way of delivering the right security outcomes consistently and to a defined level of quality. The presentation will describe the organizational drivers for continued change, like legal and regulatory requirements and the shift to cloud platforms, their impact on a security architecture, and how to change security architecture delivery to better address these challenges. Ideas presented in this session are based on real-world scenarios in the financial and other industries. Some of the approaches have been or are to be implemented and others are still in development. Nevertheless, all the ideas presented are real and not of a theoretical nature.

At the end of this session participants should be able to understand what challenges need to be addressed when continuously transforming and pro-actively driving the delivery of security capabilities. It is not just a rinse-and-repeat approach, but something intrinsically built into the Security Architecture Framework of an organization.

In the spirit of COSAC, this session will hopefully provoke lots of questions and discussions due to the fact that shapeshifting Security Architecture is really not a thing, but more an idea and concept that the presenter feels needs to be explored further and developed. Only then can we enable security capability in organizations that want to go faster and be more flexible.

14:50 D13: Security Frictions in Digital Healthcare Speaker(s): Matthew Gerry

Matthew Gerry

Postgraduate - MSc Information Security, Royal Holloway University of London (UK)

Matthew is a postgraduate student at Royal Holloway, reading MSc Information Security. Having graduated from the University of Bradford with a degree in Business Economics, he has spent the last 5 years working within treasury for organisations in office space, oil & gas, and the finance sector. He has always had a passion for computing and is a big believer that digital security has become a defining issue of our time. This has prompted him to pursue a career in security. He has a keen...

The digitalisation of the classic healthcare system model between the (UK) NHS and the patient has been a widely debated topic in the security community for several years. Now, “Big Tech” has made an overt entry into the healthcare sector, presumably in search of the valuable, and relatively unexploited, ocean of patient medical data. More recently, there has also been a huge drive to collect more and more data to aid our understanding of the spread of COVID-19. This has led to a proliferation of data gathering IoT tools, which are being rapidly developed and pushed to the public to meet this demand.

Telemedical brokers are keen to be the first to collect, analyse, and profit from the healthcare data of consumers – incentivising commercially-driven decisions over security concerns. In the same vein, healthcare providers such as the NHS are economically incentivised to partner with such organisations. Given this momentum, consumer requirements often come second, creating an asymmetrical power dynamic, and increasing the tension surrounding the use of personal data.

The rising fears over the use and misuse of personal data have led patients to row back consent to share medical information, presenting an obstacle to academic research and to the overall potential of big data to improve healthcare outcomes. It is therefore vital that we “start afresh”, that we learn from the last decade’s experience of data security and evolving attitudes towards security, and that we consider information security at the core of this new system.

In this presentation I present my research that:

  • identifies the objectives of stakeholders involved in the development of a digital healthcare system and determines what security frictions are generated by conflicting objectives;
  • explores how these frictions would manifest in the design decisions of a future digital healthcare system;
  • maps where identified security frictions occur in the defined digital healthcare systems and considers how they might be resolved.

I look forward to engaging with a COSAC audience that I hope will provide me with further insight into where security weaknesses are already being built into a future digital healthcare system, and how best to address them.

15:35 - 15:55 BREAK

15:55 A14: Ransomware - Pay Up or the Data Gets It! Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...

It would be a real shame if something happened to your data. Ransomware is increasingly a commodity malware service generating significant returns for cyber criminals in the order of multi-billions per year. Ransomware attacks have morphed from: hostile encryption of data to be released for a fee; to copying data and threatening exposure unless a fee is paid; to mounting attacks to inhibit business operation (DDoS) unless a fee is paid to stop; to a protection racket by merely threatening to do any or all of this unless a fee is paid without actually actively engaging the intended victim. Is it possible to keep avoiding this quickly evolving threat?

The DearCry ransomware, enabled by mass exploitation of the ProxyLogon vulnerability, highlights how pervasive the ransomware threat has become. We will examine the evolution of ransomware threats and the risks and challenges that they continue to present to business. What is needed to combat this type of threat? Is prevention possible? What is available to help organizations combat the impact of ransomware? What do you do if you are a victim? What avenues have been effective and what hasn’t worked? We will explore several approaches to combat this menace, including advice from several organizations such as Carnegie Mellon University, NIST and the US National Cybersecurity Center of Excellence (NCCoE). We will describe various approaches to defend against ransomware attacks and tips to limit the impact if an attack is successful. Have you had experience with ransomware? We look forward to an interactive session to share the secrets to success and what to avoid doing.

15:55 B14: Zero nation Speaker(s): Robert Laurie

Robert Laurie

Enterprise Security Architect, David Lynas Consulting (Australia)

Rob is an Enterprise Security Architect with 17+ years’ experience in the IT, Application and Security industries and holds several security designations within the sector. He is a committee member for the Australian Information Security Associates (AISA) and is a member of the GIAC Advisory Board.

In 1986 Ph.D. student Fred Cohen coined the phrase "computer virus" borrowing from what we knew about biological viruses to describe "a program that can infect other programs by modifying them to include a, possibly evolved, version of itself."

It was only when Robert T. Morris released the Morris Worm in 1988, that the population grew fascinated with a piece of code that could attack the very mainframe servers that maintained the balance of "mutually assured destruction" throughout the cold war.

It's clear that our understanding of new technology has been somewhat underpinned by the medical industry in this regard, but are there any concepts that the medical fraternity can learn from cyber security?

In this session we will examine some of the take-aways from the onslaught of technology and COVID that we have witnessed over the last two years.

15:55 C14: SABSA and the Framework Hunger Games Speaker(s): Dimitrios Delivasilis

Dimitrios Delivasilis

Managing Director, Qiomos (UK)

Strong technology executive, specializing in business-driven security architectures and business risk control management. I have more than 16 years of extensive experience gained within information security consultancy firms as well as financial services and telecom organizations. During the last eight years I have been offering enterprise security strategy services to C-Level executives across Europe due to my ability to simplify complex technological issues.

The ever-increasing attention in the area of information security, cyber security and, as of lately, risk resilience is being followed by significant investments organisations make in an attempt to stay in control and consequently protect their operations. The flux of money, especially evident in the aftermath of a visible security breach in the public domain, usually results in a plethora of technical controls with very little justification and almost non-existent acknowledgment of the business context. Instead of investing time and resources to define the problem space first, security professionals hide behind numerous security frameworks, pre-built lists of controls, and best-practices.

This presentation will analyse the driving forces behind this phenomenon in an attempt to identify the root cause, and then explore how SABSA can provide a credible way to alleviate, if not solve, the problem. In doing so the emphasis will be on the need these frameworks and control repositories aim to address, their relevance to building operational resilience and meeting regulatory expectations, and the prioritisation of the investment required to perform active risk management. SABSA principles and logic will be put to the test as we explore the differences between a compliance-driven and an improvement-driven mindset.

15:55 D14: Social Engineering in Healthcare Speaker(s): Kathleen Mullin

Kathleen Mullin

CISO, Healthmap Solutions, Inc. (USA)

Kate Mullin CISSP, CCSFP is CISO at Healthmap Solutions, Inc. & an influential information security practitioner with 30+ years of experience. Kate has been a VCISO and was CISO at various organizations, including publicly traded (WageWorks), private equity (HealthPlan Services, HPS), not-for-profit (Adventist Health), and governmental entities (Tampa Airport, TIA); establishing the role at TIA and HPS. Throughout her career, Kathleen has volunteered and participated in maturing information...

Built on a COSAC presentation that never was, due to COVID-19, this unique presentation is framed by a healthcare security professional. This is timely since healthcare has seen an escalation in social engineering attacks.

Malicious hacking against healthcare has multiple goals, including stealing money (often via ransomware), research, or data. Healthcare systems are particularly susceptible because basic security controls are not in place within highly integrated systems with limited funds, and manufacturers are still selling systems with obsolete operating systems. This discussion analyses how targets are selected and attempts are delivered, why social engineering is effective, how to protect against it, and the options if protection fails.

Seasoned professionals recognize hacker motivations, threats and vulnerabilities. These need to be communicated to lay persons, whose backgrounds are especially varied in healthcare.

The value in this discussion is a prebuilt response to protect against social engineering in general and for healthcare in specific. Proposed is a non-technical checklist for use by laypersons to start addressing risks.

The approach is the discussion of a plan to reduce the likelihood of a social engineer's success using training, testing, and technical controls based on the risks from common methods used to victimize healthcare organizations.

16:40 - 17:00 - BREAK

17:00 A15: Ransomware Response - A Lawyer's Perspective Speaker(s): Mark Rasch

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record of establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years' experience in information security and in high-technology litigation and advisory work across critical infrastructure, and is highly sought after as one of the world's leading legal (cyber) experts.

Your company is hit with a ransomware attack. You have to decide whether to try to decode the bitlocker, rebuild the database, or pay the ransom. Who makes the decision? IT? CISO? Legal? Your insurance company? If you decide to pay, how do you do this as a practical matter? Are the costs of paying ransomware covered by insurance? What about the costs of NOT paying ransomware? Are you subject to criminal prosecution for the mere act of paying to release your funds? This session will focus on the legal and practical aspects of ransomware including violations of international sanctions, aiding and abetting terrorists or other criminals, operating as an unlicensed money transfer agent, money laundering and other KYC regulations, providing material support to criminal activities, and other potential liability sticking points.

17:00 B15: The Wisdom of Insecurity Speaker(s): Helvi Salminen

Helvi Salminen

Security Advisor (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years' experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is qualified CISA, CISSP and SABSA, and was named CISO of the Year in Finland in 2014.

We are used to looking at security through the lenses of rules and discipline. This is often useful, even necessary, and we find solutions to many problems in this way. However, purely rule-based security is no longer sufficient for a business that operates in an increasingly complex technical reality and a rapidly changing society.

Our methods, standards, guidebooks and countless rules prepare us to resolve known problems by answering predefined questions. But if we rigidly stick to the predefined rules we don’t develop the capability to understand issues which are not included in our recipe books. How can we be sure that we have asked all the important questions?

This session is designed to discuss the limits of the applicability of the standard- and rule-based way of doing security. What do we miss when limiting our thinking to this type of approach? What can we learn from other areas of knowledge, e.g. social psychology and philosophy, and apply in our security work? How can, for instance, the principles of creative idleness and reversed effort help us to resolve complex problems better?

Welcome to the adventurous journey which is inspired by thinkers whom we usually don’t see in the context of security. Alan Watts says that it is only by acknowledging what we do not—and cannot—know that we can learn anything truly worth knowing. Aldous Huxley states that the harder we try with our conscious will to do something, the less we shall succeed. Proficiency and results come only to those who have learned the paradoxical art of doing and not doing, or combining relaxation with activity. With the concept of creative idleness Domenico De Masi embeds elements of pleasure to the hardness of duty. And many others help us to get out of the box.

Also in security.

17:00 C15: SABSA for Humankind
 

When I started my career working in a hospital as a nurse, I was always interested in the terminals/computers.

Long story short, I switched careers at some point and got into IT Security. When I met SABSA I instantly connected the methodology to the work I did in the hospital: working on properties to help patients achieve a balance between physical, social and psychological elements.

Therefore I decided, already in the Foundation course, that I would pursue becoming a Master, and would probably take it outside the IT Security field.

In this session I will present to you my approach towards SABSA as a problem-solving framework applied to Humankind.

17:00 D15: The Great Security Leadership Debate - 20 Questions Speaker(s): Todd Fitzgerald

Todd Fitzgerald

CISO & Cybersecurity Leadership, CISO Spotlight (USA)

Todd has built and led multiple Fortune 500/large company information security programs for 20 years across multiple industries. Todd serves as Executive In Residence and Chairman of the Cybersecurity Collaborative Executive Committee, was named 2016-17 Chicago CISO of the Year, ranked Top 50 Information Security Executive, and named Ponemon Institute Fellow. Fitzgerald authored CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.

The information security leader has evolved much over the past 25 years, or have they? This session takes a look at the evolution of the Chief Information Security Officer (CISO) and then discusses 20 cybersecurity leadership perspectives provided by expert CISOs and security leaders of some of our largest organizations today. We will discuss: are these ideas increasing our maturity or are they moving us backwards? The questions are based upon write-ups that some of the top CISOs and cybersecurity leaders have provided to the presenter on different topics such as developing strategies, managing MSSPs, hiring talent, privacy, organizational structure, orchestration, use of AI/Machine Learning/Blockchain, etc., drawn from practical experience, not theory.

For several decades, the presenter has used an innovative approach to delivering content - props, videos, sound, and audience participation to create a memorable entertaining and informative experience with actionable material. The speaker is a top-rated RSA speaker (2013-2020) and ISACA top-rated speaker.

17:45 - 18:00 BREAK

DAY 2 KEYNOTE

18:00 Building Digital Empathy into Cybersecurity Speaker(s): Siân John MBE

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

The last year brought home the need to help people be both productive and secure. As everyone moved to be more agile and to pursue digital transformation, securing access to data became more critical. Cybersecurity is the underpinning for protecting data, helping organizations remain compliant and maintaining business continuity while they adapt to this new world.

When billions of people formed the largest remote workforce in history, overnight, we learned much more than how to securely scale Virtual Private Networks. We were reminded that security technology is fundamentally about improving productivity and collaboration through inclusive end-user experiences.

Cybersecurity needs to focus on “digital empathy.” How do we truly understand how people engage with technology and build protection into that, rather than blaming them for unexpected behaviour? Being empathetic to the end-user experience is something we must consider during times of constant disruption and change. As cybersecurity professionals we need to put ourselves in others' shoes and consider how they engage with technology.

This session will look at how we can build security architectures that are empathetic of someone’s situation - and forgiving of mistakes - to ensure people are protected, and blockers to productivity are removed.

Networking

18:45 Day 2 - Networking Session

Thursday 30th September 2021

(ALL TIMES BST)

COSAC Immersion - Deep Dive into Diversity

09:30 Introduction
 

For many years COSAC has been proud to support a truly global community and present an agenda of interest and value to people with a rich tapestry of backgrounds, cultures, life experiences, skills and talents. We believe that the diversity of our participating community enriches us all and improves the quality and effectiveness of our security decisions.

The COSAC Immersion session is modeled on our traditional COSAC Masterclasses which explore an important topic from multiple perspectives and follow the narrative from introduction of the issues through future solution strategies.

We have had sessions on diversity for many years, but for 2021 we have chosen the subject for our deep-dive immersion, led appropriately by some of the subject's most enduring advocates: Valerie Lyons, Rosanna Kurrer and Esther Schagen-van Luit. The diversity immersion will cover:

  • What is diversity?
  • What role does it play?
  • How does it affect behaviour?
  • What is bias and how can it be overcome?
  • How can diversity be measured?
  • What is the role of diversity in managing complex Enterprise problems?
  • When and how can a cognitively diverse team perform measurably better in a security domain, how can ‘better’ be demonstrated, and what are the steps to achieving it?
  • How can we replace historical uniformity and embed valuable fresh perspectives within our teams?
  • How can we scout, onboard and mentor candidates from non-traditional security recruitment pathways?
  • How can we adapt recruitment processes and build tools to remove bias from the recruitment process?

09:30 Part 1 - Building Diverse Security Teams Speaker(s): Valerie Lyons

Valerie Lyons

COO & PhD Scholar, BH Consulting & DCU (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

“Everyone should learn how to program because it teaches us a new way to think about the world” Steve Jobs

We find ourselves in a global environment, with a tightly connected global workforce, and a shortage of diverse talent in the tech sector. Having people with a diverse set of backgrounds, cultures, life experiences, skills and talents improves the quality of business decisions and helps protect organisations from group-think. Having a diverse workforce also reflects the diversity of the marketplace, making it easier to engage more effectively with a wider talent base and extended customer base.

But what is diversity and how does it differ from equality? Diversity is defined as “recognising, valuing and taking account of people's different backgrounds, knowledge, skills, and experiences, and encouraging and using those differences to create a productive and effective workforce”. The current dialogue regarding diversity tends to focus on gender diversity; however, diversity extends beyond gender to many other attributes such as neurodiversity, political leanings, culture, religion, nationality, ethnicity, race, colour, education, age, disability, introversion/extroversion etc. The term ‘diversity’, however, is often used when the term ‘inequality’ is intended, and we therefore risk sanitising ‘inequality’ with ‘diversity’ as a result. Unlike diversity, equality is a legal requirement. Under the Equality Act people are protected from discrimination on the following grounds: ethnicity, sex/gender, disability, religion and belief, age, sexual orientation, family status (e.g. pregnancy and maternity), and marriage and civil partnership. It is easy to see why the two terms are used interchangeably, given that the grounds for discrimination are similar to the characteristics of diversity. Where equality is about fairness and transparency, diversity is about embracing and valuing difference.

To address historical inequality, many organisations in the past (particularly public sector organisations) applied ‘quotas’. However, quotas can damage meritocracy: those recruited under a quota system are judged as nominated under a quota rather than on merit, thereby possibly increasing the risk of excluding the best candidate or undermining the credibility of the selected candidate. Quotas also fail to address the issue of implicit bias, where committees and individuals charged with recruitment, promotion and performance evaluation typically tend to select people that look like them, act like them, talk like them, have similar backgrounds etc. Implicit bias refers to the attitudes or stereotypes that affect our understanding, actions, and decisions in an unconscious manner. These biases, which encompass both favourable and unfavourable assessments, are activated involuntarily and without an individual's awareness or intentional control. Residing deep in the subconscious, these biases are different from known biases that individuals may choose to conceal for the purposes of social and/or political correctness. The implicit associations we harbour in our subconscious cause us to have feelings and attitudes about other people based on characteristics such as race, gender, education, ethnicity, age, and appearance. Implicit biases are not accessible through introspection. We rarely recognise our own implicit bias, and therefore the rules for ‘equality’ can lack transparency for work recognition, recruitment and promotion.

This is where Diversity programs have the potential to bridge a gap.

To encourage Diversity in the workforce, we need to consider a starting point. Publishing a diversity policy for your organisation is about as effective as publishing a privacy policy is for data protection effectiveness – on its own it is meaningless. The key to diversity is to understand how different types of diversity and different demographic characteristics can impact human behaviour. This presentation explores some key characteristics of diversity, and outlines several positive and constructive steps that organisations (and society) can take to encourage diversity and equality in the workforce and outlines the potential benefits of such steps. We pay attention to gender diversity and explore recent pan-European studies that identified factors that influence different genders into selecting tech as a career.

Key learning outcomes from this presentation are:

  • Understanding the differences between diversity and equality
  • Understanding the impact and role that diversity has on both employees and on products, services and revenue.
  • Understanding the challenges of building diversity into our teams
  • Understanding implicit bias/unconscious bias, and strategies to determine and address such bias.
  • Understanding the importance of the role of mentorship in teams

Audience: Senior roles involved in managing security and/or privacy teams: CIOs, CISOs, CROs, CPOs, Team Leaders and anyone involved in the recruitment of security or privacy teams.

10:30 Part 2 - Measuring the Power of Diversity in Cybersecurity Teams Speaker(s): Rosanna Kurrer

Rosanna Kurrer

Managing Director, CyberWayFinder (Belgium)

Rosanna runs a rapidly expanding European platform growing next-generation diverse cyber security professionals. She consults on and leads design thinking, corporate innovation and coding seminars for corporates and individuals (e.g. BNP Paribas, Salesforce.com, the 27 EU Directors General as individuals). An accomplished public speaker, she emphasizes the doing of things. A native of the Philippines, via a formal architecture education in Japan, she now identifies as German and Belgian.

How strong is the business case for cognitively diverse teams in cybersecurity? Applying the research of several diversity academics, including that of social scientist Scott E. Page, known for modelling diversity and complexity, how can we apply these models to different security teams to quantify the benefits diversity brings to performance on the specific tasks needed to reach a team's objectives?

Perspectives on Corporate Diversity Initiatives: Identifying three approaches to managing the issue of diversity in the corporate workplace: discrimination-and-fairness paradigm, access-and-legitimacy paradigm and the learning-and-effectiveness paradigm [1]. How do these three approaches differ in leveraging diversity? How are they relevant to cybersecurity teams?

Significance of Proportions: Proportional representation of any demographic can affect behaviour, performance and perceived performance in a group [2]. Four group types are identified according to the relative proportion of a certain population and the resulting social categories of their membership:

  • uniform group (100:0, homogeneous team),
  • skewed group (85:15, dominants:tokens),
  • tilted group (65:35, majority:minority),
  • balanced group (60:40 to 50:50, potential subgroups).

How might these social categories affect performance in specific security teams?

Toolbox Framework vs Measuring Stick: Measuring, comparing and ranking individual intelligence or ability has traditionally been done using the measuring stick of IQ scores. The toolbox framework (of cognitive tools) reframes how we think of intelligence [3], especially in the context of collaborative tasks. It allows us to compare the effectiveness of teams according to the number of unique tools (acquired through training and/or experience) each member brings into the team and the combinations of relevant tools between members to tackle complex problems or situations, such as responding to an incident. Tools can be categorised in frameworks of perspectives, heuristics, interpretations and predictive models. This refers to the knowledge base, experiences, rules of thumb and problem-solving approaches that represent the unique contributions of each member.

Complexity and Diversity: Complexity is in the nature of the problem (challenges in securing an organisation), in the complex tasks needed to address them (high-dimensionality and difficult to decompose), as well as in the tools of the team and the combination of tools between members of a team (cognitive repertoire). The challenges facing security teams change at an incredible pace and increase in complexity as new information and technologies are created, i.e., there is a need to be agile, flexible and adaptive, and a need for both broad and deep knowledge base of various domains. How do we face complex challenges with a limited team budget for human resources and the seemingly small talent pool? Could diversity be one of the answers to address these complexities?

Diversity Bonus - When Diverse Teams Trump Homogeneous Groups: Diversity bonuses depend on the team and the tasks at hand (routine vs non-routine, manual vs cognitive) [4]. A team with minimal overlap of relevant tools among its members, i.e. a large number of unique, relevant tools contributed by each member, may realise a diversity bonus. This bonus enables a team to perform better on the complex tasks frequently required in a knowledge economy. What do ideal teams look like considering: (1) the tasks needed to achieve targets and objectives, (2) the task-relevant cognitive repertoire of the team, and (3) the culture that enables productive interaction within the team? When and how can a cognitively diverse team perform measurably better in a security domain, and what are the steps to achieving this?

11:30 Part 3 - Inclusive Cybersecurity Recruitment Speaker(s): Esther Schagen-van Luit

Esther Schagen-van Luit

CISO, Deloitte (Netherlands)

Esther is a Specialist in Security Architecture at Deloitte Cyber Risk Services. Her ambition is to be a Leading Lady In Cyber, who is the best in her craft (security architecture) and makes societal impact as a role model through making girls and women feel they (could) belong in the world of cybersecurity. For her work on getting more women into Cyber, Esther has been awarded prizes and nominations such as the Cybersecurity Award, Techionista Award, VIVA400 and Change in Business Award.

Working with people from diverse backgrounds is key in cybersecurity. How else can you combat the creativity of a black-hat hacker? The reality is that many cybersecurity teams consist of people with similar backgrounds. They have taken similar paths throughout their careers before ending up in this team. So how do you get those fresh perspectives in? Recruiting diverse profiles is easier said than done.

Cybersecurity recruitment is a challenge anyway. You'd like to hire a security unicorn. Just like everybody else, except they pay more. Your recruiter doesn't understand the nuts and bolts of cybersecurity. The people in your security team are not trained in recruitment interviews. You read about the Cybersecurity Skills Gap on a frequent basis and weep. What can you do to get the people you need?

This session should be of interest to security team leaders and those participating in the recruitment process. The speaker has been the business counterpart of the cybersecurity recruiter for a multinational. They have scouted, guided and onboarded candidates from non-traditional pathways. They have adapted processes and built tools to remove bias from the recruitment process. The audience will leave this session with practical tips on what changes they can make to diversify their security teams.

12:30 - 13:30 LUNCH & NETWORKING SESSION

COSAC Interactive - International Security Roundtable

13:30 International Security Roundtable Speaker(s): John O'Leary, Glen Bruce, Simon Devlin, Michael Hirschfeld, Siân John MBE, Lisa Lorenzin, Helvi Salminen

John O'Leary

President, O'Leary Management Education (USA)

John O'Leary, CISSP, is President of O’Leary Management Education. His background spans four decades as an active practitioner in information systems, IT Security and contingency planning. He has designed, implemented and managed security and recovery for networks ranging from single site to multinational. John has trained tens of thousands of practitioners, and conducted on-site programs at major corporations and government facilities worldwide. John was the recipient of the 2004 COSAC award.

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on Security Strategies, Architectures, PKI and Governance supporting business and governments in their approach to managing information security risk. He has over 47 years of in-depth experience in IT consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies, PKI and infrastructure implementations in support of both business and...

Simon Devlin

Head of Security Architecture, Tesco (UK)

I currently lead the Security Architecture and Application Security teams at the UK’s largest retailer. My career path is probably typical for someone of my age. I started on a technical helpdesk before Ethernet became the de-facto network connectivity standard and progressed into Unix ops, where on my second ever nightshift, the UPS exploded. Not quite a trial by fire, but pretty close. A decade or more of Cisco, Firewall-1 and IDS fun led me into what’s now called application security, and...

Michael Hirschfeld

Director, David Lynas Consulting (Australia)

Michael has 20 years’ experience in Information Security and is a Director of David Lynas Consulting and the Chair of the SABSA Founders Bursary. He has provided high level assistance on information security related matters to a range of clients within Australia and internationally. He was formerly the Chief Information Officer and CISO at the Australian Commonwealth Department of Finance where he had executive responsibility for ICT as well as physical security.

Siân John MBE

Director SCI Business Development, Microsoft (UK)

Siân John MBE is EMEA/APJ Director of Cybersecurity Strategy at Microsoft. She leads a team of chief security advisors in EMEA and APJ who work with Microsoft’s customers as they evolve their security strategy to support digital transformation and cloud adoption. Siân has worked in Cybersecurity for nearly 25 years across strategy, business risk, privacy, and technology. Siân is a recognised thought leader in the industry. She is Chair of both techUK’s CyberSecurity Management committee and...

Lisa Lorenzin

Director, Transformation Strategy, Zscaler (USA)

Lisa is Director of Transformation Strategy at Zscaler, specializing in secure application access and digital transformation. For more than 20 years, she has worked in a variety of network and information security roles and has contributed to open standards for endpoint integrity and network security from the Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF). Lisa is currently focused on helping customers achieve their security goals and create a seamless user experience...

Helvi Salminen

Security Advisor (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before starting information security tasks she had 12 years' experience in systems development. Helvi is a founding member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi is qualified CISA, CISSP and SABSA, and was named CISO of the Year in Finland in 2014.

The COSAC Interactive session is modelled on our traditional International Security Forum, which for each of the last 20 years has consistently been one of the most valued sessions of the entire COSAC event. We have made a few adaptations for the online virtual format: we cannot reasonably conduct the session under its normal full NDA, but we will bring a flavour of the highly-cherished COSAC Trust Culture to the session and reduce its length from our traditional full day to 3 hours.

COSAC Interactive will be led as always by our brilliant facilitator John O’Leary, supported by long-standing, highly-respected members of the COSAC community with a huge depth of experience across the breadth of the security spectrum:

  • Glen Bruce (Deloitte, Canada)
  • Simon Devlin (Tesco, UK)
  • Michael Hirschfeld (David Lynas Consulting, Australia)
  • Siân John (Microsoft, UK)
  • Lisa Lorenzin (Zscaler, USA)
  • Helvi Salminen (Consultant, Finland)

John and the COSAC panel will analyse hypothetical scenarios and actual events from widely different perspectives, based on widely different experiences and perceptions of success and failure learned in the real world. All participants in the Interactive session will be encouraged to offer and rigorously defend their own opinions and experiences. Collectively, embracing the COSAC ethos that all of us have an experience worth sharing and an idea worth developing, we will help and learn from each other.

16:30 - 17:00 BREAK

COSAC Instant - COSAC Rump Session

17:00 Conference in an Hour Speaker(s): David Lynas

David Lynas

Chairman, COSAC (Northern Ireland)

David Lynas is currently enjoying his thirty-eighth year of experience in Information Security, during which he has been invited to provide strategic advice to governments and industry clients on every continent. A globally renowned Enterprise Security Architect, Security Strategist, and Thought-Leader, he is the co-author of SABSA (the world's leading free-use, open-source Security Architecture Methodology), CEO of the SABSA Institute and CEO of David Lynas Consulting.

An in-person COSAC conference always ends with the hugely popular “COSAC Rump Session” which is the inspiration for this virtual adaptation - COSAC Instant. The intent is to deliver a conference in an hour. The audience’s expectations of presenters are: get on stage, make your point, interest us, provoke our thoughts, inspire us to action, give us value, but omit the boring basics, delete all padding and remove the fluff.

The COSAC Instant session, facilitated by COSAC Chair David Lynas, will consist of 10 presentations of 5 minutes duration that will collectively deliver the Conference-in-an-hour concept.

Networking

18:00 Day 3 - Networking Session