Welcome to COSAC - Conferencing the way it should be!

For almost 25 years COSAC has delivered a trusted environment in which to deliver information security value from shared experience and intensive, productive, participative debate and development. Sales content is strictly prohibited and there is no vendor exhibition to distract from opportunities, allowing delegates to focus on professional innovation.

Tuesday 3rd October 2017

09:00 - 09:30 Delegate Registration & Coffee

09:30 1A: The Potential of Artificial Intelligence for the Security Industry Speaker(s): Esther van Luit

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Considering a serious need for skilled people in technical security roles, AI in security (also termed ‘Cognitive Security’) seems to be at hand just in time. The speaker has investigated the implementation of IBM Watson, other upcoming cognitive security products and the DARPA CGC outcomes for the last half year to discover AI’s current added value in a security operations context and its broader potential in the security world. We will be looking at some typical roles in the security world and how they can be aided or even replaced by cognitive security technologies.

The audience will be invited to engage in a discussion on whether this is a desirable trend, whether AI will actually lessen the cybersecurity skills gap or whether many more new jobs will be created because of the implementation and security needs of AI, and lastly what qualitative impact this will have on the people working in the security industry.

09:30 1B: A Common Scale for Cyber Risk: Can it be Done? Speaker(s): Glen Bruce

Glen Bruce

Director, Deloitte (Canada)

Glen Bruce is focused on security strategies, architectures and policies supporting businesses and governments in their approach to managing information security risk. He has over 42 years of in-depth experience in information security consulting, systems management and technical positions. He has led many information security engagements, where he has helped clients establish effective strategies, governance, architectures, policies and infrastructure implementations.

How do you provide a meaningful answer to the Board or senior executives when they ask “are we at risk” from the latest cyber threat in the news? How do you provide easy-to-understand information about the actual risk to the organization? Can there be a “Securiton” (TM John O’Leary) to provide an indication of risk, much like the Beaufort scale does for wind, the Saffir-Simpson scale for hurricanes or the Fujita scale for tornadoes?

There are many cyber threat level definitions, but there isn’t a consistent cyber risk index that provides insight into the relative risk of a newly discovered vulnerability and threat. When a new threat is identified (usually accompanied by a catchy name and logo), a vague or misleading analysis of the risk is often published in the press, then copied and re-reported, compounding the panic. How do you leverage your organization’s security dashboard to summarize risk? We will review and discuss the components of risk reporting and how we can get to an effective way of defining risk that is quickly understood.

We will examine the Board’s and C-Suite’s evolving requirement to be knowledgeable and involved in the cyber risk affecting their organization. We will look at the available methods for defining the vulnerabilities and exposures that result in risk, and the available repositories of this information. We will examine the factors for defining and categorizing cyber risk and what contributes to making it meaningful to all levels of the organization. We will describe a set of risk reporting principles that will help guide how cyber risk can be defined and reported. We will also describe a method and process that can be leveraged to categorize risks into a more easily understood form. The goal is to make the risk of cyber threats easily understandable across the organization and to be better positioned to deal effectively with the risks. If we can arrive at a globally applied cyber risk.

09:30 1S: Aligning SABSA with FAIR Speaker(s): William Schultz

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare or PCI standards.

Conducting risk assessments in the information technology domain can often be tricky business. The results of the assessments can be used to drive long-term strategy, and a great deal of investment in strategic and tactical plans is based on the findings. However, most risk assessments involve making assumptions about the organization, as well as about the assets, threats, vulnerabilities and the levels of risk that the organization is facing. The quality of these assumptions will have a significant impact on the success or failure of the resulting security strategy and plans to appropriately address the organization's risk.

In this session, we will discuss how the FAIR (Factor Analysis of Information Risk) risk analysis methods can be integrated with SABSA to enhance risk posture knowledge and improve the understanding of the assumptions being made. FAIR has implemented a risk ontology to help organizations quantify risk in a way which is less about assumptions and more about traceability. FAIR takes a unique approach to defining and tackling some of the more difficult aspects of risk analysis which haunt our profession. We will look at how FAIR can help us enhance our architectural approach to assessing and analyzing risk.

10:30 - 10:50 Morning Coffee

10:50 2A: Smarter Toys: Next-Level Social Engineering Malicious Insiders Speaker(s): Esther van Luit

Esther van Luit

Senior Security Consultant, Deloitte (Netherlands)

Esther van Luit is a young and driven security advisor for Deloitte Netherlands. She specializes in security skill gaps, cyber risk quantification and security maturity assessments and has worked for many international clients. She was shortlisted for Woman of the Year 2015 at the British Cybersecurity Awards and is actively involved in getting more girls and women into the security industry. She is determined to advance the state of security knowledge management and education in her career.

Connecting toys to the internet has led to a revolution in interactivity between toy and child, with sensors taking a child’s queries as the starting point for analysis and response to deliver a customized playing experience. The next wave of innovation in playmates is already on the rise, with toys that go beyond static responses selected from a database and tailor answers to the personal needs of their user through artificial intelligence. This new level of interactivity is expected to create a different relationship between the toy and the child, one that could potentially be abused by those who gain access and possess the right knowledge to adapt the AI functionality in such a way that the toy becomes a malicious insider with social engineering capabilities.

The question of how artificial intelligence-enabled toys can be abused by hackers as an attack vector is a valid one when we consider the vulnerable target audience of children, the lack of transparency on whether an AI-enabled toy is functioning within the parameters of its design, and the heightened intimacy between the toy and the child, which opens up avenues for social engineering. The security vulnerabilities in smart toys are currently being covered from a privacy perspective and in terms of the lack of secure information transfer. This study looks ahead to the more advanced security issues associated with Artificial Intelligence and the implications that a breach of the integrity of AI might have on the cognitive actions of its users.

The speaker will present a three-part argument on the changing nature of playing with toys, the lack of security controls regarding toys at the moment and the potential for increased danger when these toys are enabled by Artificial Intelligence. The audience will be invited to share their interaction with these Internet of Things-toys so far and speculate about how to improve the security on these items so dear to our children.

10:50 2B: Cyber Insurance: The Wrong Product for the Wrong Problem Speaker(s): Mark Rasch, G. Mark Hardy

Mark Rasch

Chief Counsel, National Security Corporation (USA)

Mark Rasch is an internationally recognized cyber attorney and technology risk executive, with a distinguished record of establishing and leading world-class data privacy and resiliency, security consulting, incident response and investigations practices for commercial and government organizations. He has more than 30 years in information security and high-technology litigation and advisory across critical infrastructure, and is highly sought after as one of the world’s leading legal (cyber) experts.

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark Hardy serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military and commercial clients for over 30 years and is the author of over 100 articles and presentations on security, privacy and leadership. He serves on the US National Science Foundation’s CyberWATCH Advisory Board and is a retired US Navy Captain.

One answer to cyber-risk is to insure against it. Many companies purchase cyber-insurance, including data breach insurance, ransomware insurance, e-commerce insurance or other insurance products to guard against risk, but these products do not typically cover the kinds of risks associated with conducting business online, and many insurance companies are reluctant to pay claims after a company suffers a loss. Cybersecurity professionals are rarely consulted in the risk mitigation process or when the business purchases such cyber-insurance, leading to significant gaps in coverage. For example, if a policy covers "loss" of data, a ransomware attack may not be covered because the data is not "lost." A policy which excludes from coverage damages resulting from employee misconduct may not cover harm resulting from a successful phishing attack where an employee is deceived into clicking a link that installs the malicious code. Harms to customers may not be covered under so-called "first party" policies. GCL and professional liability policies may or may not cover things like damage to reputation, loss of privacy or publicity. This session will focus on recent cases in which coverage for cyberattacks was denied or challenged, and on ways cybersecurity professionals can read these policies and help mitigate risk.

10:50 2S: Using SABSA to Architect Zero Trust Networks Speaker(s): Chris Blunt

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.

In 2014, Google threw away its traditional approach to securing its services and reimagined what security should look like to be truly effective in today's world of distributed teams, systems and applications.

They developed BeyondCorp, a perimeterless architecture that does away with the idea of trusted networks and treats all applications as if they are Internet connected, thereby creating an environment that is zero-trust by default. Every request is authenticated and authorised in real-time based on a set of dynamic conditions that considers changes in user status and device state.

This interactive session will explore how to apply SABSA to architect a zero-trust network through the layers of the SABSA matrix. This will be supported by a sanitised case study to highlight and discuss the real-world challenges encountered when architecting a zero-trust network for a New Zealand organisation, and how they were overcome.

12:00 3A: The Newest Frontier in Cyber Research: The Human-Machine Interface Speaker(s): Char Sample

Char Sample

Research Fellow, ICF Army Research Labs (USA)

Dr. Char Sample is a research fellow employed by ICF at the US Army Research Laboratory in Adelphi, Maryland, and with the University of Warwick, UK. Dr. Sample has over 20 years’ experience in the information security industry. Most recently, Dr. Sample has been advancing research into the role of national culture in cyber security events. Presently, Dr. Sample is continuing research on modeling cyber behaviors by culture; other areas of research are information weaponization and complexity.

Much has happened in the cyber + culture research area since this topic first appeared in the 2011 COSAC rump session. The human-machine interface is now widely recognized as the newest frontier in cyber research and cultural values are seen as setting the norms in nation-state behaviors on the virtual battlefield.

This interactive discussion covers the various studies that have been performed, along with the studies in progress as well as future studies planned. The session will provide details on the studies performed to date and the relevance of the study findings that allow for extrapolation to more comprehensive rules that can be applied over a larger set of users. Also discussed will be the emerging models for attackers, defenders and other actors. Other discussion areas include the planned and potential uses for this research in defending, attacking, deception and counter-deception.

The findings have questioned the assumption of a single hacker culture and supported Nisbett’s observation that people “think the way they do because of the nature of the societies they live in”. By using the six dimensions of culture, evidence-based research provides a compelling explanation for the online activities of various actors. The behavioral traits associated with the cultural values are consistent with observed cyber behaviors.

12:00 3B: Cyber Insurance: A Reason to Up Our Game Speaker(s): Ross Spelman

Ross Spelman

Manager Cyber Risk Services, Deloitte (Ireland)

Role: Manager, Deloitte Advisory, Cyber Risk Services. 10+ years in IT technical and service delivery management and 5 years in information security, specialising in information governance and cloud security. Qualifications: MSc in Cloud Computing, MSc in Software Engineering and numerous industry qualifications (CISM, ISO 27001, Prince2, ITIL, CCSK, SSCP etc.).

Companies generally implement a wide array of controls and techniques in an effort to prevent cyber attacks. However, not all of these controls and techniques are effective, and not all companies implement these techniques in a manner that achieves the best results. Even when a company has a strong risk management programme, most insurers do not have an objective, evidence-based method to assess its risk profile.

This uncertainty and lack of objective intelligence can result in policies with high premiums, low coverage and broad exclusions. Most cyber insurance providers only use questionnaires to gather information for cyber insurance underwriting as part of the application. This process is far too broad and subjective for such an important risk.

Insurance companies and their customers need an objective, evidence-based cyber risk metric to measure security effectiveness, not simply policies and procedures.

A contextualised, risk-based approach for measuring the strength of cyber security in an organisation can offer underwriters a uniquely distinctive way to help assess the potential for cyber loss at a particular company.

My talk will explore a method of effectively scoring a company's cyber security profile and the benefits for all by carrying out this process.

12:00 3S: Architecting a Modern Authentication Service in the Cloud Speaker(s): Michael Price

Michael Price

Senior Security Consultant, Axenic (New Zealand)

Michael is a Senior Consultant at Axenic Ltd. He is enthusiastic about security architecture and exploring how different methodologies and techniques can be used to achieve business outcomes. Michael has a Postgraduate Diploma in Computer Security and Forensics from the University of Canterbury and holds SCPA, SCPR, SCF, CCSK and ISO/IEC 27001:2013 Lead Auditor certifications.

Every organisation needs to appropriately authenticate users before granting them access to resources. It should be reasonably straightforward for any organisation to architect, design, implement and manage an Authentication Service but it appears that this couldn’t be further from the truth.

We often hear of organisations struggling with some pretty common issues: implementing and enforcing strong passwords, implementing ‘same sign-on' solutions rather than true ‘single sign-on', and ensuring that user accounts are removed when the user no longer requires access.

But we live in a modern world, and there are new and emerging services, methods and technologies that make user authentication more effective and easier to manage than ever before. Identity federation, access tokens and universal authentication (U2F/UAF) are just some of the technologies that have the potential to create an effective and efficient authentication service that makes life easier for the end-user while ensuring that an organisation's resources are securely accessed.

This session will provide an overview of how SABSA was used to architect and design a modern Authentication Service for an organisation adopting cloud services. It will present a sanitised case study and will show how SABSA was applied to deliver a service based on a popular cloud services platform.

13:00 - 14:00 Lunch

14:00 4A: Blockchain: The New Digital Swiss Army Knife Speaker(s): G. Mark Hardy

G. Mark Hardy

President, National Security Corporation (USA)

G. Mark Hardy serves as President of National Security Corporation, an information security management consulting firm he founded in 1988. He has been providing cyber security expertise to government, military and commercial clients for over 30 years and is the author of over 100 articles and presentations on security, privacy and leadership. He serves on the US National Science Foundation’s CyberWATCH Advisory Board and is a retired US Navy Captain.

Now that the price of a single Bitcoin has surpassed the price of an ounce of gold, is blockchain becoming a runaway train with businesses scrambling to hop on? If so, will the mistakes be minor or catastrophic?

Blockchain as a technology has been proposed as a solution to everything from frictionless currency transfer to tracking cargo on ships. With over €1bn in venture funds invested and several hundred patents filed, every security professional must know the impact on organizations in terms of risk, volatility, and competitiveness.

This discussion started in 2014 when we explored weaponising digital currency, and continued in 2016 with the end of banking as we know it. However, the most powerful blockchain applications may not be as electronic money. We'll look beyond the security risks of blockchain (covered brilliantly last year by Rahul Lobo) to discerning where blockchain is truly the best business choice, and situations "when all you have is a hammer, everything looks like a nail."

This interactive session will review some of the patent filings to gain an insight into the direction of blockchain; look at VC investment portfolios to anticipate the most promising applications, and apply our collective knowledge to predict the winners and losers for 2018 and beyond.

14:00 4B: Privacy by Design: What Do You Mean? Speaker(s): Marc Verboven

Marc Verboven

Security Architect, ING (Belgium)

Marc Verboven is an experienced IT Security Architect with over 30 years of experience. After working for Dow Chemical, IBM and startups in Belgium, always in the area of IT Security, he joined ING Belgium in 2003. Since then he has mainly worked on projects in the area of Retail & Commercial Banking Channels, acting as both a security and an application architect. Since 2006 Marc has been a member of the Enterprise Architecture group of ING, with a continued focus on Risk & Security.

Subtitle: Practical experience @ ING in developing a framework to implement Privacy by Design on an enterprise scale.

One of the key elements in the EU General Data Protection Regulation (GDPR) is 'Privacy by Design'. In this session we will tell the story of how ING discovered GDPR, how we approach GDPR in general and, in more detail, how we are making sure 'Privacy by Design' is understood and applied in the organization.

Policies, regulation and GDPR use cases are input for the development of a Reference Architecture (RA). This RA then ensures Privacy by Design by:

  • Providing architectural guidance on privacy aspects.
  • Providing a basis (framework) for building specific guidance for applications like Audit Trail, Legal Archive, Data Inventory, ...
  • Providing guidance for current systems, where the RA is the reference to determine the technical gaps to be mitigated depending on cost and risk

The intended audience for the RA is IT Architects and other IT stakeholders who need to ensure compliance with GDPR.

As usual at COSAC, the session is intended to be highly interactive.

14:00 4S: Show Me the Controls! Cuba Gooding Jr & a SABSA/TOGAF Alignment Speaker(s): Peter Nikitser

Peter Nikitser

Director, ALC Cyber Security (Australia)

Peter Nikitser is in his 30th year of IT, most of which has been spent in information security. He is a co-founding member of both AusCERT and SL-CERT. When he is not travelling, teaching students or consulting, Peter spends time renovating his acreage, and can tell you all about lantana.

As security professionals, we have most likely experienced client engagements where we have had to manage both scope and expectations. Whilst working for one of the big four consulting firms, we responded to an open tender asking for help with designing a security architecture framework based on SABSA for a Queensland state government agency, the duration of which was not to exceed six weeks.

Fair enough, sounds reasonable and straight-forward, and we were more than happy to help them spend their end-of-year budget.

The response was sent to the client outlining the approach, highlighting any constraints and assumptions in our response and expectations of the client in arranging timely meetings with key stakeholders.

During the first week of the engagement, I asked for access to key stakeholders or their delegates, and was told that was not possible. It soon became apparent that I had stumbled across a long-standing cultural and political issue, and that I was not going to get an audience with key stakeholders or their delegates. Furthermore, the intent of the engagement started off with a desire to apply SABSA to the entire organisation, yet I uncovered they had already made an investment in TOGAF, which they neglected to mention in their RFP.

Where this engagement led to next, and the approach I had to take in order to manage their expectations, is what you will have to hear for yourself.

The presentation will demonstrate examples of the artefacts I produced, the adjustments that had to be made in order to accommodate the scope creep, and how I turned the engagement around to deliver a top-down meets bottom-up approach. And yes, I showed them some controls too …

15:10 5A: Blockchain: The Best Thing Since Sliced Bread Speaker(s): Lex Borger

Lex Borger

Security Consultant, i-to-i (Netherlands)

Lex Borger is a security consultant at i-to-i and advises large enterprises on the application of security in their environment. Lex has more than 20 years of experience in information security and system security. He was involved in the development of operating systems, where he learned how to apply security from the inside out. He has since broadened his view on information security to all aspects of business automation. Lex gathered most of his experience in the United States of America.

Blockchain is the bookkeeping technology behind Bitcoin. It is touted as the technology to solve any administration and registration challenge. It is going to push out regular banking.

  • How much of this is true?
  • Is it such a revolutionary idea?
  • Is it so universally applicable?
  • Is it scalable enough?
  • Is it secure?

In this presentation, we are going to uncover the elements that make up blockchain and go in search of the applicability of this technology in today’s society. This is not a definitive story. The audience will need to participate and contribute insights and ideas.

The ultimate questions to be answered are:

  • What is blockchain good for?
  • What are the risks of depending on blockchain?

15:10 5B: Information Privacy as CSR: Benevolent or Malevolent Speaker(s): Valerie Lyons

Valerie Lyons

Information Privacy Researcher & PhD Scholar, (Ireland)

I am an accomplished Information Security Risk Manager for the last two decades, with extensive experience at senior management level. I am also a fully qualified executive coach, with a Masters in Business and Leadership. I became aware that industry was becoming hugely focussed on addressing security and privacy through the compliance lens. Seeking to find a more sustainable and effective way to address these risks, I traded my senior management position for the opportunity to undertake a PhD.

Since the 1990s, it has become a de facto standard for larger organisations to publish social reports documenting how they address issues such as pollution, energy use, waste production, child labour, workforce diversity etc. These reports are referred to as Corporate Social Responsibility (CSR) reports. Traditional arguments in support of CSR underscore the benefits a socially responsible organisation should reap from key stakeholder groups. Several research findings suggest a positive correlation between an organisation's CSR program and consumer trust and behaviour. Additionally, socially oriented organisations can distinguish themselves from competitors, enhance customer satisfaction and improve their reputation through positive stakeholder response to their actions.

So what does CSR have to do with Information Privacy? In 2010 the Global Reporting Initiative (GRI, the international organisation that develops the CSR reporting standards) included Information Privacy and Data Protection in its core standards. Since 2010, several large financial institutions and technology companies have reported information privacy within their CSR reports. CSR reports provide a channel for an organisation to promote and demonstrate a strong sense of responsibility and accountability for privacy protection, which in turn acts as a core element in building trust with key stakeholders. On the face of it, this seems like a positive step for Information Privacy; however, there is a more 'heated' view that CSR is merely a channel for organisations to repair a reputation damaged by their sector's historically irresponsible behaviour, and that CSR is simply tokenistic compliance 're-packaged'.

This presentation explores the many facets of CSR, using case studies from several recent CSR reports, and explores CSR's relationship with Information Privacy/Data Protection. The presentation aims to encourage the audience to consider that, as Information Privacy Protection matures in capabilities, it may not, as traditionally expected, report into Legal and Risk Departments, but into the Marketing Department's CSR program office. Rather than resist this progression, this presentation arms the audience with an informed overview of the growing relationship between CSR and Information Privacy, so that they can leverage this knowledge to increase resources and budget allocations for Privacy Protection initiatives in the future.

15:10 5S: Selecting, Aligning & Effectively Using Compliance & Control Frameworks Speaker(s): Andrew Hutchinson, William Schultz

Andrew Hutchinson

Executive Director, Vanderbilt University Medical Center (USA)

Andrew Hutchinson is the Executive Director of the Vanderbilt University Medical Center Information Technology (VUMC IT) Architecture and Portfolio Services groups. In this role, he oversees IT strategy, information security strategy, IT resource management (including service and portfolio strategy), and customer relationship management for VUMC IT Services delivered to Vanderbilt University Medical Center.

William Schultz

Principal Security Architect, Vanderbilt University Medical Centre (USA)

Bill Schultz is a security architect who has worked in the Information Technology field for over 14 years, with a focus on Enterprise Architecture, Security Architecture, Risk Management & Compliance. Bill has built security programs and risk management programs, and has developed strategic architectures and technical system architectures. Bill has led risk management and security architecture initiatives to build secure systems that comply with Federal, Healthcare or PCI standards.

Security programs are constantly challenged to adapt flexibly to organizational change and maintain compliance with regulatory requirements, while actively defending against an ever-changing array of IT threats. Leveraging existing frameworks or methodologies such as NIST or HITRUST allows organizations to take advantage of work already done to address common security concerns, but these need to be integrated in a way that allows the organization to customize information security frameworks to its risk appetite. It can be challenging to identify which frameworks are most appropriate and where and when to apply them; however, this is a key component of a security architect’s role.

This session will look at an organization that is leveraging SABSA architecture to do this and how it is addressing the compliance requirements applicable to healthcare organizations (HIPAA, FISMA and PCI). It will review some common security control frameworks, models and methodologies that are being leveraged (NIST, HITRUST), and look at the risk management frameworks (SABSA, NIST, FAIR) that can be leveraged to efficiently address compliance challenges. We will explore how these frameworks, models and methodologies overlap and complement each other, and how they can be practically integrated. Since there is a drastic difference between understanding a model and applying it, we will present several use cases and practical examples explaining how we have used these models, the lessons we have learned and the challenges that remain.

16:10 - 16:30 Afternoon Tea

16:30 6A: CyberSecurity & Analytics: Rise of the CyberHunter Speaker(s): Lynette Hornung, Lori Murray

Lynette Hornung

Senior Enterprise Security Architecture & Privacy Manager , TCG (USA)

Lynette Hornung is a Senior Enterprise Security Architecture and Privacy Manager with TCG, Inc. She holds the SABSA Foundation, SCPR and SCPA certifications and the CIPP-US. She has over 20 years of experience in information security and privacy. She has worked with a variety of federal agencies, providing enterprise security architecture, computer security and privacy solutions and services to a variety of stakeholders.
Lori Murray

PhD Student, Iowa State University (USA)

Lori Murray is a Senior Advanced 3 Information Assurance Systems Engineer, currently enrolled at Iowa State University as a PhD student studying Computer Engineering. She holds Master of Science degrees in Information Assurance and Business Analytics from Iowa State University, along with her CISSP. Lori has 15 years of experience in systems engineering as a Cyber Security SME, building security architecture from requirements definition through to design.

The buzz in cyber today includes machine learning and big data. What are some of the challenges that come along with "big data" promises, and how can you effectively use data analytics and machine learning to bring some real value? Data Analytics and machine learning allow you to drill down to gather the data, analyze it, and find the answers to the questions you seek. It is likely you are using it more often than you think! Let's talk about some use cases for applied data analytics and machine learning in cyber security.

This presentation will cover a use case for anomaly detection through analytics, and the processes required to make it effective in different environments. Understanding how to mine through the data, clean out the noise, and focus on the data relevant to cyber hunting is where the value lies.

16:30 6B: We See What We Want to See: Pitfalls of Perception & Decision Making Speaker(s): Helvi Salminen

Helvi Salminen

Information Security Manager, Gemalto (Finland)

Helvi Salminen has worked in information security since June 1990, first as a security analyst and since April 2000 as an information security manager. Before moving into information security she had 12 years of experience in systems development. Helvi is a founder member of the Finnish Information Security Association, which celebrated its 10th anniversary in 2007. Helvi holds the CISA, CISSP and SABSA qualifications and was awarded CISO of the Year in Finland in 2014.

We are often convinced that we have a clear picture of reality and are thoroughly rational in our thinking and decision making.

However, our perception of reality is limited and prone to errors. We often jump to conclusions based on partial or erroneous information, and eloquently justify our decisions with apparently rational arguments.

In many areas of human activity, including security management, the limits of perception and errors in decision making can have disastrous consequences.

The phenomenon of cognitive biases - systematic errors in thinking that affect decisions and judgments - has been studied in various contexts, and the results have been applied to improve decision making processes. In the compliance-dominated world of security management, however, cognitive biases have not received sufficient attention, and so an important risk factor is regularly underestimated.

This presentation gives an overview of the concept of cognitive bias and describes in more detail some of the biases which can be particularly harmful in security management. This introduction is followed by a presentation of scenarios in which erroneous perception and decision making by security actors lead to disasters, and by a discussion of how these biases can be identified and their impact limited.

16:30 6S: How to Write a Great SABSA Advanced Exam Answer Speaker(s): Chris Blunt, Michael Price

Chris Blunt

Director, Consulting Partner, Axenic (New Zealand)

Chris is a Consulting Partner at Axenic Ltd, a specialist independent information security and privacy consultancy he co-founded in 2009. He has over 22 years of experience in the ICT industry, specialising in security and privacy for the last 11 years. He is an exponent of business-driven security and is passionate about delivering pragmatic advice that enables his clients to achieve their business goals and objectives. He is also a committee member for BSides Wellington.
Michael Price

Senior Security Consultant, Axenic (New Zealand)

Michael is a Senior Consultant at Axenic Ltd. He is enthusiastic about security architecture and exploring how different methodologies and techniques can be used to achieve business outcomes. Michael has a Postgraduate Diploma in Computer Security and Forensics from the University of Canterbury and holds SCPA, SCPR, SCF, CCSK and ISO/IEC 27001:2013 Lead Auditor certifications.

Are you planning to sit a SABSA Advanced course? Or have you recently attended a course but haven’t yet written and submitted your exam answers? Then this is a session you can’t afford to miss!

During this interactive session we will explore and discuss a range of strategies for writing a great SABSA Advanced exam answer using model exam questions to show how to:

  • evaluate the question to ensure you know what is being asked of you;
  • use a hypothetical or real-world case study to frame your answer;
  • plan and structure your answer to ensure that you cover each area of the question;
  • assess the competency verbs in the question to ensure that you understand them and can meet them; and
  • effectively present the application of your chosen combination of SABSA methodologies, techniques and approaches.

The presenters have scored between 91% and 100% in their Advanced exams, with the average being 96.25% between them. One of them is a SABSA Chartered Architect Master (SCM) and a marker of Advanced exam papers.

The goal of the session is to provide the participants with a set of tools they can use to write great answers for their SABSA Advanced exams!

Plenary Session

17:45 7P: SABSA and Human Kind Speaker(s): Maurice Smit

Maurice Smit

Trustee, The SABSA Institute (Netherlands)

Maurice is a Principal Security Consultant and SABSA Instructor at David Lynas Consulting, with over 15 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India and the Middle East and is a founding member of the SABSA Institute Board of Trustees.

Even though the SABSA methodology has mainly been used in the IT (EA) landscape, it can help to create a more complete picture in any sector, industry or area, and can be applied to solving any problem. This holds even for human needs, thanks to the methods, models and frameworks that make up the SABSA methodology. Attributes Profiling delivers a unified common language for, and in, every phase of human existence. The SABSA methodology is based on a holistic approach towards security as the property of something else, so it applies even to humans and to the accomplishments in our lives. This will be presented in this session.

Networking & Dinner

19:30-20:00 Drinks Reception
20:00 onwards Dinner