Getting Your Security Budget Approved Without FUD
•
0 likes•1,561 views
Getting a security budget approved is a challenge, but it is arguably the single most important task a security leader can accomplish. This session reveals the six common factors that successful CISO’s use to quantify needs and justify security budget with non-technical executive leaders. Research and data gleaned from over 40 interviews with high-profile CISO’s provide some interesting results.
Report
Share
Report
Share
Download to read offline
Recommended
Building an Application Security Program with Sun Tzu, The Dalai Lama and Hon...
Security pros love quoting Sun Tzu, but war-based metaphors fail with dev teams because, HONEY BADGER. Instead, security teams must understand how dev teams work. Accordingly, security managers should immerse themselves in the Dalai Lama's lessons. Understanding how developers manage themselves, tools they use and their rewards is crucial to building an effective application security program.
Building a Highly Secure S3 Bucket
Amazon S3 probably gets a lot of use at your company—the object storage service was one of the first cloud services offered by AWS way back in 2006. Its ease of use, reliability, and scalability have proven incredibly popular over the years.
But S3 security isn’t so simple—it’s easy to get wrong and think you got it right. Recent high-profile cloud-based data breaches that involved S3 cannot be chalked up to simple customer mistakes. Rather, advanced cloud misconfiguration attacks exploit S3 buckets that otherwise appear to be configured securely.
In this talk, Fugue CTO Josh Stella will dig into the complex layers of S3 security to help you think critically about security for your unique AWS use cases. You’ll understand how other AWS services such as IAM and EC2 can create S3 vulnerabilities you may not be seeing—and how malicious actors exploit them.
CrowdCast Monthly: Operationalizing Intelligence
In today’s threat environment, adversaries are constantly profiling and attacking your corporate infrastructure to access and collect your intellectual property, proprietary data, and trade secrets. Now, more than ever, Threat Intelligence is increasingly important for organizations who want to proactively defend against advanced threat actors.
While many organizations today are collecting massive amount of threat intelligence, are they able to translate the information into an effective defense strategy?
View the slides now to learn about threat intelligence for operational purposes, including real-world demonstrations of how to consume intelligence and integrate it with existing security infrastructure.
Learn how to prioritize response by differentiating between commodity and targeted attacks and develop a defense that responds to specific methods used by advanced attackers.
Web hacking using Cyber range
Bring out the hacker in you by trying out Security Innovation’s Hacking CyberRange – specially designed web applications with real world vulnerabilities. A parallel class session will also teach novices about how to uncover simple vulnerabilities and evolve into uncovering more complex vulnerabilities. You can simply sit and learn or get straight to hacking our application or follow along and do both. Live scores of participants will be displayed.
Transitioning Government Technology
Keynote that Ely Kahn gave at the DHS S&T event on technology transfer.
SOCIAL MEDIA AS A CYBER WEAPON
In this presentation we look at how much data could be easily gathered from social media and how it could be applied as part of a cyber attack.
Avkash_lesser known threat intel implementations
In current scenario there are many myths exist about the Threat Intelligence in cyber security. In this session we will cover the lesser known and practical implementation of threat intelligence along with thinking beyond the "IOC Way" to make the threat intelligence more effective.
Recommended
Building an Application Security Program with Sun Tzu, The Dalai Lama and Hon...
Security pros love quoting Sun Tzu, but war-based metaphors fail with dev teams because, HONEY BADGER. Instead, security teams must understand how dev teams work. Accordingly, security managers should immerse themselves in the Dalai Lama's lessons. Understanding how developers manage themselves, tools they use and their rewards is crucial to building an effective application security program.
Building a Highly Secure S3 Bucket
Amazon S3 probably gets a lot of use at your company—the object storage service was one of the first cloud services offered by AWS way back in 2006. Its ease of use, reliability, and scalability have proven incredibly popular over the years.
But S3 security isn’t so simple—it’s easy to get wrong and think you got it right. Recent high-profile cloud-based data breaches that involved S3 cannot be chalked up to simple customer mistakes. Rather, advanced cloud misconfiguration attacks exploit S3 buckets that otherwise appear to be configured securely.
In this talk, Fugue CTO Josh Stella will dig into the complex layers of S3 security to help you think critically about security for your unique AWS use cases. You’ll understand how other AWS services such as IAM and EC2 can create S3 vulnerabilities you may not be seeing—and how malicious actors exploit them.
CrowdCast Monthly: Operationalizing Intelligence
In today’s threat environment, adversaries are constantly profiling and attacking your corporate infrastructure to access and collect your intellectual property, proprietary data, and trade secrets. Now, more than ever, Threat Intelligence is increasingly important for organizations who want to proactively defend against advanced threat actors.
While many organizations today are collecting massive amount of threat intelligence, are they able to translate the information into an effective defense strategy?
View the slides now to learn about threat intelligence for operational purposes, including real-world demonstrations of how to consume intelligence and integrate it with existing security infrastructure.
Learn how to prioritize response by differentiating between commodity and targeted attacks and develop a defense that responds to specific methods used by advanced attackers.
Web hacking using Cyber range
Bring out the hacker in you by trying out Security Innovation’s Hacking CyberRange – specially designed web applications with real world vulnerabilities. A parallel class session will also teach novices about how to uncover simple vulnerabilities and evolve into uncovering more complex vulnerabilities. You can simply sit and learn or get straight to hacking our application or follow along and do both. Live scores of participants will be displayed.
Transitioning Government Technology
Keynote that Ely Kahn gave at the DHS S&T event on technology transfer.
SOCIAL MEDIA AS A CYBER WEAPON
In this presentation we look at how much data could be easily gathered from social media and how it could be applied as part of a cyber attack.
Avkash_lesser known threat intel implementations
In current scenario there are many myths exist about the Threat Intelligence in cyber security. In this session we will cover the lesser known and practical implementation of threat intelligence along with thinking beyond the "IOC Way" to make the threat intelligence more effective.
Sqrrl 2.0 Launch Webinar
Evolution in cybersecurity is the norm. As computer threats evolve, so have defenses. The debilitating effect of viruses borne by email gave rise to the what is now a vast anti-virus infrastructure. The rise of network-based attacks created the incrementalism of constant updates to IDS and IPS. The inability to make sense of millions of IDS alerts gave rise to SIEM solutions.
Redefining Defense - HITB2017AMS Keynote
It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
NTXISSACSC4 - Cyber Insurance – Did You Know?
Cyber Insurance – Did You Know?
We present a brief discussion of risk and the ways that risk can be handled by an organization, one of which mechanisms is the transfer of risk via insurance.
We describe key terms and concepts related to business insurance generally and cyber insurance specifically.
These concepts will include brief descriptions of duties to indemnify, duties to defend, limits, sublimits, exclusions, and retentions, as well as different types of insurance, including CGL policies, Crime policies, E&O, D&O, PGL, and cyber policies.
We present an introduction to the domain of cyber insurance, discussing how cyber events may or may not be covered by traditional insurance products as well as by cyber insurance products.
We will talk about the role of “standardized” contracts supplied by the ISO (Insurance Services Office), how these are changing in the cyber age, and the need for customized contracts.
We will also present a general discussion of the cost of cyber insurance, the market penetration of cyber insurance in the US, and the cost of cyber events, citing data from public sources as well as reports from NetDiligence®
Heather Goodnight-Hoffmann
Over 20 years as Global Sales and Business Development Consultant
Cofounder and President, Risk Centric Security, Inc.
Ponemon Institute RIM Council (Responsible Information Council)
Business Development Manager at Navilogic, Inc.
Cofounder and Partner, Cyber Breach Response Partners, LLC
Co-author & co-analyst, NetDiligence® 2016 Cyber Claims Study
Patrick Florer
37 years in Information Technology
17 year parallel career in evidence-based medicine
Cofounder and CTO, Risk Centric Security, Inc.
Member, Ponemon Institute RIM council
Distinguished Fellow, Ponemon Institute.
Cofounder and Partner, Cyber Breach Response Partners, LLC.
Co-author & co-analyst, NetDiligence® 2016 Cyber Claims Study
The Seven Axioms of Security - ITWeb 2017
It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
The Seven Axioms Of Security
"Today’s attacks succeed because the defense is reactive". I have been researching attacks and offensive techniques since the past 17 years. Defense boils down to reacting to new attacks and then playing catch-up.
It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
Cross Border Cyber Attacks: Impact on Digital Sovereignty
My presentation at the 24th All India Forensics Sciences Conference, February 10, 2018, Ahmedabad
Webinar: eCommerce Compliance - PCI meets GDPR
Webinar ran: Thu, May 31st, 2018 at 11 am PST
During this webinar, we explained how many of the PCI compliance standards for safe handling of payment card data are closely aligned with the data retention policies of the new GDPR regulations – from managing personal data, potential breach implications, and properly logging your systems.
Also, we shared some best practices and what to expect moving forward as it relates to data security.
Bear Hunting: History and Attribution of Russian Intelligence Operations
Learn about the history of Russian intelligence influence operations and the cyber actors implementing them today.
In June 2016, CrowdStrike exposed unprecedented efforts by Russian intelligence services to interfere in the U.S. election via the hacking and subsequent leaking of information from political organizations and individuals. Election manipulation was not a new activity for the Russians - they have engaged in these influence operations consistently for the better part of the last two decades inside and outside of Russia.
In this CrowdCast, CrowdStrike experts Adam Meyers, VP of Intelligence, and Dmitri Alperovitch, Co-Founder & CTO, will provide a detailed overview of the history of Russian intelligence influence operations going back decades and provide a deep dive overview of various BEAR (including FANCY BEAR AND COZY BEAR) intrusion sets and their tactics, techniques and procedures (TTPs). They will also discuss the considerable attribution evidence that CrowdStrike has collected from a variety of investigations into their operations and lay out the case for the Russian government connection to these hacks.
CrowdCasts Monthly: You Have an Adversary Problem
You Have an Adversary Problem. Who's Targeting You and Why?
Nation-States, Hacktivists, Industrial Spies, and Organized Criminal Groups are attacking your enterprise on a daily basis. Their goals range from espionage for technology advancement and disruption of critical infrastructure to for-profit theft of trade secrets and supporting a political agenda. You no longer have a malware problem, you have an adversary problem, and you must incorporate an intelligence-driven approach to your security strategy.
During this CrowdCast, you will learn how to:
Incorporate Actionable Intelligence into your existing enterprise security infrastructure
Quickly understand the capabilities and artifacts of targeted attacked tradecraft
Gain insight into the motivations and intentions of targeted attackers
Make informed decisions based off of specific threat intelligence
Mastering Next Gen SIEM Use Cases (Part 1)
Part 1 of 3 part series of "Mastering Next-Gen SIEM Use Cases"
The following presentation talks about the mindset which next-gen threat hunters need to have in order to detect and respond to next-gen threats.
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
This presentation discusses why and how security programs are dying. The fragmentation of people, processes, and technology. How to defrag people, processes, and technology. Then what your organization can do to resolve this.
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chris Thayer, Mastercard
NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements
Mitigating Security Risks in Vendor Agreements
Providers of software, software-as-a-service, managed services, and professional services have varying degrees of sophistication in addressing security in their form contracts. Learn from an experienced technology attorney how to understand key clauses, or discover when they are missing, to ensure that the company's vendors are compliant with the appropriate security measures before signing the deal.
Brian Kirkpatrick is the founding shareholder of Kirkpatrick Law PC and a business attorney with a technology focus. He also serves as Of Counsel to Mullin Law PC for matters involving technology and information security.
His practice revolves around clients needing assistance in technology transactions, data privacy, cyber security, software compliance and audits, and general counsel related to business matters. Brian was voted 2015 Top Technology Attorney in Tarrant County by his peers as published in Fort Worth Texas Magazine.
Brian has published numerous articles and lectured nationally on legal topics such as software as a service, software licensing, contract negotiation, cyber security and legal considerations when starting a business. He is also featured in radio news interviews, as a conference panelist, a featured speaker, and is featured in an instructional video series about conducting negotiations. Before entering the legal profession, Brian was a Vice President commercial banker.
Brian is a graduate of Texas A&M University School of Law where he was inducted into the National Order of Barristers. He also has a Masters of Arts in Applied Economics from Southern Methodist University and a Bachelors of Science in Economics from Texas A&M University - Commerce where he was inducted into the Omicron Delta Epsilon International Economics Honor Society.
Hack.LU - The Infosec Crossroads
"Today’s attacks succeed because the defense is reactive". It is time to transition defense from being reactive to proactive. This is a keynote level talk, which discusses my seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
Skeptics in the Church of Data: Getting Evangelical
Presented by Cage Data's Aaron Aldrich, DevOps Consultant and Evangelist.
Access the full presentation recordings for GalaxZ17 here: http://ow.ly/WyBu30cakk0
Tiger swan Expert Security Services for Prominent Individuals
TigerSwan offers a variety of risk management and mitigation services to organizations, individuals and operations.
The Infosec Crossroads - 44CON 2016
From Reactive to Proactive Defense - My presentation at 44CON 2016
Mastering Next Gen SIEM Use Cases (Part 2)
Part 2 of 3 part series of "Mastering Next Gen SIEM Use Cases"
The following presentation talks about building use cases to detect anomalies pertaining to endpoints.
Discover use cases for Credential Theft and Endpoint compromise.
NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
Red, Amber, Green Status: The Human Dashboard
This session will outline the importance of presenting actionable metrics for the Security Awareness program. Oftentimes security programs are presented while omitting the most constant threat to Information Systems: the human. From a security awareness perspective, we will review analytics that include key performance indicators that may already be available to you; they just need to be added to the new human dashboard.
Laurianna Callaghan currently serves as a security consultant for Ana Academy, a Dallas based security training company. Previously, Laurianna worked with Dell where she was the creator of security analytics for a major healthcare customer which were presented at the 2016 IASAP conference. In addition, Laurianna has more than 21 years experience in various IT domains. She has served as the Director of Systems Engineering for a telemarketing firm, the UNIX/MVS Manager for a major airline and has IT experience in the healthcare, communications, transportation, education, retail, and other industry sectors. Laurianna holds both the CCNA Security and CISSP designations.
NTXISSACSC4 - The Art of Evading Anti-Virus
The Art of Evading Anti-Virus
There are estimates that security analysts, to include penetration testers, are approximately 5 years behind malicious actors. Anti-virus by itself isn’t enough to stop a malicious individual from gaining access to your servers or computers anymore. In fact many of them have devised ways to evade anti-viruses. We as security professionals should understand how these individuals are doing this, and what tools are available for us to replicate these attacks. Tools such as veil-framework assist us with this. This talk will go over this tool, and how malicious individuals evade anti-viruses with ease.
Quentin Rhoads-Herrera is a security analyst for State Farm. In this position he is responsible for risk analysis and application security assessments. He is accountable for ensuring risks are identified and properly mitigated throughout the organization.
He previously served as the Information Security Director for Clearview Energy and Solarview. In this position he oversaw all information security activities. These included development of company-wide cyber security standards, development of layered defense approaches and the hardening and defense of all company systems.
Mr. Rhoads-Herrera has worked in the Information Security space for a total of seven years serving in roles ranging from Security Consultant to Information Security Director.
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
If you’ve ever had your security budget eviscerated, this is your session! CEOs have become more wary of scare tactics. What are the tricks to get more security dollars? Discover how to get inside the CEO’s head to get exec support and how to use pet projects to pry scarce resources from budgets. I will share common data points from interviews with over 40 CISOs that have been there and done that.
NUS-ISS Learning Day 2019-Architecting security in the digital age
Presented by Mr Tan Eng Tsze, Principal Lecturer & Consultant, Digital Strategy & Leadership Practice ,NUS-ISS, at NUS-ISS Learning Day 2019
More Related Content
What's hot
Sqrrl 2.0 Launch Webinar
Evolution in cybersecurity is the norm. As computer threats evolve, so have defenses. The debilitating effect of viruses borne by email gave rise to the what is now a vast anti-virus infrastructure. The rise of network-based attacks created the incrementalism of constant updates to IDS and IPS. The inability to make sense of millions of IDS alerts gave rise to SIEM solutions.
Redefining Defense - HITB2017AMS Keynote
It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
NTXISSACSC4 - Cyber Insurance – Did You Know?
Cyber Insurance – Did You Know?
We present a brief discussion of risk and the ways that risk can be handled by an organization, one of which mechanisms is the transfer of risk via insurance.
We describe key terms and concepts related to business insurance generally and cyber insurance specifically.
These concepts will include brief descriptions of duties to indemnify, duties to defend, limits, sublimits, exclusions, and retentions, as well as different types of insurance, including CGL policies, Crime policies, E&O, D&O, PGL, and cyber policies.
We present an introduction to the domain of cyber insurance, discussing how cyber events may or may not be covered by traditional insurance products as well as by cyber insurance products.
We will talk about the role of “standardized” contracts supplied by the ISO (Insurance Services Office), how these are changing in the cyber age, and the need for customized contracts.
We will also present a general discussion of the cost of cyber insurance, the market penetration of cyber insurance in the US, and the cost of cyber events, citing data from public sources as well as reports from NetDiligence®
Heather Goodnight-Hoffmann
Over 20 years as Global Sales and Business Development Consultant
Cofounder and President, Risk Centric Security, Inc.
Ponemon Institute RIM Council (Responsible Information Council)
Business Development Manager at Navilogic, Inc.
Cofounder and Partner, Cyber Breach Response Partners, LLC
Co-author & co-analyst, NetDiligence® 2016 Cyber Claims Study
Patrick Florer
37 years in Information Technology
17 year parallel career in evidence-based medicine
Cofounder and CTO, Risk Centric Security, Inc.
Member, Ponemon Institute RIM council
Distinguished Fellow, Ponemon Institute.
Cofounder and Partner, Cyber Breach Response Partners, LLC.
Co-author & co-analyst, NetDiligence® 2016 Cyber Claims Study
The Seven Axioms of Security - ITWeb 2017
It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
The Seven Axioms Of Security
"Today’s attacks succeed because the defense is reactive". I have been researching attacks and offensive techniques since the past 17 years. Defense boils down to reacting to new attacks and then playing catch-up.
It is time to transition defense from being reactive to proactive. This talk discusses seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
Cross Border Cyber Attacks: Impact on Digital Sovereignty
My presentation at the 24th All India Forensics Sciences Conference, February 10, 2018, Ahmedabad
Webinar: eCommerce Compliance - PCI meets GDPR
Webinar ran: Thu, May 31st, 2018 at 11 am PST
During this webinar, we explained how many of the PCI compliance standards for safe handling of payment card data are closely aligned with the data retention policies of the new GDPR regulations – from managing personal data, potential breach implications, and properly logging your systems.
Also, we shared some best practices and what to expect moving forward as it relates to data security.
Bear Hunting: History and Attribution of Russian Intelligence Operations
Learn about the history of Russian intelligence influence operations and the cyber actors implementing them today.
In June 2016, CrowdStrike exposed unprecedented efforts by Russian intelligence services to interfere in the U.S. election via the hacking and subsequent leaking of information from political organizations and individuals. Election manipulation was not a new activity for the Russians - they have engaged in these influence operations consistently for the better part of the last two decades inside and outside of Russia.
In this CrowdCast, CrowdStrike experts Adam Meyers, VP of Intelligence, and Dmitri Alperovitch, Co-Founder & CTO, will provide a detailed overview of the history of Russian intelligence influence operations going back decades and provide a deep dive overview of various BEAR (including FANCY BEAR AND COZY BEAR) intrusion sets and their tactics, techniques and procedures (TTPs). They will also discuss the considerable attribution evidence that CrowdStrike has collected from a variety of investigations into their operations and lay out the case for the Russian government connection to these hacks.
CrowdCasts Monthly: You Have an Adversary Problem
You Have an Adversary Problem. Who's Targeting You and Why?
Nation-States, Hacktivists, Industrial Spies, and Organized Criminal Groups are attacking your enterprise on a daily basis. Their goals range from espionage for technology advancement and disruption of critical infrastructure to for-profit theft of trade secrets and supporting a political agenda. You no longer have a malware problem, you have an adversary problem, and you must incorporate an intelligence-driven approach to your security strategy.
During this CrowdCast, you will learn how to:
Incorporate Actionable Intelligence into your existing enterprise security infrastructure
Quickly understand the capabilities and artifacts of targeted attacked tradecraft
Gain insight into the motivations and intentions of targeted attackers
Make informed decisions based off of specific threat intelligence
Mastering Next Gen SIEM Use Cases (Part 1)
Part 1 of 3 part series of "Mastering Next-Gen SIEM Use Cases"
The following presentation talks about the mindset which next-gen threat hunters need to have in order to detect and respond to next-gen threats.
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
This presentation discusses why and how security programs are dying. The fragmentation of people, processes, and technology. How to defrag people, processes, and technology. Then what your organization can do to resolve this.
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chris Thayer, Mastercard
NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements
Mitigating Security Risks in Vendor Agreements
Providers of software, software-as-a-service, managed services, and professional services have varying degrees of sophistication in addressing security in their form contracts. Learn from an experienced technology attorney how to understand key clauses, or discover when they are missing, to ensure that the company's vendors are compliant with the appropriate security measures before signing the deal.
Brian Kirkpatrick is the founding shareholder of Kirkpatrick Law PC and a business attorney with a technology focus. He also serves as Of Counsel to Mullin Law PC for matters involving technology and information security.
His practice revolves around clients needing assistance in technology transactions, data privacy, cyber security, software compliance and audits, and general counsel related to business matters. Brian was voted 2015 Top Technology Attorney in Tarrant County by his peers as published in Fort Worth Texas Magazine.
Brian has published numerous articles and lectured nationally on legal topics such as software as a service, software licensing, contract negotiation, cyber security and legal considerations when starting a business. He is also featured in radio news interviews, as a conference panelist, a featured speaker, and is featured in an instructional video series about conducting negotiations. Before entering the legal profession, Brian was a Vice President commercial banker.
Brian is a graduate of Texas A&M University School of Law where he was inducted into the National Order of Barristers. He also has a Masters of Arts in Applied Economics from Southern Methodist University and a Bachelors of Science in Economics from Texas A&M University - Commerce where he was inducted into the Omicron Delta Epsilon International Economics Honor Society.
Hack.LU - The Infosec Crossroads
"Today’s attacks succeed because the defense is reactive". It is time to transition defense from being reactive to proactive. This is a keynote level talk, which discusses my seven axioms for implementing proactive defense strategy and measures for the future, concluding with a blueprint of the next evolution of pro-active defense architecture.
Skeptics in the Church of Data: Getting Evangelical
Presented by Cage Data's Aaron Aldrich, DevOps Consultant and Evangelist.
Access the full presentation recordings for GalaxZ17 here: http://ow.ly/WyBu30cakk0
Tiger swan Expert Security Services for Prominent Individuals
TigerSwan offers a variety of risk management and mitigation services to organizations, individuals and operations.
The Infosec Crossroads - 44CON 2016
From Reactive to Proactive Defense - My presentation at 44CON 2016
Mastering Next Gen SIEM Use Cases (Part 2)
Part 2 of 3 part series of "Mastering Next Gen SIEM Use Cases"
The following presentation talks about building use cases to detect anomalies pertaining to endpoints.
Discover use cases for Credential Theft and Endpoint compromise.
NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
Red, Amber, Green Status: The Human Dashboard
This session will outline the importance of presenting actionable metrics for the Security Awareness program. Oftentimes security programs are presented while omitting the most constant threat to Information Systems: the human. From a security awareness perspective, we will review analytics that include key performance indicators that may already be available to you; they just need to be added to the new human dashboard.
Laurianna Callaghan currently serves as a security consultant for Ana Academy, a Dallas based security training company. Previously, Laurianna worked with Dell where she was the creator of security analytics for a major healthcare customer which were presented at the 2016 IASAP conference. In addition, Laurianna has more than 21 years experience in various IT domains. She has served as the Director of Systems Engineering for a telemarketing firm, the UNIX/MVS Manager for a major airline and has IT experience in the healthcare, communications, transportation, education, retail, and other industry sectors. Laurianna holds both the CCNA Security and CISSP designations.
NTXISSACSC4 - The Art of Evading Anti-Virus
The Art of Evading Anti-Virus
There are estimates that security analysts, to include penetration testers, are approximately 5 years behind malicious actors. Anti-virus by itself isn’t enough to stop a malicious individual from gaining access to your servers or computers anymore. In fact many of them have devised ways to evade anti-viruses. We as security professionals should understand how these individuals are doing this, and what tools are available for us to replicate these attacks. Tools such as veil-framework assist us with this. This talk will go over this tool, and how malicious individuals evade anti-viruses with ease.
Quentin Rhoads-Herrera is a security analyst for State Farm. In this position he is responsible for risk analysis and application security assessments. He is accountable for ensuring risks are identified and properly mitigated throughout the organization.
He previously served as the Information Security Director for Clearview Energy and Solarview. In this position he oversaw all information security activities. These included development of company-wide cyber security standards, development of layered defense approaches and the hardening and defense of all company systems.
Mr. Rhoads-Herrera has worked in the Information Security space for a total of seven years serving in roles ranging from Security Consultant to Information Security Director.
What's hot (20)
Cross Border Cyber Attacks: Impact on Digital Sovereignty
Cross Border Cyber Attacks: Impact on Digital Sovereignty
Bear Hunting: History and Attribution of Russian Intelligence Operations
Bear Hunting: History and Attribution of Russian Intelligence Operations
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
The Security Industry is Suffering from Fragmentation, What Can Your Organiza...
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements
NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements
Skeptics in the Church of Data: Getting Evangelical
Skeptics in the Church of Data: Getting Evangelical
Tiger swan Expert Security Services for Prominent Individuals
Tiger swan Expert Security Services for Prominent Individuals
NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
NTXISSACSC4 - Red, Amber, Green Status: The Human Dashboard
Similar to Getting Your Security Budget Approved Without FUD
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
If you’ve ever had your security budget eviscerated, this is your session! CEOs have become more wary of scare tactics. What are the tricks to get more security dollars? Discover how to get inside the CEO’s head to get exec support and how to use pet projects to pry scarce resources from budgets. I will share common data points from interviews with over 40 CISOs that have been there and done that.
NUS-ISS Learning Day 2019-Architecting security in the digital age
Presented by Mr Tan Eng Tsze, Principal Lecturer & Consultant, Digital Strategy & Leadership Practice ,NUS-ISS, at NUS-ISS Learning Day 2019
The 7 Factors of CISO Impact at RSA 2015
Slides from the IANS presentation, "The 7 Factors of CISO Impact," the capabilities that CISOs and InfoSec teams need to drive greater business impact. Based on over 200 interviews and quantitative diagnostic results, the IANS research findings deliver actionable insights that attendees can take away and use to advance their own sophistication and effectiveness within their organizations.
IANS 2015 RSA Presentation
Slides from the IANS presentation, "The 7 Factors of CISO Impact," the capabilities that CISOs and InfoSec teams need to drive greater business impact. Based on over 200 interviews and quantitative diagnostic results, the IANS research findings deliver actionable insights that attendees can take away and use to advance their own sophistication and effectiveness within their organizations.
How to Boost your Cyber Risk Management Program and Capabilities?
The webinar explores how understanding your organization in crisis due to an exploitation of risk can develop the organization’s resilience and team in the drive for a stronger level of compliance maturity.
Main points covered:
• Information Security maturity
• ROPI
• Risk Management
• Incident Response
• Forensic Readiness
• Table Top Exercises
• Training
• Legislation
Presenter:
Our presenter for this webinar is Peter Jones, an experienced management professional, digital forensic analyst, cybersecurity professional, ISO 27001 and ISO 17025 auditor and University Lecturer. Peter has a wealth of experience and expertise which incorporates knowledge from being an academic and a practitioner in relation to best practice, data management, cyber security, digital system security and digital forensics, where he has conducted thousands of examinations on behalf of law enforcement and the private sector. Peter has extensive information technology and telecommunications experience which ranges from retail to enterprise environments including supporting the BBC with their hit drama series, ‘Silent Witness’.
Link the the YouTube video: https://youtu.be/aREo4l-pDgc
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum
Anthony Dupree "Evolving Role of the CISO: Reshaping the Cybersecurity Battlespace"
Briefing the board lessons learned from cisos and directors
Communicating effectively with the board of directors can make or break a security program. Across 2016, John Pescatore and Alan Paller of SANS talked with dozens of CISOs and several members of corporate boards and distilled down a set of best practices and lessons learned. This session will present the findings from that effort, with lessons learned from real-world board sessions.
(Source : RSA Conference USA 2017)
Build A Business Case For IT Security - Dhananjay Rokde (Hotel_Digital_Securi...
By Dhananjay Rokde, CISO, Cox & Kings Group
Dhananjay has an enhanced ability at managing global information security programs for large enterprises, with experience of Governance Risk & Compliance (GRC) unification & implementation programmes.
He has received the ‘Top 100 CISO Award’, ‘Future CIO Award’ and the ‘CIO Masters Award for excellence in Information Security’.
He is presently in-charge of the overall information & infrastructure security operations, risk management and compliance of the entire group.
He also has an advanced diploma in IT Cyber Laws & Data Privacy from the Asian School of Cyber Laws.
Fortinet: The New CISO – From Technology to Business Focused Leadership
https://mightyguides.com/fortinet-the-new-ciso-from-technology-to-business-focused-leadership/
Information Security - Back to Basics - Own Your Vulnerabilities
When a security program isn't as good as it should be it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.
This Talk is for - Security Managers looking to better focus on the real vulnerabilities and more effectively communicate your progress
The Goals of this talk – Find the real problems, create a formal plan, build support for the plan, and report the progress
The 7 Factors of CISO Impact
Here are seven factors which IANS' research has proven critical to the effectiveness of information security leadership.
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
https://mightyguides.com/trustwave-7-experts-on-transforming-your-threat-detection-response-strategy
Internet Security - Protecting your critical assets
101 Business Insights is the first business networking site that rewards members for their time and input. As a member you get real, asset-backed rewards for commenting, posting or even simply hanging out at the site. It’s our way of thanking you for engaging with and growing the network, and for being part of the most vibrant business community on the net.
Carbon Black: Justifying the Value of Endpoint Security
https://mightyguides.com/carbon-black-justifying-the-value-of-endpoint-security/
What Small Business Can Do To Protect Themselves Now in Cybersecurity
On October 16, Daniel Cherrin spoke at the Wall Street Journal PRO Cybersecurity Small Business Academy at the Monarch Beach Resort in Dana Park, California. You can find an excerpt from his remarks on Incident Response on a Budget at http://www.northcoaststrategies.com/blog/steps-you-can-take-now-to-prepare-for-the-next-data-breach-that-wont-cost-a-lot-of-money.
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Extended version of Shannon Lietz talk on Culture Hacking at RSAC 2017
CSCSS / DEFENCE INTELLIGENCE GROUP
C/DIG offers a spectrum of Intelligence products. At the strategic level we track national players to determine their policies, and intentions. At the operational level C/DIG documents their Tactics, Techniques and Procedures (TTP).
At the tactical level we provide threat analysis, identification and forensic analysis. All of this data is used for awareness, education, prevention and defence from cyber-attacks and in support of contingency operations to protect your organization.
Similar to Getting Your Security Budget Approved Without FUD (20)
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
Hacking the CEO: Ninja Mind Tricks and Other Ruses to get Security Dollars
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Briefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directors
Build A Business Case For IT Security - Dhananjay Rokde (Hotel_Digital_Securi...
Build A Business Case For IT Security - Dhananjay Rokde (Hotel_Digital_Securi...
Fortinet: The New CISO – From Technology to Business Focused Leadership
Fortinet: The New CISO – From Technology to Business Focused Leadership
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Trustwave: 7 Experts on Transforming Your Threat Detection & Response Strategy
Internet Security - Protecting your critical assets
Internet Security - Protecting your critical assets
Carbon Black: Justifying the Value of Endpoint Security
Carbon Black: Justifying the Value of Endpoint Security
What Small Business Can Do To Protect Themselves Now in Cybersecurity
What Small Business Can Do To Protect Themselves Now in Cybersecurity
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
More from Denim Group
Long-term Impact of Log4J
In its aftermath, Log4j vulnerabilities put the spotlight on vendor management and supply chain security practices. Now that the dust has settled and the worst of the fallout has passed, this talk presents perspectives on likely mid- and long-term changes that the security industry will see as a result of dealing with the Log4j issue as the latest in an escalating series of open source and software supply chain incidents.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Businesses are driving development teams to build, test and deliver app innovations faster and faster, while attackers continue to grow in sophistication and complexity. To protect the business, dev and security teams are deploying multiple app/network/OSS security testing tools, internal & 3rd party manual assessments, and other processes which in turn drives an exponential spike in volume of issues to analyze, correlate, triage, route and repair. Facing this data deluge, DevSecOps teams are turning to automation of mobile app security testing and orchestration of vulnerability management for speed and scale. Join Brian Reed, Chief Mobility Officer of NowSecure and Dan Cornell, Co-Founder and CTO of Denim Group in this best practices session to learn how to drive efficiencies in team and pipeline performance at scale.
Application Asset Management with ThreadFix
Too many organizations have an incomplete picture of their application portfolios. Because you are unable to protect attack surfaces that you don’t know about, this leaves them vulnerable. In this webinar, we will cover the capabilities that ThreadFix has to allows security teams to manage their application asset portfolios. We will also take a deeper dive into several tools such as nmap and OWASP Amass that can help security analysts better enumerate all of the applications in their organization’s portfolio.
OWASP San Antonio Meeting 10/2/20
Title:
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Abstract:
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Speaker:
Dan Cornell
Bio:
A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
With all the focus on DevSecOps and integrating security into Continuous Integration/Continuous Delivery (CI/CD) pipelines, some teams may be lured into thinking that the entirety of a Software Security Assurance (SSA) program can be baked into these pipelines. While integrating security into CI/CD offers many benefits, it is critical to understand that a full SSA program encompasses a variety of activities – many of which are incompatible with run time restrictions and other constraints imposed by these pipelines. This webinar looks at the breadth of activities involved in a mature SSA program and steps through the aspects of a program that can be realistically included in a pipeline, as well as those that cannot. It also reviews how these activities and related tooling have evolved over time as the application security discipline has matured and as development teams started to focus on cloud-native development techniques and technologies.
Using Collaboration to Make Application Vulnerability Management a Team Sport
Vulnerability management - especially application vulnerability management - is a challenging business function because it crosses disciplinary boundaries. Security teams find and adjudicate vulnerabilities, DevOps and server ops teams have to fix them, and GRC teams need to be kept apprised of status and progress. As has always been the case - but especially in a necessarily remote work environment - collaboration is key to making these business functions operate efficiently and effectively. This webinar looks at common bottlenecks that snarl vulnerability remediation workflows and discusses strategies to address these issues via collaboration. Examples are given of implementing these via the ThreadFix platform, but the strategies are universally-applicable for vulnerability management professionals looking to streamline their vulnerability remediation workflows.
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
This webinar takes a dive into the biggest features and benefits in the latest ThreadFix release and the evolving feature set. We will focus on ThreadFix’s new capabilities, including - managing internal penetration testing teams with ThreadFix, tracking vulnerability time to live policies, as well as a host of additional enhancements.
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Application security teams are outnumbered. Even in security-conscious environments, application developers often exceed application security professionals by a ratio of 100:1. In addition, the push for digital transformation is accelerating the pace of development – exacerbating these challenges. One technique forward-looking security teams have adopted to stay afloat is to deploy security champions into development teams throughout the organization. This webinar looks at different models for standing up security champion initiatives and relates Denim Group’s experiences helping organizations craft and staff these programs.
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Security assessments are a critical part of any security program. Being able to identify – and communicate about – vulnerabilities systems is required to get vulnerabilities prioritized for remediation. For web and mobile applications, assessment methodologies are reasonably straightforward and established. However, for cloud-native applications, the combination of new technologies and architectural elements has introduced questions about how to scope, plan, and execute security assessments. This presentation looks at how the assessment landscape has changed with the introduction of cloud-native applications and explores how threat modeling is central to testing their security. In addition, the “Four C’s” conceptual model for looking at cloud-native application security is introduced, including a discussion of how both automated and manual testing methodologies can be used to accomplish assessment goals. Finally, vulnerability contextualization and reporting are discussed, so that teams running cloud-native application assessments can properly characterize the results of their efforts to aid in the prioritization and remediation of identified issues.
An Updated Take: Threat Modeling for IoT Systems
The Internet of Things (IoT) is an exciting and emerging area of technology allowing individuals and businesses to make radical changes to how they live their lives and conduct commerce. The challenge with this trend is that IoT devices are just computers with sensors running applications. Because IoT devices interact with our personal lives, the proliferation of these devices exposes an unprecedented amount of personal sensitive data to significant risk. In addition, IoT security is not only about the code running on the device, these devices are connected to systems that include supporting web services as well as other client applications that allow for management and reporting.
A critical step to understanding the security of any system is building a threat model. This helps to enumerate the components of the system as well as the paths that data takes as it flows through the system. Combining this information with an understanding of trust boundaries helps provide system designers with critical information to mitigate systemic risks to the technology and architecture.
This webinar looks at how Threat Modeling can be applied to IoT systems to help build more security systems during the design process, as well as how to use Threat Modeling when testing the security of IoT systems.
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
The tempo for software delivery to the warfighter continues to accelerate to meet the goals and demands of their missions. Pressures to rapidly build and deploy mission software drive the need to deliver new capabilities via DevSecOps pipelines. Many of the latest leading-edge DevSecOps practices draw heavily from commercial tech companies and innovative programs across DoD like Kessel Run. What are these latest trends, and how do you take advantage of them? How do you quantify the risk of microservices, new languages and frameworks, and cloud environments and still obtain authority to operate (ATO)?
The ThreadFix platform has built-in automation and orchestration capabilities to enable your teams to provide immediate feedback in the form of policy evaluation, notifications in the form of emails and automated developer defect creation, and decision-making on your CI program as scan results are generated. In addition to built-in automation, plugins and the ThreadFix API enable CI programs to seamlessly integrate security testing into existing build/release pipelines to provide evaluation of code changes directly to your development tools.
These key issue items and other trends will be discussed in this highly interactive briefing, providing critical insights on how to inject agility and responsiveness into environments that have traditionally struggled to keep pace with modern development approaches.
A New View of Your Application Security Program with Snyk and ThreadFix
Snyk continuously monitors your application’s dependencies and lets you quickly respond when new vulnerabilities are disclosed. Threadfix allows organizations to gain true visibility into a your project’s security posture by cross referencing results on an app from multiple sources (SCA, SAST, DAST, etc.), ultimately enabling better prioritization, while Snyk focuses on remediation at the source with the automated fix pull requests. Join us to see how, together, Snyk and ThreadFix can enhance application security and prevent risks, while preserving development scale and speed.
Enabling Developers in Your Application Security Program With Coverity and Th...
Developers need to move quickly and efficiently. Coverity’s speed, accuracy, ease of use, and scalability meet the needs of even the largest, most complex environments. ThreadFix allows you to centralize all test and vulnerability data in one place so your software security team can spend less time on manually correlating results and more time focusing on higher-level risk decisions. Join us to get a firsthand look at how Coverity and ThreadFix arm development teams with the tools they need to advance security programs in real time.
AppSec in a World of Digital Transformation
The mandate for digital transformation is forcing companies to innovate faster in order to provide more value to customers and bring products and services to the market more quickly. Technological innovations such as the cloud, microservice architectures, and CI/CD pipelines are being adopted to support the increased pace of development and more easily address scaling requirements. This upheaval presents both risks and opportunities for security leaders. The successful leaders view this transition as a clean-slate opportunity to “get security right” and will restructure their teams and technologies to deeply-embed security throughout the new tech stack. This session will cover emerging strategies that security leaders are using to ensure they keep up with this massive industry change.
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Security assessments are a critical part of any security program. Being able to identify – and communicate about – vulnerabilities systems is required to get vulnerabilities prioritized for remediation. For web and mobile applications, assessment methodologies are reasonably straightforward and established. However, for cloud-native applications, the combination of new technologies and architectural elements has introduced questions about how to scope, plan, and execute security assessments. This presentation looks at how the assessment landscape has changed with the introduction of cloud-native applications and explores how threat modeling is central to testing their security. In addition, the “Four C’s” conceptual model for looking at cloud-native application security is introduced, including a discussion of how both automated and manual testing methodologies can be used to accomplish assessment goals. Finally, vulnerability contextualization and reporting are discussed, so that teams running cloud-native application assessments can properly characterize the results of their efforts to aid in the prioritization and remediation of identified issues.
Enabling Developers in Your Application Security Program With Coverity and Th...
Developers need to move quickly and efficiently. Coverity’s speed, accuracy, ease of use, and scalability meet the needs of even the largest, most complex environments. ThreadFix allows you to centralize all test and vulnerability data in one place so your software security team can spend less time on manually correlating results and more time focusing on higher-level risk decisions. Join us to get a firsthand look at how Coverity and ThreadFix arm development teams with the tools they need to advance security programs in real time.
AppSec in a World of Digital Transformation
The mandate for digital transformation is forcing companies to innovate faster in order to provide more value to customers and bring products and services to the market more quickly. Technological innovations such as the cloud, microservice architectures, and CI/CD pipelines are being adopted to support the increased pace of development and more easily address scaling requirements. This upheaval presents both risks and opportunities for security leaders. The successful leaders view this transition as a clean-slate opportunity to “get security right” and will restructure their teams and technologies to deeply-embed security throughout the new tech stack. This session will cover emerging strategies that security leaders are using to ensure they keep up with this massive industry change.
Enumerating Enterprise Attack Surface
Many organizations have only a passing understanding of the scope of their application portfolios and how these assets are exposed to the Internet and other potentially dangerous networks. This puts them in a risky situation where they have an attack surface that is unknown and unmanaged, often resulting in serious vulnerabilities being exposed indefinitely. This presentation looks at several tools and methods that can be used to enumerate enterprise application assets – including web applications, mobile applications, and web services. The discussion covers several open source application asset identification tools and compares their effectiveness. Finally, a framework for ongoing application asset discovery and enumeration is presented so that security managers can embark on a structured program to characterize their risk exposure due to their enterprise attack surface.
More from Denim Group (20)
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
Optimizing Security Velocity in Your DevSecOps Pipeline at Scale
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
AppSec Fast and Slow: Your DevSecOps CI/CD Pipeline Isn’t an SSA Program
Using Collaboration to Make Application Vulnerability Management a Team Sport
Using Collaboration to Make Application Vulnerability Management a Team Sport
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Managing Penetration Testing Programs and Vulnerability Time to Live with Thr...
Security Champions: Pushing Security Expertise to the Edges of Your Organization
Security Champions: Pushing Security Expertise to the Edges of Your Organization
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
Continuous Authority to Operate (ATO) with ThreadFix – Bringing Commercial In...
A New View of Your Application Security Program with Snyk and ThreadFix
A New View of Your Application Security Program with Snyk and ThreadFix
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
The As, Bs, and Four Cs of Testing Cloud-Native Applications
The As, Bs, and Four Cs of Testing Cloud-Native Applications
Enabling Developers in Your Application Security Program With Coverity and Th...
Enabling Developers in Your Application Security Program With Coverity and Th...
Recently uploaded
UiPath Test Automation using UiPath Test Suite series, part 4
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Climate Impact of Software Testing at Nordic Testing Days
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Epistemic Interaction - tuning interfaces to provide information for AI support
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Communications Mining Series - Zero to Hero - Session 1
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
20240605 QFM017 Machine Intelligence Reading List May 2024
Everything I found interesting about machines behaving intelligently during May 2024
The Art of the Pitch: WordPress Relationships and Sales
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
By Design, not by Accident - Agile Venture Bolzano 2024
As presented at the Agile Venture Bolzano, 4.06.2024
Securing your Kubernetes cluster_ a step-by-step guide to success !
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
National Security Agency - NSA mobile device best practices
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Essentials of Automations: The Art of Triggers and Actions in FME
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar
Recently uploaded (20)
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
Getting Your Security Budget Approved Without FUD
- 1. SESSION ID: Getting Your Security Budget Approved Without FUD CISO-W04A John B. Dickson, CISSP Principal Denim Group @johnbdickson
- 2. #RSAC Why Is Selling Fear So Compelling? u Is it like selling insurance? u The security industry is struggling for parallel models and metaphors u FUD Distorts the Process 2
- 3. #RSAC CEO CFO CIO VP Development Development CISO Security Leaders Are at A Structural Disadvantage u They have a staff advisory role and not a “line” operator role u They have different world views that drive their perspective u They talk differently u They have less power 3
- 4. #RSAC The Key Principles of Selling Security 1) Exploit Pet Projects 2) Account for Culture 3) Tailor to Your Specific Vertical 4) Consciously Cultivate Credibility & Relationships 5) Capitalize on Timely Events 6) Capture Successes & Over-Communicate 4
- 5. #RSAC 1) Exploit Pet Projects Always bundle security into CAPEX or other critical projects as defined by the CEO 5
- 6. #RSAC 2) Account for Business Environment Radically adapt your “Request for Resources” to your organization’s culture and risk appetite 6
- 7. #RSAC 3) Tailor to Your Specific Vertical 7 Tailor security requests to your specific vertical, sub-vertical, & sub- sub vertical
- 8. #RSAC 4) Capitalize on Timely Events Use near-death experiences of others to justify security spend 8 “You never let a serious crisis go to waste. And what I mean by that it's an opportunity to do things you think you could not do before.” -‐ Rahm Emanuel
- 9. #RSAC 5) Consciously Cultivate Credibility & Relationships Credibility and relationships must be established prior to “Making A Security Ask” 9
- 10. #RSAC 6) Capture Successes & Over-Communicate Document security wins and communicate these successes so they become the new operating norm 10
- 11. #RSAC Conclusion Successful security leaders exhibit certain consistent approaches to get their security budgets approved – without using FUD! 1) Exploit Pet Projects 2) Account for Culture 3) Tailor to Your Specific Vertical 4) Consciously Cultivate Credibility & Relationships 5) Capitalize on Timely Events 6) Capture Successes & Over-Communicate 11
- 12. Q&A John B. Dickson, CISSP john@denimgroup.com @johnbdickson