Agenda

TIME     | TALK                                                                                        | SPEAKER          | LOCATION
8:00 AM  | Registration                                                                                |                  | Room 1
9:00 AM  | Ride the Pendulum: Bringing Security Back to Its Roots                                      | Kyle Bubp        | Room 1
9:00 AM  | How to make your Security Team SOAR with automation                                         | Kevin Sistrunk   | Room 2
9:00 AM  | How we reverse-engineered multiple industrial radio remote-control systems                  | Stephen Hilt     | Room 3
10:00 AM | Training the IT Security Staff on a Shoestring Budget                                       | Steven Kirby     | Room 1
10:00 AM | Cloud Security Operations with AWS                                                          | AWS              | Room 2
10:00 AM | Software Defined Radio: A Fireside Chat                                                     | Randy Upchurch   | Room 3
11:00 AM | Don’t Be THAT Geek – How NOT to speak to users and the C Suite                              | Gigi Gridley     | Room 1
11:00 AM | Climbing App Sec Mountains (and how to summit)                                              | Adam Schaal      | Room 2
11:00 AM | CIS Benchmarks: Building a strong foundation                                                | Hooper Kincannon | Room 3
12:00    | LUNCH                                                                                       |                  | ATRIUM
1:00 PM  | OWASP SAMM, Benchmarking, and You!                                                          | Brian Glas       | Room 1
1:00 PM  | Flex Seal your CI/CD Pipeline                                                               | Ochaun Marshall  | Room 2
1:00 PM  | Cops and Robbers: Simulating Adversary Techniques for Detection Validation                  | Tim Frazier      | Room 3
2:00 PM  | BREAK                                                                                       |                  |
2:30 PM  | What I Wish I’d Taught My Students in My College Security Course                            | Nadine Wondem    | Room 1
2:30 PM  | Fragile to Agile: The Journey from Low-Participation to High Velocity for your Security Team | Leonard Wall     | Room 2
2:30 PM  | Complete OverTheWire’s Natas Wargame using only a browser                                   | Alex McCormack   | Room 3
3:30 PM  | Closing                                                                                     |                  | ATRIUM

Training the IT Security Staff on a Shoestring Budget

Steven Kirby

This presentation will discuss various options for training IT security staff at a low cost. It will enumerate various means of establishing professional credentials and provide an overview of inexpensive training that will support those credentials.

Don’t Be THAT Geek – How NOT to speak to users and the C Suite

Gigi Gridley

Users don’t want to talk to “the IT department” unless they absolutely have to, because they’ve all had at least one bad experience of being “talked down” to. Senior managers don’t want to talk to “the IT department” because those guys ask for a lot of money and can’t explain the benefits of spending it. Here’s the thing – the IT department exists to help business users get their jobs done, and the IT department can’t get money for upgrades and improvements without convincing management that it’s good for the enterprise. Those of us in technical roles don’t usually get much training in soft skills like interdepartmental communication. Knowing how to talk to users and management is crucial to getting your own work done, so let’s talk about how to make that happen.

Cloud Security Operations with AWS

AWS Architect

More to come soon!

CIS Benchmarks: Building a strong foundation

Hooper Kincannon

This presentation will give attendees a general overview of some of the benchmarks CIS publishes and how enterprises can utilize them to establish strong security foundations.

Climbing App Sec Mountains (and how to summit)

Adam Schaal

Application Security teams are often told to “shift left”, or to be involved earlier in the software development life cycle. The aim of this practice is to prevent vulnerabilities or defects as early as possible in order to quickly deliver high-quality software. It is a lofty goal; however, it is often one that companies make difficult, and sometimes impossible, for their corporate application security teams. This talk will detail the ways that companies create their own roadblocks and how to help their application security team succeed. Some of the challenges that an in-house Application Security team faces are:
• Old Tooling
• Mergers and Acquisitions
• New Products and New Technologies
• Workplace shift (i.e. Layoffs and hiring Overseas)
• Inflexible Developers

Frequently, challenges such as these actually make the App Sec team’s work grow and add to their ever-increasing backlog. In our discussion, we will cover each of these topics thoroughly, detailing why they fail today, and discuss ways to improve each situation for your in-house Application Security team. As part of our solution, we will discuss how App Sec teams can use a “shift out” approach to level out their work. Using both “shift left” and “shift right” methods, this talk will examine how a “shift out” perspective can actually solve many of the issues that are adding work to your team. If you work as part of a corporate Application Security team, this is one session that you won’t want to miss!

How to make your Security Team SOAR with automation

Kevin Sistrunk

This will be a high-level overview on why every infosec team should be using a SOAR platform, with specific use cases ranging from SOC initial triaging to phishing to remediation.

Ride the Pendulum: Bringing Security Back to Its Roots

Kyle Bubp

Are separate security teams necessary? How can we measure their efficacy, and what are they really supposed to be doing in our organizations? As an industry, we’ve convinced the world that security is super important, that the next big hack is just around the corner, and that “it’s not a matter of if but when.” Budgets are rising, spend is increasing, and the number of products brought to market to keep us safe increases every year. So then… shouldn’t the good guys be winning? Perhaps the separation of the responsibility for the ‘security’ of the code and tech in our organizations should never have happened. This talk will explore how pushing the onus of security onto a specific team has worked to our detriment (and sometimes to our advantage), and, looking forward, how we rein this back in, do away with the old, and focus on what really works.

Complete OverTheWire’s Natas wargame using only a browser

Alex McCormack

We’ll walk through the classic web security wargame at https://overthewire.org/wargames/natas/. We will solve the challenges using only a browser and our brains.

OWASP SAMM, Benchmarking, and You!

Brian Glas

OWASP Software Assurance Maturity Model (SAMM) [https://owaspsamm.org] is the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. Building security into the software development and management practices of a company can be a daunting task. There are many elements to the equation: company structure, different stakeholders, technology stacks, tools and processes, and so forth. Implementing software assurance will have a significant impact on the organization. Yet trying to achieve this without a good model most likely leads to only marginal and unsustainable improvements. SAMM gives you a structured and measurable model to do just that. It enables you to formulate and implement a strategy for software security that is tailored to the risk profile of your organization. In this talk, we give an overview of the new release of the SAMM v2 model. Ten years after its first conception, it was important to align it with today’s development practices. We will cover a number of topics in the talk: (i) the core structure of the model, which was redesigned and extended to align with modern development practices, (ii) the measurement model, which was set up to cover both coverage and quality, and (iii) the new security practice streams, in which the SAMM activities are grouped into maturity levels. We will also discuss the SAMM Benchmark sub-project, which is trying to help answer the questions “How do I compare?” and “What is working for others in a similar situation?”

Flex Seal your CI/CD Pipeline

Ochaun Marshall

Continuous Delivery is the heart of DevOps. Web applications, APIs and microservices are now designed to have the latest version deployed as quickly as possible. This revolution has empowered organizations to develop highly available products and platforms. However, most of the traditional security checks are often bypassed, since code can be sent from a repository to a production environment in seconds. This talk lays down some strategies for continuing to run an operationally efficient DevOps pipeline while incorporating security throughout the entire process. Security is a growing concern in this field, not only because the pipeline is a critical component in many cloud native application and service deployments, but also because of the level of access these systems have to all the infrastructure around them. Most of that access is required for the level of automation organizations are striving to build towards, but forgoing security in this area exposes them in ways they may not know or understand.

How we reverse-engineered multiple industrial radio remote-control systems

Stephen Hilt

I will be demoing how we attacked our SAGA crane. I will have the crane controller, and people will need to bring their own RF equipment if they want to try.

Software Defined Radio: A Fireside Chat

Randy Upchurch

More to come soon!

Fragile to Agile: The Journey from Low-Participation to High Velocity for your Security Team

Leonard Wall

Agile teams are rapidly growing throughout organizations due to their ability to lower the cost of development and deliver products faster than traditional development teams. However, traditional security teams do not operate at the speed of Agile teams and increase the cost of development. Because of Security’s lack of speed and additional cost, Agile teams resist outside requests out of concern that they will get in the way of delivery and increase costs. Security teams can enable Agile teams without slowing delivery through automation and by setting expectations. This presentation will discuss areas of opportunity Security teams can leverage to enable Agile teams to maintain their delivery speed while achieving the desired results. I will present how Security teams can add value to Agile teams and remove the perception of getting in the way without increasing the cost.

What I Wish I’d Taught My Students in My College Security Course

Nadine Wondem

I worked in academia for several years. More recently, in the last 6+ years, I’ve been working as a security engineer at various companies around Nashville. The experience I’ve gained while working as a security engineer makes me realize that there are several things lacking from college computer security courses. I will explore some of those foundational security principles in this talk. How much socket programming is really needed? Do I really need to learn the Internet stack? How much cryptography should be included? Time will be allotted at the end of the talk for audience participation, as a form of crowd-sourcing based on attendees’ experiences.

Cops and Robbers: Simulating Adversary Techniques for Detection Validation

Tim Frazier

Your organization spends a lot of time and money on your security program. Shouldn’t you be able to show that all of that investment is paying off? Many vendors are offering customers high-quality analytics, but how can you ensure that they are working correctly? What if you had a way to repeatedly emulate common and known adversary tactics, techniques, and procedures in your environment with no formal penetration test required? This presentation will showcase a tactical method for adversary emulation and detection using free tools and open-source projects, including Atomic Red Team from Red Canary, DetectionLab from Chris Long, ThreatHunting from Olaf Hartong, Splunk (Enterprise Trial), and Phantom (Community Edition). We’ll show how this framework can simulate techniques, review the events that result, and test your detection capabilities against many techniques in the MITRE ATT&CK framework. The framework even has detailed instructions to spin it up in Amazon Web Services or locally in your environment so that you can start using it as soon as you return to the office.