Pre-Conference Workshops

W1 DevSecOps Symposium

Saturday, April 1, 2017
9:00 AM – 5:00 PM
One-Day, 8 CPEs

Alan Shimel, Editor-in-Chief,
Ben Tomhave, Security Architect, New Context

9:00 AM – 10:00 AM
Keynote - Our First 6 Months: Lessons Learned Forming a DevSecOps Program
Bill Burns, Mahesh Kandru
Integrating security into DevOps is the next level of maturity for information security, but how do you get started, and what are the pitfalls and tar pits to avoid along the way? Hear from one team who was given the opportunity to integrate security into their new cloud product line and development lifecycle. We’ll share results so far, lessons learned, and various technical and non-technical war stories.

Key takeaways:
• How building DevSecOps differs from traditional AppSec programs
• Metrics and measures to enforce the right outcomes
• Common pushback and countermeasures
• Maturing the program and accountability

10:00 AM – 10: 45 AM
Session 1 Culture Hacking with DevSecOps
Shannon Lietz
Now is the time for great transformation. Working together, learning from one another, and developing great solutions to end the world’s vast number of problems is becoming the greatest challenge of our generation. This means we must all be part of the conversation, respect our differences and seek out the knowledge necessary to build better, safer software sooner. With these ingredients, the possibilities are endless and yet we must find a way to not get too focused on speed when quality is also important.

Software is indeed eating the world and we stand to benefit phenomenally or drown in the mistakes we make by being uninformed. With software becoming part of our lives and the lives of our children there is a lot to lose if we don’t find a way to work together.

This talk will focus on what we have come to learn through DevSecOps transformation by bringing DevOps and security together, and the important culture hacking lessons we all need to succeed in building safer, software sooner.

10:00 AM – 11:45 AM
Workshop 2.1: Shifting Left: An Introduction to Security and DevOps
Jayne Groll
This session provides an introduction to DevOps including how security teams are engaging in DevOps transformations by
• Ensuring that security is built into the deployment pipeline architecture
• Creating “rugged” software that adds security to the software development process to improve testing and code quality
• Improving security operations by leveraging orchestration, automation and DevOps practices

11:00 AM – 11:45 AM
Session 1.2: TBD 

12:45 PM – 1:30 PM
Session 3 SecDevOps in the Public Sector
Lawrence Embil
Cybersecurity resources at State and Local governments can be scarce if not non-existent. Getting buy-in for SecDevOps can be a force multiplier in even the most change resistant organizations.

This talk will cover some methods and tools that can be applied to growing security maturity by demonstrating the value of DevOps. We’ll also cover quick win methods for configuration management, audit and assessment readiness, as well as navigating cultural minefields.

Key Takeaways:
• Building a SecDevOps program to help with the shortage of available cybersecurity resources at State and Local governments
• Breaking through silos in change resistant organizations as well as navigating cultural minefields
• Methods and tools that can be applied to growing security maturity
• Quantifying the value of SecDevOps
• Quick win methods for automation, configuration management, audit and assessment readiness.

12:45 PM – 4:15 PM
Workshop 2.2 Incident Management for DevOps
Rob Schnepp, Chris Hawley, Ron Vidal
Without question, the future of computing promises more scale, more complexity, and certainly more change—all at greater velocity. However, scale, complexity, and change, especially when occurring at an ever-increasing velocity, are the natural enemies of stability, performance, availability, and reliability.

Many companies have experienced the fear, pain, and embarrassment of handling a technology failure so significant it shook the core of the business. Without a standardized way to organize the people responding to incidents and solving technology problems, the time to restore services gets longer and longer.

The Incident Management System (IMS) has been battle tested by the American Fire Service for over 40 years across fires, rescues, hazardous materials incidents, and every other type of emergency. Rob Schnepp, Chris Hawley, and Ron Vidal explain how they adapted IMS for IT and offer an early look at content from Incident Management for IT Operations, their upcoming book from O’Reilly Media.

Rob, Chris, and Ron dive into the nuts and bolts of the Incident Management System, which is in use by a number of site reliability teams, and demonstrate how to not let a good crisis go to waste by learning from each response in productive after-action reviews (AAR). You’ll leave knowing what the Incident Management System is and why it’s the best framework to organize the people responding to an incident, how an incident commander (IC) works with subject-matter experts (SMEs) to solve high-severity problems and how to implement after-action-review (AAR) findings into production to prevent future incidents.

1:30 PM – 2:15 PM
Session 4 Firestarter Unconference

2:30 PM – 3:15 PM
Session 5 AppSec in a DevOps World
Peter Chestna

3:15 PM – 4:15 PM
Session 6 Panel: DevOps: It Takes a Village

4:15 PM – 5:00 PM
Closing Keynote - The Heart of DevOps is Cooperation
Ben Tomhave
If you’ve ever performed a root cause analysis on security incidents, then you’ll have readily seen that human factors are often at play. However, have you ever done a root cause analysis on why security programs fail? If you take a look, you’ll often find the same thing: human factors. It’s time that we look to change human behavior and organizational culture to better account for security, and to better align those human factors to be with us rather than against us. DevOps provides a great roadmap for doing just that by revamping organizational culture to be more cooperative and collaborative, and to set the groundwork for a generative culture that acquires and grows optimal principles to benefit individuals and the business. 


W2 Mainframe Security: Hands-On Audit and Compliance Hands-On

Saturday, April 1 – Sunday, April 2, 2017 
9:00 AM – 5:00 PM
Two-Days, 16 CPEs 

Philip Young, Founder, Level 6 Security

Mainframes, specifically z/OS, make up the workhorse operating system of almost all large enterprises and yet are underserved by the IT security community. More importantly the people tasked with reviewing the security of this platform may lack the requisite knowledge and language to appropriately audit it. This workshop is targeted to those who may be curious about the platform, tasked with conducting a security audit, or have been auditing the platform for years and would like a refresher. This workshop and its supplemental materials provides a solid baseline to aid and develop this niche skillset required by the top employers in the world.

The majority of the course will be spent performing instructor-led hands-on mainframe testing with the available tools. Goals for each segment will be prepared to provide students with the ability to gain a deep understanding of how a test could and should be performed. Exercises will be based on real-world attack scenarios.

Topics to be covered:
• Z/OS Operating System Basics
• Understanding z/OS operating system paradigms
• Mainframe Security Auditing
• RACF/Top Secret/ACF2 Security Review
• TSO and UNIX Security
• VTAM Hardening
• CICS Security and exploitation
• System Enumeration

Day 1 – Mainframe Basics

• Mainframe History
• Operating System introduction
• z/OS Basics
    o Logging on
    o User interaction
    o ISPF
    o TSO
    o REXX
    o CLIST
    o UNIX
    o Dataset Concatenation
    o JCL
    o Hands On: Creating JCL and submitting it
• System Startup
    o Walk through IPL Parms
    o TCP/IP Startup/Config
• Security
    o RACF
    o Decision Tree
    o Profiles
    o Facilities
    o Dataset Profiles
    o ACEE
    o APF Authorized

Day 2 - Networking/Patch Management

• Networking
    o SSL Configuration
    o TN3270 setup
    o SNA
    o Hands On: SSH to the mainframe
    o Hands On: FTP to the mainframe
• Patching/Patch Management
    o SMP/E Walkthrough
    o Walkthrough CICS transactions
    o Hands On: Access a CICS transaction
    o Logging
• Auditing
    o Challenges
        Example
        Location
        Loading
        Reading
o Creating Audit Guide
o Key areas
        SETROPS Gotchyas
        Dataset security (concatenation)
        Startup Libs
        TCPIP Configuration
        Patching
        Logging and Monitoring
o Hands On: Given multiple configuration files ascertain system health based on audit/compliance requirements.
• Questions/Review

Participants must bring a laptop capable of running a virtual machine. Virtual machine images will be provided prior to the course along with all required tools and course materials.

W3 Red Team vs. Blue Team Techniques with Hunt Teaming Hands-On

Saturday, April 1 – Sunday, April 2, 2017  
9:00 AM – 5:00 PM
Two-Days, 16 CPEs 
Larry Spohn, Senior Principal Security Consultant, TrustedSec
Ben Mauch, Senior Security Consultant, TrustedSec

This course focuses on the latest attack techniques, as well as how to best defend against the attacks. This course will cover both red and blue team efforts and provide methods for understanding how to best detect threats in an enterprise. It will give penetration testers the ability to learn the new techniques as well as teach blue team how to defend against them.

This course is completely hands on!

By the end of day 1, students will be attacking our simulated network while the trainers defend against the attacks. By the end of day two, the students will be defending the network against the trainers who will be attacking!

This course applies real-world offense and defense capabilities to truly paint the full picture of understanding how attacks happen today and how to best prevent them. This is a new course and is completely fresh. It contains all of the latest pentester methods as well as unreleased methods for detecting attacks. Students can have a penetration testing background or a focus on defense. We recommend having basic systems administration experience – this will help you with the hands-on exercises.

Course Outline Day 1 Outline
• Introduction to Attacker Techniques
• Common Methods for Exploitation
• Methods for Persistence and Evasion
• Lateral Movement and Pivoting
• Circumventing Security Defenses
• Understanding Attacker Mindsets
• Performing an adversarial simulation
• Simulated Attack Scenario on Live Network

Day 2 Outline
• Developing a Common Defense
• Introduction to Hunt Teaming
• Performing a hunt team exercise
• Tools, tricks, and free scripts!
• Identifying threats on the network
• Identifying threats on the endpoint
• Using existing technology in the network
• Special goodies
• Defending the Network – Live Network Defense

1. Students must bring their own laptop (Mac, Linux, or Windows) with a minimum of 4GB of RAM. Students will need administrative rights.
2. Prior to the workshop, students will need to download and install a virtual image. (An easy step-by-step guide will be sent prior to the workshop. Installation only takes a few minutes.)

W4 How to Prepare For, Respond to, and Recover From a Security Incident

Sunday, April 2, 2017
9:00 AM – 5:00 PM
One Day, 8 CPEs

John Pironti, President, IP Architects, LLP

The concept of “if” has been replaced with “when and how bad” when it comes to the reality of cyber-attacks and business disruptions for many organizations. The constant changing and evolving landscape of attacks, adversaries, regulations, and compliance requirements has forced many organizations to aggressively implement best effort approaches to information risk management and security to meet immediate defensive needs. This often leads to operating at a less than adequate and reactive basis.

A risk-based and business-aligned approach to design, implementation, and operation of comprehensive and proactive defensive programs and capabilities can be easily introduced, sustained, and matured within organizations of any size or complexity. This workshop will explore a risk-based and pragmatic approach to defending information infrastructure and data assets. Both proactive capabilities to manage risk and reactive capabilities to minimize realized risks will be explored. Interactive discussions, examples, and cross-industry case studies will be presented throughout the workshop.

Module 1: Key Elements of an Information Risk Profile

  • What is an Information Risk Profile?
  • Establishing Standards of Due Care for Information and Data Assets
  • Allowing Decision Makers to Make Decisions
  • Linkage to Enterprise Risk Management
  • Information Risk Profile StructureMaterial Business Impact Considerations – When Does it Hurt?
  • Identification of Key Information Risks and Mitigation Capabilities
  • Endorsement and Updates

Module 2: Threat and Vulnerability Analysis

  • Overview of Threat and Vulnerability Analysis
  • Asset Identification and VisualizationThreat and Vulnerability Analysis - OSI+ Methodology
  • Who, What, When, Where, and How
  • Intelligence Gathering and Assessment

Module 3: Key Elements of a Vulnerability Management Program

  • What is Vulnerability Management?
  • Governance or direct control?
  • Vulnerability management program functions
  • Key processes and activities
  • Common vulnerability management technologies and vendors

Module 4: Pay Me or You Lose Your Data! – Five Key Considerations When Preparing for a Ransomware Incident

  • What is Ransomware and why is it so painful to deal with?
  • Examples of Ransomware incidents, tools, and their impacts
  • Five Key Considerations to be considered when preparing for a ransomware incident:

1. Managing the risk – To Pay or Not to Pay?
2. Negotiation
3. Recognizing is this the beginning or end of the attack?
4. Are your backups good enough and should you use them?
5. Identifying when you should segment and disable networks and systems

  • Final Thoughts

Module 5: Key Considerations for Business Resiliency

  • Introduction to Business Resiliency
  • Crisis Management
  • Command and Control
  • Leadership Identification and Availability
  • Communication Plans
  • Legal Considerations
  • Information Infrastructure Requirements
  • Grab and Go Books
  • Incident Response
  • Business Continuance
  • Business Impact Analysis
  • Competency Models and Staff Availability
  • Financial Planning and Reserves
  • Remote Workforce/Pandemic Preparation
  • Disaster RecoveryRecover Remote or Recover in Place
  • Overlooked Threat Scenarios
  • Access and Availability of Facilities
  • Backup of Backup Facilities
  • Table Top vs. Actual Tests
  • Return to Normal Considerations

Post Conference Workshops

W5 Malware Analysis 101 - Malware detected, now what? Hands-On

Wednesday, April 5, 2017
1:00 PM – 5:00 PM
Half Day, 5 CPEs

Paul Lewis, VP Technology Risk, T&M Protection Services
Kyle Poppenwimer, Senior Digital Forensic Examiner, T&M Protection Services

We all know that malware continues to spread and evolve at an alarming rate, but what exactly is malware and how does it work? With organizations under constant attack, it is imperative that information security personnel have the ability to analyze malware in order to understand its capabilities as well as the threat(s) posed to the organization.

Through basic malware analysis, learn how to identify business critical threat intelligence, respond to security incidents, and strengthen security defense systems. The Malware Analysis 101 workshop will teach attendees the basics of both static and behavioral malware analysis utilizing real-world malware samples.

• Learn how to configure an isolated virtual environment to safely dissect and analyze malware
• Learn what makes malware malicious, how it spreads, and what it does behind the scenes
• Analyze actual malware embedded in Microsoft Office files and Adobe PDF files
• Analyze real malicious portable executable files
• Perform behavioral analysis of real-world malware samples
• Identify and document indicators of compromise (IOCs) and drive threat intelligence

This is an entry level malware analysis course. Attendees will need to be comfortable navigating Microsoft Windows. A very basic understanding of a Linux environment is a plus.

1. Students must bring their own laptop (either Mac or Windows) with a minimum of 4GB of RAM and a USB port. Students will need administrative rights.
2. Prior to the workshop, students will need to download and install VMware Workstation Pro (Windows) or VMware Fusion (Mac OS X). VMware offers a 30-day free trial for both programs. (An easy step-by-step guide will be sent prior to the workshop. Installation only takes a few minutes.)
3. The instructor will provide each student with a USB drive containing all course materials and malware samples.

W6 Leveraging CASB to Tame Your Cloud

Wednesday, April 5, 2017
1:00 PM – 5:00 PM
Half Day, 5 CPEs

Andrew Hay, CISO, Data Gravity

The Cloud Access Security Broker (CASB) market is the hottest market in security tools today, and for good reason.

Many organizations are deploying CASBs in an effort to improve visibility into their cloud applications. CASBs offer full visibility into the cloud, tracking data usage and helping measure risk. In some cases, they also do encryption management. CASBs are unique in that they deliver a central point of monitoring and control across network services for cloud services, enabling organizations to find discover in the cloud, monitor their usage, and prevent further activity.

In this interactive workshop, we will cover deployment details, specific use cases and requirements to consider when choosing a CASB, and provide recommendations for ensuring the proper controls are in place for SaaS-based business applications.

Be prepared to:
• Learn about the CASB landscape
• Discuss what CASBs really do, i.e., *Cut through the FUD*
• Look at deployment models and architecture
• Walk through SaaS-based application use cases
• Deploy a CASB solution

W8 Keys to Creating an Effective Cybersecurity Culture

Wednesday, April 5, 2017
1:00 PM – 5:00 PM
Half Day, 5 CPEs

Jane LeClair, President, Washington Center for Cybersecurity Research and Development 

This workshop will provide participants with an understanding of the key components in establishing an effective cybersecurity culture within their organizations. Cybersecurity is more than independently functioning hardware and the people that operate it; rather, it is about the synergy that must be created within an organization that combines people, processes, and technology into a capable, high-functioning operation.
This triad of key elements can lead to an effective cybersecurity culture that is essential in the troubling cyber times in which we live. The workshop will include an overview of cybersecurity, open discussions, graphic presentation, interactive activities, and informational takeaways that participants can transfer to their respective workplaces.

Among the topics discussed will be:
• The role of technology
• Policies and processes that serve as guidelines
• New learning opportunities to offer
• Identifying key roles in the organization’s culture

W9 Crafting an Exciting & Effective Security Training & Awareness Program

Thursday, April 6, 2017
9:00 AM – 5:00 PM

One-Day, 8 CPEs
James McQuiggan, Product & Solutions Security Officer, Siemens Wind

In this full-day workshop you will learn about key factors to successfully develop and deploy a balanced information security program unique to your own company: a program that will increase compliance within your particular regulatory environment, and result in improved employee behaviors that are more resistant to both internal and external attacks. Drawing on the experience of rolling out award-winning training and awareness programs in two global companies for over 30,000 employees in 80 different countries and cultures you will understand the competing forces that impact security training programs; become familiar with available resources, guidelines, and standards; and free your creative side.
Working in small groups, you will learn about and gain practice in:
• Identifying and meeting the individual training needs of your varied audience
• Evolving your message as your organization evolves and matures
• Separating arcane topics from the things everybody needs to know
• Delivering messages in stand-up, PowerPoints, posters, video s, and publications
• Turning good sources of ideas, hints, tips, and guidance in to quality programs
• Developing programs on a shoestring. (Shoestrings are included in the workshop)
• Making the message memorable
This full-day workshop will involve all participants in brainstorming ideas, picking one that fit their environment, developing presentations and materials, and delivering the outcome. Creativity and a good imagination are helpful. Not recommended for those with stage-fright.

W10 Intro to Threat Hunting with ELK Hands-On

Thursday, April 6, 2017 
9:00 AM – 5:00 PM

One-Day, 8 CPEs
Fred Mastrippolito, President & CEO, Polito, Inc.
Ben Hughes, Senior Security Engineer, Polito, Inc.

Successful log analysis is a cornerstone of any network or endpoint security program. Whether your organization is relying primarily on "next-gen" commercial security appliances or free security solutions, these tools will typically generate logs at scale that need to be collected, managed, tuned, enriched, monitored, analyzed, correlated, and reported. Even if your organization does not have a "next-gen" security monitoring solution at the network perimeter or on endpoints, or perhaps does not have a commercial SIEM solution, open source, or otherwise, free alternatives can be rapidly deployed to provide inexpensive yet effective security log monitoring and threat hunting capabilities.
This hands-on class will walk attendees through the basics of how to leverage the open source ELK stack to automatically and manually analyze diverse logs to proactively identify malicious activity. The basic tools, techniques, and procedures taught during this class can be used to investigate isolated endpoint security incidents or implemented at scale for monitoring an enterprise. Students will be provided with access to a preconfigured ELK instance in the cloud, as well as extensive sample logs containing malicious events waiting to be discovered.
This course is designed for entry to mid-level security analysts and managers. Students who complete this class will be better equipped with practical tools and techniques in order to understand, deploy, and leverage log monitoring and analysis tools in support of enterprise defense efforts.
This Class Will Cover:

• Introduction to log monitoring and analysis
     o Security Information and Event Management (SIEM)
     o Different types of event logs
     o Log ingestion, indexing, and searching
     o Log correlation and enrichment using additional data sources
     o How network perimeter and endpoint security logs complement each other
• Introduction to threat hunting
     o Where threat hunting fits into your security program
     o Proactive monitoring/hunting vs. dead box forensics
     o Understanding the malware kill chain
     o The role of threat intelligence
     o Identifying and hunting for Indicators of Compromise (IOCs)
• Relevant tools including mostly open source or otherwise free tools:
     o ELK stack (popular open source log management platform)
          Elasticsearch (index and search)
          Logstash (log ingestion)
          Kibana (search and dashboard frontend)
     o Sysmon (free Microsoft Sysinternals endpoint logging tool)
• Threat hunting with logs
     o How to search logs to find anomalous/malicious events
     o How to build and use dashboards, automation, and alerting capabilities
     o How to integrate threat intelligence feeds and enrich data
     o Next steps

Students must bring a Windows, Mac, or Linux laptop with at least 6 GB and a web browser. Previous experience with log analysis, threat hunting, malware analysis, forensics, network security monitoring, and/or threat intelligence is helpful but not required.
    Event Sponsor
 HP 200x110

      Platinum Sponsors

   accelerite 200x110

 Lieberman 200x110

Malwarebytes 200x110 






      Gold Sponsors

Anomali 200x110

CheckPoint 200x110

Cylance 200x110