Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL


Hacking is a game, and defense both makes the rules and is under no particular obligation to play fair. So cheat. Dan Kaminsky explores better ways to deploy cryptography, protect data, leverage clouds, and more.
Using social logins is a good way to boost security. However, this often makes site owners complacent, skipping security measures they still need to maintain. Ido Safruti and Tomer Cohen explain how attackers have found ways to exploit this and bypass the auth providers’ defenses, attacking some of the world’s largest services, and demonstrate how to protect yourself from such attacks.
We're all sick of hearing it. Day after day, another "junk hack" pops up in the news. The stories are tiring and repetitive, but what is a blue team to do? Don Bailey explains that defense in the IoT is less about the technology and more about the process of deploying, monitoring, and maintaining technology. With a well-defined set of processes, we can antiquate the concept of junk hacking.
Docker offers a lot of advantages, simplifying both development and production environments, but there is still uncertainty around the security of containers. Ben Hall shares his experiences while leading a hands-on demonstration of Docker and container security.
The global populace is asking for the IT industry to be held responsible for the safeguarding of individual data. If the cat is out of the bag and collection will not stop, then the next logical question is how do we protect the privacy of individuals? Steven Touw examines how to design your data and analytics architecture to keep your data science teams delivering results legally.
Hunter King and August Huber explain how to implement machine identity at scale in a heterogeneous environment. Discover the pitfalls of endpoint attestation. Hunter and August made the mistakes so you won't have to.
Alex Pinto demonstrates how to apply descriptive statistics, graph theory, and nonlinear scoring techniques on the relationships of known network IOCs to log data and how to use those techniques to empower IR teams to encode analyst intuition into repeatable data techniques that can be used to simplify the triage stage and get actionable information with minimal human interaction.
The single most important element to successful cybersecurity incident response is developing a holistic, cross-functional incident response process. Jennifer Martin provides guidance for building trust and educating stakeholders on each other's priorities, roles, and responsibilities to mitigate internal confusion and strife during a crisis.
Information sharing is a key element in detecting security breaches and proactively protecting information systems and infrastructures, but the practical aspect is often forgotten. Alexandre Dulaunoy offers an overview of MISP, a free software tool that supports information-sharing practices among communities, and shares some lessons learned while building it.
Katrin Anna Ruecker explains how Facebook's privacy managers work with product teams to build products with privacy in mind. Join Anna to learn about the privacy review process and how Facebook designs privacy controls and user education.
Program chairs Courtney Nash and Allison Miller provide closing remarks for the first day of keynotes.
Program chairs Courtney Nash and Allison Miller provide closing remarks for the second day of keynotes.
Clair is an open source container image security analyzer that enables developers to build services that scan containers for security threats and vulnerabilities. Quentin Machu offers an overview of Clair and explores a real-life example to demonstrate how Clair is able to automatically detect known vulnerabilities in Docker and rkt containers before they get exploited.
Who did it? Attributing computer network intrusions is commonly seen as one of the most intractable technical problems, solvable (or not) depending mainly on the available forensic evidence. But is it? Is this a productive understanding of attribution? Ben Buchanan shows that attribution is what companies—and governments—make of it.
Rudder is an open source IT compliance automation tool that focuses on continuously checking configurations to provide a real-time high-level compliance status or break down noncompliance issues to a deep technical level. Jonathan Clarke offers an overview of Rudder and demonstrates how to use it to drill down to any issues that need remediating.
In a world of continuous everything, each discipline has to find ways to provide value fast and reliably—whether it's business people adapting to an ever-changing world, developers delivering software many times per day, or operations providing high-availability infrastructure in an instant. Stein Inge Morisbak and Erlend Oftedal explore how to integrate security into this work stream.
You’ve been hacked... or are you doing the hacking? Join Desiree Matel-Anderson to solve a simulated hack in real time and put yourself in the shoes of a white hat defending essential data or a black hat fortifying your access to private data.
As traffic to websites and web applications increases, infrastructure must be put in place to handle scaling—but with that comes an increased risk for security breaches. James Baker and Mira Thambireddy dive into specific client-side vulnerabilities, discussing design patterns that scale an application securely and which frameworks currently in the market already employ these practices.
Drill is an open source, schema-free SQL engine that can query all kinds of data. Applying Drill to network security problems potentially offers a leap forward in network analysis. Charles Givre demonstrates how to use Drill to query simple data, complex data, and data from databases and big data sources and walks you through writing your own functions to extend Drill's functionality.
Security teams fought hard to get board attention and budget. Often they own the privacy/GDPR brief too, allocated to them as an afterthought. Chiara Rustici explains why it is impossible for GDPR implementation to go ahead unless the board has given a clear data business model and helps escalate the personal data cost/benefit equation to the C-suite.
Masha Sedova shares the steps she’s taken to increase the reporting of suspicious activity by her employees and explores the measurable impact it has had in helping keep Salesforce’s employees and customers secure.
Join Jay Jacobs, Charles Givre, and Bob Rudis, the authors of Data-Driven Security, for a hands-on, in-depth exploration into the foundations of security data science. You’ll learn how to explore and analyze data you probably already have and gain valuable exposure to and experience with tools and techniques to prepare, analyze, and visualize the knowledge hiding in your data.
Program chairs Courtney Nash and Allison Miller welcome you to the final day of keynotes.
During lunch, you'll have the chance to participate in a Birds of a Feather session with like-minded people.
Office Hours are your chance to meet face-to-face with Security Conference in Amsterdam presenters in a small-group setting. Drop in to discuss their sessions, ask questions, or make suggestions.
Your engineering team is using AWS for deploying applications, storing data, hybrid networking, and many other services, but what does it mean for IT security? Dan Amiga and Dor Knafo offer a technical, hands-on overview of how engineering is using AWS and outline the missing security pieces that should be put in place.
Defensive technology that is not practical will not be deployed and will defend nothing at all. Dan Kaminsky discusses how a strong focus on ease of use—for developers, operators, and users—is our only hope for migrating to a more secure Internet.
Capture the Flag tournaments have long been used to test hacker skills, but they can also serve as effective security training for developers. Kyle Rankin shares a case study where he turned teams of developers with no prior security training against each other in a CTF arena featuring their own applications and watched them rack up points as they popped shells in each other's applications.
InSpec is an open source runtime framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure. Mandi Walls offers an introduction to the InSpec language and workflow, which takes the tediousness out of tracking security and compliance requirements for audits.
Algorithms influence our everyday decision making, but at what point does innovation turn into invasion? Matthew Carroll discusses how regulators and consumers can take back control by inserting legal checks and balances into the data science process.
Ernest Kim shares how the MITRE Corporation, a US federally funded research and development center, integrated security tools into its DevOps chain to get continuous insight into the security posture of the various Linux distributions it uses and rapidly deploy fixes when needed.
Do you know what’s connected to your network? While 802.1X is commonly used to authenticate connections to wireless networks, successfully applying the same technology to your wired infrastructure is far from straightforward. Pat Parseghian shares the story of what a small, determined team did to make wired 802.1X a reality on Google’s enterprise network.
Katie Moussouris, Founder & CEO, Luta Security
Isolation is a new approach to security that is gaining momentum across many industries. Dan Amiga and Dor Knafo cover the important things you need to know about isolation: why now, how isolation can improve productivity, detection versus isolation, technologies, different approaches, caveats, evaluation criteria, live demos, and deployment strategies into the existing IT security environment.
Global business offerings face a more complex regulatory environment than ever before. Wayne Anderson shares lessons learned from a multiyear program build to translate regulations and compliance obligations into practical security controls.
Brian Sletten introduces Google Macaroons, a fine-grained, decentralized authorization mechanism that is web friendly and suitable for cloud and microservices.
Tests of pseudo-random number generator (PRNG) performance use deterministic analysis to expose weaknesses, which new PRNGs are designed to satisfy. Modern supervised learning algorithms offer an improved method to test PRNG performance. Richard Freytag offers a short, concrete, and intuitive exploration of how to apply machine learning as a black box in pseudo-random number generators.
Nothing good or bad can happen on the Internet without involving the Domain Name System (DNS), which provides visibility of the global Internet and unparalleled intelligence on cybercriminals and attack methods. Merike Käo discusses the value of DNS to cyber investigations and explores how real-time DNS observations can improve accuracy and response time to cyberattacks.
Trey Darley cuts through the hype surrounding threat intelligence and reframes the concept within a broader historical context, showing how information sharing can be an effective tool for both organizations with sophisticated security programs and organizations falling below the security poverty line.
Marie Moe discusses medical device security and privacy, focusing on connected medical devices like implanted cardiac devices with remote monitoring functionality.
Dan Kaminsky, Cofounder and Chief Scientist, White Ops
Bootstrapping the identity of services deployed with Docker containers is hard. Nick Sullivan offers an overview of an open source tool called PAL that CloudFlare built to help solve this problem and explains how PAL can be used to bolster the security of your Docker container deployments.
You don’t have to be a SOC analyst or an incident response guru to leverage network forensics. Marcelle Lee and Lisa Foreman-Jiggetts explore the wealth of information that can be learned through network traffic analysis.
The SDLC has been the model for web application security over the last decade. However, the SDLC was originally designed in a waterfall world and often causes more problems than it solves in the shift to Agile, DevOps, and CI/CD. Zane Lackey shares actionable tips on the most effective application security techniques in today's increasingly rapid environment of application creation and delivery.
Developers face significant challenges defending their platforms from attackers who try to co-opt platforms to distribute attacks on users. Noé Lutz discusses lessons learned over the past decade by the Google Safe Browsing (GSB) team about how to thwart these increasingly sophisticated threats, focusing on how developers can leverage GSB’s open source APIs to protect their users.
Thomas Dullien explores how our software and hardware stacks could be rearchitected to allow reliable detection of compromise and outlines a number of different technologies that are needed for this, including reproducible builds, public ledgers like certificate transparency, and hardware with nonupdateable checksumming that is user inspectable.
Frederic Branczyk offers an overview of rkt, a container runtime engine developed by CoreOS that was designed for security. rkt can run the same container with varying degrees of protection, from lightweight, OS-level namespace and capabilities isolation to heavier, VM-level hardware virtualization.
Current approaches to threat modeling emphasize manual analysis by trained teams, which can result in a bottleneck in the development process, reducing the appeal of performing this activity. Stephen de Vries presents a technique that uses reusable risk patterns to open the door to automated and scalable threat modeling.
The use of big data and machine learning to detect and predict security threats is a growing trend, with interest from financial institutions, telecommunications providers, healthcare companies, and governments alike. But is this technology all hype or real? Eddie Garcia explores how companies use Hadoop-based solutions to protect their organizations.
Security people are "only members of the public who are paid to give full-time attention to duties which are incumbent on every citizen in the intent of the community welfare," but often the relationship between security and everyone else is fraught. Brendan O'Connor explores how another group charged with protecting everyone handled this problem with humor, kindness, and a commitment to service.
Why do certain devices, programs, or companies lead to utter frustration while others consistently delight us? What can we learn from these insights when dealing with human behavior related to security? Jelle Niemantsverdriet explores user-centered design methods in other disciplines like economy, psychology and marketing that can help us build security in a truly usable way.
It happens to every security team: after explaining operational security to management, it feels like nothing stuck. Why do eyes glaze over when we talk about encryption? How can we make sense of defense in depth for others? Jessy Irwin shows you how to find common ground and truly share security with nontechnical users, helping better communicate the mindset behind security.
Be sure to join us in the Sponsor Pavilion for drinks and food for the Attendee Reception. This will be your first opportunity to network with other Security attendees, so don’t miss out.
Google’s Safe Browsing team obtains an outsider’s perspective of their systems by engaging with a spectrum of adversaries and allies. Nav Jagpal shares a combination of fun stories and lessons learned and offers recommendations on how to design systems and develop policies to deal with spectrums of behavior.
How should an organization approach monitoring networks and hosts to make informed security decisions? Ryan Huber and Nate Brown discuss useful examples of how security and operations teams can become more effective by scaling their visibility into large distributed networks using tools like kernel auditing and large-scale log processing with Elasticsearch and ElastAlert.
HTTPS is no longer only for sensitive sites; it’s a critical piece of the web user experience and necessary for the long-term health of the Web. Google is methodically hunting and tackling major hurdles for TLS adoption to guide the Web toward HTTPS everywhere. Emily Schechter shares lessons learned on the road to ubiquitous HTTPS, focusing on the benefits of HTTPS.
Bots are a reality, and it’s hard to separate your users and good bots (e.g., search) from the bad ones (brute force, fraud, scrapers, etc.). Ido Safruti and Ariel Sirota review how bots work, explain how to operate a few common bots, and, most importantly, show what you can do to detect and block malicious activity while enabling your users and good bots to work uninterrupted.
Dyn was recently the subject of a major DDoS attack, its first significant disruption in over 15 years of operation. Phil Stanhope shares Dyn's experience before exploring the rapid evolution of multilayer attacks happening on the Internet and outlining the steps to take to deal with them from an ops perspective.
We keep our whole lives on our mobile devices. If we use our personal devices for work, we have still more sensitive information in the form of company data. Many employees are concerned about what personal information is visible to their employers. James Plouffe explores whether it's possible to secure corporate data and respect privacy.
Program chairs Courtney Nash and Allison Miller welcome you to the first day of keynotes.
The failure of a target company to comply with applicable privacy and data security legislation, regulations, and standards can present a significant risk to the acquiring company. Shannon Yavorsky explains why understanding a target’s data privacy and data security profile has become a critical consideration in M&A transactions.
From Heartbleed to ImageTragick, vulnerabilities in open source are repeatedly shaking the Web. But who is responsible for fixing these issues? OSS is a community feat, and so must securing it be. Guy Podjarny discusses the roles for authors, consumers, and tools in keeping open source secure.