Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY
 
Beekman
11:20am Inside an active APT incident response Brian Candlish (Telstra), Christian Teutenberg (Telstra)
1:15pm DevSec: Continuous compliance and security with InSpec Christoph Hartmann (Chef Software), Dominik Richter (Chef Software)
2:10pm A system dynamics approach to CNO modeling Sara Mitchell (Carnegie Mellon University)
3:50pm Symbolic execution for humans Mark Mossberg (Trail of Bits)
Sutton North
11:20am Zero-trust networking: Never trust, always verify Harry Sverdlove (Edgewise Networks)
2:10pm Incident response: From IT to business Carole Fennelly (CFennelly Consulting)
3:50pm Using security champions and automation to create an effective SPLC Taylor Lobb (Adobe), Julia Knecht (Adobe)
Sutton South
1:15pm BeyondCorp: Beyond “fortress” security Neal Mueller (Google), Max Saltonstall (Google)
2:10pm Going serverless: Security outside the box Jack Naglieri (Airbnb), Austin Byers (Airbnb)
3:50pm Router security Michael Horowitz (Independent)
4:45pm The razor's edge: Cutting your TLS baggage Jan Schaumann (The Internet)
Regent
2:10pm Travel computing security: Old and new problems Ryan Lackey (ResetSecurity)
3:50pm Sensible Conversations about security Jim Gumbley (ThoughtWorks)
4:45pm Cloud security requires confidence and sensitivity. Michele Iacovone (Intuit)
Sutton Center
Grand Ballroom
9:00am Wednesday keynote welcome Rachel Roumeliotis (O'Reilly Media), Allison Miller (Google)
9:05am Building a culture of security at the New York Times Runa Sandvik (New York Times)
9:30am An infinite set of security tools Window Snyder (Fastly)
9:55am What defenders need to know about jihadist threats Alex Kassirer (Flashpoint)
10:20am 2017 O'Reilly Defender Awards Rachel Roumeliotis (O'Reilly Media), Allison Miller (Google)
10:45am Coffee Break | Room: Grand Ballroom Foyer
2:50pm Afternoon break | Room: Grand Ballroom Foyer
12:00pm Wednesday lunch and Birds of a Feather sessions | Room: Americas Hall 1 & 2
8:15am Wednesday Speed Networking | Room: 3rd Level Promenade
11:20am-12:00pm (40m) Security analytics
Inside an active APT incident response
Brian Candlish (Telstra), Christian Teutenberg (Telstra)
Brian Candlish and Christian Teutenberg discuss a security incident Telstra suffered as a result of an acquisition and the ongoing year of incident response that followed to evict the intruders.
1:15pm-1:55pm (40m) Security usability
DevSec: Continuous compliance and security with InSpec
Christoph Hartmann (Chef Software), Dominik Richter (Chef Software)
It's still very cumbersome to implement best practices for server hardening and patching. As a result, many servers are still unsecured. Christoph Hartmann and Dominik Richter offer an overview of InSpec—an open source tool for infrastructure, security, and compliance testing—and demonstrate how patch and security level can be assessed in CI/CD and production environments.
2:10pm-2:50pm (40m) Bridging business and security
A system dynamics approach to CNO modeling
Sara Mitchell (Carnegie Mellon University)
Sara Mitchell shares a model that attempts to explain the optimal resource allocation of advanced persistent threats (APTs) and targets based on the feedback loops present in system dynamics. The assumption is that in this allocation there is an optimal way to operate to either attack or defend infrastructure.
3:50pm-4:30pm (40m) Tools and processes
Symbolic execution for humans
Mark Mossberg (Trail of Bits)
Mark Mossberg offers a practical introduction to symbolic execution, exploring cutting-edge research in automated software testing, along with its strengths, weaknesses, and applications. Mark uses Manticore, a simple, usable, symbolic execution tool, to bridge theory and practice with concrete examples. You’ll walk away better prepared to make informed decisions about how to test your software.
4:45pm-5:25pm (40m) Security analytics
Assessing your public security exposure without sending a single packet
Peleus Uhley (Adobe)
An accurate understanding of your public network and application exposure is necessary for everything from scalable security automation to red team exercises, but it can be overwhelming trying to keep up with a large organization. Peleus Uhley shares techniques for leveraging freely available data to create complete network graphs, track best practices, and identify security issues.
11:20am-12:00pm (40m) Tools and processes
Zero-trust networking: Never trust, always verify
Harry Sverdlove (Edgewise Networks)
In today's world of dynamic computing environments and advanced threats, the axiom "trust but verify" is not an effective strategy. The zero-trust model forces you to rethink the way you secure your networks. Harry Sverdlove breaks down zero-trust networking into simple principles that can be applied to any organization to both improve your security posture and simplify its management.
1:15pm-1:55pm (40m) Security usability
It's us, not them: Exploring the weakest links in security
Jessy Irwin (Jessysaurusrex)
When a major security incident hits the news, security practitioners are quick to place the blame on users for being the weakest link in security. Jessy Irwin debunks the myth that users are the root of all failure and explores how security teams can even the playing field to transform people into an extra line of defense when we need them the most.
2:10pm-2:50pm (40m) Bridging business and security
Incident response: From IT to business
Carole Fennelly (CFennelly Consulting)
The worst time to figure out how to respond to a security incident is when you’re in the middle of one. Carole Fennelly explains why an effective incident response plan requires that policies, plans, people, technologies, and processes be in place and tested before a security incident occurs.
3:50pm-4:30pm (40m) Tools and processes
Using security champions and automation to create an effective SPLC
Taylor Lobb (Adobe), Julia Knecht (Adobe)
Taylor Lobb and Julia Knecht explain how a team of just two security analysts created a successful secure product lifecycle (SPLC) program by leveraging automation and establishing security ambassadors (champions) within the product engineering teams. This program has successfully scaled to support thousands of engineers due to the solid framework built on automation at its core.
4:45pm-5:25pm (40m) Bridging business and security
Embracing security as a culture: Users aren't the problem; they're remotely deployed sensors.
Chester Wisniewski (Sophos)
Users aren't just part of the problem; they're part of the solution. Creating a security culture takes more than security awareness training. It takes commitment from all parts of an organization. Chester Wisniewski explains why we need users to take an active part in helping manage security risk in order to improve security and better defend against and respond to phishing attacks.
11:20am-12:00pm (40m) Tools and processes
How to launch and run a successful bug bounty program: A security team perspective
Alexandra Ulsh (Mapbox)
Launching a bug bounty program is hard. Running and maintaining a successful bug bounty program is even harder. Using real-world stories of both failure and success, Alexandra Ulsh details how Mapbox's security team used tools, processes, automation, and empathy to decrease response time by 90%, reduce noise, and improve average report quality for its bug bounty program.
1:15pm-1:55pm (40m) Security usability
BeyondCorp: Beyond “fortress” security
Neal Mueller (Google), Max Saltonstall (Google)
Most companies today use some variation of the firewall or “fortress” model for perimeter security. This model assumes everything on the outside is dangerous and everything on the inside is safe, and it worked well when employees worked on desktop computers at the company HQ. Neal Mueller and Max Saltonstall offer an overview of Google’s BeyondCorp, a new model for today's dispersed BYOD workforce.
2:10pm-2:50pm (40m) Tools and processes
Going serverless: Security outside the box
Jack Naglieri (Airbnb), Austin Byers (Airbnb)
The advent of serverless technologies and infrastructure as code has changed how we build and deploy security services, empowering teams to create low-cost, scalable, and secure services to protect organizations. Drawing on their real-world experiences, Jack Naglieri and Austin Byers explore tools and techniques for successfully building, deploying, and debugging serverless security applications.
3:50pm-4:30pm (40m) Teachable moments
Router security
Michael Horowitz (Independent)
Routers are a perfect target both because of the important role they play and the generally insecure way they are configured. Michael Horowitz covers some interesting router bugs and explains how to configure a router to be as secure as possible, how to test a router, and what to look for when buying a router.
4:45pm-5:25pm (40m) Tools and processes
The razor's edge: Cutting your TLS baggage
Jan Schaumann (The Internet)
Jan Schaumann shares insights into TLS cipher specs and protocols and threat analysis of dozens of vulnerabilities and attacks and explains how to effect change across a diverse legacy stack, how to collaborate with a significant number of teams on goals that may not be directly in line with their roadmaps, and how to get buy-in from your executives.
11:20am-12:00pm (40m) Bridging business and security
Weathering the storm: The art of crisis communications
Jen Ellis (Rapid7)
It’s a widely held belief in security that at some point most organizations will fall victim to some kind of breach or significant security incident. Jen Ellis outlines the considerations for successful crisis communications to help you weather the storm, covering the key tenets of good communications strategies, from preparation to dealing with press and everything in between.
1:15pm-1:55pm (40m) Bridging business and security
Enterprise SaaS startups: The business case for security
Kyle Randolph (Optimizely)
It's a huge act of trust for an established company to allow a startup access to its data and infrastructure. Kyle Randolph shares lessons learned building an enterprise SaaS startup, where security went from zero to paramount as the company scaled, and explains how to meet customers' needs, how to sell security to management, and how to build security into engineering.
2:10pm-2:50pm (40m) Tools and processes
Travel computing security: Old and new problems
Ryan Lackey (ResetSecurity)
As laptop bans, border searches, and filtering become more common, travel computing security—keeping your data and systems safe while traveling and keeping your home systems safe when you return—is a timely topic. Ryan Lackey explores the unique challenges for the traveling user and shares policy and technical solutions, as well as how security threats and technologies have evolved over time.
3:50pm-4:30pm (40m) Bridging business and security
Sensible Conversations about security
Jim Gumbley (ThoughtWorks)
We want Agile software delivery teams to bake security into the work they deliver in every iteration. Jim Gumbley offers an overview of Sensible Conversations, an open source, low-fi, visual, collaborative set of materials and workshops about security, and shares what works (and doesn't), drawn from his experience working with a variety of public and private sector software delivery teams.
4:45pm-5:25pm (40m) Bridging business and security
Cloud security requires confidence and sensitivity.
Michele Iacovone (Intuit)
Michele Iacovone outlines best practices to securely move customer data to the cloud through AWS while also keeping your customers' interests top of mind. Along the way, Michele explains how companies can successfully and securely harness the power of the cloud to ensure the speed of innovation.
11:20am-12:00pm (40m) Sponsored
The new security playbook: New regulations, new threats, and a data-centric approach (sponsored by Vera Security)
Prakash Linga (Vera Security)
Third-party providers are the newest weak link in our infrastructure; attacks are increasingly focused on damaging data integrity; and perimeter-based defenses are no longer a sufficient strategy. Prakash Linga explains how innovative companies are shifting to a more proactive, data-centric security model to protect their crown jewels.
1:15pm-1:55pm (40m) Sponsored
Effective security in zero-trust environments (sponsored by Duo Security)
Taylor McCaslin (Duo Security)
Duo recently launched Duo Beyond, the first commercial implementation of Google’s BeyondCorp security model. Taylor McCaslin offers an overview of BeyondCorp and explains how a company that doesn’t have the resources of a company like Google can achieve a similar security posture.
9:00am-9:05am (5m)
Wednesday keynote welcome
Rachel Roumeliotis (O'Reilly Media), Allison Miller (Google)
Security Conference program chairs Rachel Roumeliotis and Allison Miller welcome you to the second day of keynotes.
9:05am-9:30am (25m)
Building a culture of security at the New York Times
Runa Sandvik (New York Times)
The New York Times has staked its future on being a destination for readers. As a result, the company is working to incrementally improve the security of its environment. Drawing on this work, Runa Sandvik shares practical lessons on how to build and foster a culture of security across an organization.
9:30am-9:55am (25m)
An infinite set of security tools
Window Snyder (Fastly)
You can spend your entire security budget on signal-based technologies (such as endpoint security, antimalware, and vulnerability detection) and incrementally improve the security of your environment. But the real value is in people. Join Window Snyder to learn why the basics are hard to implement consistently but will get you a lot further than yet another set of signal-based tools.
9:55am-10:20am (25m)
What defenders need to know about jihadist threats
Alex Kassirer (Flashpoint)
While the cyber skills of jihadists are often limited, the reach and impact of their physical incidents is, unfortunately, wide and well known. Alex Kassirer explains why synergy between physical security and cybersecurity teams is crucial to mitigate the hybrid risk posed by jihadists, particularly as it pertains to brand reputation, terror financing, execution protection, and insider threats.
10:20am-10:40am (20m)
2017 O'Reilly Defender Awards
Rachel Roumeliotis (O'Reilly Media), Allison Miller (Google)
The second annual O’Reilly Defender Awards acknowledge and celebrate our security heroes and heroines who have demonstrated exceptional leadership, creativity, and collaboration in the defensive security field. These honors will be presented during keynotes.
10:45am-11:20am (35m)
Break: Coffee Break
2:50pm-3:50pm (1h)
Break: Afternoon break
12:00pm-1:15pm (1h 15m)
Wednesday lunch and Birds of a Feather sessions
Birds of a Feather (BoF) sessions provide face-to-face exposure to those interested in the same projects and concepts. BoFs can be organized for individual projects or broader topics (best practices, open data, standards, etc.). BoFs are entirely up to you. We post your topic and provide the space and time. You provide the engaging topic.
8:15am-8:45am (30m)
Wednesday Speed Networking
Meet us before the opening keynotes on Wednesday morning to get to know fellow attendees in quick, 60-second discussions.