Day 1 - June 5, 2018

June 5 - 11:00am-11:50am

Supply Chain Strategy

Reducing Cyber Risk in the Supply Chain - Practical Considerations for Building a Strategy

Jeff Fawcett, Cisco

This session will shine a spotlight on common, and dangerous supply chain management risks, as well as the challenges of mitigating them. Objectives and practices that should be part of any supply chain cybersecurity risk management strategy will be clearly highlighted. The scope will include contractors, vendors and custom-developed software applications where supply chain access to state information systems heightens risk. Examples of the practical areas of focus include developing a program, securing the vetting process, and instituting technical controls such as authentication, logical segmentation, monitoring, and more.

Securing our Digital Wallet

Blockchain Applications

Adewale Omoniyi, IBM

Living in this digital age it has never been more difficult to ensure the integrity of the data that the world runs on. With new challenges comes new solutions, and one very promising driver of innovation is blockchain. With the ability to have a common understanding of transactions that can be verified through the use of encryption there is now the promise of assuring all involved parties of the data integrity. Attend this session to understand new and exciting applications of blockchain that enables cyber assurance.

Controls & Frameworks

Getting Some Quick Wins

Renault Ross, Symantec

This session will offer practical guidance on adopting the NIST Cybersecurity Framework to understand your security program gaps, obtaining stakeholder sponsorship, and using the Center for Internet Security (CIS) Critical Security Controls (CSC) for effective cyber defense to address programmatic gaps.

Managing AI

Mitigating Human and Cyber Risks

Gopal Padinjaruveetil, CISO, Auto Club Group

Alexander Stein, PhD, Dolus Advisors

In this presentation, an experienced CISO and a specialist in human factor psychodynamics join forces, using film clips, humor, and gripping from-the-trenches use cases of cause-and-effect relationships in cybersecurity, to offer actionable, cutting-edge perspectives and solutions to critical risks and problems at the intersection of technology and psychology.

Artificial intelligence, machine learning, and cognitive computing driven algorithms are powering automation intended to reduce or replace human supervision and involvement, increase productivity, and create a more secure and prosperous world. Yet intelligent machines (IoT) and autonomous agents may also create untold vulnerabilities to malicious abuse or trigger other adverse ramifications exponentially compounding, not reducing, cybersecurity risks.

What are some of the unintended consequences from coding inaccuracies, biases, and fallacies about mental architecture and human behavior into the software development life cycle (SDLC)? How do misunderstandings and oversimplification about root causes and probable outcomes lead to risk amplification and technical debt? What can be done? How can organizations use psychodynamic analysis to proactively manage human risks and strengthen ethical culture? What are the benefits to expanding traditional dimensions of identity intelligence and amplifying behavioral analytics profiles? How can efforts to legislate against misconduct/malfeasance through compliance guidelines, regulatory and legal measures, and culture audits be made more effective?

The session will address these questions head-on, and also provide recommendations for integrating psychodynamics and technology to enable technologists, cybersecurity professionals, and corporate leaders to more accurately forecast and robustly mitigate human and technological risks, and strengthen ethical culture in an automation driven world.

Security Evolution

Where Have We Been - Where Are We Going?

Michael Corby, M Corby & Associates, Inc.

Security has been transformed in many ways over the past several decades. Just by its name, it started out being called "Computer Security", has progressed through "Information Security" and "Systems Security", and now is being called "Cyber Security." It has been supplemented by procedures for Business Continuity/Disaster Recovery, Data Loss Prevention, Data Privacy and Information Protection. Compliance regulations and security models are too numerous to mention. So what has this path meant to accomplishing the goals of making business and government more efficient and responsive to changing cultural and performance expectations? This session will use some key milestones to illustrate and project what has changed and what may be coming next. More importantly, how can our security organizations be poised to make whatever transition is coming smooth and uncomplicated?


Session 1: Behavioral Analysis

Paper: Using Multimodal Data to Infer Group Dynamics in an Adversarial Group Game

Paper: Manager-Analyst Interactions in Fraudulent Earnings Calls

June 5 - 1:00pm-1:50pm

Supply Chain Strategy

Supply Chain Insecurity:  WannaCry, NotPetya, & Meltdown vs. Dieselgate

Raj Goel, Brainlink

What's the difference between WannaCry, NotPetya, Meltdown and Dieselgate?  Why are users bearing the costs for cleaning up after the first three incidents, whereas regulators have successfully prosecuted companies and individuals for Dieselgate? It's no secret that only two industries in America have zero consumer protections - illegal drugs and software.  In this presentation, Raj shows the staggering financial and social costs of EULAs and why we as consumers and corporate professionals need to demand that software come with the same consumer safety and lemon laws as cars, cigarettes and potato chips.

Securing our Digital Wallet

Blockchain Myth and Reality Part I

NYS Forum Security Workgroup

The NYS Forum Information Security Workgroup is proud to present a two-part session on Blockchain Myths and Reality. The discussion will focus on blockchain, its transformative technologies, common misconceptions, practical use across multiple industries and applications. In session one, industry-leading experts will present on the blockchain, distributed ledger technologies, cryptocurrency, security, crypto mining, and practical application for manufacturing, healthcare, and the public sector. Session two will continue with demonstrations as well as a panel discussion with experts on the blockchain, its future across multiple fields, industry adoption and integration of blockchain and cryptocurrencies.

Controls & Frameworks

Classified or Just Classy? - Kicking Assets with Data Classification

Christina D'Antonio, GreyCastle Security

Don't build a $100 fence around a $10 horse. This advice continues to escape organizations for one reason - they don't know which assets to protect. Data classification is the process of inventorying, labeling and defining handling requirements for assets according to their importance and sensitivity, yet it is as much art as it is science. Implementing data classification can have profound benefits but it requires practicality, visibility and a steady hand. Join GreyCastle Security as we explore the barriers to classification, demystify the process and demonstrate how classification can save your organization time, money and energy.

Managing AI

Maintaining Business Continuity through Crisis in Brittle, Digital Systems

Emilian Papadopoulos, Good Harbor Security Risk Management

Society and individual organizations have achieved remarkable advances through digitization, automation, and interconnectedness. As we have designed systems to be digital and achieve these objectives, we have often -- knowingly or unknowingly -- abandoned the ability to run systems manually.

Business leaders and practitioners depend on the reliability and predictability of IT and OT, often without the same awareness that information security professionals have about the vulnerability of these digital systems we've built. When these systems go offline or cannot be depended upon to deliver accurate information, business processes that have not been designed in a resilient way can grind to a halt.

At the same time, information security professionals tend to focus on the threat to digital systems and how to recover those digital systems, rather than how to maintain business continuity of critical processes without them.

In summary, business leaders may be unaware of the brittleness of digital systems, and therefore do not plan for business continuity without them, while information security leaders understand the brittleness all too well, but focus on recovering digital systems rather than surviving for a time without them.

This presentation will sketch this problem and then provide organizational, technological, procedural, and cultural recommendations, as well as a call to action to enhance business continuity in the face of digital disruption.

Security Evolution

Cybersecurity Best Practices and Expectations for the Future

Michael Singer, AT&T

This session will cover the evolution of threat analytics, identity/access management, and virtualized security. AT&T will provide best practices and discuss securing legacy and current technologies.


Session 2: Privacy and Security

Paper: Internet of Things: Data Privacy and Cyber-Security Implications

Paper: Securely Moving Forward with Serverless Architecture

June 5 - 2:10pm-3:00pm


Why It's Time to Rethink Your Access Management Strategy

Joel Rader, Identity Automation

With mounting cyberattacks and more stringent compliance regulations, there's more pressure than ever to lock down access to government systems and data. However, the digital transformation has led to more users accessing more systems and data, from any number of devices and locations. Gone are the days when agency resources sat safely behind a firewall, accessed only by trusted employees from corporate-owned devices. And while agencies may have taken steps to further protect access to certain highly sensitive systems, today's reality is that any unsafe system or individual puts your entire agency at risk. This session delves into why security and verification must be consistent across all user entry points. Learn strategies for reducing your agency's number of user entry points, as well as modern access management approaches that harden access points for all end users without negatively impacting user experience.

Securing our Digital Wallet

Blockchain Myth and Reality Part II

NYS Forum Security Workgroup

The NYS Forum Information Security Workgroup is proud to present a two-part session on Blockchain Myths and Reality. The discussion will focus on blockchain, its transformative technologies, common misconceptions, practical use across multiple industries and applications. In session one, industry-leading experts will present on the blockchain, distributed ledger technologies, cryptocurrency, security, crypto mining, and practical application for manufacturing, healthcare, and the public sector. Session two will continue with demonstrations as well as a panel discussion with experts on the blockchain, its future across multiple fields, industry adoption and integration of blockchain and cryptocurrencies.

Controls & Frameworks

Tailoring the Cybersecurity Framework for Government Agencies

Colin Soutar, Deloitte

Kevin Heckel, Deloitte

As government agencies adopt the NIST Cybersecurity Framework to help manage their cyber risks, they should develop their own risk profile to tailor the framework implementation. We'll discuss how establishing an agency-specific risk profile can help contextualize and quantify the impact of cyber risks. Participants will also learn what structures can be put in place to help enable cyber risk management, and who should have a seat at the table when defining profiles. We'll provide examples of how risk profiles can empower an agency to make consistent, justified, risk-based decisions going forward, and introduce the concept that they should also be continuously adjusted by the organization over time to align key business decisions and support prioritization of cyber risk management efforts.

Managing AI

Building Security that Thinks - Machine Learning Fundamentals for Cybersecurity Professionals

Andrew Bryan, Vectra Networks

Artificial intelligence (AI) is the next big thing in cybersecurity. Applied correctly, it will reduce human analysts' workloads and increase the speed of incident response. In this session, we will discuss key machine learning (ML) algorithms, techniques, and expected outcomes, along with specific examples of machine learning in use. When AI or machine learning is the foundation behind a product, the promises that the product makes should be specific and measurable. Cut through the hyperbole and empower yourself to ask insightful and probing questions that validate or expose vendor claims around AI cybersecurity technology.

Security Evolution

Different Size Organizations, Different Security Approaches

Thom Hallock, Mountain Lake PBS

Kathleen Kelleher, Arrow Financial Corp.

Devi Momot, Twinstate Technologies

How often do you attend a conference looking for answers and get frustrated with presentations that bring up the challenges but do not offer solutions? This session will discuss different organizations, different approaches, and focus on what works in each organization's program. Some topics that impact all of us and may require different approaches include:

1) Hiring and keeping qualified security employees;
2) Developing a culture where security matters and is a priority;
3) Staying current with cybersecurity threats;
4) Supplementing staff with cybersecurity experts from external resources;
5) Selecting security technologies;
6) Justifying funding for security;
7) Dealing with legacy systems;
8) Access to cyber intelligence;
9) Access to the right training for employees; and
10) Cloud technologies.

The format will be a panel discussion, with questions welcomed from attendees during and after the session.


Session 3: Hardware Trojans

Paper: Strategically Managing the Risk of Hardware Trojans Through Augmented Testing

June 5 - 3:20pm-4:15pm


Thinking Differently: Protecting the Public, Employees, Educators and the Supply Chain through DMARC Enforcement

Denis Ryan, Proofpoint Inc.

E-mail has been the preferred vector to launch attacks for some time. Today's session will focus on the Domain-based Message Authentication, Reporting and Conformance (DMARC) email-validation system, designed to protect your email ecosystem from today's advanced email threats by authorizing legitimate email senders and blocking fraudulent messages before they reach your inbox.

Securing our Digital Wallet

Security Holes in Fintech

Leigh-Anne Galloway, Positive Technologies

Timur Yunusov, Positive Technologies

Payment technologies have become a ubiquitous part of our lives - from online platforms, to contactless, to mobile wallets - we use them multiple times, every day. However, how conscious are we of how the technology actually works? Moreover, has our drive for convenience blinded us to the risks behind the technology? The risk to these technologies is all too real: according to the 2017 Data Breach Investigations Report, the theft of card data through POS terminals is commonplace in the service sector (hotels, restaurants, etc.), and the success rate of such attacks is estimated at 98%. Even more established technologies such as ATMs, which you may assume are beyond reproach, have repeatedly been found to be fallible. The first half of 2017 in Europe saw 1,221 incidents involving the use of ATM skimmers. As a result of such attacks, about 118 million euros were stolen during 6 months.

In this talk, Positive Technologies researchers will outline how the Fintech we take for granted every day works and, more critically, how it has been shown to be broken and what measures should be taken to protect these technologies and the incredibly valuable assets they hold.

Controls & Frameworks

Strategic Planning for Cyber Risk: Protecting Data and Meeting Regulatory Requirements with NIST SP 800-171

Heather Engel, Sera-Brynn, LLC

If your organization accepts Federal or Department of Defense dollars, understanding Federal Acquisition Requirements (FAR) and NIST SP 800-171 is a critical compliance issue that affects everything from risk management to supply chain security. These regulations cast a wide net impacting manufacturers, research organizations, aerospace, colleges and universities, and cloud services; and the scope is expected to grow in 2018 as the government regulations expand. This framework is also being adopted across industries as a standard for protecting the confidentiality of data.

In this session, Heather Engel will discuss what these requirements may mean for your organization, present practical solutions for implementing controls, and offer insight into what to expect from future regulations. By planning, implementing, and auditing based on cyber risk intelligence, organizations can measurably improve security and protect the value of information. This session will also briefly explore mapping other regulations to NIST 800-171, including GDPR, NIST 800-53, ISO 27000, and 23 NYCRR 500, to find efficiencies in managing various aspects of compliance.

Managing AI

Organizational Maturity in the Age of Cyber and Artificial Intelligence / Machine Learning

Terry Rice, Epigen Technology Corporation

Are organizations more secure today than they were yesterday? Are they positioned to ensure they are secure tomorrow? Policy automation has significantly increased productivity since the 80s. The information made available through that automation is now the online target of both external and internal sources. The organization must now continuously secure systems from threats while improving processes.

Today's analytics, artificial intelligence (AI), machine learning (ML), recommendation and optimization technologies can help organizations 1) review yesterday's results, 2) assess/plan for today, and 3) predict tomorrow's resource and system priorities.

Currently, executives and managers throw a wide net of resources and tools to prevent infiltrations. Quarter after quarter, volumes of proactive activities and related costs are reported, and expectations of activities and costs are set for the next quarter. Certainly a lot of hard work is being done, but are all threats being addressed adequately and proactively?

Executives and managers have to develop structures and processes that dynamically assess and prioritize resources and tools in an ever-changing landscape.

From this presentation, learn about analytics, AI, ML, and recommendation and optimization (brief overview); how crucial resource/policy planning is to the successful implementation of smart technologies; how to allocate the right resources/tools to respond to the organization's changing landscape; how to assess where the organization stands today; how that assessment differs from external and internal perceptions; and how to write clear Statements of Work that result in effective responses.

Security Evolution

Making the Case - How to Overcome Cultural Barriers to Adopt a Cyber Prevention Strategy

Jeffrey Baez, Palo Alto Networks

How does your organization look at cybersecurity today? Does it have the capability to overcome both known and unknown threats from an increasingly automated adversary? The challenge is 'closer to home' than you think. An organization's culture, along with leadership mindset, creates an intention for how an organization approaches cybersecurity and implements a strategy. Taking the typical approach to cybersecurity, investing in detection technologies and antivirus, simply isn't enough. It is essential to look at the fundamentals: creating effective policy and working across the organization so that business needs are understood and IT enables the business. In this session, the presenter will provide a framework that enables you to assess your organization's current cybersecurity posture, discuss it with your leadership, and implement a prevention strategy that protects you from both known and unknown threats. The discussion will include relevant use cases and customer-agnostic issues that were resolved by overcoming cultural and procedural barriers, putting the business first, and influencing leadership to adopt change by "making the case."


Session 4: Intrusion Detection

Invited Talk: Characterizing Intrusions Using an SVM Based Classifier