|Visit the Information Security Decisions 2008 Web site|
At Information Security Decisions 2008, many of the industry's leading information security experts gathered to share vendor-neutral expertise and proven security strategies. If you couldn't make it to Chicago for this year's event, worry not. Below you can download speaker presentations from a selection of this year's sessions. Feedback on Information Security Decisions 2008 presentations can be submitted via SearchSecurity.com. (Note: All presentations are in PDF format.)
The State of incident response
During the last six months, Kevin Mandia has responded to over 10 computer security incidents at some of America's largest organizations. He was on the front lines assisting these organizations in responding to international computer intrusions, theft of intellectual property, electronic discovery issues, and widespread compromise of sensitive data. Kevin is an internationally-recognized expert in the field of information security. He has been involved with information security for over fifteen years, beginning in the military as a computer security officer at the Pentagon.
Legislation, financially driven attackers and high profile breaches have changed the economics of security. We need to rethink the motivations of attackers and the new attacker economy given a growing stolen identity information trade and the rise of organized electronic crime. We need to study "hackernomics", the social science concerned with description and analysis of attacker motivations, economics and business risk. Dr. Herbert Thompson is chief security strategist at People Security and a world-renown expert in application security. He earned his Ph.D. in Applied Mathematics from Florida Institute of Technology, where he remains on the graduate faculty and also holds the CISSP certification.
Tips for learning and practicing security agility
Organizations today require agility to thrive and survive. New knowledge workers, known as Generation Y, enter the work force and operate best in an environment where home and work overlap from an IT/networking/communications point of view. In order to keep pace with Generation Y, your IT department must be as agile and mobile as the organization. Joel Snyder is an expert at helping companies build larger, faster, safer and more reliable networks, and has done so since 1981 when he signed on with CompuServe Research and Development.
The four horsemen of the virtualization security apocalypse
Despite shiny new stickers on the boxes of our favorite security vendors' products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments. Christofer Hoff focuses on the realities of operationalizing virtualized security; from virtualization-enabled chipsets to the hypervisor to the VM's.
A tale of 2.0 Webs, it was the best of times, it was the worst of times
Web 2.0 has brought us an unprecedented ability to not only access data but to remix it in previous unthought-of applications and in the process enable users and vendors in here-to impossible ways. This has also led to security and privacy issues that have so far only been the purview of distopian fiction. Is it really that bad? Or is it far worse? Get straight answers from David Mortman, CSO in-residence, Echelon One, and find out what you need to know about Web 2.0.
What organizations need to know about insider cyber crimes
CERT's insider threat team, which was formed in 2001, has gathered over 250 prosecuted cases of insider crime. The team, composed of CERT's technical experts, psychologists and subject matter experts from the Department of Defense, used system dynamics to model and analyze the dynamic nature of the insider threat problem. In this presentation, Andrew Moore, a senior member of the Technical Staff of the CERT Program, describes the findings based on three primary insider cyber crimes: IT sabotage, theft/modification for financial gain, and theft for business advantage.
Creating successful information security governance using a risk-based approach
More than ever information security requires a thorough combination of governance elements, including policies, procedures, technology and, most importantly, training and awareness. In this session, Eric Holmquist explores the key elements of sound information security governance and how to successfully manage and coordinate all of the complex and important elements. Eric is the Vice President and Director of Operations Risk Management for Advanta Bank Corp.
Ensuring your outsourcers meet your compliance mandates
While organizations are increasingly turning to service providers to reduce cost, augment their product set, and focus on core services, it's no secret that many of the recent data breaches occurred due to missteps with a third-party vendor. Most regulations from those specified by the FFIEC, GLBA and PCI require organizations to ensure that their service providers protect sensitive data according to the requirements of the regulation or contract. Richard Mackey discusses these requirements stated in various regulations and practices designed to help you effectively manage your service providers.
Case study: Mapping products to compliance
Through case studies, including an international retail franchise, a medium-sized hospital network, and a large manufacturing organization, you'll learn how to get the maximum out of products to support sustainable security and compliance programs, avoid fad technologies and defend product purchasing decisions. Vik Phatak is CEO of NSS Labs, the leading independent security product testing and certification lab, as well as one of the information security industry's foremost thought leaders on vulnerability management and threat protection.
Achieving "world peace" in the enterprise with promising security tools
Security teams and the tools that they deploy are often the first to face the wrath of budget cuts, blame games by operations for outages, and are described by many business leaders as a "necessary evil". In this session, Spyro Malaspinas will arm you with financial prowess to wield against the business leaders in your organization, forcing the hand that endorses budget approvals while winning the respect of executive management and operations.
React faster: How to leverage monitoring to keep attacks from becoming catastrophes
We don't know where the next major attack will come from and we collectively have a horrible track record at predicting it. Thus, we need to take a different approach to securing our private data and intellectual property. Since we can't "get ahead of the threat," we need to get better at detecting an issue and collecting the data to investigate it. Mike Rothman details both a philosophy and a method to monitor your networks, systems, applications and databases to find emerging attacks - before they cause downtime and breaches. Rothman is Security Incite's president and principal analyst.
Five steps to securing mobile devices
Mobile devices, including PDAs, cell phones, VoIP phones, and notebook computers, represent a clear wave of technology that all enterprises must support. This wave is being pushed for both competitive reasons and cultural ones, as the new generation of employees and customers assume anytime/anywhere access to information. In this session, Joel Snyder covers the main threats to mobile devices (with access to email and corporate data) and the strategies needed to deal with these threats both within the corporate network and when roaming around the globe.
The information centric security lifecycle
We hear time and again how the bad guys are after our data, and that firewalls and antivirus aren't enough. But there's a lack of information on taking a strategic, cost-effective approach to data security. Confused by DLP, encryption and database security? This session presents a strategic overview of the new approaches of information-centric security. Adrian Lane, a senior security strategist with 22 years of industry experience, shows you which tools, techniques, and technologies work best in order to protect your most sensitive information.
Case study: Allstate Insurance Company's local data protection (LDP) project
Protecting data-at-rest, data-in-transit and data-in-use in large information intensive enterprises is a daunting challenge from both the technological and financial perspective. Eric Leighninger, the Chief Security Architect for Allstate, provides first-hand advice on how Allstate is attacking this problem with regard to data-at-rest on mobile devices and removable media.
Software security: State of the practice
With software running the world's most critical business processes, it's essential to understand both its utility and the risk it can bring to those processes. Organizations need to design for functionality, yet constrain behavior so that software meets the appropriate risk levels and is manageably secure in the enterprise. In this presentation, Diana Kelley, using her 17 years of experience creating secure network architectures and business solutions for large corporations, shows you how to incorporate risk management into the software development lifecycle effectively.
This was first published in November 2008