Track: Security: Lessons Attacking & Defending

Location: Pacific DEKJ

Day of week: Wednesday

Security: Lessons Attacking and Defending brings together stories about various successful approaches to security. Come learn what has worked to protect others while being targeted by increasingly sophisticated adversaries. Come ask questions about how to make good security tradeoffs when writing software. And do all of this with some of the top security practitioners in the industry today!

Track Host: Werner Schuster

InfoQ Editor Functional Programming, QCon PC, Wolfram

Werner Schuster focuses on languages, VMs and compilers, Wolfram Language, performance tuning, and recently cloud taming. He's on the PC for QCon NYC/SF/London

CASE STUDY TALK (50 MIN)

10:35am - 11:25am

Security & Psychology: Demotivating Persistent Threats

Preventing advanced cybercriminals from accessing and exploiting your most sensitive data requires more than just a strong threat detection infrastructure — it demands a personal understanding of the attackers themselves. Once an attack group’s motivations are identified you can start generating a profile and persona that will make disincentivizing them a whole lot easier. Without this added layer of psychological analysis, you will find yourself addressing incident after incident with no end in sight. 

At the core, an actor’s intent is always the same - motivated people with economic justification for their actions are committing large-scale attacks because their livelihood depends on it. It’s up to you to disrupt those economics so they move to softer targets. 

In this session, Shape Security Director of Engineering Jarrod Overson will break down the workflow for effective threat mitigation of sophisticated attackers into four distinct stages: 

  • Stage 1) Classification. Look at how can traffic be bucketed into distinct segments that define individual actors or groups. 
  • Stage 2) Research and generate an actor profile. Understand what these actors are getting out of these attacks, and form some hypotheses from their attack characteristics. Are they data resellers? Developers? Independent actors or full-time employees? What hours are they active? How quickly do they respond to mitigation? This actor profile will help define the approach in Stage 3.
  • Stage 3) Counter attack. Develop and deploy countermeasures that target the attack in a way that drives up cost while reducing value. Play with them, target the damage on their off hours, give sporadic and variable feedback. Increasing the psychological cost is a damage multiplier.
  • Stage 4) Rinse & repeat until all threats are cleared. This is only temporary, of course. As long as value remains then new attackers will fill the vacuum and each subsequent attack will be more sophisticated than the last. Relentless, targeted responses will eventually wear away the motivation to continue the attack. 

Jarrod has seen traffic from individual attackers, coordinated groups, state actors, and more - all of which require different approaches. Sophisticated threats rarely engage in attacks for no reason - understand where the money is coming from and the motivations behind an attack and you can disrupt the attackers with greater force.

Jarrod Overson, Engineering Director @ShapeSecurity & JavaScript Expert
CASE STUDY TALK (50 MIN)

11:50am - 12:40pm

Using Data to Measure Risk in Cyber Systems

Risk analysis in cyber systems remains an immature field with significant potential. Despite widespread belief that cyber can't be quantified, the tools and data already exist to significantly improve risk management. In this talk, we'll review the literature on risk quantification and discuss examples of data-driven risk analysis.

Marshall Kuypers, Director of Cyber Risk @QadiumInc
CASE STUDY TALK (50 MIN)

1:40pm - 2:30pm

Taking the Canary Out of the Coal Mine

In this talk, we'll discuss how canaries can take all shapes and sizes: Web servers, network devices, cloud instances, and numerous token variants. We'll dig into what actually is a canary, modern canary tools and services, how deploying canaries will provide an early warning against even the most careful attackers - and perhaps most importantly - how automating their deployment can give every device in your environment a means to let you know they're being tampered with; intrusion detection at scale.

Mike Ruth, Staff Security Engineer @Cruise Automation
CASE STUDY TALK (50 MIN)

2:55pm - 3:45pm

Security Panel

The panel discusses how to integrate security teams into the development process, whether bounty programs make sense, risk analysis, how to get into security, and much more.

Werner Schuster, InfoQ Editor Functional Programming, QCon PC, Wolfram
Marshall Kuypers, Director of Cyber Risk @QadiumInc
William Bengtson, Security Researcher, Leader, Advisor @Netflix
Travis McPeak, Sr. Cloud Security Engineer @Netflix
Jarrod Overson, Engineering Director @ShapeSecurity & JavaScript Expert
CASE STUDY TALK (50 MIN)

4:10pm - 5:00pm

Reducing Risk of Credential Compromise @Netflix

Building a secure system is like constructing a good pizza – each individual layer adds flavor that ultimately builds to the perfect bite. At Netflix we have hand-crafted ingredients that by themself are scrumptious, but when placed together strategically on the crust (read: cloud), constructs a pizza so large that any pizza lover (read: attacker) would be challenged to finish.  Attendees will learn the secret to the sauce that is Netflix Infrastructure Security, be equipped to start baking pizza in their own kitchen, and leave satisfied.

William Bengtson, Security Researcher, Leader, Advisor @Netflix
Travis McPeak, Sr. Cloud Security Engineer @Netflix

Tracks

Monday, 5 November

Tuesday, 6 November

Wednesday, 7 November

The all-new QCon app!

Available on iOS and Android

The new QCon app helps you make the most of your conference experience. Easily browse and follow the conference schedule, star the talks you want to attend, and keep tabs on your personal itinerary. Download the app now for free on iOS and Android.