Arrival and registration
Opening remarks from the Chair
Opening Keynote Address: Examining the impact of people, processes, technology and regulation in combating cyber-attacks: how much progress have we made?
Charl van der Walt, Chief Strategy Officer, SecureData SensePost (UK)
- What victories have been achieved from a defender point of view?
- What advancements have been made?
- What progress has been made in terms of the push towards better identity and authentication management/processes (MFA)?
- What positive impact have regulation and compliance requirements such as GDPR had?
International Keynote Address: Politics and power in cybersecurity: how cyber operations are intimately linked with geo-strategy
Pukhraj Singh, Security Operations & Threat Intelligence Practitioner (India)
- Examining the collapsing precepts of nation-state sovereignty in cyberspace
- A 'contested territory': 20 years of anxiety around the paradox of control in cyberspace
- Understanding the structural dominance of offence: why offensive A-teams have a political architecture
- Examining offensive mathematics and political lineage: exploitation as a technology tree
- On opcodes and ontology
Analysing the gradual shift from declaratory to escalatory dominance
International Keynote address: Business and cybersecurity: the codependency
Pete Herzog, Managing Director, The Institute for Security and Open Methodologies (ISECOM) (USA)
There is something quietly unsettling about cybersecurity. There is something pathetically optimistic about cybersafety. There's something nauseously helpless about being breached. Let's face it, cybersecurity is made from human suffering. We didn't know this when we got into it. With wide, shiny eyes we jumped in to do good. And like growing into adulthood, it slowly ate away our naïve joy. Your job is to secure operations. But nobody listens to you. There's no budget. Management keeps making bad security decisions that seem to sabotage your efforts. The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we're trying to protect. And that's where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse - shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new-found stance. This is how we get the thrill back from our jobs while lessening the pain: the technical, the managerial and the emotional.
Morning refreshments and networking
Total Wipe Out: What could happen if cyber criminals successfully attacked a country's critical infrastructure systems?
Veronica Schmitt, Lead Forensic Analyst, DFIR Labs
The probability and impact of cyber-attacks was rated as the top man-influenced risk facing countries and organisations in the recent 2018 World Economic Forum Global Risks Landscape report. The health, safety, security, economic well-being of citizens, effective functioning of government, and perhaps even the survival of the industrialised world, relies heavily upon interconnected critical systems. A country may experience widespread disruption or even loss of human life if these systems become inoperable. South African organisations responsible for critical infrastructure need to have a consistent and iterative risk-based approach towards identifying, assessing and managing cybersecurity risk. During this facilitated discussion, Craig will engage with key public and private sector stakeholders to discuss:
- The current cyber risk challenges facing SA
- Who are the main public and private institutions accountable at a national level?
- What is the current state of our country's readiness to mitigate these threats?
Proposed initiatives and timelines and possible opportunities for joint public/private partnerships
Case study living through a data breach (and how to make sure it doesn't happen again)
Henry Denner, Information Technology Security Officer, Gautrain Management Agency
A data breach changes you, on many levels. It is a stressful experience that tests not only your ability as a human to deal with the unknown, but also the organisation's readiness and resiliency in dealing with the breach and resume operations. But it is not all bad. Being exposed to a breach exposes you to the other side of cybercrime and cybersecurity: the real, criminal side. It will change your and the organisation's perspective on cybersecurity and will help you to better prepare for future potential breaches.
This session will take delegates through an actual breach case study, from when the breach was detected, the investigation, interaction with law-enforcement agencies and the long road through the legal proceedings. Additionally, delegates will also get a better understanding of what to do and what not to do during a breach, the lessons learned and the key aspects to consider in preparing for a breach.
Threat intelligence sharing and collaboration: what is international best practice and to what extent could this be applied in SA?
Lunch and networking
Track One - Strategy and User Awareness
This track takes a strategic look at implementing a business-driven cyber security plan and where the responsibility for cyber security should sit within your organisation. It also examines how to raise awareness of cyber security throughout your business, from the boardroom to the shop-floor.
Where does cybersecurity belong in your organisation? Creating the right culture and structure to enable cybersecurity to be effective
- What are the pros and cons of locating cybersecurity within the following departments:
- Physical security
- Who is responsible for what? Creating appropriate reporting lines specific to your organisation and separating the governance of cybersecurity from its implementation
- Ensuring collaboration across all the different departments and encouraging the person responsible for cybersecurity to share information
- Getting the culture right: creating an environment of openness and transparency in order to manage the organisational risk
- Creating an agile structure for a fast response, e.g. emergency procurement processes
- What are the pros and cons of outsourcing the CISO function and cybersecurity services?
Panel discussion How do you increase user awareness and keep your workforce 'cyberfit'?
- Understanding cyberpsychology: what is the impact of human behaviour on security within your organisation?
- How do you demonstrate to users the risks on a business and personal level, e.g. what happens if you click on a link?
- How do you design and implement an effective, ongoing phishing awareness campaign?
- Creating a culture of reporting security incidents based on trust and understanding rather than fear
Afternoon refreshments and networking
Cyber insurance: what are the benefits and what to look out for when choosing a cyber insurance product?
- Examining the benefits of cyber insurance: what does it cover?
- Understanding how a cyber insurance policy helps to mitigate risk exposure in the case of a breach
- What should you look out for when choosing a cyber insurance policy? What questions should you ask?
- What do cyber insurance providers look for when deciding whether to provide coverage and what level?
Quantifying cyber risk - bridging the divide between technology and the Board
Johan Botha, Chair, South Africa Chapter, FAIR Institute
Cybersecurity is being considered as a top-three risk by most organisations today as cyber-attacks, online fraud and internal threats make a material impact on their businesses. And, while boards and executives expect to be informed about cyber risk, they are not getting the answers they want. Too often, cyber risk reporting is filled with technical jargon and colourful but hard to understand risk registers and heat maps. Those responsible for cybersecurity - from the Board and the CEO on down - are urgently looking for better ways to measure and report risk that will enable well-informed decision-making, regarding questions such as:
- What are the organisation's top cyber risks and how much exposure do they represent expressed in financial terms?
- Which cyber risk management investments matter most?
- Are they investing enough (or too much) in cyber risk management?
This presentation will provide an overview of a pragmatic solution and approach to cyber risk quantification that is based on the Open Group's Open FAIR risk quantification standard that enables Chief Information Security and Chief Risk Officers with the means to bridge the divide between IT and information security on the one side, and the Board and executive management on the other. Open FAIR provides a model for understanding, analysing and measuring information risk in financial terms, thereby addressing the current challenges of cyber risk reporting and enabling the organisation to prioritise effectively, making trade-offs and choosing cost-effective cyber risk mitigation solutions.
- Understanding the current challenges to measuring and reporting cyber risk
- Examining a solution to quantifying cyber risk that enables well-informed cyber risk decision-making
- Understand how the FAIR methodology, coupled with software, can empower information security and risk professionals to improve cyber risk reporting
An update on the Cybercrimes Bill
- Examining the latest version of the Cyber Crimes Bill: what does and doesn't it cover? When will it be passed into law?
- How will the broad phrasing in the Bill impact CIOs and companies, i.e. to what extent could they become criminals based on their use and handling of data?
- Does this legislation go far enough to address the issues that SA is currently facing in terms of cyber crime and cybersecurity? What more needs to be done from a policy/legislative point of view?
Closing remarks from the Chair and End of Conference
Track Two - Trends Impacting Security
This track will focus on the latest technology developments and the implications they have for information and cyber security. Some of the subjects covered include: AI, blockchain, cloud, IOT, containerisation, mobile devices, DevSecOps and much more.
Cloud security: how does the traditional security model need to change for cloud services?
- What are the challenges involved in keeping your organization's files, applications and accounts safe in the cloud?
- Understanding how to plan for and minimize risk when it comes to your cloud deployments
- Examining essential cloud concepts:
- Defining trust models for clouds
- Complying with legal and audit requirements
- Managing incident response
- Maximizing application security
- Managing encryption and keys
- Implementing virtualization
Reviewing cloud security best practices from the Cloud Security Alliance and the European Network and Information Security Agency (ENISA)
Software and hardware supply chain compromises and how to deal with these
Tamara Mkula, Information Security Risk Manager, Telkom SA
Afternoon refreshments and networking
Understanding the different approaches to EDR – which one is right for you?
Jeremy Matthews, Regional Manager, Panda Security
EDR (Endpoint Detection & Response) is the new buzz word in endpoint security but what does it really mean? According to Gartner, most EDR tools are not capable of replacing endpoint protection platforms entirely so it's important to understand the relationship between EDR and traditional EPP solutions. How do you go about choosing the best technology for your business in a landscape where endpoint security has become so integral to your cybersecurity strategy? This presentation will help you answer these questions as well as look at some of the added benefits EDR can offer.
- What is EDR? EDR vs EPP
- Understanding the different technology approaches to EDR and how to choose the right one for your business
- Examining the value of EDR Telemetry and the role of EDR when implementing a Security Information & Events Management (SIEM) solution
Is incident response broken? Why traditional incident response is not stopping cyber breaches
Jason Jordaan, Principal Forensic Analyst, DFIR Labs
The news is filled with stories of massive data breaches and other cyber-attacks directed at organisations, in both the public and private sectors. When organisations discover that they have been attacked or are currently under attack, they often respond to the incident using a variety of incident response and digital forensic strategies, most often designed to try and stop the attack and prevent it happening again. However, despite the incident response process, many of the organisations attacked are rapidly reattacked and compromised again and again, often by the same threat actors. So, what is going wrong? Is there a problem with how we do incident response? The harsh reality is that traditional incident response is failing us, and we need to have an honest reflection of why it is failing.
Traditional incident response was developed in an era where the adversaries were not the same ones that we face now; the threat landscape was in many ways simpler and easier to address. The threats have changed and so too must our approach to incident response. Using data from some of the large incidents happening around the globe, Jason will explore the disjoint between what you need to do when responding to an incident versus how you actually respond to and deal with an incident. He will also examine the conflict between security and business operations when it comes to responding to an incident and highlight the real business risks of current incident response practices.
- Understanding the purpose of incident response and how to be effective in responding to an incident
- Identifying the actual risks to an organisation through current incident response practices
- How to bring security and management together for effective incident response
- Understanding the relationship between incident response and threat hunting
Threat Hunting: seek and you "might" find?
Andrew Lam, Head of Detections, SecureData
Threat hunting has become an item on many CISO's or CTO's wish list as part of their cybersecurity armoury alongside managed detections and response. Threat hunting, however, is relatively immature, with a heavy reliance on the skills of individuals and the very nature of the activity makes it difficult to quantify the success and productivity of these individuals. This makes it hard for businesses to justify the spend on the resource, or even asking existing members of their MDR, SOC or Security Analysts to pursue threat hunting.
Starting small with concentrated hunts and strong hypotheses will form a basis for any threat hunting activity. The metrics and outcomes may not always be apparent, but you will discover things about your network which could become issues in the future. We have taken the approach of looking at hunting activities which are straight forward, such as evaluating IP addresses scanning your network perimeter, anomalous user login activity and DNS requests analysis which provides great insights into an environment. These are clear and directed routine hunts which are achievable in a timely manner. We have now expanded to specific features mapping detections to kill chain phases and hunting in the gaps where we do not have current capability. This in turn builds better detections which are easier to quantify. We have also progressed into use of automation and "I'll say it once only, machine learning". The main point is that there are different levels, time requirements and skills which can be used to start threat hunting and this activity can be quantified and measured to convince the powers to be that this is a worthwhile activity.
This talk seeks to provide some practical steps into how one can start conducting threat hunting and to quantify tangible outcomes for threat hunting teams. We will take the example of how this was implemented within an MSSP and how threat hunting can be mapped to established frameworks to provide useful security insights in any IT environment.