Agenda day 2: Wednesday 29 May 2019 - Sandton Convention Centre

Arrival and registration
Opening address from the Chair

Nastassia Arendse, Host, ClassicFM & Business Day TV

International Keynote Address: Politics and power in cybersecurity: how cyber operations are intimately linked with geo-strategy

Pukhraj Singh, Security Operations & Threat Intelligence Practitioner/Writer (India)

  • Examining the collapsing precepts of nation-state sovereignty in cyberspace
  • A 'contested territory': 20 years of anxiety around the paradox of control in cyberspace
  • Understanding the structural dominance of offence: why offensive A-teams have a political architecture
  • Examining offensive mathematics and political lineage: exploitation as a technology tree
  • On opcodes and ontology
  • Analysing the gradual shift from declaratory to escalatory dominance
International Keynote address: Business and cybersecurity: the codependency

Pete Herzog, Managing Director, The Institute for Security and Open Methodologies (ISECOM) (Spain)

There is something quietly unsettling about cybersecurity. There is something pathetically optimistic about cybersafety. There's something nauseously helpless about being breached. Let's face it, cybersecurity is made from human suffering. We didn't know this when we got into it. With wide, shiny eyes we jumped in to do good. And like growing into adulthood, it slowly ate away our naïve joy. Your job is to secure operations. But nobody listens to you. There's no budget. Management keeps making bad security decisions that seem to sabotage your efforts. The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we're trying to protect. And that's where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse - shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new-found stance. This is how we get the thrill back from our jobs while lessening the pain: the technical, the managerial and the emotional.

International Keynote Address: How to create proper cyber hygiene within your organisation – and why doing so is critical across all industries

Shira Rubinoff, President, SecureMySocial; President & Co-Founder, Prime Tech Partners (USA)

Over the past few years we have witnessed major data breaches – compromising billions of confidential records – at some of the most recognised brands around the world. Nearly all of these breaches shared one major contributing factor: human error. Human error that, in many cases, might have been preventable had all relevant people throughout the targeted organisation been practising proper cyber hygiene.
This keynote will explore how to dramatically reduce the likelihood of human error and of insider threats, both malicious and non-malicious, and the cybersecurity nightmares they can create. It will cover four major components of establishing proper cyber hygiene: continuous training for all employees, global awareness and education, maintaining up-to-date security and patching, and implementing a zero-trust model. It will also cover various aspects of employee demographics, explore the difference, and the conflict, between security culture and compliance culture, and examine the human-dynamics ramifications for security of different management styles. Providing the right training, and having employees understand that they are part of the solution and not the problem when it comes to strong cyber hygiene, leads to a secure environment and to happy, loyal employees.

Morning refreshments and exhibition visit
International Keynote Address: Levers of human deception: the science and methodology behind social engineering

Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4 (USA)

No matter how much security technology we purchase, we still face a fundamental security problem: people. This talk will explore the different levers that social engineers and scam artists pull to make us more likely to do their bidding. Perry Carpenter will provide fun and engaging examples of mental manipulation in everyday life: from the tactics used by oily car dealers, to sophisticated social engineering and online scams. Additionally, he will look at how to ethically use the very same levers when educating your users:

  • The perception vs. reality dilemma
  • Understanding the OODA (Observe, Orient, Decide, Act) Loop
  • How social engineers and scam artists achieve their goals by subverting the OODA Loop's different components
  • How we can defend ourselves and our organisations
Case study: Living through a data breach (and how to make sure it doesn't happen again)

Henry Denner, Information Technology Security Officer, Gautrain Management Agency

A data breach changes you, on many levels. It is a stressful experience that tests not only your ability as a human to deal with the unknown, but also the organisation's readiness and resilience in dealing with the breach and resuming operations. But it is not all bad. Being exposed to a breach exposes you to the other side of cybercrime and cybersecurity: the real, criminal side. It will change your and the organisation's perspective on cybersecurity and will help you to prepare better for potential future breaches.
This session will take delegates through an actual breach case study: from the moment the breach was detected, through the investigation and the interaction with law-enforcement agencies, to the long road through the legal proceedings. Delegates will also gain a better understanding of what to do and what not to do during a breach, the lessons learned, and the key aspects to consider when preparing for a breach.

Results of the 2019 Security Survey revealed

Ian Jansen van Rensburg, Lead Technologist & Senior Systems Engineering Manager, VMware

Hackathon Update: Protecting the digital citizen in the Fourth Industrial Revolution

Tiyani Nghonyama, COO, Geekulcha

The #SS19Hack takes place on the sidelines of the ITWeb Security Summit. In this session, teams of young techies give a sneak preview of what they have been building during the Hackathon. These are aspiring young security professionals working on building their skills in innovation/mechanism development to protect digitally connected citizens. You also get to vote and give guidance on the different projects being presented. A Summit's Choice award will be given to the team with the most votes.

Sponsor prize draws
Lunch and exhibition visit

Track One - The latest threats and how to respond

This track looks at what methods threat actors are currently using and how best to mitigate these threats. Hear the latest on ransomware attacks, phishing, software and hardware supply chain compromises, industrial control system threats and more.

Track Chair:

Winston Hayden, Independent Management Consultant and Advisor; cyber security and enterprise risk management, Old Mutual

NETSCOUT Threat Intelligence Report 2H 2018: Dawn of the Terrorbit Era

Nuno Ceitil, Consulting Systems Engineer, NETSCOUT

When it comes to the global threat landscape, the second half of 2018 revealed the equivalent of attacks on steroids, as attackers bulked up existing tactics, rapidly evolved new ones, and applied smart business techniques to vastly accelerate their growth rate. IoT devices were attacked within five minutes of being plugged into the internet. Nation-state APT group activity ratcheted up in volume and targets while existing actors continued to innovate, including the first observed use of Chrome extensions to enable persistence in the STOLEN PENCIL campaign. Finally, the use of business practices such as the affiliate model empowered crimeware such as Danabot to achieve rapid global targeting. Please join our presenter to discuss:

  • Nation-state Innovation in APT: new groups discovered and new TTPs combining custom tools and crimeware
  • Crimeware goes to B School: we saw a robust marketplace driven by well-stocked innovation pipelines from rapidly growing organizations
  • Understanding the ever-changing DDoS landscape – key vertical targeting and techniques
Ransomware: the rise, death and resurrection of digital extortion

John Fokker, Head of Cyber Investigations, Advanced Threat Research, McAfee

Recent statistics point to a decrease in the number of ransomware variants. So, is ransomware dead? Not so fast. Get up to speed on what are now the main forms of ransomware and learn about the ongoing effort to combat this type of threat. Hear about the successes and lessons learned from the No More Ransom initiative, an online portal that has prevented millions of dollars in ransom payments to cybercriminals. Lastly, since an ounce of prevention is still better than a pound of cure, you will also learn some essential ransomware prevention and mitigation tips.

Afternoon refreshments and exhibition visit
Case study: Managing software and hardware supply chain compromises

Tamara Mkula, Information Security Risk Manager, Telkom SA

Supply chains are an integral component of an organisation's business operations: an organisation integrates suppliers into its operations so that it can focus on its core business and gain a competitive advantage. Through the supply chain, an organisation's most valuable assets, such as information, are shared, yet it is often not known how that information is shared, or whether the supplier protects it the way the organisation itself does. Once information is shared with a supplier, the organisation loses direct control over its protection.
In this presentation, Tamara will reference recent incidents at different companies which have lost millions of Rands through software and hardware cyber supply chain compromises, and will take the audience through the success factors for dealing with these security issues. She will also share her insights on:

  • How to successfully select a supplier through an effective risk management process
  • How to effectively manage identified supply chain risks
  • A simple model to continuously manage information security risks in supply chains
Case study: Cybersecurity in Industrial Control Systems: The Bad, the Ugly and how to get to the Good

Kobus Pienaar, CIO, Vedanta Zinc International

In the digital age, cybersecurity is on everyone's radar, and nowhere more so than in the Industrial Control Systems (ICS) arena. The damage and losses that can occur if an ICS is compromised are potentially huge, with large production losses translating into large financial losses. Scenarios range from something as small as a wrong reagent mix going into a process, reducing the efficiency of product extraction, to the full shutdown of a plant or factory.
A significant portion of organisations still believe that an isolated, or "air-gapped", ICS installation will prevent compromise. What they forget is the human element that operates in these environments: removable media, maintenance laptops and remote vendor access all cross the gap. Companies should look at ICS cybersecurity holistically, covering the systems installed, the human elements, procedures and connectivity requirements. Air-gapping on its own is not a solution in today's world.
During the session, we will explore some of the scenarios we have found over the years that compromise ICS environments. We will then look at the progress ICS vendors have made in how they build their systems and products, and lastly at how to build the cybersecurity layers in your ICS environment to ensure maximum protection against a compromise.

Arriving at a narrative: a hands-on journey into orchestrating cross-functional cybersecurity teams

Dr James Stanger, Chief Technology Evangelist, CompTIA (USA)

Our industry has adopted myriad attack detection tactics, threat intelligence schemes and incident response plans over the past few decades with varying results. But rarely have any of these solutions provided a "big picture" narrative that helps an organisation improve its security. What are some of the more useful strategies, or what Dr Stanger calls "context engines", that have helped certain organisations effectively adjust their strategies and tactics today?
Dr Stanger will provide case studies based on conclusions drawn from CompTIA's cybersecurity research culled from thousands of subject matter experts, as well as his interactions with dozens of managers, executives and security techs from around the world. He will detail key interactions between these teams as they have cooperated to identify and react to indicators of attack and indicators of compromise. By the end of his presentation, you will have gained insights about how to bring value to core security activities, over and above Security Orchestration, Automation and Response (SOAR).

Closing remarks from the Chair and End of Summit

Track Two - Governance, risk, compliance and data

This track will provide an update on all the current and proposed legislation around cyber security, most notably, the Cybercrimes Bill. It also examines the need to quantify your cyber risk and how to empower your internal audit team to assist with cyber security.

Track Chair:

David Luyt, Associate, Michalsons

Quantifying cyber risk - bridging the divide between technology and the Board

Johan Botha, Chair, South Africa Chapter, FAIR Institute

Cybersecurity is being considered as a top-three risk by most organisations today as cyber-attacks, online fraud and internal threats make a material impact on their businesses. And, while boards and executives expect to be informed about cyber risk, they are not getting the answers they want. Too often, cyber risk reporting is filled with technical jargon and colourful but hard to understand risk registers and heat maps. Those responsible for cybersecurity - from the Board and the CEO on down - are urgently looking for better ways to measure and report risk that will enable well-informed decision-making, regarding questions such as:

  • What are the organisation's top cyber risks and how much exposure do they represent expressed in financial terms?
  • Which cyber risk management investments matter most?
  • Are they investing enough (or too much) in cyber risk management?

This presentation will provide an overview of a pragmatic approach to cyber risk quantification based on The Open Group's Open FAIR risk quantification standard, which gives Chief Information Security Officers and Chief Risk Officers the means to bridge the divide between IT and information security on the one side and the Board and executive management on the other. Open FAIR provides a model for understanding, analysing and measuring information risk in financial terms: risk is decomposed into loss event frequency (how often a threat event succeeds against an asset) and loss magnitude (what each such event costs), each estimated as a calibrated range rather than a single guess. This addresses the current challenges of cyber risk reporting and enables the organisation to prioritise effectively, make trade-offs and choose cost-effective cyber risk mitigation solutions.

  • Understanding the current challenges to measuring and reporting cyber risk
  • Examining a solution to quantifying cyber risk that enables well-informed cyber risk decision-making
  • Understand how the FAIR methodology, coupled with software, can empower information security and risk professionals to improve cyber risk reporting
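The following is an added worked example, not material from the speaker or the FAIR Institute, showing the arithmetic behind the "financial terms" above. It uses the standard FAIR decomposition (annualised loss = threat event frequency × vulnerability × loss magnitude per event), samples each factor from a calibrated (min, most likely, max) triangular range, and runs a Monte Carlo simulation over many simulated years to produce the mean and tail percentiles a board can compare against a risk appetite. The two scenarios, their ranges and the Rand figures are constructed for illustration only; Open FAIR tooling also models vulnerability from threat capability versus resistance strength, which is simplified here to a single calibrated probability.

```python
"""Open FAIR-style Monte Carlo estimate of annualised loss exposure (added example)."""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One FAIR risk scenario, calibrated as (min, most likely, max) ranges.

    tef:            Threat Event Frequency, threat events per year.
    vulnerability:  probability that a threat event becomes a loss event
                    (FAIR derives this from threat capability vs resistance
                    strength; here it is a single calibrated estimate).
    loss_magnitude: primary plus secondary loss per loss event, in Rand.
    """
    name: str
    tef: tuple
    vulnerability: float
    loss_magnitude: tuple


def _triangular_mean(low, mode, high):
    return (low + mode + high) / 3.0


def analytic_expected_loss(s: Scenario) -> float:
    """Expected annualised loss: E[TEF] * Vulnerability * E[LM].

    Exact because the three factors are sampled independently in simulate()."""
    return (_triangular_mean(*s.tef) * s.vulnerability
            * _triangular_mean(*s.loss_magnitude))


def simulate(s: Scenario, runs: int = 20_000, seed: int = 1) -> dict:
    """Simulate `runs` years of the scenario and summarise the loss distribution."""
    rng = random.Random(seed)  # fixed seed so the board pack is reproducible
    tef_lo, tef_ml, tef_hi = s.tef
    lm_lo, lm_ml, lm_hi = s.loss_magnitude
    annual_losses = []
    for _ in range(runs):
        # Threat events this year. Adding U[0,1) before flooring is stochastic
        # rounding: it yields an integer count whose expectation equals E[TEF].
        events = int(rng.triangular(tef_lo, tef_hi, tef_ml) + rng.random())
        year_loss = 0.0
        for _ in range(events):
            if rng.random() < s.vulnerability:  # threat event became a loss event
                year_loss += rng.triangular(lm_lo, lm_hi, lm_ml)
        annual_losses.append(year_loss)
    annual_losses.sort()

    def pct(p):
        return annual_losses[int(p * (len(annual_losses) - 1))]

    return {
        "mean": mean(annual_losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": annual_losses[-1],
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / runs,
    }


# Constructed, hypothetical scenarios (ranges are illustrative, not real data).
EXAMPLE_SCENARIOS = [
    Scenario("Credential phishing leading to payment fraud",
             tef=(2, 4, 12), vulnerability=0.25,
             loss_magnitude=(30_000, 120_000, 300_000)),
    Scenario("Ransomware via exposed RDP",
             tef=(0.5, 1, 3), vulnerability=0.5,
             loss_magnitude=(500_000, 2_000_000, 8_000_000)),
]


def rank_scenarios(scenarios, runs=20_000, seed=1):
    """Return (name, summary) pairs ordered by mean annualised loss, highest first."""
    results = [(s.name, simulate(s, runs, seed)) for s in scenarios]
    return sorted(results, key=lambda r: r[1]["mean"], reverse=True)


if __name__ == "__main__":
    for name, r in rank_scenarios(EXAMPLE_SCENARIOS):
        print(f"{name}: mean R{r['mean']:,.0f}  p90 R{r['p90']:,.0f}  "
              f"p95 R{r['p95']:,.0f}  P(any loss)={r['p_any_loss']:.2f}")
```

The mean answers "how much exposure, in Rand"; the p90/p95 figures answer "how bad is a bad year", which is what a risk-appetite statement is usually written against. Comparing the mean before and after a proposed control (lower vulnerability or lower loss magnitude) against the control's cost is the "which investments matter most" question in the bullets above.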
"Back from the Future": What do the films Terminator, iRobot and Minority Report have to do with Identity Governance?

Ben Bulpett, EMEA Identity Platform Director, SailPoint

Identity Governance is the platform that will protect us now and in the future: come and hear how the challenges in data, robotics, reporting and scale can be addressed by an end-to-end Identity Governance programme. Identity has never been so strategically important. It has absolutely become a board-level priority today. As the importance of identity increases in organizations, the need to implement an end-to-end identity governance platform becomes increasingly crucial, so you can efficiently and securely manage your digital identities and embrace digital transformation with confidence. At the end of the session you will have a better understanding of how an end-to-end Identity Governance platform can help your organisation prepare for the future and digital transformation.

Afternoon refreshments and exhibition visit
Cyberlaw and governance in an age of cyber-attacks and cybercrime

Dr Trishana Ramluckan, Researcher & Dr Brett van Niekerk, Senior Lecturer, University of KwaZulu-Natal

By its boundless nature, the Internet creates legal challenges regarding issues such as jurisdiction and state sovereignty. Normally every sovereign nation creates its own legislation, which is applied within its own jurisdiction. Since cyberspace has no physical borders, and therefore no single jurisdiction, it is difficult to govern, both nationally and internationally. Further to this, the recent surge in privacy legislation, e.g. the GDPR, has created another challenge concerning the right to monitor online activity and to gather user information. Although most legislation regarding cyberspace falls within the ambit of privacy or criminal law, this still presents challenges for organisations that are victims of international or state-backed cyber-attacks. Addressing these challenges requires effective legal regulation of cybersecurity and its technical and social complexities, including legislative frameworks, collaboration with the global community and the private sector, and professional education and capacity building. The presentation will discuss the legal challenges related to cybersecurity, provide an overview of international legal frameworks and guidelines, and examine the implications for organisations, as new technology models and a greater dependency on technology make cybersecurity a major concern and drive companies to approach security in new ways.

How to map and model your data flows to optimise business, security, resilience and data protection

Fergus Cloughley, CEO & Paul Wallis, CTO, OBASHI

Understanding how data flows through people, process and technology is essential if a business wants to thrive or even survive. Indeed, fundamental to cyber security is the need to fully understand, and be able to demonstrate, where data is coming from and going to - and not just at an infrastructure or software level, but across the whole organisation. From the GDPR to the Basel banking standards, more and more regulatory authorities are requiring companies to understand (and be able to demonstrate and document) how data flows throughout their business.
However, the methods for doing this accurately are poorly understood, and the need to map and model the interdependencies of people, process and technology is critical. That is why Scotland is becoming the first country to teach an accredited methodology in schools and colleges, teaching students how to optimise business while building resilience. With case studies and examples of organisations that have successfully mapped and modelled their data flows, this session will answer:

  • What is the value of data flows to business?
  • How does understanding our data flow build resilience in business?
  • Can data protection exist if our data flows are not accurately mapped?
No organisation is an island: Managing security under data processing relationships with empathy

David Luyt, Associate, Michalsons

How you manage data processing relationships matters, because no organisation is an island entire of itself. Every organisation is a piece of the archipelago, a part of the island chain.
Your organisation is probably a link in a chain, beginning with a sole or joint controller at the top, generally passing down to a processor and often ending with a sub-processor (or even additional subsequent processors) at the bottom. There are strict data protection laws (including the GDPR in the EU, the DPA in the UK and POPIA in South Africa) that regulate how that chain operates and require each link to enter into written data processing agreements (DPAs) with their neighbours.
Those DPAs need to meet certain requirements related to the security of personal data. In this presentation, David will explore them and what they mean for your organisation, based on your position in the chain. You will learn:

  • How to have better relationships with other organisations that you share data processing with when it comes to the security of that personal data
  • The significant steps you need to take towards complying with relevant data protection laws, when it comes to your data processing relationships and security
  • How to stand a better chance of escaping fines and other penalties for failing to comply with relevant data protection laws, when it comes to your data processing relationships and security
Closing remarks from the Chair and End of Summit

Track Three - Trends impacting security

This track will focus on the latest technology developments and the implications they have for information and cyber security. Some of the subjects covered include: AI, blockchain, cloud, IOT, containerisation, mobile devices, DevSecOps and much more.

Track Chair:

Kris Budnik, Independent Security Consultant

Case study: Data security: how to ensure the protection of your data across complex legacy and modern IT systems

Lizelle van der Klashorst, Head: iDnA Governance, Risk & Compliance, FNB

The use of data and information has become the lifeblood of any business, organisation or large enterprise, for business performance and competitive advantage. However, the pervasive availability of, and access to, data, including very sensitive, privileged and contextualised information, has become a concern and a definite area of focus for Boards and Executives alike. In addition, large organisations are faced with a mix of legacy and new systems with a high probability of duplication, including huge historical archives of data across the enterprise.
This reality poses significant risk from a regulatory compliance perspective (hefty fines and reputational impact, up to and including business sustainability), as data can be misused for fraudulent or malicious purposes. An integrated and holistic approach to protecting data and data security must be formalised across business structures, products and services, people and culture, process, data and information, technology and systems. Engagement, decision-making and governance structures are critical to ensuring that the data protection strategy is executed and operationalised and that data protection resilience matures. This presentation will explore how to:

  • Simplify a complex problem using a structured, systems approach
  • Identify the core components required to drive a data protection programme
Please enter your DNA here: the risks and opportunities of behavioural biometrics

Alan Radomsky, EMEA Sales Engineering Manager, Malwarebytes

Today’s digitized world leaves us yearning for a password-less alternative, where we don’t need to memorize a plethora of cryptic characters. An innovative solution could be derived from the field of behavioural biometrics, where an individual’s behavioural patterns can be assessed for authentication. While such a method could bring about a new level of convenience and security, it also comes with considerable risk when the protection of your most sensitive data is in question. Attend this session to learn:

  • Examples of where these behavioural biometrics are already in place
  • Insights on recently identified opportunities and risks
  • How your DNA, behavioural biometrics and China’s social surveillance system are already connected
Afternoon refreshments and exhibition visit
Situational awareness for better cyber security

Kris Budnik, Independent Security Consultant

  • What is cyber analytics? How is data currently being used to protect/defend the organisation, rather than to react and contain?
  • Examining how to implement cross-competency analytics, i.e. bringing disparate sets of data together, to assist in developing your cyber security plan
  • Analysing examples of using analytics for situational awareness, driving security improvements and for facilitating a breach response
Case study: Security considerations and innovations in the Blockchain ecosystem

Adele Jones, Lead Architect: Information Security and Blockchain, Nedbank

Blockchain technology has evolved significantly since the first genesis block was mined in the Bitcoin network in 2009. People have recognised that the underlying technology platform of the Bitcoin network offers disruption opportunities to a number of industries. The introduction of smart contracts in the Ethereum network opened up yet another host of business opportunities. As with any new and cutting-edge technology, security considerations are still being discovered and developed. In this presentation Adele will explore:

  • The different security considerations that solutions need to address in the blockchain ecosystem
  • How privacy concerns are being addressed with some new developments in the blockchain ecosystem
  • The identity management evolution that is happening on blockchain platforms
  • Smart contract security best practice
Case study: DevSecOps: how to implement security into the different stages of the software development lifecycle

Tammy Naicker, Executive Head of Department: Group Technology Governance & Assurance, Vodacom

  • What is DevOps?
  • Security by design: principles to create a "Security as Code" culture
  • Unravelling DevSecOps in the digital era
Closing remarks from the Chair and End of Summit

Track Four - Blue team strategies

This track will focus on the defensive tools, technologies and strategies that your blue team should be considering. Topics such as EDR, incident response, threat hunting and building an SOC will be covered.

Track Chair:

Wicus Ross, Lead Researcher, SecureData

Understanding the different approaches to EDR – which one is right for you?

Jeremy Matthews, Regional Manager, Panda Security Africa

EDR (Endpoint Detection & Response) is the new buzzword in endpoint security, but what does it really mean? According to Gartner, most EDR tools are not capable of replacing endpoint protection platforms entirely, so it is important to understand the relationship between EDR and traditional EPP solutions. How do you go about choosing the best technology for your business in a landscape where endpoint security has become so integral to your cybersecurity strategy? This presentation will help you answer these questions and will also look at some of the added benefits EDR can offer.

  • What is EDR? EDR vs EPP
  • Understanding the different technology approaches to EDR and how to choose the right one for your business
  • Examining the value of EDR Telemetry and the role of EDR when implementing a Security Information & Events Management (SIEM) solution
Is incident response broken? Why traditional incident response is not stopping cyber breaches

Jason Jordaan, Principal Forensic Scientist and MD, DFIRLABS

The news is filled with stories of massive data breaches and other cyber-attacks directed at organisations in both the public and private sectors. When organisations discover that they have been attacked, or are currently under attack, they often respond to the incident using a variety of incident response and digital forensic strategies, most often designed to stop the attack and prevent it from happening again. However, despite the incident response process, many of the organisations attacked are rapidly re-attacked and compromised again and again, often by the same threat actors. So what is going wrong? Is there a problem with how we do incident response? The harsh reality is that traditional incident response is failing us, and we need an honest reflection on why it is failing.
Traditional incident response was developed in an era when the adversaries were not the ones we face now; the threat landscape was in many ways simpler and easier to address. The threats have changed, and so too must our approach to incident response. Using data from some of the large incidents happening around the globe, Jason will explore the disconnect between what you need to do when responding to an incident and how you actually respond to and deal with it. He will also examine the conflict between security and business operations when it comes to responding to an incident, and highlight the real business risks of current incident response practices.

  • Understanding the purpose of incident response and how to be effective in responding to an incident
  • Identifying the actual risks to an organisation through current incident response practices
  • How to bring security and management together for effective incident response
  • Understanding the relationship between incident response and threat hunting
Afternoon refreshments and exhibition visit
Case study: Building a cost-effective Security Operations Centre for threat hunting and incident handling

Muyowa Mutemwa, Senior Cyber Security Specialist, CSIR

In order to secure an IT environment against cybercrime, there is a need to set up a Security Operations Centre (SOC). SOCs are critical to all organisations when it comes to detecting, analysing and reporting on the various malicious activities that could occur. Implementing and operating a SOC is an expensive exercise, so in order to realise the desired ROI a fine balance must be struck between the people, processes and technologies involved. This presentation will explain an architectural design for a cost-effective SOC using open-source tools, the different threat hunting models, the SOC maturity levels, the required personnel skills, the processes and procedures to define, the incident lifecycle, and threat intelligence tools. Finally, it will examine two examples of incidents that a SOC could face and how responders would handle each from identification through to reporting and lessons learned.

  • Building a SOC for SMEs on a low budget
  • Requirements for SOC staff: what are the minimum skills needed?
  • What technology should be used?
  • What processes need to be put in place for successful running of a SOC?
Flipping the cyberdefence equation to tip the scales back in our favour

Sam Linford, Regional Director, Carbon Black

Far too often, the cybersecurity industry focuses too heavily on all the advantages attackers have. We've all heard the saying: "Defenders have to be right 100% of the time while attackers only have to be right once." Well, what if we could flip that equation? As defenders, we have the home field advantage, so why does it seem like we are consistently losing? In order to shift this model and tip the scales back in our favour, we need to be thinking about "Disruption in Depth" rather than just "Defence in Depth." We need to be making attackers' lives significantly harder. Attackers make mistakes all the time. Let's make them have to be 100% right all the time instead of us. Join Carbon Black's Regional Director, Sam Linford, as he reveals the reality behind the modern threat landscape and uncovers what security teams can do today to tip these scales and make attacking your organisation exponentially more difficult for attackers.

Threat Hunting: seek and you "might" find?

Andrew Lam, Head of Detections, SecureData

Threat hunting has become an item on many CISOs' and CTOs' wish lists as part of their cybersecurity armoury, alongside managed detection and response. Threat hunting, however, is relatively immature, with a heavy reliance on the skills of individuals, and the very nature of the activity makes it difficult to quantify the success and productivity of those individuals. This makes it hard for businesses to justify the spend on the resource, or even to ask existing members of their MDR, SOC or security analyst teams to pursue threat hunting.
Starting small with concentrated hunts and strong hypotheses will form a basis for any threat hunting activity. The metrics and outcomes may not always be apparent, but you will discover things about your network which could become issues in the future. We have taken the approach of looking at hunting activities which are straightforward, such as evaluating IP addresses scanning your network perimeter, anomalous user login activity and DNS request analysis, which provides great insights into an environment. These are clear and directed routine hunts which are achievable in a timely manner. We have now expanded to specific features mapping detections to kill chain phases and hunting in the gaps where we do not have current capability. This in turn builds better detections which are easier to quantify. We have also progressed into the use of automation and, "I'll say it once only", machine learning. The main point is that there are different levels, time requirements and skills which can be used to start threat hunting, and this activity can be quantified and measured to convince the powers that be that it is a worthwhile activity.
This talk seeks to provide some practical steps for how one can start conducting threat hunting and how to quantify tangible outcomes for threat hunting teams. We will take the example of how this was implemented within an MSSP and how threat hunting can be mapped to established frameworks to provide useful security insights in any IT environment.
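As an added illustration of the "routine hunts" named above (perimeter scanning and DNS request analysis), not code from the speaker or SecureData, the script below runs two hypothesis-driven hunts over constructed log samples. The port-scan hunt flags any external source that is denied on many distinct destination ports; the DNS hunt flags a client that queries many unique, high-entropy subdomains under one registered domain, a pattern typical of DNS tunnelling or DGA traffic. The log records, IP addresses (RFC 5737 test ranges) and domain names are all constructed; the "registered domain = last two labels" rule is a simplification that a production hunt would replace with a public suffix list, and the thresholds are starting hypotheses to be tuned against your own baseline.

```python
"""Two routine threat hunts run over constructed log samples (added example)."""
import math
from collections import defaultdict

# Constructed firewall deny records: (timestamp, src_ip, dst_ip, dst_port).
# 203.0.113.7 probes 15 ports on one host; the other sources are benign noise.
FIREWALL_DENIES = [
    ("2019-05-29T08:00:01", "203.0.113.7", "198.51.100.10", p)
    for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445,
              1433, 3306, 3389, 5900, 8080)
] + [
    ("2019-05-29T08:01:00", "192.0.2.44", "198.51.100.10", 443),
    ("2019-05-29T08:01:05", "192.0.2.44", "198.51.100.10", 443),
    ("2019-05-29T08:02:10", "198.51.100.99", "198.51.100.10", 22),
]

# Constructed DNS query records: (timestamp, client_ip, queried_name).
# 10.0.0.23 asks for 12 random-looking labels under one domain; tunnelling-like.
DNS_QUERIES = [
    ("2019-05-29T09:00:00", "10.0.0.5", "www.example.com"),
    ("2019-05-29T09:00:05", "10.0.0.5", "mail.example.com"),
    ("2019-05-29T09:00:07", "10.0.0.9", "cdn.example.net"),
] + [
    ("2019-05-29T09:01:%02d" % i, "10.0.0.23", "%s.tunnel-test.example" % label)
    for i, label in enumerate([
        "z3k9qpx1v7m2", "a8f0ndt4kq2w", "pl6x2jrm90cv", "q1v5hz8nytk3",
        "m7cx0dkw3r9p", "t2nj8qf4zx6l", "h9sl3vwk5pc0", "y4rm1tqx7nb8",
        "k6wz9pcd2hv1", "c3ql7xtb0mn5", "w8hv2nzk4dj9", "r5px0lqc8tw3",
    ])
]


def hunt_port_scans(denies, min_ports=10):
    """Hypothesis: a single source denied on many distinct ports is scanning us.

    Returns {src_ip: sorted list of probed ports} for sources over the threshold."""
    ports_by_src = defaultdict(set)
    for _ts, src, _dst, dport in denies:
        ports_by_src[src].add(dport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(len)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hunt_dns_tunnelling(queries, min_unique=10, min_entropy=3.0):
    """Hypothesis: one client, one registered domain, many unique high-entropy
    subdomains means data is being carried in DNS labels.

    Returns {(client_ip, registered_domain): {unique_subdomains, avg_entropy}}."""
    subs = defaultdict(set)
    for _ts, client, qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:          # bare registered domain, nothing to tunnel in
            continue
        base = ".".join(labels[-2:])  # simplification: no public suffix list
        subs[(client, base)].add(".".join(labels[:-2]))
    findings = {}
    for key, names in subs.items():
        if len(names) < min_unique:
            continue
        avg_ent = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        if avg_ent >= min_entropy:
            findings[key] = {"unique_subdomains": len(names),
                             "avg_entropy": round(avg_ent, 2)}
    return findings


if __name__ == "__main__":
    for src, ports in hunt_port_scans(FIREWALL_DENIES).items():
        print(f"port scan from {src}: {len(ports)} ports, e.g. {ports[:5]}")
    for (client, base), info in hunt_dns_tunnelling(DNS_QUERIES).items():
        print(f"possible DNS tunnelling: {client} -> *.{base} {info}")
```

Each hunt produces a countable output (sources flagged, domains flagged, and how many turned out to be true positives after triage), which is the kind of metric the abstract says is needed to justify the spend; once a hunt is reliable it can be promoted to a standing detection and mapped to a kill chain phase (reconnaissance for the scan, command and control or exfiltration for the DNS pattern).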

Closing remarks from the Chair and End of Summit
