Arrival and registration
Opening Keynote Address: Examining the impact of people, processes, technology and regulation in combating cyber-attacks: how much progress have we made?
Charl van der Walt, Chief Strategy Officer, SecureData SensePost (UK)
- What victories have been achieved from a defender point of view?
- What advancements have been made?
- What progress has been made in terms of the push towards better identity and authentication management/processes (MFA)?
- What positive impact have regulation and compliance requirements such as GDPR had?
International Keynote Address: Politics and power in cybersecurity: how cyber operations are intimately linked with geo-strategy
Pukhraj Singh, Security Operations & Threat Intelligence Practitioner (India)
- Examining the collapsing precepts of nation-state sovereignty in cyberspace
- A 'contested territory': 20 years of anxiety around the paradox of control in cyberspace
- Understanding the structural dominance of offence: why offensive A-teams have a political architecture
- Examining offensive mathematics and political lineage: exploitation as a technology tree
- On opcodes and ontology
- Analysing the gradual shift from declaratory to escalatory dominance
International Keynote address: Business and cybersecurity: the codependency
Pete Herzog, Managing Director, The Institute for Security and Open Methodologies (ISECOM) (USA)
There is something quietly unsettling about cybersecurity. There is something pathetically optimistic about cybersafety. There's something nauseatingly helpless about being breached. Let's face it, cybersecurity is made from human suffering. We didn't know this when we got into it. With wide, shiny eyes we jumped in to do good. And like growing into adulthood, it slowly ate away our naïve joy. Your job is to secure operations. But nobody listens to you. There's no budget. Management keeps making bad security decisions that seem to sabotage your efforts. The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we're trying to protect. And that's where it all falls apart. The security-to-business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse - shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new-found stance. This is how we get the thrill back from our jobs while lessening the pain: the technical, the managerial and the emotional.
Morning refreshments and networking
International Keynote address: From overwhelmed to empowered
Ljupcho Joshevski, Head of Cybersecurity Systems Engineering, Cisco Systems
In today's world, more interconnected than ever and where business growth is defined by tech innovation, managing security risk becomes an overwhelming task. The threat landscape is growing in sophistication by the day and adversaries are increasingly attracted to the lucrative cybercrime industry. In this session you will hear about the risk reality as we see it, the threat landscape that we observe across the globe, and approaches to confronting this risk. Traditional prevention strategies are simply inefficient; strategies that are threat-centric and span the entire attack continuum are required more than ever.
Total Wipe Out: What could happen if cyber criminals successfully attacked a country's critical infrastructure systems?
Veronica Schmitt, Lead Forensic Analyst, DFIR Labs
Cyber warfare can be described as digital attacks which are aimed against a country or nation in order to cause disruption to the computer systems which are associated with critical infrastructure. The aim of a cyber war like this would be to create the most significant damage, potential death, destruction and/or total anarchy. The term "BlackOut" is used in hacker circles to refer to a plan to cause a total blackout within a country or nation of all critical infrastructure. With the ever-increasing interconnectivity of a country's critical infrastructure, it's possible that a country could experience BlackOut and be crippled within a month. This presentation will be in the format of a reenactment of a theoretical BlackOut plan on a fictional country, "Barony of Mejis", by using information and tooling that is freely available on the Internet. The presentation will be given around a set timeline indicating a high-level approach to a BlackOut plan. All targets will be applicable in real life, and based on realistic systems, but will be fictionalised.
- Understanding the Internet of "hackable" Things
- Understanding how critical infrastructure is connected to the Internet
- Understanding the vulnerabilities within these systems
- Insights into a BlackOut plan and getting into the mind of cyber war criminals
- Using examples of real-world hacks which have taken place
Case study living through a data breach (and how to make sure it doesn't happen again)
Henry Denner, Information Technology Security Officer, Gautrain Management Agency
A data breach changes you, on many levels. It is a stressful experience that tests not only your ability as a human to deal with the unknown, but also the organisation's readiness and resilience in dealing with the breach and resuming operations. But it is not all bad. Being exposed to a breach exposes you to the other side of cybercrime and cybersecurity: the real, criminal side. It will change your and the organisation's perspective on cybersecurity and will help you to better prepare for potential future breaches.
This session will take delegates through an actual breach case study, from when the breach was detected, the investigation, interaction with law-enforcement agencies and the long road through the legal proceedings. Additionally, delegates will also get a better understanding of what to do and what not to do during a breach, the lessons learned and the key aspects to consider in preparing for a breach.
Why the evolving threat landscape has made cyber resilience a top-ten business priority
Brian Pinnock, Director Sales Engineering MEA, Mimecast
South African businesses do not take cyber threats as seriously as elsewhere and it’s becoming evident in the statistics. The key lesson from the massive attacks of the last few years is that while protection is important, it’s equally important to ensure your recovery process is strong. This presentation will discuss:
- The evolution of threats and our responses to them
- The underlying causes of the change in threats, threat actors
- South Africa in the Post Infrastructure Era
- The role of cyber resilience and why a defence-only strategy is a flawed approach
Lunch and networking
Track One - Mitigating cybersecurity risks and the latest threats
This track takes a look at key risks that organisations are facing and what options are available to mitigate these risks. Some of the latest threats and response strategies will also be discussed.
Track Chair: Winston Hayden, Independent Management Consultant and Advisor
Understanding the digital employee by building a security culture
Robyn Bartlett, Security Awareness Co-Ordinator, DRS
We all live in this awesome, but sometimes terrifying, digital age where information is the most valuable asset that exists today. Why hack technology when it is easier to hack the human? Our users are the most susceptible to online deceit, but how can we create a security culture that every employee can relate to? DRS has embarked on a campaign to increase cyber awareness in businesses across South Africa. How are we doing it? Attend this talk to find out.
Cyber insurance: what are the benefits and what to look out for when choosing a cyber insurance product?
Ryan van de Coolwijk, Product Champion: Cyber, ITOO Special Risks
- Examining the benefits of cyber insurance: what does it cover?
- Understanding how a cyber insurance policy helps to mitigate risk exposure in the case of a breach
- What should you look out for when choosing a cyber insurance policy? What questions should you ask?
- What do cyber insurance providers look for when deciding whether to provide coverage and what level?
Afternoon refreshments and networking
Software and hardware supply chain compromises and how to deal with these
Tamara Mkula, Information Security Risk Manager, Telkom SA
Supply chains are an integral component of an organisation's business operations. An organisation's strategy to integrate a supply chain into its operations is to ensure it can focus on its core business to gain a competitive advantage. Through the supply chain, an organisation's most valuable assets, such as information, are shared, but it is often not known how this information is shared or even whether it is protected by a supplier the same way it is protected by the organisation itself. Once information is shared with the supplier, an organisation loses control over the protection of its information.
In this presentation, Tamara will reference recent incidents from different companies which have lost millions of Rands through software and hardware cyber supply chain compromises. She will also take the audience through the success factors of how to deal with these security issues. She will also share her insights on:
- How to successfully select a supplier through an effective risk management process
- How to effectively manage identified supply chain risks
- A simple model to continuously manage information security risks in supply chains
Optimizing your data protection and data privacy programme from device-to-cloud
Neal Botje, Account Executive, McAfee
To be effective, data protection needs to be consistent across all enterprise ICT assets - from the server to the endpoint, at the office and at home, across the network perimeter including Web and email and, most importantly, it needs to address the transformation to the cloud. Data loss prevention is one of the most complex, resource-intensive, time-consuming and least-understood aspects of security. There are significant resource shortfalls and very little automation included in the DLP process. In this session we will uncover the reasons for the low success rate and how to address them. The outcome will be a practical, more efficient, more effective, less resource-intensive, higher-value and lower-cost methodology that's simple to apply to any business. We will show you how to:
- Simplify the decision-making process
- Use basic algorithms to improve efficacy and efficiency
- Improve the mapping process by answering a few key questions:
  - Strategic/business objectives - how to make sure the data privacy and protection programme is aligned to the business objectives
  - Risks - there are thousands of threats and threat actors; how do I get the best coverage to reduce the risk window?
  - Regulatory requirements - how to initiate compliance without a lengthy and costly advisory process
  - Standards and frameworks - how to streamline the mapping process
  - Use cases - which ones are relevant
  - Controls - quick wins
Quantifying cyber risk - bridging the divide between technology and the Board
Johan Botha, Chair, South Africa Chapter, FAIR Institute
Cybersecurity is considered a top-three risk by most organisations today, as cyber-attacks, online fraud and internal threats make a material impact on their businesses. And while boards and executives expect to be informed about cyber risk, they are not getting the answers they want. Too often, cyber risk reporting is filled with technical jargon and colourful but hard-to-understand risk registers and heat maps. Those responsible for cybersecurity - from the Board and the CEO on down - are urgently looking for better ways to measure and report risk that will enable well-informed decision-making on questions such as:
- What are the organisation’s top cyber risks and how much exposure do they represent expressed in financial terms?
- Which cyber risk management investments matter most?
- Are they investing enough (or too much) in cyber risk management?
This presentation will provide an overview of a pragmatic solution and approach to cyber risk quantification based on the Open Group's Open FAIR risk quantification standard, which gives Chief Information Security Officers and Chief Risk Officers the means to bridge the divide between IT and information security on the one side, and the Board and executive management on the other. Open FAIR provides a model for understanding, analysing and measuring information risk in financial terms, thereby addressing the current challenges of cyber risk reporting and enabling the organisation to prioritise effectively, make trade-offs and choose cost-effective cyber risk mitigation solutions.
- Understanding the current challenges to measuring and reporting cyber risk
- Examining a solution to quantifying cyber risk that enables well-informed cyber risk decision-making
- Understanding how the FAIR methodology, coupled with software, can empower information security and risk professionals to improve cyber risk reporting
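An added illustration of the Open FAIR roll-up the session describes (loss event frequency times loss magnitude, expressed in Rand), written for this page rather than taken from the talk or the FAIR Institute; every scenario value, the control cost and the simplified Monte Carlo are constructed assumptions:

```python
import random

# Constructed inputs for one loss scenario (assumed values, not from the talk or the
# FAIR Institute): each FAIR factor is a (min, most_likely, max) calibrated estimate.
BASELINE = {
    "tef": (2, 6, 20),                    # threat event frequency, events per year
    "vuln": (0.20, 0.35, 0.60),           # probability a threat event becomes a loss event
    "lm": (50_000, 250_000, 2_000_000),   # loss magnitude per loss event, Rand
}
# The same scenario after a hypothetical control that lowers vulnerability (e.g. stronger MFA).
WITH_CONTROL = {**BASELINE, "vuln": (0.05, 0.10, 0.20)}

def mean(tri):
    """Mean of a triangular (min, most_likely, max) distribution."""
    return sum(tri) / 3

def draw(rng, tri):
    """One sample from the triangle; note random.triangular takes (low, high, mode)."""
    lo, ml, hi = tri
    return rng.triangular(lo, hi, ml)

def point_estimate(scenario):
    """Deterministic roll-up: LEF = TEF * Vuln; ALE = LEF * LM, in Rand per year."""
    lef = mean(scenario["tef"]) * mean(scenario["vuln"])
    return lef * mean(scenario["lm"])

def simulate(scenario, years=10_000, seed=1):
    """Monte Carlo: resample every factor per simulated year; return (p10, p50, p90) of annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = round(draw(rng, scenario["tef"]))
        vuln = draw(rng, scenario["vuln"])
        total = 0.0
        for _ in range(events):
            if rng.random() < vuln:      # the threat event overcomes the controls
                total += draw(rng, scenario["lm"])
        losses.append(total)
    losses.sort()
    pick = lambda q: losses[int(q * (years - 1))]
    return pick(0.10), pick(0.50), pick(0.90)

def net_benefit(before, after, annual_cost):
    """Expected loss avoided by the control minus its annual cost: the Board's trade-off in Rand."""
    return point_estimate(before) - point_estimate(after) - annual_cost
```

The point estimate answers "how much exposure, in money" for one scenario; the percentile spread from simulate() is what separates a defensible range from a single heat-map colour.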
Closing remarks from the Chair and official networking cocktail function
Track Two - Trends Impacting Security
This track focuses on the latest technology developments and the implications that they have for information and cybersecurity. Topics covered include Cloud, EDR, Incident Response, Threat Hunting and more.
Leveraging application integrity management to prevent insider threats
Maeson Maherry, Chief Solutions Officer, Lawtrust
Insider threats or employee fraud can have a devastating impact on a company’s bottom line performance because of the legitimate access they have to critical functions in business systems. This presentation will cover a method of applying security technology to change the behaviour and prevent the occurrence of insider fraud in the first place. Maeson will reveal how experience built up in national security and financial applications over the years has led to the development of an approach to application integrity coupled with human integrity, through the use of biometric strong authentication, along with digitally-signed and timestamped data, which is then retained as original evidence without the risk of repudiation from the user.
Bridging points to a Cloud Access Security Broker (CASB): the roles of Web and DLP
Craig McGee, Sales Engineer – Sub Saharan Africa, Forcepoint
CASB is a big discussion point in organisations and companies worldwide. There is a huge push for it, but there is still some caution about embracing CASB. Have companies understood the correct reason for deploying a CASB in their environment? Some might not know how to do it. Forcepoint believes that Web and DLP play a significant part in a CASB journey and that these two historic assets must not be overlooked as the starting points for that journey. Web and DLP will support the adoption of CASB. In the presentation we will unpack Web and DLP and the roles that they should be playing in the initial phases of CASB adoption. DLP will ensure that you have your data controls in place as you start your CASB journey. Web will help ease the CASB journey by easily moving managed users inline into the CASB service:
- DLP will be a determining factor in determining the pass/fail of onboarding CASB
- Use the Web egress point to seamlessly onboard corporate personnel into your CASB environment
Afternoon refreshments and networking
Understanding the different approaches to EDR – which one is right for you?
Dominic Richardson, CMO - Africa, Panda Security
EDR (Endpoint Detection & Response) is the new buzzword in endpoint security, but what does it really mean? According to Gartner, most EDR tools are not capable of replacing endpoint protection platforms entirely, so it's important to understand the relationship between EDR and traditional EPP solutions. How do you go about choosing the best technology for your business in a landscape where endpoint security has become so integral to your cybersecurity strategy? This presentation will help you answer these questions as well as look at some of the added benefits EDR can offer.
- What is EDR? EDR vs EPP
- Understanding the different technology approaches to EDR and how to choose the right one for your business
- Examining the value of EDR Telemetry and the role of EDR when implementing a Security Information & Events Management (SIEM) solution
Is incident response broken? Why traditional incident response is not stopping cyber breaches
Jason Jordaan, Principal Forensic Analyst, DFIR Labs
The news is filled with stories of massive data breaches and other cyber-attacks directed at organisations, in both the public and private sectors. When organisations discover that they have been attacked or are currently under attack, they often respond to the incident using a variety of incident response and digital forensic strategies, most often designed to try and stop the attack and prevent it happening again. However, despite the incident response process, many of the organisations attacked are rapidly reattacked and compromised again and again, often by the same threat actors. So, what is going wrong? Is there a problem with how we do incident response? The harsh reality is that traditional incident response is failing us, and we need to have an honest reflection of why it is failing.
Traditional incident response was developed in an era where the adversaries were not the same ones that we face now; the threat landscape was in many ways simpler and easier to address. The threats have changed and so too must our approach to incident response. Using data from some of the large incidents happening around the globe, Jason will explore the disjoint between what you need to do when responding to an incident versus how you actually respond to and deal with an incident. He will also examine the conflict between security and business operations when it comes to responding to an incident and highlight the real business risks of current incident response practices.
- Understanding the purpose of incident response and how to be effective in responding to an incident
- Identifying the actual risks to an organisation through current incident response practices
- How to bring security and management together for effective incident response
- Understanding the relationship between incident response and threat hunting
Threat Hunting: seek and you "might" find?
Andrew Lam, Head of Detections, SecureData
Threat hunting has become an item on many CISOs' and CTOs' wish lists as part of their cybersecurity armoury, alongside managed detection and response. Threat hunting, however, is relatively immature, with a heavy reliance on the skills of individuals, and the very nature of the activity makes it difficult to quantify the success and productivity of those individuals. This makes it hard for businesses to justify the spend on the resource, or even to ask existing members of their MDR, SOC or security analyst teams to pursue threat hunting.
Starting small with concentrated hunts and strong hypotheses forms a basis for any threat hunting activity. The metrics and outcomes may not always be apparent, but you will discover things about your network which could become issues in the future. We have taken the approach of looking at hunting activities which are straightforward, such as evaluating IP addresses scanning your network perimeter, anomalous user login activity and DNS request analysis, which provide great insights into an environment. These are clear and directed routine hunts which are achievable in a timely manner. We have now expanded to specific features: mapping detections to kill chain phases and hunting in the gaps where we do not have current capability. This in turn builds better detections which are easier to quantify. We have also progressed into the use of automation and, "I'll say it once only, machine learning". The main point is that there are different levels, time requirements and skills which can be used to start threat hunting, and this activity can be quantified and measured to convince the powers that be that this is a worthwhile activity.
This talk seeks to provide some practical steps on how one can start conducting threat hunting and how to quantify tangible outcomes for threat hunting teams. We will take the example of how this was implemented within an MSSP and how threat hunting can be mapped to established frameworks to provide useful security insights in any IT environment.
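The three routine hunts the talk lists (perimeter scanning, anomalous logins, DNS analysis) plus the kill-chain gap mapping, as an added example written for this page rather than code from the talk or SecureData; the log formats, thresholds and records are constructed assumptions:

```python
import re
from collections import defaultdict
from math import log2
# Constructed sample records in an assumed key=value format (not from the talk or SecureData).
FIREWALL = """\
2019-08-20T02:01:10 DENY src=203.0.113.7 dst=198.51.100.5 dport=22
2019-08-20T02:01:11 DENY src=203.0.113.7 dst=198.51.100.5 dport=23
2019-08-20T02:01:12 DENY src=203.0.113.7 dst=198.51.100.5 dport=445
2019-08-20T02:01:13 DENY src=203.0.113.7 dst=198.51.100.5 dport=3389
2019-08-20T09:15:00 DENY src=192.0.2.44 dst=198.51.100.5 dport=443""".splitlines()
AUTH = """\
2019-08-20T08:02:00 LOGIN user=alice src=10.0.0.12 result=success
2019-08-20T03:14:00 LOGIN user=alice src=203.0.113.9 result=success
2019-08-20T09:00:00 LOGIN user=bob src=10.0.0.13 result=success""".splitlines()
DNS = """\
2019-08-20T10:00:00 QUERY client=10.0.0.12 name=www.example.com
2019-08-20T10:00:02 QUERY client=10.0.0.12 name=x7q2m9zk4vplw.example.net""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """'timestamp EVENT k=v k=v ...' -> dict, with the timestamp under 'ts'."""
    ts, _event, rest = line.split(" ", 2)
    return {"ts": ts, **dict(KV.findall(rest))}

def scanning_sources(lines, min_ports=4):
    """Hunt 1: sources touching many distinct ports on the perimeter (likely scanners)."""
    ports = defaultdict(set)
    for rec in map(parse, lines):
        ports[rec["src"]].add(rec["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)

def anomalous_logins(lines, hours=(7, 19), corp_prefixes=("10.",)):
    """Hunt 2: successful logins outside business hours or from non-corporate address space."""
    hits = []
    for rec in map(parse, lines):
        if rec["result"] != "success":
            continue
        reasons = []
        if not hours[0] <= int(rec["ts"][11:13]) < hours[1]:
            reasons.append("off-hours")
        if not rec["src"].startswith(corp_prefixes):
            reasons.append("external-source")
        if reasons:
            hits.append((rec["user"], rec["src"], reasons))
    return hits

def suspicious_dns(lines, min_len=12, min_entropy=3.5):
    """Hunt 3: long, high-entropy leftmost labels (DGA- or tunnelling-like names)."""
    hits = []
    for rec in map(parse, lines):
        label = rec["name"].split(".")[0]
        probs = [label.count(c) / len(label) for c in set(label)]
        if len(label) >= min_len and -sum(p * log2(p) for p in probs) >= min_entropy:
            hits.append((rec["client"], rec["name"]))
    return hits

KILL_CHAIN = ("Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives")
HUNT_COVERAGE = {"scanning_sources": "Reconnaissance", "suspicious_dns": "Command and Control",
                 "anomalous_logins": "Actions on Objectives"}

def coverage_gaps(coverage=HUNT_COVERAGE):
    """Kill-chain phases with no hunt behind them: where the next hypothesis should go."""
    return [phase for phase in KILL_CHAIN if phase not in coverage.values()]
```

Each hunt returns a list that can be counted per run, which is the kind of tangible outcome the talk says makes the activity measurable.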