Sessions

Detect ’17 Keynote Sessions – Thursday, September 21

9:00 – 9:50am


Keynote: Cyber Security and the Threat of a Cyber Attack

General Michael Hayden is a leading expert regarding our nation’s cyber security. He was on the frontline of geopolitical strife and the war on terror when communication methods were being revolutionized, and he recognized that the world of information was changing rapidly. Hayden understands our nation’s need to adapt to our ever-changing informational landscape and the dangers, risks, and potential rewards of our digital security situation. For these reasons, he is often turned to by media outlets for his expertise. Having served as the number one military intelligence officer in the country, he discusses geopolitics, cyber security, our vulnerabilities and challenges, the threat of a real attack, and its potential ramifications.

Speaker: General Michael Hayden, Former Director of the Central Intelligence Agency and the National Security Agency


10:10 – 11:00am


Keynote: Kingpin: Privacy, Crime and Security Online

If anyone knows the inner workings of internet security systems, it is Kevin Poulsen. This former hacker and cybercrime expert is now a respected journalist working as the senior editor at Wired.com. Audiences will learn from his first-hand experience what cybercriminals will do to steal your privacy and corrupt your online security. Poulsen outlines the various security vulnerabilities that could exist in your company, and what you need to do to improve your IT systems.

Speaker: Kevin Poulsen, Cyber Crime Expert and Author of Kingpin


11:00 – 11:50am


Keynote: “Global Security for the 21st Century: Managing Your Organization’s Cyber Risk” or “A 360 Degree Outlook On The Global Security Landscape”

Cyber risk is an international challenge that requires non-traditional collaboration. Widely recognized as one of the world’s top security experts, Michael Daniel draws on his role as former White House cybersecurity coordinator to provide a global outlook on security and risk management in the 21st century. Breaking down the short and long-term challenges we face as a society and those that affect the public and private sector, Michael also stresses the importance of collaboration and information sharing across business and industry as key to effective defense against online adversaries. With the internet’s increasing pervasiveness, Michael’s insights are crucial to a comprehensive knowledge of today’s security landscape, including the potential impact of the Trump administration’s approach to cybersecurity and the heightened power of the Internet of Things and Big Data, to thrive in an interconnected world.

Speaker: Michael Daniel, Cybersecurity Coordinator to President Barack Obama (2012 - 2016) & Special Assistant to the President


11:50 – 12:30pm


Keynote: Cyber Security in the Age of Espionage

Cyber security / Protecting yourself and your company online: Recent years have seen a massive increase in cyber theft of private and confidential information from government agencies, businesses and private individuals. The modern spy is responsible for these attacks. Today’s spies are sophisticated, brilliant, devious and technologically advanced, and they are targeting your data. Robert Hanssen was the first of these new cyber spies, charged with selling American secrets to Russia for more than US$1.4 million in cash and diamonds. His ability to exploit computer systems allowed him to protect his identity during a 22-year spy career. Join Eric as he uses real-life spy stories to show how careful diligence, counter-espionage techniques and restraint in social media can help identify the numerous spies, hackers, hacktivists and trusted insiders that threaten every stroke of the keyboard.

Speaker: Eric O’Neill, General Counsel, Investigator & Spycatcher


Detect ’17 Track Sessions – Thursday September 21

2:40 – 3:30pm


Acceleration: The Critical Component and Recipe for Closing the Gap on Cybercrime

What is the recipe for acceleration? There are lessons to be learned from the poster child on how to accelerate innovation, knowledge and capabilities to elevate one’s cyber game: information superiority and a proactive defense in cyber to increase our preparedness.

Speaker: Maria Vello, Chief Operating Officer – Cyber Defense Alliance


Intelligence Led Security Operations for the Financial Services Industry

Join Travis Farral, Director of Security Strategy at Anomali, as he leads a panel of leading financial services security operations executives in a discussion focused around “Intelligence Led” security programs. Travis will be joined by AIG, BNY Mellon, Citi, and S&P Global to discuss how the management of intelligence is critical for key stakeholders within their organizations. The overwhelming and ever-increasing amount of threat intelligence data must be automated, managed and integrated into existing customer environments, especially the event management systems which are capturing all the signals coming from the business. In addition, collaboration among the internal teams and external collaboration with other organizations is also a must-have to increase the effectiveness of the security operations teams.

Panelists: Marco Maiurano, Director of Intelligence – AIG
Grey Burkhart, Director, Head Cyber Threat Intelligence Group – BNY Mellon
Steven Kim, Client Services and Collection Management – Citi
Thomas Stephenson, Director, Cybersecurity Operations and Threat Intelligence – S&P Global


Cook County -- Developing a Successful County-Level ISAC

The Cook County Department of Homeland Security and Emergency Management, Information Security Office set out to provide a mechanism for a stronger, collaborative front against malware, distributed denial of service attacks, ransomware and other cybercrime, especially for municipalities and communities with limited resources. Additionally, the team needed to create an effective threat notification service that formats alerts that are actionable for security specialists yet are easily understandable for city and county analysts. The Cook County Cyber Threat Intelligence Grid (CCCTIG) integrates with existing infrastructure but allows for sharing with external entities in a secure manner and provides a security solution for smaller communities that cannot always afford the cost of other cybersecurity solutions. Join our conversation to learn how the CCCTIG was able to provide participating municipalities with access to a secure platform which shares a wealth of cyber-threat intelligence, including bad actors, malicious campaigns and security incidents.

Speakers: Ricardo Lafosse, CISO – Cook County ISO
Katie Kolon, Cyber Threat Analyst – Anomali


Meaningful Metrics for Intelligence Operations

Measuring metrics is probably one of the most challenging—and often counterproductive—tasks a manager performs; doing so in the area of cyber-threat intelligence is no exception. As if the process of developing, measuring, and reporting them wasn’t hard enough, the ever-elusive hurdle remains of actually leveraging them to improve operations. As we’ve worked with customers over the past year to build and mature cyber-threat intelligence programs, we have developed a few methodologies which we would like to share. Our objective was to not only develop meaningful quantitative metrics to express work done, but to move past that into developing qualitative metrics capturing outcomes and effects. This session will look at some of the fundamental principles of intelligence operations and illustrate how incorporating them into the INFOSEC-management processes can produce meaningful metrics to drive process improvement and program maturation.

Speakers: John Holland, Cyber Threat Intelligence Analyst - Anomali
Paul Sheck, Senior Threat Research Analyst – Anomali


Expectations of Machine Learning as a New Cybersecurity Tool

In the past decade many fields like healthcare, transportation, biology and robotics have seen a renaissance from machine learning technologies. Will the same be true for cybersecurity? Many cybersecurity practitioners are skeptical of the technology. One skeptical perspective argues that dollar-driven promotion is used to justify overly ambitious claims. On the other hand, cybersecurity experts often make claims of ML futility based on an ill-informed understanding of the technology and limited experience.

This talk will examine popular claims about machine learning. It attempts to cut through buzzwords and address skepticism from cybersecurity practitioners, providing a more solid understanding and fair expectations of the future of machine learning in cybersecurity. We discuss how to think about threat intelligence indicators, signatures, and machine learning models. Machine learning can complement humans, through reinforcement learning and through interpretable model explanations. We illustrate how effective machine learning requires good data, subject matter familiarity and statistical modeling expertise.

Speakers: Evan Wright, Principal Data Scientist – Anomali
Akshay Kumar, Data Scientist – Anomali


3:40 – 4:30pm


Integrated Threat Intelligence

The security world is awash in vendors, all selling products and point solutions to solve all your security needs. Each vendor wants to sell you their threat intel feeds, and in the end you can end up with a hodgepodge of siloed systems with no consistent dataset. The power of any good information security architecture is how to make all of these systems work together.

In this talk we will discuss the speaker’s experience in implementing an integrated threat intelligence and automated response system, and some practical steps on how to do this in your environment as well.

Speaker: Jessica Ferguson, Director Information Security Architecture - Alaska Airlines


Cyber security and the 323-year-old bank: Using threat intelligence to tell your story and inspire your people

Cyber security is a people challenge every bit as much as it is a technical challenge. Unlike technology, people need motivating, educating and inspiring, and when you get this right, your people become your first line of defense. This presentation will show how the Bank of England has used threat intelligence to tell the story of why cyber security matters in a 323-year-old organization and how threat intelligence drives risk, policy, education and investment as well as threat detection.

This presentation will cover:

  • Getting dissemination right, making sure that your reports don’t just sit on the shelf
  • Reaching the hard to reach: Communicating threat intelligence to different audiences
  • Specific tips and lessons on executives and board members
  • Setting the tone – working with people on day 1 in the organization
  • Driving threat detection using intelligence-based use cases rather than processing IoCs
  • The role of threat intelligence in education and awareness

Company: Bank of England


Cyber threat intelligence: Building and maturing an intelligence program that supports the business, not just the SOC

This talk is about identifying the characteristics of a mature cyber threat intelligence program and how it can be measured. Traditionally, intelligence has been about providing decision support to executives, whilst the field of cyber threat intelligence supports this customer type and also network defenders, who have different requirements. By using the intelligence cycle, this talk will seek to help attendees understand how they can identify what a mature intelligence program looks like and the steps to take their program to the next level.

Speaker: Mark Arena, CEO - Intel 471


Threat or not? Actionable threat intelligence based on informed decision making

Learn how an analyst can trigger active blocking on, for example, a firewall by leveraging threat context from Threat Intelligence Platforms. The session covers the pros and cons of analyst-driven versus fully-automated countermeasures when responding to threats. A use case will show not just how threat intelligence can be applied, but how it makes the already existing security infrastructure much more effective.

Speaker: Frank Lange, Principal Security Architect – Anomali


Counter Intelligence

Actively collect threat intelligence. Find and engage your adversaries. Fill in the blanks and track bad actors. We will go over what to do with your phishing email, detecting phishing and bots in your web logs, and creating campaigns to track adversaries.

Speaker: Anthony Aragues, VP Security Research – Anomali


4:40 – 5:30pm


Defining Cyber Threat Hunting: What is it and what is it not?

You've deployed firewalls, tuned the IPS, installed endpoint protection, set up the SIEM, and integrated Cyber Threat Intelligence (CTI) feeds, but this still may not be enough to detect the malicious actors already within your network. With the ever-changing threat landscape and fading network perimeters, chances are very high that you already have Advanced Persistent Threats (APT) lurking inside your network. Today's malicious adversaries are skilled in camouflaging their actions to bypass common detection methods and blend in with typical network activity. With this in mind, it is often necessary to move from an alert-driven response to analysis-driven threat hunting, which aims to contain and minimize damage from these APTs. You are likely doing some of this today informally.

This talk will define what cyber threat hunting is, and most importantly, what it is not. We will discuss how to build a cyber threat hunting program within your organization, identify the skillset of an ideal analyst, and present some tools and processes to make the program successful. We will describe how we built a cyber threat hunting program, what worked, and what did not work so well. Our objective is to arm you with the knowledge to effectively leverage cyber threat hunting to detect malicious adversaries within your network.

Speaker: Jeff Weaver, Sr. Network Security Engineer – Donnelley Financial


Know Thy Enemy

“Know Thy Enemy”, in which we try to dispel some of the myths surrounding attackers emanating from the DDW (Deep and Dark Web): they are not a homogeneous group of all-knowing cyber ninjas like the movies portray them. To effectively mitigate the threat, it pays to follow Sun Tzu’s advice to know yourself and your enemy. In this talk we offer some characteristics that can be used to differentiate between different types of adversaries and illustrate these cases with examples from the recent past and current events.

Speaker: Maurits Lucas, Director of Strategic Accounts – Flashpoint


Typecasting Villains: Importance of Threat Actor Profiling in your Enterprise

The current state of threat intel in the enterprise is in shambles. Management doesn’t know the actual risks to the organization, IR teams are flying blind in incidents, and SOCs have no indication what they should be hunting for.

For many years, it was believed that threat actor attribution was both impossible and provided little to no value to most enterprises. But by using threat intel platforms, organizations can provide context to their analysts through the analysis of an actor’s behaviors, motivations, and capabilities. This leads to all stakeholders being better informed of current risks, in addition to better predicting the risks they will encounter tomorrow.

Speaker: Greg Mathes, Network Security Engineer - Arvest Bank


Cyber Insurance, Mergers and Acquisitions: Using Historical Events to Quantify Risk

Understanding the metrics considered whilst pricing a cyber insurance policy can be difficult. From the insurance provider’s point of view, determining risk, then underwriting and pricing, are based on risk assessments and exposure factors. Calculating these can be a drawn-out process that may include interviews, questionnaires, security audits and complex actuarial calculations.

Similarly, after a merger or acquisition there are immediate benefits and cost savings to be gained by consolidating infrastructure and connecting disparate networks: but how do you know that you’re not jeopardizing existing security controls by connecting to a network and systems with a lower level of cyber hygiene than your own? What new risks are being introduced and how are these best quantified?

This session will suggest alternative uses for historical data beyond breach analytics and threat hunting. Comparing millions of observables retrospectively against logged events allows an almost immediate view of previously undetected threats and responses to known attack vectors. These point towards an entity’s overall security posture. Related trends can be used to determine relative risk or as a basis for due diligence.

Speaker: Niall MacLeod, Sales Engineering Manager EMEA – Anomali


Intel Sharing and The Threat Sharing Evolution

Intelligence and indicator sharing has come a long way from the dark ages of private forums to the current state, where Threat Intelligence Platforms are regularly leveraged in operations centers across the globe to triage and disseminate actionable information. This talk will focus on the history of information sharing, current state where modern Information Sharing Analysis Centers and Organizations are leveraged to automate Incident Response processes, and end with a look at the near-term future.

Speaker: Alex Rifman, Director of ISAC Operations – Anomali

Detect ’17 Keynote Sessions – Friday, September 22

9:10 – 9:45am


Utilizing Deep & Dark Web Intelligence to Address Insider Threats

Insider threats arise when rogue employees exploit access to their organization’s sensitive internal information for personal or political gain. With much attention placed on mitigating external attacks, many organizations may not be aware of potential threats posed by current or former employees. Organizations seeking to gain full visibility into these threats require access into illicit communities, including forums and marketplaces on the Deep & Dark Web, which requires highly-advanced operations security, and an intimate familiarity with malicious insiders’ techniques, tactics, and procedures (TTPs). This presentation will examine use-case examples to illustrate how organizations have utilized Deep & Dark Web Intelligence to address and mitigate challenges such as intellectual property theft, insider recruitment, employee verification and insider trading.

Speaker: Tom Hofmann, VP Intelligence – Flashpoint


9:45 – 10:30am


ISAC Panel

The ISAC panel is a discussion with leaders in the ISACs to share experiences, processes and challenges. It will provide an insight into the ISACs and what differentiates them from each other. ISACs bring a focus on a particular context and relevance that works well when compared to and fed from a set of global threat intelligence. ISACs also focus heavily on information sharing and how to get the most from it. Anomali is the threat intelligence sharing and management platform for several ISACs.

Panelists: IT-ISAC, Automotive ISAC, NCFTA, EnergySec, R-CISC


Detect ’17 Track Sessions – Friday, September 22

10:40 – 11:30am


Closing the Threat Intelligence Gap with DNS

Today an incident response investigation may begin when a suspicious IP address, domain name or other indicator of compromise is discovered. Yet without additional context for these IoCs, the investigation may stall -- wasting precious time and resources for the security team while leaving the organization vulnerable to attack. In this presentation, “Closing the Threat Intelligence Gap with DNS,” Internet pioneer and Farsight Security CEO and Cofounder Dr. Paul Vixie will reveal the rich context that only the Domain Name System (DNS) can provide investigators, since every online transaction, good or bad, begins with a DNS lookup. Dr. Vixie will demonstrate how visibility of the global DNS can reveal new information about a given IP address or a domain name that advances the investigation. Pulling on these newly revealed IP addresses and name servers will lead to more domain names of interest, etc. When you're done investigating, you'll have new threat intelligence about "what's connected to what" in your specific incident investigation to enable faster response and mitigation.

Speaker: Paul Vixie, CEO - Farsight Security, Inc.


Anatomy of Criminal Hosting Infrastructures

Malware, phishing, cybercrime forums, and stolen credentials shops are commonly hosted on bulletproof hosting (BPH) servers. The “don’t ask, don’t tell” tone of these infrastructures fosters the perfect environment for criminals of every breed to wage attack campaigns or host illegal content, without the fear of takedown by law enforcement agencies. As malware campaigns and illegal marketplaces gain more momentum, criminal hosting continues to be a thriving industry. This talk will dissect recent threats, uncovering not only how they affect their victims, but how their criminal hosting infrastructures are harvested and maintained. In addition, Dr. Mahjoub and Atheana Altayyar will drill down on specific use cases and showcase compelling stories through live demos of Cisco Umbrella Investigate.

Speakers: Dr. Dhia Mahjoub, Head of Security Research – Cisco Umbrella
Atheana Altayyar, Product Marketing Manager – Cisco Umbrella


Using Threat Intelligence to Match Botnet Activity and Investigate Enterprise Threats

Concept: How AT&T uses threat intelligence to monitor botnet activity and identify botnet-related threats to its internal Enterprise. We will show how threat intelligence is used and generated in botnet analysis. We will demonstrate botnet tracking and contribution to threat intelligence. We will also demonstrate how threat intelligence queries are used to match internal enterprise data to known botnet intelligence to monitor for participation, recruitment, etc., of known assets.

Speaker: Joe Harten, Director Technology Security - AT&T
Manny Ortiz - AT&T


Proactive Network Security with Threat Intelligence

In the field of information security, incident and event response time is critical in reducing the potential damage that a realized threat can cause. In the case of the U.S. Cellular Network Security team, our highest priority is network availability, and with the legal obligations of the business as a telecommunications carrier, the tolerance for downtime is zero. As such, it is of the utmost importance that we prevent threats from becoming realized. We are constantly pushing towards a more proactive approach to network security, so the question we often ask ourselves is: what can we do to protect our network and subscribers in a transparent way?

Speaker: J Luigi Esposito, Network Security Engineer – U.S. Cellular


11:40 – 12:30pm


Internet of Things: You Must Define it Before You Secure It

Within the industry there is no agreed upon definition of Internet of Things (IoT) as a device category. This lack of definition makes it difficult to have security baselines and fit these devices into current security paradigms. This presentation will propose a definition for IoT and review current threats in the IoT space.

Speaker: Michael Young, Vice President, Senior Technical Manager – Bank of America


From the Trenches and Beyond: How Not to do Intel Sharing

Information sharing isn't as simple as telling what you know to others. When during an investigation should you share even if it might hurt your response efforts? Should you shout it from the rooftops, or only share with tight knit, trusted communities? Should you call out indicators as being specific to a given intrusion or attacker, or simply mix them in with other indicators of badness?

Starting with the US-CERT EWIN-11-077A in early 2011 we'll talk about vetting of information, circles of trust, timeliness, and appropriate(?) use of shared information. We'll touch on efforts to improve on information sharing during the NASDAQ and RSA responses. We'll pivot to the OPM intrusion, and wrap up by discussing GRIZZLY STEPPE and the DHS Automated Indicator Sharing (AIS) program.

Speaker: Chris Hallebeck, Director, Endpoint Detection and Response (EDR) Team – Tanium


There is More to Structured Analytic Techniques Than Just ACH

As private sector intelligence capabilities and tradecraft continue to evolve, structured analytic techniques (SAT) are being incorporated into intelligence programs. Driven in part by events including WannaCry, the Analysis of Competing Hypotheses is perhaps the most featured SAT in use today. In this talk, Rick will highlight additional SATs that can be leveraged to reduce the uncertainty within intelligence assessments. Rick will discuss specific use cases and highlight the pros and cons of different approaches.

Speaker: Rick Holland, Vice President Strategy – Digital Shadows


Sharing Threat Intelligence Should be Sexy

Threat intelligence sharing is not happening nearly as prolifically as it should be. Organizations are widely becoming involved in industry and government sharing programs but how active are they in sharing their own intelligence vs. simply consuming what is provided? There is a lot being missed by not sharing more actively and there are several more considerations that could lead to much strengthened security. This talk will consider the topic of sharing intelligence and discuss several ways that further value could be delivered through it.

Speaker: Travis Farral, Director Security Strategy – Anomali


Continuous Security Validation and Threat Intelligence - Measuring Security and Quantifying Cyber Risks

Enterprises have invested extensively to address the evolving threat landscape, but security effectiveness remains a guessing game. The problem is, enterprise security teams cannot be sure of the effectiveness of their security controls once they are in place. At the same time, they are under pressure to quantify their cyber risks. In this session, we will explore how continuous security validation using threat intelligence enables organizations to address security effectiveness, quantify risk and deliver peace of mind to key stakeholders.

Speaker: Gautam Aggarwal, Head of Products, NSS Labs


2:10 – 3:00pm


Automated Indicator Sharing (AIS) 2.0 – What’s Next?

This presentation will focus on outlining the various capabilities and features that the NCCIC is considering for the next phase of the AIS Program, to include: moving beyond basic indicator sharing to analytic sharing, Sightings, Context, Analyst Notes, Course of Action, STIX 2.x, MISP Interoperability and more.

Speaker: Omar Cruz, Project Manager - Department of Homeland Security


Web-based malware: Why overt is too late

Information security leaders inherently know that managing malware data requires a paradigm shift and that traditional security defenses are inadequate against web-based malware. In order to fortify their enterprise’s security posture against web-based threats, analysts need to recognize that overt is too late. In this session you will:

  • Learn why traditional defenses, including web filters and public threat intelligence feeds, fail to sufficiently protect organizations against malware that enters your enterprise network through everyday internet use at work.
  • Discover how legacy defense strategies backfire as employees get funneled to malware-infested websites.
  • Understand how both the quality of threat intelligence feeds and the way they are used determine the strength of an enterprise’s security posture in more ways than one.
  • Uncover how your enterprise website is as much a contributor to the perils and promises of the Internet as every other website.

Speaker: Chris Olsen, CEO & Founder – The Media Trust


Your Rock Star CTI Team Isn’t Delivering Business Value

Companies large and small continue to add Cyber Threat Intelligence (CTI) to their list of competencies, but hiring an all-star group of analysts doesn’t necessarily guarantee business value. Over the last 2 years assisting clients with building, rebuilding and assessing their CTI capabilities, one thing is clear: without proper process parity it’s difficult to show business value.

This talk focuses on how to capitalize on your technical talent, with anecdotes and lessons learned from program development from published research. Whether you have one part-time analyst or a team of a hundred full-time CTI experts, success lies in how well your program and processes are structured and developed.

We will talk through and dissect the three most commonly encountered cases and provide real world examples of what it takes to create a business-valuable CTI function that works for you.

Speaker: Rafal Los, Managing Director, Solutions & Program Insight - Optiv Security, Inc.


Grandmothers, Gangsters, Guerrillas and Governments

This presentation will explore threat actors including insiders, cybercriminals, hacktivists and nation-states. Historical juxtaposition, detailed use cases and personal stories across two decades, 50 countries and six continents will help the audience better understand these threat actors.

Threat actors are motivated by financial, political and personal reasons. They act alone or in concert with others. Regardless, we hear all too often about attacks risking lives, destroying assets, threatening national security, and damaging businesses. In this presentation, we will explore profiles of each threat actor type to better understand the risks that each pose. By better understanding our enemies, our security can be more effective.

This presentation will translate the “who, how and why” of cyberattacks. We will identify multiple “old school” and modern-day threat vectors and organize attacks by motives like sabotage and espionage. Each threat actor type will be explored in detail with real-life use cases and personal accounts. The examples used will illustrate the diversity in threats, methods, motivations, and organizational responses.

Speaker: Brian Contos, CISO – Verodin


WannaCry Response: How Information Sharing and IOC Collection Made a Difference in Healthcare

The HITRUST Cyber Threat XChange (CTX) is an automated intelligence sharing system used by payers and providers across the nation. The HITRUST CTX collects IOCs from the many attack vectors within an organization while automating the sharing through the Anomali trusted circle, providing participants with significant IOCs to greatly reduce the risk of compromise.

HITRUST’s Cyber Lab, in partnership with Anomali and Trend Micro identified WannaCry IOCs two weeks in advance of the WannaCry Ransomware attack. CTX members were able to automatically receive indicators, update defenses, and stop the WannaCry threats before systems were compromised. This presentation will highlight lessons learned from CTX and demonstrate how intelligence sharing helped Healthcare prevent a ransomware breach.

Speaker: Elie Nasrallah, Director of Cyber Security Strategy – HITRUST


3:10 – 4:00pm


Securing Against Advanced Threat Adversaries

As organizations continue to adopt Hadoop for IT Operations and cybersecurity use cases they are faced with a fundamental question: How do you make sense of, and understand the relationship between, log files and telemetry data from (in many cases) hundreds of systems inside the enterprise? Going further, are there choices to be made that grow or shrink the eco-system of complementary products?

Apache Spot tackles this question head on with the Spot Open Data Model (ODM). Spot’s ODM provides a simple and powerful taxonomy that combines telemetry data, log data and context data to create hyper enriched entity views based on Network, Endpoint and User. This enriched data set can then be used to drive efficiencies in SOC operations, enable new use cases and ML / AI based analytics.

Speaker: Rocky DeStefano, Cybersecurity SME – Cloudera


Hunting as an Intelligence Source

As endpoint security solutions proliferate, information security professionals are increasingly exposed to rich, action-worthy telemetry they have rarely experienced in the history of securing enterprises. This kind of data in the hands of an intentional, operationalized hunting organization can create an interesting condition where it is difficult to distinguish between a threat hunter and an intelligence analyst. Is this intelligence-driven security, or is it security-driven intelligence? Where does hunting fit into the intelligence lifecycle? We will discuss these questions and suggest some answers based on our experience building, scaling, and optimizing a 24x7 threat hunting organization that behaviorally detected nation-state actors almost daily.

Speakers: Bryan Geraldo, Director, Professional Services & Customer Success – Anomali
Kris Merritt, Co-Founder – Vector8


Incorporating Threat Intelligence into a World-Class Third Party Risk Program

The days of self-assessment questionnaires being sufficient for evaluating third party risk are long gone. As regulators focus more and more on third party risk, organizations will need to build adaptive programs to manage that risk; otherwise they will not only needlessly expose themselves to such risk but also face regulatory penalties for failing to properly control their third party ecosystem. This talk will provide guidance on building such an adaptive third party risk program by illustrating how third party risk cannot properly be managed without incorporating threat intelligence into the assessment process.

Speaker: Cody Wamsley, Associate, Data Privacy & Cybersecurity – McDonald Hopkins


Making the Most of Your Threat Intelligence Platform

Threat Intelligence Platforms have quickly become a must-have capability for organizations combating today’s online threats. However, many of these organizations have yet to leverage the full potential of these platforms. This session will cover best practices, real-life use cases, and lessons learned from industry experts who have successfully integrated a Threat Intelligence Platform into their security infrastructure.

Speaker: Ryan Clough, Senior Product Manager – Anomali


4:10 – 5:00pm


Threat Intel, SIEM & GRC – Where's the Risk?

Incorporating threat intelligence into existing security controls (for example, a SIEM that surfaces real-time communications between internal assets and known malicious entities) is only part of the context organizations need to understand the true risk to the business. Integrating threat intelligence into real-time correlation engines, coupled with asset management knowledge and context, pays dividends in understanding the real risk to the business.

Speaker: David Empringham, Principal Sales Engineer – Anomali


Extracting Reliable Threat Intelligence from Malware

We all want bad actors out of our network, but how do we best determine the quality of the indicator intelligence about those bad actors? Domains and IPs can come from a variety of sources, such as malware code, malware execution, passive DNS, indicator registration data, and a variety of internet-hosted repositories.

This presentation will walk through the identification and collection of malware threats such as ransomware and credential harvesting malware in the context of NCFTA’s malware analysis work. We’ll review techniques for filtering malware indicators whose quality is complicated by factors such as the use of Tor, shared hosting, Domain Generation Algorithms, and domain parking. After indicators are filtered to ensure quality, we discuss operationalizing these indicators in the enterprise and then sharing them with trusted parties.

Speaker: Evan Wright, Principal Data Scientist – Anomali


Tightening the Noose on Exploit Kits Using pDNS

The Web has always been a questionable place, and over the last few years awareness of Exploit Kits has increased, showing just how dangerous the web can really be. The battle against Exploit Kits (EKs) is a cat and mouse game, and unfortunately we are definitely the mouse. As the tricks the EKs employ shift, it's a matter of reducing the time between detection and mitigation. This is a high stakes game and the pieces move quickly, as the domains and IPs used are very short lived.

With this methodology leveraging Passive DNS and ThreatStream, the defender's odds are improving by tightening the noose around first detection and reducing the time to mitigate these nefarious domains. Using pDNS data and WHOIS registrant information, the idea is to take known malicious and compromised domains, detect newly activated subdomains, and get them to customers to mitigate as soon as the data is available. Additionally, information harvested through indicator expansion is used to identify previously unknown domains and subdomain patterns for future identification and mitigation.

Speaker: Paul Sheck, Senior Threat Research Analyst – Anomali


Cloud Native Infrastructure – What it Means for the SOC

The past couple of years have seen the adoption of technologies like Docker, Mesos and Kubernetes by enterprises wanting to build highly elastic and resilient services, supplanting the virtual machine and bare metal server. As a result, the traditional perspective on securing that infrastructure needs to change from the ground up. In addition, this new technology presents new types of attack vectors that require a different approach to detection and remediation. In this talk, we will cover these topics, discussing the technical and cultural changes, how they impact the enterprise, and how to adopt these new technologies securely.

Speaker: Glenn Russel, Director of Engineering – Anomali