Security BSides Atlanta - "The Business Doesn't Care..."

•

1 j'aime•755 vues

This is my talk from Security BSides Atlanta ... the talk discusses how the disconnect between security and business keeps getting wider, why, and what to do about it.

Technologie

The Business Doesn’t Care
…and its your fault.

Rafal Los – „Wh1t3Rabbit“ – Enterprise & Cloud Security Strategist – HP Software
Security BSides Atlanta

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Follow me down the rabbithole.

© Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

“Security” is estranged from business
Why?

A vast amount of IT Security professionals are distant from their business.

• Why is this?
–what are some of the reasons you think this is true?
• What are the results?
–what are some of the observed results?

3 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

This is an …

4 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

And this is an …

5 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

That was too easy …
6 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Define Risk
1. First definition
2. Second definition
3. Third definition

7 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Define
Vulnerability
1. First definition
2. Second definition
3. Third definition

8 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

9 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Security IS part of the business.

…but what does that
mean, really?
• Is your CISO/CSO on the executive board of the
company?
• Does your CISO/CSO have executive power?
• …what does this mean?
10 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Relating Security <> Business

What are the 3 of your company’s board-
level goals for the next fiscal year?
1. Goal 1
2. Goal 2
3. Goal 3

11 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

The bridge between Security | Business is out.

12 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

We speak “security talk”

vulnerabilities
SQL Injection, XSS, …
0-day attacks
hacking
critical, high, medium…

13 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

“The business” speaks a different language

Leveraged risks
Business exposures
Cost of capital
Velocity of change
Shareholder value

14 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Driving off the risk/reward cliff …blind

15 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Oh …

16 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

No what? How do you succeed?

• “Speak business language”
• cliché …but how?
• How do you relate IT risks to
business risks?

17 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Get to know your business

Get to know your business
• what does your company really do?
• what does your board care about?
• what gets your CEO his or her bonus?
• what do analysts say about your company?
• what do your customers care (or not) about?

What are your company’s business exposures, risks?
• what are your market risks from doing business?
• what are your critical business exposures?
• how can the CISO/CSO help mitigate those issues?

18 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

How can we relate IT to business ‘security’?

How would you convince
your CEO that a SQL
Injection vulnerability can
sink their shareholder
value?
19 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Ultimately “IT Security” will evolve

20 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Security Ops vs. Security Strategy

Security Operations (SecOps) Security Strategy

• Operational security group • IT “risk” advisory consulting
• Traditional firewall controls • Align to risk management, legal
• Day-to-day security technology • Review, relate, advise the business
VS
• Not a separate IT unit (“security”) • Independent, small, agile group
• Infused into operational IT groups • Report into CRO, CFO
• server management • eliminate conflict of interest
• network management • get “closer to the business”
• desktop management

21 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

It is possible to do both

“Serve the business”
Reduce IT vulnerabilities

22 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here

Thanks for learning something.
Follow me on Twitter:
@Wh1t3Rabbit

Read my blog:
hp.com/go/white-rabbit

Listen to the podcast:
podcast.wh1t3rabbit.net (or iTunes)

Discuss on LinkedIn:
23 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information
contained herein is subject to change without notice. Confidentiality label goes here
Join the ‘SecBiz’ group

Contenu connexe

Tendances

Prevent Getting Hacked by Using a Network Vulnerability Scanner

GFI Software

Enumerating your shadow it attack surface

Priyanka Aash

Although SIEM has been the cornerstone of security data analysis for years, it has struggled to meet the data triage and analysis needs required for incident response and hunting. It is too slow, difficult to use, and is often inadequately tuned or maintained to be helpful for on-demand data analysis. In this session we’ll explore new security analytics technologies – rapid search, natural language, pattern-based correlations, and unstructured data – that can extend the on-demand data analysis of the SIEM to improve threat hunting and accelerate incident response. Presented at AusCERT: May 25, 2016.

Security Analytics for Data Discovery - Closing the SIEM Gap

Eric Johansen, CISSP

Over the last several years, we have seen that attackers are innovating much faster than defenders are. This trend is steering many companies to look towards cyber threat intelligence (CTI) to help them navigate today’s threatening landscape. SANS conducted a survey this year to explore who is using cyber threat intelligence and how they are using it. The survey collected responses from 326 IT professionals working in a variety of industries, in all sizes and from many different regions. 69% of the respondents reported implementing CTI to some extent, with only 16% planning not to pursue CTI in their environments. Which side of this percentage do you fall into? The infographic below provides some of the key questions to ask when getting started with threat intelligence, along with data from the SANS survey to show you how others are using threat intelligence.

Alien vault sans cyber threat intelligence

AlienVault

IT Security Initiatives create strategic and operational value to all enterprises; however, many IT professionals do not know how to economically quantify and forecast the benefits of IT security. Additionally, the new digital business ecosystem is resulting in rapid business cycles, which require faster speed and agility in all IT areas and IT services. The new ecosystem, largely caused by the Internet-of-Things, mobility and the Cloud, create a challenge for selecting and prioritizing IT security tools and projects. This session will present an overview of principles, models, trends and best practices, which can have been adopted by individuals and organizations to get right IT security initiatives approved.

Ruben Melendez - Economically Justifying IT Security Initiatives

centralohioissa

One of the most important and yet least discussed aspects of any corporate structure is the incident response framework. As recent events have highlighted, the risk of intellectual property and critical infrastructure being the target of a cyber-attack is quite real. More than ever before, corporate preparation and response plans are necessary for any entity operating in the digital age. This webinar will examine how an organization's incident response framework can help limit the exposure of intellectual property and critical infrastructure to outside, malicious parties. Our presenters will review how to construct corporate response plans that yield best-of-breed preparedness. Our featured speakers for this timely webinar are: -Mike Gibbons, Managing Director, Alvarez and Marsal, former FBI Special Agent as Unit Chief, overseeing all cyber crime investigations -Art Ehuan, Managing Director, Alvarez and Marsal, former FBI Supervisory Special Agent assigned to the Computer Crimes Investigations Program -Gant Redmon, Esq. CIPP/US General Counsel and Vice President of Business Development at Co3

Incident Response in the age of Nation State Cyber Attacks

Resilient Systems

With all the hype around Cloud and SDN, business decision makers are finding themselves trying to navigate through many new concepts and consequently needing to change the way they have traditionally selected their IT infrastructure. Technologies are now becoming more integrated and it is more important than ever to help your business be agile enough to keep up with the demands of your users and your customers. Come hear from Lisa Guess to learn how organizations can embrace Cloud technologies such as automation, SDN and Orchestration platforms to help you build next-generation networks.

Lisa Guess - Embracing the Cloud

centralohioissa

Despite the meteoric rise of cloud based applications and services, as well as its subsequent adoption by a significant number of enterprises, security still remains a major concern for many organizations. The elephant in the room is the misconception that the cloud is less secure than on-premise capabilities. Gartner eloquently describes this as “more of a trust issue than based on any reasonable analysis of actual security capabilities”. A recent global study by BT revealed that 76% of large organizations cited security as their main concern for using cloud-based services. 49% admitted being “very” or “extremely anxious” about the security complications of these services. However according to Gartner, the reality is “most breaches continue to involve on-premises data center environments” Where do you stand on this issue? In this talk. we will debunk the top myths of cloud security, including: Myth 1: We don’t really use the cloud Myth 2: I lose control of my data when it goes to the cloud Myth 3: Cloud is less secure than on-premise solutions Myth 4: I’m at the mercy of cloud vendors for patching Myth 5: Appliances provide greater control over scalability/performance Myth 6: Cloud security is more difficult to manage Myth 7: Cloud resources are more exposed to attack Myth 8: Multi-Tenant Clouds Expose Privacy Concerns Myth 9: Cloud vendors lack transparency Myth 9: Cloud vendors lack transparency Myth 10: Appliances are more reliable than the cloud

Bil Harmer - Myths of Cloud Security Debunked!

centralohioissa

Endpoint threats have entered a new era, and the security industry has been rushing to catch up. The result is a highly fragmented and confusing market that has doubled in size to over 70 vendors in the last four years. We're in the midst of the second great endpoint security consolidation and will discuss precisely what that means. We'll discuss six progressive stages endpoint security will work through as this market continues to mature over the next five years or so.

2016 virus bulletin

Adrian Sanabria

For the past several years, software-defined networking (SDN) has been a popular buzz word in the networking industry. In many ways, networking has always been defined by software. Software is pervasive within all of the technology that impacts our lives and networking is no different. However, networks have been constrained by the way software has been configured, delivered and managed—literally within a box, updated monolithically, managed through command lines that are reminiscent to the days of minicomputers and DOS in the 1980’s. Well, almost.

Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN

centralohioissa

What PCI DSS Taught Us About Security by Dr. Anton Chuvakin

Anton Chuvakin

Five Mistakes of Vulnerability Management

Anton Chuvakin

2015 Cyber Security

Allen Zhang

Continuous Monitoring and Real Time Risk Scoring

Q1 Labs

Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?

Source Conference

NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida

North Texas Chapter of the ISSA

Data Security: What Every Leader Needs to Know

Roger Hagedorn

In January, the FDA has draft recommendations for medical device security after the sale. Among other things, the recommendations tell manufacturers how to evaluate security risks, how to build a program for coordinated vulnerability disclosure program, and how to intake vulnerability reports from researchers. While the security of medical devices is especially important given the potential consequences, we can learn from the FDA recommendations regardless of our industry. Any recommendations adopted by the FDA for medical devices are likely to be implemented across other verticals for their IoT devices as well. Whether you manufacture, purchase, integrate, implement, or generally try to run away from IoT devices, there’s plenty to take away from this session while learning about the future of IoT device security.

Jake Williams - Navigating the FDA Recommendations on Medical Device Security...

centralohioissa

Today, determining risk of a cyberattack is the generic vulnerability or malware rating ignoring aspects of how the business is impacted. Understanding the vulnerability state of the network, reputational risk, business loss, cost of IR and reconstitution cost are rarely understood. This presentation will show a data-driven approach to IR prioritizing response based on risk and business impact. (Source: RSA USA 2016-San Francisco)

Make IR Effective with Risk Evaluation and Reporting

Priyanka Aash

IBM Security Services Overview

Casey Lucas

Tendances (20)

Prevent Getting Hacked by Using a Network Vulnerability Scanner

Enumerating your shadow it attack surface

Security Analytics for Data Discovery - Closing the SIEM Gap

Alien vault sans cyber threat intelligence

Ruben Melendez - Economically Justifying IT Security Initiatives

Incident Response in the age of Nation State Cyber Attacks

Lisa Guess - Embracing the Cloud

Bil Harmer - Myths of Cloud Security Debunked!

2016 virus bulletin

Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN

What PCI DSS Taught Us About Security by Dr. Anton Chuvakin

Five Mistakes of Vulnerability Management

2015 Cyber Security

Continuous Monitoring and Real Time Risk Scoring

Anton Chuvakin - So You Got That SIEM, NOW What Do You Do?

NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida

Data Security: What Every Leader Needs to Know

Jake Williams - Navigating the FDA Recommendations on Medical Device Security...

Make IR Effective with Risk Evaluation and Reporting

IBM Security Services Overview

Similaire à Security BSides Atlanta - "The Business Doesn't Care..."

What does ‘secure’ mean? Many security professionals work in information security for a large portion of their careers without ever being able to contextualize what they contribute to the businesses they work for - a crying shame. Being able to make sense of all the security-related process changes, widgets, technology and testing is critical to not only being successful at changing the mindset and culture of your business - but to actually making a lasting long-term impression. The only way to do this is to find ways to add business-context to security metrics - creating pseudo-business/security KPIs. This talk focuses not on how to ‘hack’ but how to effectively protect… and to make it relevant to your business so that it matters.

Making Measurable Gains - Contextualizing 'Secure' in Business

Rafal Los

Ultimate Hack! Layers 8 & 9 of the OSI Model

Rafal Los

Rafal m. los wh1t3 rabbit - ultimate hack - layers 8 & 9 of the osi model -...

Atlantic Security Conference

Retail security-services--client-presentation

Joseph Schorr

"Thinking diffrent" about your information security strategy

Jason Clark

Software Security Assurance - Bruce Jenkins

IT-oLogy

However, what’s interesting is that the CISOs we spoke with say neither of these approaches effectively solves the problem. Quantitative risk analysis isn’t the end all, be all. Just because a risk is scored at 98 out of 100 doesn’t mean it will be remediated. Besides cost, the business significantly influences the decision of whether to spend money. And most surprising to us, in the end, many CISOs told us they ignore all their own data, vendor input and pundit whitepapers and made a gut decision. Let’s be clear: Gut decisions are not useful. Very often they’re based on a confirmation bias, also called confirmatory or “my side” bias. That’s the tendency for people to favor information that confirms their preconceptions or hypotheses, regardless of whether the information is true. If you have a confirmation bias that laptop theft is the largest concern, whether it is or not, you will find a way to get disk encryption to be the highest-priority project. Avoiding confirmation bias can be difficult. The first step is to realize that we’re all prone to it. If you have a tendency to collect a lot of information and then ignore it, or always find yourself debating the rest of the organization on which threats are most imminent, you may be more susceptible than average. Try this exercise: Ask your peers to honestly assess whether they think you frequently make decisions based on gut instinct. Listen to what they say, and understand that it’s almost impossible to build trust with an information source—such as your risk assessment team—if you have this tendency.

Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work

Michael Davis

In this Security technology workshop designed specially for senior IT and business line executives, we will show you how to navigate the “valley of death” of the complex sale of enterprise information protection and make or break the business justification with your management board. Through specific Business Threat Modeling(TM) tactical methods we will show you how to discover current data loss violations, quantify threats and valuate your risk in order to select the most cost-effective security technologies to protect your enterprise information.

Selling Data Security Technology

Flaskdata.io

Data Con LA 2020 Description It’s no secret that the roots of Data Science date back to the 1960’s and were first mainstreamed in the 1990’s with the emergence of Data Mining. This occurred when commercially affordable computers started offering the horsepower and storage necessary to perform advanced statistics to scale. However, the words “to scale” have evolved over time. The leap to “Big Data” is only one serial aspect of growth. Beyond the typical 1-off studies that catalyzed the field of Data Mining, Data Science now fulfills enterprise and multi-enterprise use cases spanning much broader and deeper data sets and integrations. For example, AI and Machine Learning frameworks can interoperate with a variety of other systems to drive alerting, feedback loops, predictive frameworks, prescriptive engines, continual learning, and more. The deployment of AI/ML processes themselves often involves integration with contemporary DevOps tools. Now segue to SEAL – the Scalable Enterprise Analytic Lifecycle. In this presentation, you’ll learn how to cover the major bases of a modern Data Science projects – and Citizen Data Science as well – from conception, learning, and evaluation through integration, implementation, monitoring, and continual improvement. And as the name implies, your deployments will be performant and scale as expected in today’s environments. Speaker Jeff Bertman, CTO, Dfuse Technologies

Modernizing the Analytics and Data Science Lifecycle for the Scalable Enterpr...

Data Con LA

Cyber attacks are reaching pandemic levels. State-sponsored groups and organized crime are successfully stealing valuable intellectual property—including critical infrastructure and operational readiness information, businesses’ and consumers’ financial data—often without anyone realizing the attack has occurred! But preparedness cannot be delegated solely to the IT department. The involvement of the entire enterprise, armed with an understanding of the highly dynamic landscape, is vital for warding off potential threats. Author: David Etue, VP of CorpDev Strategy, SafeNet Watch the webcast on demand: https://www.brighttalk.com/webcast/6319/75109

Cyber Security Management in a Highly Innovative World

SafeNet

Top 10 tips for effective SOC/NOC collaboration or integration

Sridhar Karnam

Is ITIL relevant for the New Style of IT Tony Price SITS15 V1

Tony Price

3 tips to funding your security program

CloudBees

The vortex of change continues all around us – inside the company, with our customers and partners. A new norm is upon us. Business models are being turned upside down – the hunters now the hunted, global equalization – size is no longer a guarantee of success. The innovative survive and thrive…the nervous and slow go under...what does all this change means for you? Find out how does Intel’s strengths help our customers in this world of change.

The Vortex of Change - Digital Transformation (Presented by Intel)

Cloudera, Inc.

Coexisting with Vulnerabilities

Dennis Chaupis

Database Security: What Gets Overlooked?

Brent Spencer

All the essential information you need about DLP in one eBook. As security professionals struggle with how to keep up with threats, DLP - a technology designed to ensure sensitive data isn't stolen or lost - is hot again. This comprehensive guide provides what you need to understand, evaluate, and succeed with today's DLP. It includes insights from DLP Experts, Forrester Research, Gartner, and Digital Guardian's security analysts. What's Inside: -The seven trends that have made DLP hot again -How to determine the right approach for your organization -Making the business case to executives -How to build an RFP and evaluate vendors -How to start with a clearly defined quick win -Straight-forward frameworks for success

The Definitive Guide to Data Loss Prevention

Digital Guardian

Can Information Security Survive

IT@Intel

Elastic's recommendation on keeping services up and running with real-time vi...

FaithWestdorp

HP Enterprise Software: Making your applications and information work for you

HP Enterprise Italia

Similaire à Security BSides Atlanta - "The Business Doesn't Care..." (20)

Making Measurable Gains - Contextualizing 'Secure' in Business

Ultimate Hack! Layers 8 & 9 of the OSI Model

Rafal m. los wh1t3 rabbit - ultimate hack - layers 8 & 9 of the osi model -...

Retail security-services--client-presentation

"Thinking diffrent" about your information security strategy

Software Security Assurance - Bruce Jenkins

Confirmation Bias - How To Stop Doing The Things In IT Security That Don't Work

Selling Data Security Technology

Modernizing the Analytics and Data Science Lifecycle for the Scalable Enterpr...

Cyber Security Management in a Highly Innovative World

Top 10 tips for effective SOC/NOC collaboration or integration

Is ITIL relevant for the New Style of IT Tony Price SITS15 V1

3 tips to funding your security program

The Vortex of Change - Digital Transformation (Presented by Intel)

Coexisting with Vulnerabilities

Database Security: What Gets Overlooked?

The Definitive Guide to Data Loss Prevention

Can Information Security Survive

Elastic's recommendation on keeping services up and running with real-time vi...

HP Enterprise Software: Making your applications and information work for you

Plus de Rafal Los

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf

Rafal Los

Irrational But Effective - Applying Parenthood Lessons to Cyber Security

Rafal Los

SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)

Rafal Los

Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...

Rafal Los

Lies, Fables and Security Metrics

Rafal Los

When it comes to intrusions and breaches, most security teams take a short-game view. This means that they look at events as discrete and individual and focus efforts on short-term goals. While not universally detrimental, this view does harm the overall security of an organization in the "long game”. Additionally, “active defense” has been hopelessly confused by marketing hype even though its meaning is powerful to security’s operational goals. This talk focuses on how enterprise security defenders can adjust their mindset, refocus, and beat adversaries by leveraging active defense over the long game. The basis of this talk is the extensive research done in support of the threat intelligence solution blueprint, a comprehensive guide to understanding, architecting, operationalizing and maturing a threat intelligence program.

Losing battles, winning wars

Rafal Los

5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013

Rafal Los

Operationalizing Security Intelligence [ InfoSec World 2014 ]

Rafal Los

Operationalizing security intelligence for the mid market - Rafal Los - RSA C...

Rafal Los

Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...

Rafal Los

Cloud Security Alliance- Challanges of an elastic environment v8a [public]

Rafal Los

Threat modeling the security of the enterprise

Rafal Los

Software Security Assurance - Program Building (You're going to need a bigger...

Rafal Los

Defying Logic - Business Logic Testing with Automation

Rafal Los

Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)

Rafal Los

Oh No They Didn't! 7 Web App Security Stories (v1.0)

Rafal Los

The QA Analyst's Hacker's Landmark Tour v3.0

Rafal Los

Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2

Rafal Los

Sans Feb 2010 - When Web 2 0 Attacks v3.3

Rafal Los

Plus de Rafal Los (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024

The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf

Irrational But Effective - Applying Parenthood Lessons to Cyber Security

SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management)

Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...

Lies, Fables and Security Metrics

Losing battles, winning wars

5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013

Operationalizing Security Intelligence [ InfoSec World 2014 ]

Operationalizing security intelligence for the mid market - Rafal Los - RSA C...

Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio...

Cloud Security Alliance- Challanges of an elastic environment v8a [public]

Threat modeling the security of the enterprise

Software Security Assurance - Program Building (You're going to need a bigger...

Defying Logic - Business Logic Testing with Automation

Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC)

Oh No They Didn't! 7 Web App Security Stories (v1.0)

The QA Analyst's Hacker's Landmark Tour v3.0

Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2

Sans Feb 2010 - When Web 2 0 Attacks v3.3

Dernier

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

BooK Now Call us at +918448380779 to hire a gorgeous and seductive call girl for sex. Take a Delhi Escort Service. The help of our escort agency is mostly meant for men who want sexual Indian Escorts In Delhi NCR. It should be noted that any impersonator will get 100 attention from our Young Girls Escorts in Delhi. They will assume the position of reliable allies. VIP Call Girl With Original Photos Book Tonight +918448380779 Our Cheap Price 1 Hour not available 2 Hours 5000 Full Night 8000 TAG: Call Girls in Delhi, Noida, Gurgaon, Ghaziabad, Connaught Place, Greater Kailash Delhi, Lajpat Nagar Delhi, Mayur Vihar Delhi, Chanakyapuri Delhi, New Friends Colony Delhi, Majnu Ka Tilla, Karol Bagh, Malviya Nagar, Saket, Khan Market, Noida Sector 18, Noida Sector 76, Noida Sector 51, Gurgaon Mg Road, Iffco Chowk Gurgaon, Rajiv Chowk Gurgaon All Delhi Ncr Free Home Deliver

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

Delhi Call girls

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

CNv6 Instructor Chapter 6 Quality of Service

giselly40

The Raspberry Pi 5 was announced on October 2023. This new version of the popular embedded device comes with a new iteration of Broadcom’s VideoCore GPU platform, and was released with a fully open source driver stack, developed by Igalia. The presentation will discuss some of the major changes required to support this new Video Core iteration, the challenges we faced in the process and the solutions we provided in order to deliver conformant OpenGL ES and Vulkan drivers. The talk will also cover the next steps for the open source Raspberry Pi 5 graphics stack. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://eoss24.sched.com/event/1aBEx

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Igalia

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Dernier (20)

Finology Group – Insurtech Innovation Award 2024

Handwritten Text Recognition for manuscripts and early printed texts

Powerful Google developer tools for immediate impact! (2023-24 C)

Data Cloud, More than a CDP by Matt Robison

08448380779 Call Girls In Greater Kailash - I Women Seeking Men

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Artificial Intelligence: Facts and Myths

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

CNv6 Instructor Chapter 6 Quality of Service

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...

Automating Google Workspace (GWS) & more with Apps Script

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

GenAI Risks & Security Meetup 01052024.pdf

Boost Fertility New Invention Ups Success Rates.pdf

How to Troubleshoot Apps for the Modern Connected Worker

Tech Trends Report 2024 Future Today Institute.pdf

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Security BSides Atlanta - "The Business Doesn't Care..."

1. The Business Doesn’t Care …and its your fault. Rafal Los – „Wh1t3Rabbit“ – Enterprise & Cloud Security Strategist – HP Software Security BSides Atlanta © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

3. “Security” is estranged from business Why? A vast amount of IT Security professionals are distant from their business. • Why is this? –what are some of the reasons you think this is true? • What are the results? –what are some of the observed results? 3 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

7. Define Risk 1. First definition 2. Second definition 3. Third definition 7 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

8. Define Vulnerability 1. First definition 2. Second definition 3. Third definition 8 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

10. Security IS part of the business. …but what does that mean, really? • Is your CISO/CSO on the executive board of the company? • Does your CISO/CSO have executive power? • …what does this mean? 10 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

11. Relating Security <> Business What are the 3 of your company’s board- level goals for the next fiscal year? 1. Goal 1 2. Goal 2 3. Goal 3 11 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

12. The bridge between Security | Business is out. 12 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

13. We speak “security talk” vulnerabilities SQL Injection, XSS, … 0-day attacks hacking critical, high, medium… 13 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

14. “The business” speaks a different language Leveraged risks Business exposures Cost of capital Velocity of change Shareholder value 14 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

15. Driving off the risk/reward cliff …blind 15 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

17. No what? How do you succeed? • “Speak business language” • cliché …but how? • How do you relate IT risks to business risks? 17 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

18. Get to know your business Get to know your business • what does your company really do? • what does your board care about? • what gets your CEO his or her bonus? • what do analysts say about your company? • what do your customers care (or not) about? What are your company’s business exposures, risks? • what are your market risks from doing business? • what are your critical business exposures? • how can the CISO/CSO help mitigate those issues? 18 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

19. How can we relate IT to business ‘security’? How would you convince your CEO that a SQL Injection vulnerability can sink their shareholder value? 19 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

20. Ultimately “IT Security” will evolve 20 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

21. Security Ops vs. Security Strategy Security Operations (SecOps) Security Strategy • Operational security group • IT “risk” advisory consulting • Traditional firewall controls • Align to risk management, legal • Day-to-day security technology • Review, relate, advise the business VS • Not a separate IT unit (“security”) • Independent, small, agile group • Infused into operational IT groups • Report into CRO, CFO • server management • eliminate conflict of interest • network management • get “closer to the business” • desktop management 21 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

22. It is possible to do both “Serve the business” Reduce IT vulnerabilities 22 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here

23. Thanks for learning something. Follow me on Twitter: @Wh1t3Rabbit Read my blog: hp.com/go/white-rabbit Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes) Discuss on LinkedIn: 23 © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here Join the ‘SecBiz’ group

Security BSides Atlanta - "The Business Doesn't Care..."

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Security BSides Atlanta - "The Business Doesn't Care..."

Similaire à Security BSides Atlanta - "The Business Doesn't Care..." (20)

Plus de Rafal Los

Plus de Rafal Los (20)

Dernier

Dernier (20)

Security BSides Atlanta - "The Business Doesn't Care..."