BOSTON, MA

May 9 - 10, 2018


Welcome to SOURCE Boston!

We have assembled an outstanding selection of speakers across a variety of disciplines, and are looking forward to bringing everyone together.

Event Highlights:
- World class InfoSec Talks
- Three tracks
- 30+ speakers
- Business, technical and people-related talks
- Excellent networking opportunities
- Public speaking workshop
- Malware analysis workshop

Check out the podcast videos below (on this page) for a sample of the excellent content that we are bringing to Boston! More soon, check back frequently!

Come for the talks, stay for the networking and people/communications-related activities.

We have some great things in store for you!



Conference Schedule


Pre-Conference Training Day 1

May 7, 2018

Pre-Conference Training Day 2

May 8, 2018

Conference Day One

May 9, 2018

Conference Day Two

May 10, 2018

InfoSec Train the Trainer

9:00 - 5:00 Rob Cheyne


Do you struggle to present technical information to a group? Your team? Your boss? Communicating technical information is a learnable skill and anybody can do it. This highly interactive course can help anyone be a better trainer, facilitator or presenter.

Your instructor for this session, Rob Cheyne, has traveled the world multiple times teaching some of the most technical information security content to some of the world’s toughest audiences. He has extensive training in presentation and training skills, and he has delivered in-person training to over 25,000 students at global Fortune 500 Companies. Rob specializes in serving as the universal translator between the technical and business sides of the house.

In this class, Rob will give away some of his best secrets for keeping an audience engaged for any length of time. If you are involved in delivering any kind of technical presentation or training, this is an opportunity that you are not going to want to miss.

Target Audience:
Anyone who wants to improve their technical presentation skills

Topics covered include:
– How to turn any presentation into a training/learning opportunity
– How to communicate your thoughts clearly and effectively
– How to powerfully begin and end your presentation or training
– How to effectively address audience questions

– How to turn a room of introverts into extroverts
– How to make sure everyone in the room gets your message
– How to manage the state of the room and the state of your audience
– How to use in-classroom exercises to cement learning
– How to create an effective session agenda
– How to give a great technical demo

Instructor Bio:

Rob Cheyne is a highly regarded technologist, trainer, security expert and serial entrepreneur.

He has 25 years of experience in the information technology field and has been working in information security since 1998. Rob has led information security training classes for over 25,000 people across many industry-leading global organizations, and consults regularly with Fortune 500 clients.

Rob is the founder and CEO of Big Brain Security and the Executive Director of the SOURCE conferences. Previously, Rob was the co-founder and CEO of Safelight, a leading provider of information security education programs that was acquired by Security Innovation in July 2014.

He was also an early employee of @stake, a well-known pioneer in information security consulting. Rob was the author of LC4, a version of the award-winning L0phtCrack password auditing tool, and he also worked on the code scanning technology that was eventually spun off as Veracode.

Rob regularly speaks at security and training conferences, and frequently presents to the local chapters of various security organizations.


Application Security Risk for Executives and Managers

9:00 - 5:00 Rob Cheyne


Do you struggle to understand the things that your development teams worry about? Do you struggle to understand what your security team worries about?

There are two huge communication gaps in practically every business environment. The gap between business and technical folks, and the even bigger gap between business and security folks.

This interactive workshop covers the major areas of application risk that must be addressed in a way that anyone can understand it.

Over many years of teaching Infosec classes to developers, the #1 question was “this is great stuff, please tell my boss.” This is the class that answers that question.

Whether you are a manager of a technical team, or an executive at a company that has development teams, this class is an invaluable way to get up to speed quickly on today’s application security risks.

Your instructor, Rob Cheyne, has taught information security to over 25,000 people around the world over the past 10 years, and has over 25 years of IT-related experience. He has a knack for explaining technical concepts in a way that everyone in the room gets it.

Target Audience:
Managers, executives, and anyone who wants to participate in frank discussion of today’s application security risks.

Topics covered include:
– Learn how real-world attacks occur
– How teams can successfully mitigate the risk of attacks
– How to support your teams’ information security goals
– The most overlooked risk that every company has
– How to understand and communicate with technical people
– How to keep up with today’s information security risks


Opening Remarks

8:30-9:00 Empire Ballroom SOURCE Team

Opening Keynote | Cyber Resilience as a Corporate and National Strategy

9:00-9:45 Empire Ballroom Rob Knake, Senior Research Scientist, Global Resilience Institute, Northeastern University

Career Development Track: Speed Networking

9:45-10:30 Empire Ballroom SOURCE Team

10:30-10:45 Short Break (move upstairs)

Hack your EQ (workshop)

10:45 - 12:15 Shubert Deidre Diamond


Let’s discuss the 14 EQ skills and how they manifest in the workplace. Cybersecurity talent retention rates are struggling. Tech in general is showing the same poor talent retention statistics. Is a focus on EQ the answer? Come to this EQ Workshop and let’s explore how improving your soft skills will advance your career.

Bio:

Deidre Diamond is the CEO and Founder of CyberSN.com, a cybersecurity research and staffing company, and the Founder of brainbabe.org, a cybersecurity not-for-profit organization. Deidre’s vision and leadership has resulted in a dramatic decrease in the frustration, time and cost associated with job searching and hiring for cybersecurity professionals. Prior to CyberSN, Deidre was the CEO of Percussion Software, the first VP of Sales at Rapid7 (NYSE:RPD) and the VP of Staffing and Recruiting for the national technical staffing company Motion Recruitment. Deidre leads with a strong commitment to transparency, equality, training, support, high-productivity and love in the workforce.

Dissecting Malware

10:45 - 11:25 Washington Anurag Dwivedy, Application Security Engineer at Cisco


With millions of malicious programs in the wild, and more encountered every day, malware analysis is critical for everyone who responds to computer security incidents. The presentation covers the overall process and methodology of analyzing malware, walks through setting up virtual machines as a safe environment for running malware, describes common malware functionality, and shows how to recognize that functionality when analyzing malware.

Bio:

Anurag is a security enthusiast interested in the fields of application security, web application security, and systems engineering. He recently graduated from Northeastern University, specializing in Information Assurance and Cyber Security. He has worked with NBCUniversal as an Information Security Intern in New York. Prior to moving to information security, he worked as a software developer. He is experienced in C#, C, C++, PowerShell, SQL, Perl and x86 Assembly, and is familiar with the common applications used in banking and financial infrastructure. He was an integral part of the team that developed a web-based MVC application to manage a fraud database and the reconcilement of ATM transactions. He has also worked on an academic project that analyzed security mechanisms in .NET and implemented countermeasures for OWASP Top 10 vulnerabilities.

Application Security – It’s Not Just for Developers Anymore

10:45-11:25 Library Danny Harris, Senior Security Consultant & Instructor at Security Innovation


Application security has traditionally fallen on the shoulders of development and IT teams, as organizations tend to view it as a technology issue. However, due to the inherent financial and operational risk software applications bring to the enterprise, organizations are rethinking their approach. Application security is often considered a topic for technical people, yet business leaders play a pivotal role in its success at their organizations. The responsibilities for application security no longer rest only with the technical team: executives also need to understand security risk and the secure software development lifecycle to ensure the delivery of secure and robust applications. This talk discusses how application security has become a business risk management concern, and examines the gap between an organization’s perceived and actual security efforts. Additionally, it describes security challenges throughout the software development lifecycle (SDLC) and high-impact activities for various roles that will provide the foundation for a sustainable application security program.

Audience

  • Executives, project managers, software development team members

You Will Learn

  • Understand the gap between what people think application security is and what a mature organization does to build secure applications
  • Understand that application security involves not only everyone on the development team, but also people with responsibility for enterprise risk management
  • Understand that every role has a different set of application security responsibilities

Bio:
Danny Harris has been an information and application security practitioner for over 20 years. He is knowledgeable in all phases of the secure software development life cycle (SDLC) and is responsible for the creation and delivery of application security training and SDLC programs at Security Innovation. Previous teaching experience includes seven years as an adjunct professor for the Computer Security and Forensic Investigation program at Wilbur Wright College and as a security instructor for the SANS Institute.

Honeypot Talk

11:35 - 12:15 Washington Phillip Maddux


This talk will provide a brief introduction to honeypots, an overview of the cyber deception space, and the benefits and challenges of implementing deception as part of your cyber defense program. There should be more community discussion on the cyber deception space. I’ve had conversations with numerous organizations, and there is a consistent theme in their current thinking on deception. This talk aims to share these thoughts with the audience as well as to hear their feedback, thoughts and experience on deception. In addition, this talk will highlight the HoneyDB project, which enables anyone to get started with operating honeypot sensors and collecting threat information. Finally, this presentation will describe how I built scalable honeypot sensor collection, employing what I call my “Frankenstein Cloud Architecture”, for minimal cost.

Bio:

Phillip Maddux is a Trusted AppSec Advisor and Senior Solutions Engineer at Signal Sciences. He has over 10 years of experience in information security, with the majority of that time focused on application security in the financial services sector. In his spare moments he enjoys converting ideas to code and committing them to Github.

Developing a Threat Modeling Mindset

11:35 - 12:15 Library Robert Hurlbut, Threat Modeling Architect at Financial Institution


Threat modeling is a way of thinking about what can go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building or evaluating information systems, we need to develop a similar mindset. In this session, you will learn practical strategies to develop a threat modeling mindset by: understanding a system, identifying threats, identifying vulnerabilities, determining mitigations and applying the mitigations through risk management.

Bio:
Robert Hurlbut, based in Enfield, CT, is a Threat Modeling Architect/Lead at a large financial institution. Robert is a Microsoft MVP for Developer Technologies and Security and holds the (ISC)2 CSSLP security certification. Robert has 30 years of industry experience in software security, software architecture, and software development. He speaks at user groups, national and international conferences, and provides training for many clients. You can follow Robert on Twitter at https://twitter.com/roberthurlbut, and he co-hosts the Application Security Podcast at https://www.appsecpodcast.org.

12:15-1:15 Lunch Break

Threat Modeling (Workshop)

1:15 - 2:45 Library Robert Hurlbut, Threat Modeling Architect at Financial Institution


Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some teams either skip the important step of threat modeling in secure software design, or they have tried threat modeling before but haven’t quite figured out how to connect the threat models to real-world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principles of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objectives:
Attendees will learn about Threat Modeling through understanding concepts and hands-on demos:

– Introduction to Threat Modeling, including how to conduct a typical Threat Modeling session
– Understand practical strategies in finding Threats
– Determine proper Mitigations, and how to apply Risk Management with the Mitigations
– Review methods of documenting Threats
– Hands-on demo of one or two Real World Threat Modeling case studies
– Hands-on demos of the Microsoft Threat Modeling Tool 2016 and/or OWASP Threat Dragon


(Details Coming Soon...)

1:15-1:55 Shubert (Details Coming Soon...)

GDPR: Why it Matters Now!

1:15-1:55 Washington Thomas Fischer, Global Security Advocate and Threat Researcher


Let’s explore what is covered by GDPR and how it may impact your organisation, answering questions such as: do I need to have a DPO; if I don’t do business directly in the EU, when does GDPR affect me; what data is affected? While many vendors have driven a compliance theme, we will cover why GDPR is not about compliance but about changing key processes and procedures such as incident response. The session will also include interactive audience polling intended to provide insight on the potential impact GDPR will have on companies and the steps InfoSec teams need to consider.

Some of the key takeaways from this session:

  • Key aspects of GDPR that will impact Applications, IT and InfoSec teams, and how to prepare
  • Why GDPR extends beyond compliance and how to build it into your IR program
  • How GDPR will impact future legislation and best practices on how to prepare

Bio:

As a global security advocate and threat researcher, Thomas spends his time advising companies on managing their data protection activities against malicious parties. Thomas’ 25+ years of background in IT include varying roles from incident responder to security architect at Fortune 500 companies, vendors and consulting organizations.

Thomas is also an active participant in the InfoSec community, not only as a member but also as director of Security BSides London, ISSA UK chapter board member and presenter at SANS DFIR EMEA, DeepSec, Shmoocon, various BSides events and ISSA-UK.

Topic: Data Breaches: Dealing with the Threat From Within

2:05 - 2:45 Shubert Paul Steen, Vice President, Global Product Strategy at Imperva


The worst kept secret in enterprise security is that the people on the payroll pose the biggest threat to a company’s data. Recent primary research in live environments identified otherwise unidentified insider threat incidents in every environment studied. Join this session to discuss the categories of ‘threats from within’, and the cyber security solutions to help protect your data from human nature.

Most insider theft occurs over long periods of time and almost always goes completely unnoticed. This session will review real examples of long-term and large scale insider data theft and the methods used to detect and prevent them.

Bio:

Paul Steen is the Vice President for Global Product Strategy at Imperva, Inc., a provider of data security solutions. In this role, Paul connects with Imperva’s largest customers around the globe, and helps them understand how to best leverage Imperva’s solutions. He also liaises with the Product Teams to ensure the going forward strategy matches customer requirements and needs. Paul has been with Imperva for over ten years and has managed engineering teams in the US as well as Asia and Australia/New Zealand. Paul has presented on IT security topics at events such as RSA, AusCert, OWASP, AISA, and taught professional security related product certifications in over 35 countries worldwide.

Prior to joining Imperva, Paul worked in a variety of technical roles at Check Point Software Technologies Ltd., including security engineering and partner and end-user instruction. Prior to that, Paul lectured on IT security topics at a number of schools and universities around the world.

SDLC, SOC2, and other four letter words

2:05 - 2:45 Washington Nathan Cooprider, Agent Team Lead at Threat Stack


Except for any authors of trojans that may have stumbled in accidentally, we all want to write secure applications. In spite of our sincere desires, vulnerable code gets shipped. Why? What do we do to fix it? What can we do to prevent it from happening? The answers exist in the realm of the software development life cycle, or SDLC. Various compliance vehicles (such as SOC2) exist to help us formulate an effective SDLC, but any security expert knows that checking a box does not typically yield the desired results. This talk describes the SDLC used by the agent team at Threat Stack, while also bringing in outside experiences to supplement. It also goes over pitfalls observed and lessons learned. You might not use the same tools or produce the same product, but the talk focuses on principles to make the resulting product more secure.

Bio:

Nathan Cooprider is the software team lead for the Threat Stack instance agent. Nathan comes to Threat Stack from the endpoint engineering team of Carbon Black. Prior to Carbon Black, Nathan led the signal processing software team for the MQ9 Predator drone at BAE. He received his BS in CS from Brigham Young University and his PhD in CS from the University of Utah. Nathan has over a decade of experience working with computer systems. This includes eight refereed publications on the static analysis of microcontroller applications written in C. He also wrote a paper on multivariate data visualization, co-authored a paper on multiple hypothesis tracking, and has supported language modeling research. Nathan’s accumulated experience with various software engineering languages and tools includes C, C++, python, doxygen, Jenkins, OCaml, CIL, cmake, and many others.

2:45-3:35 Coffee Break/Turbo Talks

DECEPTICON: Deceptive Techniques to Derail OSINT attempts

3:35 - 4:15 Shubert Joe Gray, Senior Security Architect, IBM


When we think of the process for attacking an organization, OSINT comes to the front and center of our minds. This presentation takes a presenter with experience in applying OSINT to effective penetration testing and social engineering and reverse engineers the process to determine what steps can be taken to further complicate their efforts. This is a presentation that talks about online deception, decoy accounts, canary data, encryption, maintaining one’s social media in a secure manner, and protecting one’s identity as much as possible. While nothing is absolute, this is a presentation that will leave attendees more aware of techniques to make it harder for attackers to collect accurate OSINT, either by removal or deception.

Bio:

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.

Doing ISO 27001 with CIS CSC as the control set

3:35 - 4:15 Washington Walter Williams, Director of Information Security at Monotype


The CIS CSC controls are designed to prevent breaches, but there is no current means to be audited as compliant with this standard and prove that it was implemented effectively. ISO 27001 audits are generally done with the ISO 27002 control set in mind, but it is far from a requirement. In this talk, I’ll discuss how we’ve approached this frankenstein approach to security standards and auditing, and discuss our success and challenges.

Bio:

Walt Williams, CISSP®, SSCP®, CPT has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now serves as Director of Information Security at Monotype. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides, BASC, 27K, Wall of Sheep, and RiskSec Toronto.

Mr. Williams’ articles on security and service oriented architecture have appeared in the Information Security Management Handbook. He has sat on the board of directors for the New England ISSA chapter and was a member of the program committee for Metricon. He has a master’s degree in anthropology from Hunter College.

Big Security: An Introduction to Applying Data Science to Security

3:35-4:15 Library Kwan Lin and Vasudha Shivamoggi


Data science as a multi-disciplinary field is in a fairly nascent state, but it is burgeoning and beginning to find its way into a wide array of industries, often proving to be highly impactful. Data science approaches may sound unfamiliar to security practitioners, but can be tremendously effective in addressing challenges in the security space, particularly in detecting and responding to security incidents.

In this session, we will introduce the audience to a series of common steps that are essential to implementing a data science approach: acquiring security and network data, manipulating it into a suitable structure for analysis, identifying and applying a range of appropriate analytical methods based on the scenario, assessing the utility and reliability of the results, and communicating the findings to stakeholders in a digestible manner.

The audience will gain exposure to applying a systematic lens to analyzing security-related data, which differs markedly from the more traditional case-based approach to addressing security challenges.

Bio:

Kwan is a data scientist at Rapid7, a Boston-based cyber-security technology company. Much of his time is spent on wrestling with and eventually analyzing large-scale network data. He is an active R and Python user. In the past, Kwan has worked in data management and public accounting. He holds degrees in international relations and economics.

Vasudha is a data scientist at Rapid7, a Boston-based cybersecurity technology company. She develops predictive models to better understand the nature of security threats and vulnerabilities. Prior to this, Vasudha has worked in retail analytics and quantum computing, and has a PhD in theoretical physics.

Security Hotseat

4:30-5:30 Empire Ballroom SOURCE Team

Onsite Attendee Reception - Hosted by Sponsors

5:30 - 6:30 SOURCE Team

Offsite Attendee Reception

7:00 - 9:30 SOURCE Team

Opening Remarks - Conference Day 2

8:30 - 9:00 Empire Ballroom SOURCE Team

Using Behavioral Science To Secure Your Organization

9:00 - 9:45 Empire Ballroom Masha Sedova, Co-Founder, Elevate Security


For decades security awareness programs have been based on the assumption that employees don’t know the correct course of action and with the right training, they will start performing more securely. However, this approach has not proven to be effective. A second dimension needs to be considered in security behavior change: motivation. This talk will explore how and when to motivate employees to security action. It will also discuss how to “surf” motivation generated by both predictable and unpredictable security events to drive security behavior change in a workforce. Finally, this talk will explain how to measure changes in employees’ security behaviors and how practitioners can create meaningful metrics.

Bio:

Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security delivering a behavioral-science based platform that can measure, motivate, and educate employees on security behaviors that prevent breaches. Before Elevate, Masha Sedova was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners and customers. In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance and regular presenter at conferences such as Blackhat, RSA, ISSA, Enigma and SANS.

SOURCE Snap Talk: Why Most Presentations Suck

9:50 - 10:10 Empire Ballroom Mary Cheyne, Public Speaking Trainer/Coach Magnetic Podium, LLC


According to author and Apple’s original chief evangelist, Guy Kawasaki, 95% of presentations SUCK. As a Silicon Valley venture capitalist, Kawasaki has sat through numerous pitch presentations and this is his definitive, unvarnished conclusion.

Have you ever had to sit through a bad presentation? Worse yet, have you ever given one?

Let’s face it. No one wants to be THAT presenter.

In this candid talk, Mary Cheyne reveals why most presentations DO indeed suck, and how you can avoid being a statistic.

Bio:

Mary Cheyne, MBA, has trained over 15,000 people in over 25 cities around the world and has coached hundreds of individuals on how to communicate clearly & authentically in front of audiences as well as in personal conversations. She also taught communications-related classes at Northeastern University in Boston for 7 years.

Mary is the author of the Amazon best-selling book “Present” Yourself in Public Speaking – Tell Your Inner Critic to SHUT UP! And the Real You to SPEAK UP! She is also the co-author of the book The Change 8 with Jim Britt, Tony Robbins’ first mentor, on the topic of conscious communication.

She is the 2009 World Championship of Public Speaking second place winner out of 25,000 contestants from 14 countries.

SOURCE Snap Talk: Accelerating your business goals with DevSecOps

10:15am - 10:35am Empire Ballroom Mike Kail, CTO, Cybric

SOURCE Snap Talk: Shifting to Security Awareness 2.0

10:40am - 11:00am Empire Ballroom Jason Hoenich, Founder & Security Awareness Expert at Habitu8

11:00 - 11:20

Defense can be sexy too!

11:20 - 12:00 Shubert Aaron Katz, Director, Threat & Vulnerability Management, S&P Global


Learn the basics of implementing a robust vulnerability management program in a large enterprise. Discuss the components that make up a successful vulnerability management program, and how to interface with the various stakeholders in the enterprise to ensure the continued success of the program.

Key topics that will be addressed:

  • The fundamental components of a vulnerability management program
  • Shifting from a reactive to a proactive approach
  • The role of threat intelligence and a partnership with the IR team to provide timely responses to issues such as WCry and ShadowBrokers
  • Hiring and training fundamentals
  • General Security Awareness
  • Communicating and involving stakeholders outside of infosec
  • How to propagate the idea that security is “everyone’s responsibility”, rather than one dedicated team
  • Key contacts to cultivate throughout various departments (legal, board, C-suite, IT/Ops, business)
  • Improve IT hygiene without stepping on too many toes (the political quagmire of too many teams with too many managers)

Bio:

Aaron Katz is currently the Director of Threat & Vulnerability Management at Standard & Poor’s, and is responsible for working with the various groups within the organization to defend against all manner of threats.

Session Details Coming Soon!

11:20 - 12:00 Washington Session Details Coming Soon!

Strengthen Your SecOps Team by Leveraging Neurodiversity

11:20am - Noon Library Megan Roddie, Sr. Security Analyst, Recon InfoSec, LLC.

More Info

High productivity, extreme attention to detail, logical/calculated, passionate, and hyper-focused. These are all characteristics considered valuable in the information security industry. However, a certain group of people who exceed expectations in these skill sets are constantly overlooked for job positions. That group of people is the High Functioning Autistic (HFA) community.

Individuals in the high functioning autistic community are often overlooked for job positions due to their social disabilities, which make them perform poorly in an interview and in their interactions with other people. However, if you look past their awkward behavior and social struggles, you will find these individuals are perfectly suited for roles in the information security industry.

This talk aims to show the listeners that, as many tech companies have found, the HFA community is ripe with individuals who could be the best of the best in the security industry if given the chance. The audience will realize that a small investment in time, understanding, and acceptance can result in the addition of an invaluable member to a Security Operations team.

Bio:

Megan Roddie, Sr. Security Analyst, Recon InfoSec, LLC.

Megan Roddie is a graduate student pursuing her Master’s in Digital Forensics at Sam Houston State University while also working as a Cyber Security Analyst with Recon InfoSec, LLC. As a 20-year-old with Asperger’s Syndrome (High Functioning Autism), Megan offers a unique perspective on any topic she discusses. Megan can articulate her struggles and how small modifications in daily life have made her successful.

12:00 - 1:00 Lunch

12:00 - 1:10 Lunch Break

Public Speaking (Workshop)

1:10 - 2:40 Shubert Mary Cheyne, Public Speaking Trainer/Coach Magnetic Podium, LLC

More Info

Bring LIFE to Your Boring Presentation

Let’s face it – Most business presentations are dry & boring. Be honest, is yours?

This program will show you how to say goodbye to bland & hello to LIFE. Discover how to immediately resuscitate your presentation back from the dead & leave your audience wanting more.

In this workshop, you will:

  • Learn how to overcome nerves quickly.
  • Learn how to connect with the audience every time.
  • Discover the secrets of creating an engaging presentation that will keep your audience at the edge of their seats.
  • Add excitement to the delivery of your own presentations.

Bio:

Mary Cheyne, MBA, has trained over 15,000 people in over 25 cities around the world and has coached hundreds of individuals on how to communicate clearly & authentically in front of audiences as well as in personal conversations. She also taught communications-related classes at Northeastern University in Boston for 7 years.

Mary is the author of the Amazon Best Selling book “Present” Yourself in Public Speaking – Tell Your Inner Critic to SHUT UP! And the Real You to SPEAK UP! She is also the co-author of the book The Change 8 with Jim Britt, Tony Robbins’ first mentor on the topic of conscious communication.

She is the 2009 World Championship of Public Speaking second place winner out of 25,000 contestants from 14 countries.

Introduction to Cryptographic Attacks

1:10 - 2:40 Washington Matthew Cheung, QA Engineer at Veracode

More Info

Cryptography can seem like a mysterious black box making attacks even more mysterious. Introduction to Cryptographic Attacks is for those who have no experience with cryptographic attacks and how they work. In this workshop you will learn how simple some of these attacks are, and you will build a foundation in cryptographic primitives and potential weak points of real world systems.

The workshop will lead attendees through CTF-style crypto challenges that illustrate critical cryptographic weaknesses. I will provide a VM with a Python development environment set up with all of the libraries we use in the attacks.

Prerequisites: Minimal experience with cryptography and Python programming experience.

Materials: Laptop with VMWare or VirtualBox installed.

Bio:

Matthew Cheung (QA Engineer at Veracode) Westford, MA
Matt Cheung started developing his interest in cryptography during an internship in 2011. He worked on implementation of a secure multi-party protocol by adding elliptic curve support to an existing secure text pattern matching protocol. Implementation weaknesses were not a priority and this concerned Matt. This concern prompted him to learn about cryptographic attacks from Dan Boneh’s crypto 1 course offered on Coursera and the Matasano/cryptopals challenges. From this experience he has given talks and workshops at the Boston Application Security Conference and the DEF CON Crypto and Privacy Village.

Hacking Entrepreneurship: Lessons From Security Startup Founders

1:10 - 2:40 Library Sandy Carielli, Jennifer Andre, Georgia Weidman, Justine Bone

More Info

The number of cyber security companies continues to explode, even as some startups exit through acquisition. What should one consider before deciding to start their own venture? In this panel discussion, three successful entrepreneurs, all of whom applied their technical know-how to start new ventures in the security space, discuss their individual experiences on the pathways from practitioners to entrepreneurs and some of the pitfalls along their roads to startup “fortune and glory.” Topics covered will include that initial spark of innovation, the process of building a company instead of just a product, recruiting your team, possible accelerants to success, landing that all-important first customer, and pursuing the funding you may need to accelerate your business. We will consider the differences between startups that are product focused versus service focused. We will also hear our panelists’ thoughts on the state of the security market today and how startups have pushed the envelope on security innovation.

Bio:

Sandy Carielli has spent over a dozen years in the cyber security industry, with particular focus on identity, PKI, key management, cryptography and security management. As Director of Security Technologies for Entrust Datacard, Sandy guides the organization’s next generation security and technology strategy. Prior to Entrust Datacard, Sandy was Director of Product Management at RSA, where she was responsible for SecurID and data protection. She has also held positions at @stake and BBN. Sandy has been a speaker at RSA Conference, SOURCE Boston, the NYSE Cyber Risk Board Forum and BSides Boston. She has a Sc.B. in Mathematics from Brown University and an M.B.A. from the MIT Sloan School of Management.

Jennifer Andre, Sr Director Orchestration & Automation at Rapid7

Before joining Rapid7 as the Sr Director of Orchestration & Automation, Jen was the founder & CEO of Komand (acquired by Rapid7), the fastest way to automate your time-intensive security processes. Previously, she co-founded Threat Stack, a pioneering cloud security monitoring company, and serves on its board of directors. Jen has spent her career in security operations and product – starting off in the SOC as an analyst and later working as a researcher and developer at security companies Mandiant and Symantec. A recognized speaker in the security and engineering world, she also supports security innovation as a board member of the hacksecure.org cybersecurity investment syndicate.

Georgia Weidman, Founder and CTO at Shevirah Inc.

Shevirah founder and CTO Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She has presented or conducted training around the world, including at venues such as NSA, West Point, and Black Hat. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions, and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women’s Society of CyberJutsu Pentest Ninja award. She is on the board of advisors of the angel-backed security training startup Cybrary and the nonprofit Digital Citizens Alliance and is a member of the CyberWatch Center’s National Visiting Committee. She served as a judge for the FTC Home Inspector IoT security challenge.

Justine Bone, CEO at MedSec

Justine is a seasoned information technology and security executive with background in software security research, risk management, information security governance, and identity management. Her previous roles include Chief Information Security Officer at Dow Jones, a News Corporation company and publisher of the Wall Street Journal, CSO at Bloomberg L.P., CTO of Secured Worldwide, an NYC-based FinTech company, and CEO of well known vulnerability security research firm, Immunity Inc. Justine began her career as a vulnerability researcher with Internet Security Systems (now IBM) X-Force and New Zealand’s Government Communications Security Bureau.

2:40-3:10 Coffee Break

Selling Cyber to the Board

3:10-3:50 Shubert Vince Warrington, Founder at Protective Intelligence

More Info

Despite the growing cyber threat, many boardrooms still do not appreciate the levels of investment and resources required to keep their company better protected. Often, the cause of this misalignment is a lack of effective communication between technical and managerial functions – put simply, we don’t speak the same language as the Board and thus fail to convince them of the merits of enhanced cyber defences. With many years’ experience of delivering cyber programmes for both government and the private sector, U.K. cyber security specialist Vince Warrington will detail the strategies he has used in the past to secure high levels of funding from the C Suite. He will explain how building the ‘Cyber Story’ helps translate complex security problems into business language, as well as giving you the ‘Do’s and Do Not’s’ of how to present to the Board.

Bio:

Vince Warrington, Founder at Protective Intelligence

Vince Warrington is a leading Information Assurance and Cyber Security expert with over 15 years’ experience heading up large-scale, organisation-wide IT and cyber security programmes for central Government departments, blue chip private companies and well-known voluntary organisations across the globe.

Vince is an influential member of the Information Assurance Advisory Council (IAAC) and the UK Cyber Security Forum. He is currently advising on strategies to encourage more young people to consider a career in cyber security – especially females and those on the Autism spectrum.

Vince has recently helped to develop the internal Security Operation Centre and threat intelligence network for the Department of Work & Pensions along with its latest cyber security strategy. He has also delivered successful business change in cyber security programmes and IT security operations for organisations including GlaxoSmithKline, Diageo, Financial Conduct Authority, Euromoney Institutional Investor, Saudi Aramco, Metropolitan Police Service, Sainsbury’s, Foreign & Commonwealth Office, HM Treasury and Skillshare International, and most recently, the Financial Conduct Authority.

Vince has been instrumental in delivering successful security programmes across the globe, including: USA, Holland, Belgium, Brazil, China (Hong Kong), Afghanistan, Saudi Arabia, South Africa, Mozambique, Botswana, Namibia, Lesotho, Swaziland, and Tanzania.

Vince has recently been appointed as a Non-Executive Director of specialist recruitment consultancy CyberOne, to head up a unique CISO-as-a-service offering that will help businesses safeguard against escalating cyber crime on a flexible basis.

How I Learned How Not To Suck At Docker Security (So You Don’t Have To)

3:10-3:50 Washington Paul Asadoorian, Founder & CEO at Security Weekly

More Info

Information security professionals and software developers often share the same feelings about new technology: skepticism, and sometimes hatred. This is how many of us might feel about technologies such as Docker and the entire concept of containers and microservices. However, DevOps teams are integrating this technology into their daily workflow with great success. IT and security teams are using Docker technologies to roll out new solutions and internal tools. Software companies are embracing Docker at an alarming rate. Why is this alarming? Security professionals and developers are not focused on the security of these platforms. This year I took a small software project and applied Docker technology to the development and operations. I laughed, I cried, I learned to hate (briefly) and learned to love. I also found that there are security issues big and small that we all need to be aware of and address, as Docker technology is here to stay. So come learn from my mistakes and challenges! You will learn how to implement and secure a Docker deployment. How much more fun could you possibly have in a security talk?

Bio:

Paul Asadoorian spent time “in the trenches” implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. He is the founder of the Security Weekly podcast network, offering several freely available shows on the topic of information security and hacking. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management. When not hacking together embedded systems (or just plain hacking them) or coding silly projects in Python, Paul can be found researching his next set of headphones.

Phishing: It's Not Just for Pentesters - Using Phishing to Build a Successful Awareness Program

3:10 - 3:50 Library Joe Gray, Senior Security Architect, IBM

More Info

Social engineering attacks remain the most effective way to gain a foothold in a targeted organization. When technology holds up to the test of attack, the human element is often exploited for entry into an organization. The frequency and level of training an employee receives can thwart an attack or amplify it. An example is the Google Docs attack that occurred recently. This attack propagated to a status near that of a worm in part because people were not trained to spot the issues. This talk will discuss the dynamics of creating an effective awareness program and teach practitioners how to create and run a successful internal phishing program to measure the efficiency of the training and help keep users on their toes.

Bio:

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoiler: taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.

3:50 - 4:00 Short break - head downstairs

Career Development Track: Attendee Lightning Talks

4:00 - 4:45 Empire Ballroom SOURCE Team

Closing & Raffle

5:30 - 6:00 Empire Ballroom SOURCE Team

$495

Early-Bird - General Admission

  • Admission to all conference sessions and evening events
  • Coffee breaks, receptions
  • Exhibit Hall access

Buy Now

$499

One-Day Training

  • InfoSec Train the Trainer
  • Application Security Risk for Managers

Buy Now

Justine Bone | Pre-Conference Interview

Aaron Katz | Pre-Conference Interview

Vince Warrington | Pre-Conference Interview | SOURCE Boston

Walter Williams | Pre-Conference Interview

Ming Fu | Pre-Conference Interview

Paul Asadoorian | SOURCE Boston Pre-Conference Interview

Megan Roddie | Pre-Conference Interview

SOURCE Boston talk. Originally recorded for SOURCE Mesa.

Anurag Dwivedy | Pre-Conference Interview

Nathan Cooprider | Pre-Conference Interview

Pre-Conference Training

InfoSec Train the Trainer

May 7, 2018 Communication

This course is designed for anyone who wants to improve their ability to present and train on technical topics to both technical and non-technical audiences.

Application Security Risk for Executives and Managers

May 8, 2018 InfoSec 101

This course is designed for executives and managers who want to better understand the real-world risks that their company deals with on a day-to-day basis.

Platinum

BlackBerry is an enterprise software and services company focused on securing and managing IoT endpoints. The company does this with BlackBerry Secure, an end-to-end Enterprise of Things platform, comprised of its enterprise communication and collaboration software and safety-certified embedded solutions. Based in Waterloo, Ontario, BlackBerry was founded in 1984 and operates in North America, Europe, Asia, Australia, Middle East, Latin America and Africa. The Company trades under the ticker symbol "BB" on the Toronto Stock Exchange and the New York Stock Exchange. For more information visit BlackBerry.com, and follow the company on LinkedIn, Twitter and Facebook.

Gold Sponsor

Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to governments and corporate enterprises globally. Its solutions protect customers from cyber-attacks with an industry leading catch rate of malware, ransomware and other types of attacks. Check Point offers a multilevel security architecture that defends enterprises’ cloud, network and mobile device held information, plus the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.

IOvations helps protect our customers’ data as a cyber security value added reseller. Our offerings include:

  • Mobile (Application, Network & Device Protection) & End Point offerings (next gen end point protections, encryption, end point detection & response, forensics, whitelisting)
  • Network & Data Center offerings including advanced threat protections, DDOS, DLP, IPS, load balancing, next generation firewalls, orchestration & automation, SDWAN, SIEM, SMTP protections, threat intelligence & vulnerability management.
  • Cloud offerings including Cloud Access Security Brokers for SAAS and traditional security controls extended to Infrastructure as a Service including automation, along with micro-segmentation & vulnerability management.

Our Vision: Brainbabe empowers women and men to work together in cyber security and directly impacts three statistics.

  • Diversity & Inclusion: 11% of cybersecurity jobs are held by women
  • Attrition: 53% of women leave the industry in under ten years
  • Retention: Only 6% of Fortune 1000 CEOs are women

The Security Weekly network educates a growing audience of global security professionals on the matters of IT security news such as breaches, vulnerabilities and exploits! They cover the latest hacking incidents and security research and interview security luminaries. Paul Asadoorian, whose expertise includes penetration testing and embedded device/IoT security research, is joined by other security professionals to offer a mixture of technical content and entertainment.

Silver Sponsor

Endgame's endpoint protection platform brings certainty to security with the most powerful scope of protections, simplest user experience, ensuring analysts of any skill level can stop targeted attacks before information theft. Endgame unifies prevention, detection, threat hunting to stop known/unknown attacker behaviors at scale with a single agent. Visit www.endgame.com.

Venue (For reservation code e-mail info@sourceconference.com)

Downtown Marriott Boston

275 Tremont St, Boston, MA 02116

(617) 426-1400
