Why can’t we build secure software?

A lot is expected of software developers these days; they are expected to be experts in everything despite very little training. Throw in the IT security team (often with little-to-no knowledge of how to build software) telling developers what to do and how to do it, and the situation becomes strained. This silo-filled, tension-laced situation, coupled with short deadlines and […]

Read more

How identity management is transforming modern business

Identity innovations like zero-trust networks, zero login, and one identity initiatives are transforming today’s most successful organizations from within. Trust boundaries are changing. Find out the technical details behind these innovations and take home a game plan to start transforming your organization today, this week, and in the long run.

Read more

ISO 27001 & The GDPR

ISO 27001 & The GDPR: A Research-Based Approach to Identifying Overlap and Streamlining Efforts Together, security and privacy teams share a common goal: Protect the organization from reputational damage, lawsuits, and regulatory trouble. ISO 27001 focuses on the assessment of risks and protection of the organization while GDPR aims to assess and protect the rights […]

Read more

Power Up/Level Up: Supercharging Your Security Program for Cloud and DevOps

Few things have ever transformed the practice and technology of information technology than the dual impacts of cloud computing and DevOps. In this executive session we will detail specific strategies and tactics for transforming your security organization without orphaning your historical investments. This won’t be generic policy mumbo-jumbo; comes learn the hard-earned lessons from dozens […]

Read more

GDPR for Canadian Organisations – What you need to know!

The General Data Protection Regulation (GDPR) comes in to force on May 25th 2018 and many Canadian organisations are unsure if they even have to comply, let alone how. During this session, Bruce will take you through not only what the GDPR is and how it may impact you, but common questions and scenarios Canadian […]

Read more

Best Practices to Secure Application Containers and Microservices

Containers such as Docker and CoreOS Rkt deliver incredible capabilities to developers and operators and are powering the DevOps revolution in application development and deployment. Docker in particular has taken industry by storm, resulting in over 8 billion downloads and 500,000+ containerized applications in this open source platform. With all this new-found power comes significant […]

Read more

Does a BEAR Leak in the Woods? What the DNC breach, Guccifer and Russian APT’s have taught us about attribution analysis

The June 2016 revelations of the DNC breach by two Russia-based advanced persistent threat groups was only the beginning of a series of strategic leaks and conflicting attribution claims. In this presentation we’ll demonstrate techniques used to identify additional malicious infrastructure, evaluate the validity of “faketivists” like the Guccifer 2.0 persona, and strengths and gaps […]

Read more

Establishing the CSIRT Team for The Rio 2016 Olympic Games

This presentation examines the journey taken to establish the CSIRT team for the Rio 2016 Olympic Games. This large project was executed in a short period of time and posed a lot challenges. Rocha will explain the strategy in getting his team ready for the games, the CSIRT timeline, their preparation using wargames exercise, the […]

Read more

Leveraging Best Practices to Determine Your Cyber Insurance Needs

Dave Millier has created a novel new approach that leverages well known information security frameworks and Chubb’s Cyber COPE®, a well-established property insurance measurement methodology that has been adapted to cyber risks.  In this talk, Dave will present his methodology, including various ways of gathering the information and reporting on the results, providing the audience […]

Read more

Your Chance to Get It Right: 5 Keys to Building AppSec Into DevOps

Security’s goal of minimizing risk can seem at odds with development’s need for rapid change. There is a middle path that allows development to deliver secure code at DevOps speed, but it requires security to adopt principles that have proven successful for DevOps. This session will discuss organizational, process and technology innovations that enable security […]

Read more

Safety Should be the Security Paradigm

The main government approach to cybersecurity has been to think of it through the lens of the military and intelligence community. After all that is where the most expertise lies today. This lens is problematic going forward. We should instead be looking to the way the government thinks of safety: for transportation, disease, consumer products, […]

Read more

How to Rob a Bank or The SWIFT and Easy Way to Grow Your Online Savings

Bank heists make great stories.  This year, we’ve got some really good stories to tell courtesy of a trusted network known as SWIFT, and some banks that believed they were inherently protected by virtue of being connected – except they weren’t. Hundreds of millions of dollars have revealed some ugly truths and dangerous assumptions.  In […]

Read more

Getting Business Value from Penetration Testing

Penetration tests rarely improve a client’s security. We know this because last year’s test feels horribly close to this year’s. In terms of value to the business, they fall flat in most ways – they are misunderstood from the start, during the test, and at the report. We want to dispel the confusion and tie […]

Read more

Data-Driven Computer Security Defense

This talk is focused on some of the biggest problems associated with computer security defenses. Main topics include: Misaligned defenses Lack of focus on root-causes Lack of focus on local current and historical exploits Lack of data in driving computer security defense decisions Roger will discuss how things got this way and how to fix […]

Read more

Introducing G.Tool – A batteries included framework for building awesome GRC tools without wasting money.

Do you need a GRC tool but can’t afford the cost of one? Let’s use a batteries included automation first framework to rapidly assemble our own tools that work in the way you want. We won’t create anything with a web interface but we will be able to manage large amounts of information using existing […]

Read more

Security by Consent, or Peel’s Principles of Security Operations

Are you tired of knowing everything, having people ignore “the security person” because “reasons,” and then having “I told you so” as your only comfort? Sick of the hostile relationship between security and development, security and operations, security and HR, and/or security and everyone not wearing a black t-shirt? There’s a better way. Faced with […]

Read more

Cybersecurity in an era with quantum computers: will we be ready?

Quantum computers will break currently deployed public-key cryptography (RSA, ECC, Diffie-Hellman, etc.) which is one of the pillars of modern-day cybersecurity. Thus we need to migrate our systems and practices to ones that cannot be broken by quantum computers before large-scale quantum computers are built. There are viable options for quantum-proofing our cryptographic infrastructure, but […]

Read more

There’s no such thing as a coincidence – Discovering Novel Cyber Threats

Jim will provide an in-depth background of the changing cyber threat landscape, with specific focus on recent incidents including the cyber attack on Sony Pictures Entertainment, the massive data breach at Anthem Healthcare, and the compromise at the US Office of Personnel Management of nearly every US government employees’ personal information. Jim will share his […]

Read more

Bulletproofing Your Incident Response Plan: Effective Tabletops

The pace of databreaches has reached epic proportions. Organizations large and small, in every industry are falling victim to hackers, hacktivists and nation states. Your intellectual property, data and bank accounts have never been at greater risk – it’s not if, but when your organization will be victimized. Testing and maintaining an effective Incident Response […]

Read more

CISO Survival Guide: How to thrive in the C-Suite and Boardroom

The CISO lives with a target on his/her back, usually lasts a mere 12-18 months and takes the fall for security issues often out of their control. Yet, this is a strategic, C-level position and essential to the success of any organization. The disconnect lies in the CISO being able to elevate their worth with their […]

Read more

The Effective Use of Cyber Ranges for Application Performance and Security Resilience – Train Like You Fight!

Organizations worldwide face a dangerous shortage of Cyber Warriors with the skills required to defend against cyber terrorism. This urgent situation is made worse by the weaknesses and vulnerabilities that continue to pervade critical IT infrastructures – despite billions of dollars invested in cyber security measures. Answering these problems requires Internet-scale simulation environments, along with […]

Read more

Dolla Dolla Bill Y’all: Cybercrime Cashouts

The hardest part of cybercrime is the cashout. The strategy for cashing out needs to be easy enough to make it worth your while and safe enough to stay out of the clink. With more and more focus on identifying and stopping credit card fraud, cybercrooks are diversifying their methods for cashing out. While criminals […]

Read more

What does it take to deliver the most technologically advanced Games ever?

This talk will discuss how the team prepared for the largest sporting event held in Canada, the TORONTO 2015 Pan Am / Parapan Am Games. The session will include how we created a Cyber Security Group, staff scheduling, contingency planning, and communications. I will also discuss how we managed the day to day security operations, offer a recap […]

Read more

Make Metrics Matter

Metrics needn’t be meddlesome (alliteration!), as long as you’re measuring something. Focus on the metrics that make the most impact instead of trying to do it all. Regardless of your maturity level, you can still implement a metrics program. It comes down to value over quantity.  Mix straightforward metrics like the overall reduction of incidents […]

Read more

Scaling Security in Agile Scrum

Agile Scrum is here to stay, and security teams aren’t adapting quickly enough. “Best-practice” Agile SDL models aren’t very helpful because they assume a simplified, idealized model of how software is built. In the real world, software development often involves multiple Scrum teams working on various components of a larger product. As a result, application […]

Read more

Quantitative Risk Analysis and Information Security: An OpenFair Case Study from BMO

Risk analysis – nobody wants to do it, but everybody wants the answer when it’s done. Business today is full of qualitative methods for assessing risk, but these tend to fall short of giving Information Security professionals the tools to express risk in a meaningful way. FAIR (Factor Analysis of Information Risk) was recently adopted […]

Read more

FAIL Panel Again! Third time’s the charm

The ugly bastard child of the ugly bastard child of FAIL Panel, in its 3rd year running, a discussion on the cybers and other general observations on infosec. We’ll disagree, agree, talk over each other, ramble until cut-off, throw things, contradict each other (and ourselves), have no clue what Jamie is asking us and generally […]

Read more

Asymmetry in Network Attack and Defense

William will dive in to the fundamental tools and resources needed by network attackers and defenders and look at basic adversary methodology and scaling effects in network attack and defense. After laying this foundation, he will dive deeper into asymmetrical advantages for defenders and how to implement them in your network from an architecture and […]

Read more

Human Metrics – Measuring Behavior

The human element is one of the weakest links, as a result your employees are now the primary attack vector.  From phishing and infected USB drives to lost mobile devices and weak passwords, people represent the greatest risk to most organizations.  Many organizations are now rolling out security awareness programs with the intent of changing […]

Read more

Security Awareness Has Failed: A Suggested New Approach!

For over 30 years, the security community mantra has been to deliver annual or regular security awareness education sessions to staff. And for over 30 years, the “big stick” approach has failed to produce any appreciable results. For the most part security awareness training has become ” a corporate check box” and is used to […]

Read more

Re-Thinking Security Operations

Do your security solutions deliver effective coverage against the challenging new threat environment?  The threat environment has grown to be a too large a problem with protection infrastructures too narrow a solution to cover every possible attack in every circumstance.  Progressive (and costly) concepts like situation awareness, globally integrated intelligence and access to advanced tools […]

Read more

Microsoft Security Intelligence Report, Canadian Edition

Threats have changed in dramatic and unexpected ways around the world over the past year as attackers continue to hone and evolve their strategies and tactics, and Internet-connected devices proliferate. Using the latest data from hundreds of millions of systems around the world and some of the Internet’s busiest online services, this session will provide […]

Read more

FUFW: 5 Steps to Re-architecting Your Perimeter

The hype train around next-generation firewalls (NGFW) continues to race forward, but replacing one device with a new shiny object isn’t going to ultimately solve the security problem. Securosis analyst Mike Rothman will put NGFW into proper context regarding the evolution of network security and give you 5 steps to move your perimeter protection forward.

Read more

SDN : Radically New Network Architecture, Same Old Cyber Security Protection

As Virtual Machines (VM’s) were the disruptive technology at the end of last century for server and storage platforms, Software Defined Networks (SDN) will be (already is) the first industry-changing, disruptive technology for switch and router platforms in this young century. SDN has already gained grass roots momentum as early adopters Google, Goldman Sachs and […]

Read more

Return of the Half Schwartz FAIL Panel w/Tales from beyond the echo chamber

The ugly bastard child of FAIL Panel, in its 2nd year running, a discussion on Malware letters received to our mailbag and other general observations on infosec. We’ll disagree, agree, talk over each other, ramble until cut-off, throw things and generally entertain you. Vendor and FUD free since last we last remembered to wear underwear.

Read more

Data in the Cloud. Who owns it and how can you get it back?

With the rush to take advantage of all “the Cloud” has to offer, many companies are struggling with the new reality that their data is being sent outside the confines of the corporate environment and being stored in multiple geographic locations. With the Cloud comes the challenge of securing your data, understanding where it is […]

Read more

Reacting to Cyber Crime: Preserving Crucial Evidence for Law Enforcement

Evidence handling is of primary importance for the RCMP Tech Crime Unit Members when called upon to investigate a possible cybercrime. When such an incident occurs, it is important that the IT personnel in place is in a position to clearly identify the potential digital-related evidence and to properly preserve it upon the arrival of […]

Read more

Building a Security Operations Center – Lessons Learned

This presentation will go through the various steps required to craft a Security Operations Center; including hiring and managing an array of human resources, monitoring, reporting, and mitigating technology, and covering the definition of repeatable, scalable processes, such as the OODA loop. The presentation will address the fundamental concepts related to training, structuring, and running […]

Read more

How I Learned to Stop Worrying and Love the Cloud

An overview of the risks and mitigations encountered in planning the outsourcing of the United States Mint’s $700 Million a year numismatic ecommerce site. The presentation focuses on how to assess your cloud vendor and specific information and access to request to make sure your data is secure. Many of the mitigations discussed in the […]

Read more

*PT, Chinese cyber-something, the summer of breach and doing it wrong

The ugly bastard child of FAIL Panel, a discussion on Malware letters received to our mailbag and other general observations on infosec. We’ll disagree, agree, talk over each other, ramble until cut-off, throw things and generally entertain you (we may bring chocolates and super secure LiquidMatrix USB keys – as seen as DEFCON). Vendor and […]

Read more

The Defense RESTs: Automation and APIs for Better Security

Want to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren’t from security vendors, they don’t even need to be commercial. You need tools like chef & puppet, jenkins, logstash + elasticsearch & splunk or even hadoop to name but a few. The key is […]

Read more

Forecast of Data Loss in Canada

How many breaches occurred in Canada last year? And how many might there be by 2015? How much personal confidential Canadian data will be lost next year? Join this session to learn which types of firms are losing data and how. He won’t name names, but Dave will quickly walk you through a cool model […]

Read more

Cybercrime in Canada: a Law Enforcement Perspective

This session will highlight the link and differences between security efforts and criminal interdiction. Cybercrime continues to be a significant concern to industry and the public in Canada. This session will highlight some of the important activities now underway to address this criminal threat. Attendees will become aware of crime trends and priority threats. Industry […]

Read more

Controlling BYOD before it Becomes Your Own Demise

Mobile security is the hottest topic for senior security professionals as organizations struggle with how to support smartphones and other consumer-grade devices connecting to the network. This session will present a process to evaluate the risk of these devices, define appropriate policies, and control the use of these devices. We’ll also discuss (at a high […]

Read more

Binary Risk Analysis

Security risk analysis techniques are either too complex to be understood by the business or too simple to provide repeatable and meaningful results. Without a proper understanding of the risk associated with security events, businesses are likely to misunderstand the risk that security professionals are working to control. This talk will announce a new, peer […]

Read more

It’s Not About the “Warm Fuzzy” – How to Plan for a Comprehensive Penetration Exercise

It’s time for your annual, mandated penetration test. It may not be accurate, but who cares? You passed! Your boss has a “warm fuzzy”! But where is the business value in testing the perimeter if the perimeter is not the target? It’s time we stopped kidding ourselves and started looking at testing that actually does […]

Read more

The Search for Intelligent Life

For years businesses have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. In the information […]

Read more

Security When Nanoseconds Count

There’s a brave new frontier for IT Security – a place where “best practices” does not even contemplate the inclusion of a firewall in the network. This frontier is found in the most unlikely of places, where it is presumed that IT Security is a mature practice. Banks, Financial Institutions and Insurance Companies. High Speed […]

Read more

Everything You Need to Know about Cloud Security (and then some)

Everyone is fired up about the cloud. Per usual, that means most businesses are rushing headlong into the abyss with nary a concern of security or risk management. Yeah, we all know how this ends. And most practitioners don’t even know what they don’t know at this point. Mike will provide the unvarnished truth about […]

Read more

Change Happens: CISO Survival Through Adaptation

The Chief Information Security Officer role is transitioning through unprecedented change in information technology, in both scope and pace. CISOs must learn to adapt in kind and support the four ‘personas’ of the CIO, where the I stands for Infrastructure, Integration, Intelligence and Innovation. This panel will address the trends and adaptation strategies necessary to […]

Read more
Subscribe to the Sector Blog
Enter your contact information below to have future blog posts delivered directly to your inbox!
Fields marked with an * are required