If you cannot or will not click on the button above to register, please use this link: https://www.eventbrite.com/e/south-florida-issa-2015-biennial-conference-tickets-15679931096?ref=eweb
05:30a – 07:00a Conference Setup
07:30a – 08:30a Registration/Networking/Exhibitor Time
08:30a – 08:35a Mission Critical Systems
08:35a – 08:40a Radware
08:40a – 08:45a Citrix Systems
08:45a – 08:50a Cisco Systems
09:00a – 09:50a Breakfast Keynote
- Ira Winkler, ISSA International President, Information Systems Security Association
10:00a – 10:50a 1st Round of Talks
- Cirrus radiatus Room: Integrating Threat Intelligence into Security & Incident Response Programs
- Altocumulus stratiformis Room: API Security for Mobile, IoT, and the Enterprise
- Cumulonimbus mammatus Room: HIPAA for the Security Professional
11:00a – 11:50a 2nd Round of Talks
- Cirrus radiatus Room: A Case for being forgotten
- Altocumulus stratiformis Room: The PCI DSS, A QSA Perspective
- Cumulonimbus mammatus Room: Universal/Central Logging and Monitoring in a Cloud Environment
12:00p – 01:45p Lunch/Keynote/Networking/Exhibitor Time
- Lance James, Head of Cyber Intelligence, Deloitte & Touche, LLP.
02:00p – 02:50p 3rd Round of Talks
- Cirrus radiatus Room: IDS+Honeypots Making Security Simple
- Altocumulus stratiformis Room: Hard Facts on Soft Skills: Develop Your Personal Brand To Advance Your Career
- Cumulonimbus mammatus Room: Using data encryption to achieve HIPAA Safe Harbor in the Cloud
03:00p – 03:50p Security and Risk Officer’s Panel Discussion
04:00p – 06:00p Happy Hour, Prizes and Thank you!
06:00p – 07:00p Breakdown/Teardown
Breakfast Keynote
Secrets of Super Spies – Ira Winkler, President, Information Systems Security Association and Secure Mentem
Spies are unstoppable geniuses who can steal any information they want. North Korean hackers created significant damage at Sony and financial institutions around the world, while mocking the FBI. Russia, China and Iran have infiltrated our entire critical infrastructure. You are at their mercy. Then there are the spy wannabes such as criminals, hackers, and even your employees, all with similar diabolical reputations. However, as good as spies are at stealing your information, they are just as good at protecting their own. After all, people know who the spies are and target them back. While some spy cases hit the newspapers, they are rare when compared with all the people out to get them. The fact is that they know the underlying ways to compromise information, so they know best how to protect immense amounts of information.
Ira Winkler uses actual cases of espionage, including those that he committed, to demonstrate the most cost effective security programs for your organization.
1st Round of Talks
Integrating Threat Intelligence into Security and Incident Response Programs – Araceli Treu Gomes, Cybersecurity Strategist, Verizon
Threat Intelligence is the function of understanding your potential adversaries. While you may never be able to stop your adversaries from existing, by acknowledging and understanding your threats, you are better able to repel potential attacks, as well as more effectively mitigate attacks in progress. By understanding your likely adversaries, you know what vulnerabilities they are likely to target, you know the format of spear phishing messages to train your employees to detect, you can look for signatures of the malware they are likely to use, etc. And if you are under attack, understanding the attackers’ methodologies and motivations can tell you what other signs to look for, what systems need protecting, what type of information and servers they will target, etc. An effective Threat Intelligence program will allow security resources to be allocated more effectively, while reducing attack-related loss. This presentation will include case studies of notable attacks to highlight how Threat Intelligence could have either prevented the attacks, or significantly reduced loss.
API Security for Mobile, IoT, and the Enterprise – Ryan Lackey, CloudFlare
API providers include various infrastructure vendors, Software-as-a-Service applications, and now, hardware manufacturers (the “Internet of Things” is actually an internet of APIs).
Many widely deployed APIs were not built with security in mind. Other APIs have a security model which made sense when they were first deployed, but which cannot be updated in the face of new threats because backward compatibility must be retained. Some API endpoints are on hardware deployed in the field, for which software updates may be difficult to distribute and install, may not pass the change control procedures in force where the equipment is deployed, or may simply be unavailable.
Fortunately, the cloud isn’t necessarily doomed by insecure APIs. We will go over various mitigation strategies.
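One mitigation that fits the case above, where the endpoint itself cannot be changed, is to put a verifying gateway in front of it and only forward requests that carry a valid per-client HMAC signature, a fresh timestamp, and a nonce that has not been seen before. The code below is an added example for this page, not code from the talk or from CloudFlare; the header names, the canonical-string layout, the 300-second clock-skew window and the sample secret are assumptions.

```python
"""Gateway-side request authentication for an API whose backend cannot be changed:
HMAC signature over the request, a timestamp window, and a nonce cache against replay.
Example code added to this page (not from the talk or from CloudFlare); header names,
the canonical string layout and the 300-second skew are assumptions."""
import hashlib
import hmac
import secrets
import time


def canonical_string(method, path, body, ts, nonce):
    """Bytes the client signs and the gateway recomputes: method, path, body hash, time, nonce."""
    return "\n".join([method.upper(), path, hashlib.sha256(body).hexdigest(),
                      str(ts), nonce]).encode()


def sign_request(key, method, path, body, ts=None, nonce=None):
    """Client side: returns the auth headers to attach to the request."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(key, canonical_string(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class GatewayVerifier:
    """Sits in front of the legacy endpoint; only requests that pass verify() are forwarded."""

    def __init__(self, client_keys, max_skew=300):
        self.client_keys = client_keys   # client id -> shared secret (bytes)
        self.max_skew = max_skew         # seconds of clock drift tolerated
        self.seen_nonces = {}            # (client id, nonce) -> last time a replay could pass

    def verify(self, client_id, method, path, body, headers, now=None):
        """Returns (accepted, reason). The signature is checked before the nonce is recorded,
        so an unauthenticated sender cannot fill the cache with junk nonces."""
        now = int(time.time()) if now is None else now
        key = self.client_keys.get(client_id)
        if key is None:
            return False, "unknown client"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing auth headers"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        expected = hmac.new(key, canonical_string(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # A replay passes the timestamp check only while now <= ts + max_skew, so a nonce must
        # stay cached exactly that long; purge only entries that can no longer pass that check.
        self.seen_nonces = {k: exp for k, exp in self.seen_nonces.items() if exp >= now}
        if (client_id, nonce) in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces[(client_id, nonce)] = ts + self.max_skew
        return True, "ok"


if __name__ == "__main__":
    secret = b"device-1-shared-secret"   # assumed value for the demo
    gw = GatewayVerifier({"device-1": secret})
    hdrs = sign_request(secret, "POST", "/v1/telemetry", b'{"temp":21.5}')
    print(gw.verify("device-1", "POST", "/v1/telemetry", b'{"temp":21.5}', hdrs))
    print(gw.verify("device-1", "POST", "/v1/telemetry", b'{"temp":21.5}', hdrs))
```

The body hash is part of the signed string, so a captured request cannot be re-sent with a different payload, and `hmac.compare_digest` keeps the signature comparison constant-time. The nonce cache is in-process here; a gateway with several instances would need a shared store with the same expiry rule.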
HIPAA for the Security Professional – Michael R Brown, Sr Information Security Consultant-Manager, 24by7Security, LLC
In the last couple of years, HIPAA/HITECH has become more and more important in the healthcare realm as penalties have risen for those who are not in compliance. But what IS HIPAA/HITECH? What does it mean for the security professional to be compliant with it? Is there anything unique about these regulations compared with standard security practices? Find out this and more from someone who has been working to ensure that various healthcare organizations are compliant.
2nd Round of Talks
A case for being forgotten – Moses Hernandez, Security Expert, Cisco Systems
We have enjoyed most of our existence outside of the scrutiny of a true government regulatory agency. In this absence of regulation some argue we have enjoyed explosive growth. What does this mean when the potential consequence is the exposure of everyone’s information potentially with no end in sight? Is regulation inevitable or can we change this?
The PCI DSS, A QSA Perspective – Mark Akins, Managing partner, 1st Secure IT, LLC
This presentation will cover the various Payment Card Industry security programs but will be focused on the Payment Card Industry Data Security Standard, version 3.0. We will discuss the changes in version 3.0 and address how the standard addresses or will address emerging technologies such as Point-to-Point Encryption and Tokenization. Last, we will touch upon the October 2015 deadline for the Europay, MasterCard, and Visa (EMV) standard, which reflects a shift from magnetic-stripe credit cards to chip-and-PIN cards.
Universal/Central Logging and Monitoring in a Cloud Environment – Joe Partlow, Chief Information Security Officer at ReliaQuest
Most businesses today have some level of cloud computing in their environment. Collecting those logs and monitoring them centrally can be challenging, but it is absolutely necessary for compliance and overall best practice. In this talk we will discuss private, public and hybrid cloud solutions and various options to collect and monitor those logs across the disparate networks. Don’t assume your cloud provider is handling this for you!
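The two talks above (threat intelligence in the first round, central logging in this one) meet at the same point in practice: logs from a cloud provider, on-prem hosts and edge web servers arrive in different shapes and have to be normalized into one schema before an indicator feed can be matched against them. The block below is an added example for this page, not material from either talk or from ReliaQuest or Verizon; the four log lines, the indicator set, the source tags and the assumed year for the year-less syslog lines are all constructed.

```python
"""Normalize log lines from several cloud/on-prem sources into one event schema,
then match source IPs against a threat-intelligence indicator set and pivot the hits.
Example code added to this page; every log line and indicator below is constructed."""
import ipaddress
import json
import re
from datetime import datetime, timezone

YEAR = 2015  # assumed: classic syslog lines carry no year

# Constructed sample input as (source, raw line); a real collector tags the source at ingestion.
SAMPLE_LINES = [
    ("cloudtrail", '{"eventTime":"2015-05-14T13:02:11Z","eventName":"ConsoleLogin",'
                   '"sourceIPAddress":"198.51.100.23","userIdentity":{"userName":"alice"},'
                   '"responseElements":{"ConsoleLogin":"Failure"}}'),
    ("syslog", "May 14 13:03:40 web01 sshd[2211]: Failed password for root from 203.0.113.77 port 51022 ssh2"),
    ("nginx", '203.0.113.77 - - [14/May/2015:13:04:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512'),
    ("syslog", "May 14 13:05:01 web02 sshd[2290]: Accepted publickey for deploy from 10.0.4.15 port 40022 ssh2"),
]

# Constructed indicator feed: exact IPs plus CIDR blocks.
IOCS = {"ip": {"203.0.113.77"}, "cidr": [ipaddress.ip_network("198.51.100.0/24")]}

SYSLOG_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
NGINX_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_cloudtrail(line):
    rec = json.loads(line)
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": "aws", "src_ip": rec.get("sourceIPAddress"),
            "user": (rec.get("userIdentity") or {}).get("userName"), "action": rec.get("eventName"),
            # CloudTrail reports a console login's result under responseElements["ConsoleLogin"]
            "outcome": (rec.get("responseElements") or {}).get("ConsoleLogin")}


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    ev = {"ts": ts, "host": m["host"], "src_ip": None, "user": None, "action": m["prog"], "outcome": None}
    ssh = SSH_RE.search(m["msg"])
    if ssh:  # sshd is the one program this example knows how to enrich
        ev.update(src_ip=ssh["ip"], user=ssh["user"], action="ssh_login",
                  outcome="Success" if ssh["result"] == "Accepted" else "Failure")
    return ev


def parse_nginx(line):
    m = NGINX_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), "host": "web-edge",
            "src_ip": m["ip"], "user": None, "action": f"{m['method']} {m['path']}", "outcome": m["status"]}


PARSERS = {"cloudtrail": parse_cloudtrail, "syslog": parse_syslog, "nginx": parse_nginx}


def normalize(lines):
    """Map (source, raw) pairs onto one schema, time-sorted. Lines that do not parse are returned
    separately rather than silently dropped: a parser gap is itself a monitoring gap."""
    events, dropped = [], []
    for source, raw in lines:
        parser = PARSERS.get(source)
        ev = parser(raw) if parser else None
        if ev is None:
            dropped.append((source, raw))
            continue
        ev["source"] = source
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"]), dropped


def match_iocs(events, iocs):
    """Events whose source IP is an exact indicator or falls inside an indicator CIDR."""
    hits = []
    for ev in events:
        if not ev["src_ip"]:
            continue
        addr = ipaddress.ip_address(ev["src_ip"])
        if ev["src_ip"] in iocs["ip"] or any(addr in net for net in iocs["cidr"]):
            hits.append(ev)
    return hits


def pivot_by_ip(hits):
    """One row per indicator IP: how many events, which log sources saw it, which users it touched."""
    rows = {}
    for ev in hits:
        row = rows.setdefault(ev["src_ip"], {"count": 0, "sources": set(), "users": set()})
        row["count"] += 1
        row["sources"].add(ev["source"])
        if ev["user"]:
            row["users"].add(ev["user"])
    return rows


if __name__ == "__main__":
    events, dropped = normalize(SAMPLE_LINES)
    for ip, row in pivot_by_ip(match_iocs(events, IOCS)).items():
        print(ip, row["count"], sorted(row["sources"]), sorted(row["users"]))
```

The pivot is where the indicator becomes useful for response: the same address shows up in sshd failures and in web requests for a login page, which is a stronger lead than either source alone. Adding a source means adding one parser that emits the same schema; the matching and pivot logic do not change.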
Lunch Keynote
Advanced Persistent Marketing: Demystifying APTs and Cyber Attacks – Lance James, Head of Cyber Intelligence, Deloitte & Touche, LLP.
Since the phrase “advanced persistent threat” (APT) was coined nearly ten years ago, it has been the subject of extensive discussion and debate in the IT security community, and terabytes-worth of media buzz. The spotlight on APTs has been critical in bringing the reality of today’s threats to light, but the surrounding hype has sometimes generated more fear than it has practical approaches to solving the actual problems. There is a broad tendency for security programs and regulations to be shaped by the most recent cyber incidents, focused mainly on the tactics and procedures of the attackers. While understanding attacker methodology is critical, it doesn’t necessarily enable pre-emptive response.
This presentation will begin with a detailed look at threat actor motivations as the basis for pre-emptive capabilities. It will present a taxonomy of the underground ecosystem, provide an overview of tactics and procedures behind today’s APTs, and highlight current “advanced” threat trends. Against this groundwork, several important practical issues will be discussed:
- What aspects of APTs and other advanced attacks are really new?
- How are advanced cybercrime groups and other actors leveraging this evolving ecosystem?
- What are the limits of security monitoring? Do we need new tools and technologies, or better blocking-and-tackling using what we’ve got?
- What benefits can we expect from intelligence automation versus human intelligence?
Attendees will take from the session a refreshing view of the landscape, and be reminded that effective response to advanced threats does not necessarily require an ever-expanding security budget, and the adversaries are not always as advanced as we fear.
3rd Round of Talks
IDS+Honeypots Making Security Simple – Gregory Hanis, Information Security Consultant
Everything you really need to know about combining IDS (Intrusion Detection Systems) with honeypots: deployment and usage techniques used in the past and today, how to set them up and deploy them on any network including the cloud, the reasons they should be used in every network, and how to bring BIG DATA down to small data that is easy to understand and monitor.
Hard Facts on Soft Skills: Develop Your Personal Brand To Advance Your Career – Christa Pusateri, Director of Member Recruitment, WisegateIT.com
In this presentation, we will discuss the importance of building your brand, enhancing soft skills and business acumen, and building key relationships to move ahead in your Information Security career and get things done.
In this interactive presentation, we will share stories of how leading CISOs have been successful gaining respect and credibility from the business while building their personal brand and influencing others. Attendees will also receive a Wisegate research report and list of resources for developing their own professional leadership development plans.
Using data encryption to achieve HIPAA Safe Harbor in the Cloud – Stan Wisseman, Security Strategist, HP
Healthcare organizations are struggling to manage the complexity, cost and effort of upgrading their IT infrastructure, purchasing new hardware and software, and licensing and maintaining their existing devices and applications. Cloud computing offers significant benefits for the healthcare sector such as scalability, resiliency, adaptability, connectivity, virtualization and optimized performance. However, for organizations that store data in the cloud, the HIPAA Security Rule is of particular concern. While the cloud offers many benefits in terms of cost, scale, and business agility, it poses new challenges in terms of security and compliance. Join our boardroom to learn how data encryption can be used to comply with the rule and achieve a safe harbor.
CISO Panelist Speakers
Ken Athanasiou, Chief Information Security Officer, AutoNation, Inc.
Ken Athanasiou is Vice President, Chief Information Security Officer at AutoNation, Inc. Ken has extensive experience in information security and risk management. His career includes senior positions with global companies in the retail and financial service sectors as well as thirteen years of service as an officer in the United States Air Force. Just prior to joining AutoNation he was the Global Information Security Director & Chief Information Security Officer for American Eagle Outfitters. Ken holds a Bachelor’s Degree in Computer Information Systems and a Master’s Degree in Computer Resources Management and is a Certified Information Systems Security Professional (CISSP).
Stan Black, Chief Security Officer, Citrix Systems, Inc.
Stan is the Chief Security Officer for Citrix Systems, where he is in charge of protecting the global supply chain to ensure products and services are delivered to customers securely. At Citrix, Stan defines a dynamic security posture and enumerates the threat landscape to orchestrate vulnerability management and incident response. Mr. Black is a seasoned security veteran with more than twenty years of experience in cyber security, business risk, corporate data protection and crisis management. His experience has provided him the opportunity to deliver durable security and risk solutions to Global 1000 companies, countries and public agencies around the world. Prior to Citrix, Black held global positions at EMC, RSA and Nuance Communications, Inc. At Nuance, he was VP and CSO and facilitated more than 60 acquisitions in six years. Outside of work, Black enjoys riding his motorcycle and spending time with his family.
John Ceraolo, Chief Security Officer, 3Cinteractive, LLC.
John Ceraolo is currently the CSO with 3Cinteractive, the mobile solutions leader that improves business efficiencies by extending operational and CRM processes to the mobile channel. Mr. Ceraolo directs the organization’s enterprise risk management, business continuity, and information security. John has been leading security initiatives within global organizations for over 20 years.
Prior to 3Cinteractive, Mr. Ceraolo has held positions of increasing responsibility with Arise Virtual Solutions, JM Family, Citrix Systems, Siemens, and VNU Publishing. John is an internationally recognized speaker and author on the topic of Information Security. He works directly with C-level/senior management, key stakeholders and clients in maintaining business-centric security programs that contribute to revenue generation. A central focus of his career has been to present the business value of these security programs to prospective and existing clients.
Mr. Ceraolo has created successful, comprehensive security programs from the ground up in large multinational organizations. John has led these organizations in SOX compliance, PCI-DSS certification, SAS70 auditing and HIPAA compliance. His expertise includes enterprise security, risk management, compliance and business continuity.
John earned his Bachelor of Science at the University of Florida and received his Masters degree in Information Assurance from Norwich University. He is a CISM, CISA and CISSP. John has spoken at multiple conferences in the United States and internationally on multiple security topics including social engineering, security services and awareness. John has also taught CISM certification aspirants for ISACA. Mr. Ceraolo is a member of ISACA, ISSA and ISC2 as well as holding a board seat with Crimestoppers.
Bobby Dominguez, Chief Information Risk Officer, PNC Financial Services Group, Inc.
Bobby Dominguez is an accomplished Internet pioneer and a security, risk, and privacy expert. Mr. Dominguez has successfully integrated information security into top-level business initiatives at Home Shopping Network, PSCU Financial Services, and PNC Bank, where he is currently the SVP, Chief Information Risk Officer. Under his leadership, the Sykes Global Security and Risk Management team was nominated and selected as one of the 5 best in the 2008 SC Magazine “Best Security Team in the US.” Mr. Dominguez was also selected as one of the top 5 Chief Security Officers for the 2009, 2010 and 2013 SC Magazine “CSO of the Year.” And in 2012 he was a finalist for the (ISC)2 Americas Information Security Leadership Awards.
He is the Vice-President of the Board of Directors for the FBI Infragard Tampa chapter, Board member of ISSA Tampa Bay chapter, and an active member of the US Secret Service Miami Electronic Crimes Task Force. He is a recognized professional in the security field, having contributed to the publication of several ANSI security standards and holding certifications, including ASIS CPP, SANS GSLC, (ISC)2 CISSP, ISACA CRISC, ITIL, EC-Council C|CISO, PMI PMP and Program Management Mastery.
Pete Nicoletti, Chief Information Security Officer, Virtustream, Inc.
Pete has 30 years of experience in the development, implementation, operations and management of a wide array of Information Technology, IaaS/SaaS/PaaS Cloud, Security Technologies and MSSP services.
Pete is the Chief Information Security Officer at Virtustream and is responsible for global compliance; security tool selection, deployment and management; incident response; HR security policy; federal security programs; managed security services; security-related strategic relationships; and all Virtustream and customer security challenges.
Prior to joining Virtustream, Pete was the VP of Security Engineering at Terremark and Verizon, where he was instrumental in the success of Terremark’s IaaS Federal and Commercial deployments and managed the entire security and MSSP portfolio, security consulting, presales activities, whitepaper authorship and strategic planning. The Terremark Cloud successes contributed to the high valuation and ultimate purchase of Terremark by Verizon.
Before this, Pete was the CSO/CTO of ProtectPoint, Inc., where he designed and implemented 350 MSSP solutions, and CTO/CEO of Promero, a hosted CRM/Telephony company, where he was directly responsible for 6 patents, the deployment and operations of the world’s most innovative SaaS/PaaS platform for VoIP and Video Teleconferencing, and the creation and management of the largest travel video streaming site of its time.
In addition, Pete is internationally regarded as a wireless pioneer having built the world’s first commercially viable Wireless ISP with over 500 antenna locations. Pete was also presented with the “Microsoft Industry Solutions” Award by Steve Ballmer at Comdex 2000 for the most innovative and advanced implementation of Microsoft applications for a large VoIP/CRM travel agent system.
Pete is currently the primary consultant to the South Florida Chapter of the Information Systems Security Association because of his past longevity on the Board. He is also on the Board of Directors for the Cloud Security Alliance-SF, an Advisory Board Member for Arbor, VMWare, Fortinet, Vormetric and Trapezoid, former VP on the Board of Directors of the FBI Infragard, and a member of ISACA, Internet Coast, Honeynet Alliance, Computer Security Institute, IEEE, Secret Service Miami Electronic Crimes Task Force, EFF, Union of Concerned Scientists, and the Anti-Phishing Working Group. Pete recently completed an update of the chapter on Content Filtering for the master’s-level IT college textbook “Computer and Information Security Handbook” (ISBN: 9780123943972). Pete also contributed Chapter 9, “A Cloud Security Reference Design,” to the book “Building the Infrastructure for Cloud Security: A Solutions View” (ASIN: B00IGKE2E6).
Security and Risk Panel Moderator
Richie Rodriguez, Chief Information Security Officer, Campus Management Corp.
Richie Rodriguez has been a technology professional for nearly 20 years, and has experience in network engineering, software development, Information Security, and the delivery of SaaS and IaaS platforms. Richie is a Certified Information Security Manager and holds a Bachelor of Science in Management Information Systems from Florida Atlantic University, where he continues to be involved by serving on FAU’s IT Operations Management Advisory Board. Richie is the Chief Information Security Officer and Senior Director, Information Technology, at Campus Management Corp., a Boca Raton based software company focused on delivering student information systems to the Higher Education industry. In this position, Richie has dual responsibility for Campus Management’s global IT department and for managing the information security program for Campus Management’s CampusNet Cloud platform. Richie has lived in South Florida since 1994, is an active member of the South Florida chapters of ISSA and ISACA, and enjoys spending his time raising his two young children with his wife.