Multi-Factor Authentication (MFA) and Beyond: Rethinking All the Auth

We've known for a long time that the idea of a fixed perimeter and trusted internal network doesn't work too well, especially since a successful attacker looks exactly like an insider. The concepts variously known as de-perimeterization, zero-trust, software-defined perimeter and BeyondCorp all try to address this, and they represent a fundamental change in how you architect security for your enterprise.

In this presentation, we talk about what you can do to make your old perimeter less lonely, and most importantly, how to explain this new way of thinking to the rest of the business.
Recorded Feb 1 2018 42 mins
Presented by
Wendy Nather, Principal Security Strategist, Duo Security

  • Marie Curie, Open Source, Kickstarter and Women in Tech Recorded: Jul 12 2018 49 mins
    Mandy Whaley, Director of Developer Experience, Cisco
    Think of Marie Curie. Would you expect to find a fascinating number of similarities between the Curies' treatment of their work in the early 1900s and today's tech industry? I certainly didn't…

    Join Mandy Whaley to explore how the Curies used an approach similar to modern Open Source licensing to open the process for isolating radium to the scientific community, and how the limitations at the time on the rights of women to own intellectual property influenced this decision.

    Also, learn how Marie Curie used a strategy similar to Kickstarter to raise funds to buy radium for her own research, and how all of these experiences and lessons can help us today.
  • The Data Behind DevSecOps: Investments, Breaches, and Culture Recorded: Jun 13 2018 59 mins
    Derek E. Weeks, Vice President and DevOps Advocate, Sonatype; Co-Founder, All Day DevOps Conference
    The Sonatype 2018 DevSecOps community survey results are in. Hear how 2,076 professionals revealed that mature DevOps organizations ensure automated security is woven into their DevOps practice early, everywhere, and at scale. Explore changing mindsets, technology investments, and breach patterns.

    Attend this webinar to gain a new perspective on peer benchmarks surrounding DevSecOps adoption.
  • RSA Encore: The Emergent Cloud Security Toolchain for CI/CD Recorded: May 15 2018 55 mins
    James Wickett, Head of Research, Signal Sciences
    Encore of "The Emergent Cloud Security Toolchain for CI/CD" given at RSA Conference 2018 in San Francisco.

    All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.

    Learning Objectives:
    1: Learn the emerging patterns for security in CI/CD pipelines.
    2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
    3: Understand what the real meaning of DevSecOps is without all the hype.
  • The DevSecOps View: Build It, Secure It, Run It Recorded: Apr 26 2018 57 mins
    Jason Hand, DevOps Champion, VictorOps Advisor, Community Pulse Co-Host
    Modern architectures and design patterns challenge developers, security, and operations in a whole new way. Instead of developers building and handing to security for testing, today’s developers are a key part of the security team - and vice versa.

    In this Modern Security Series episode, we look at how security:
    * Shifts left - earlier into the development cycle
    * Shifts right - integrating with operations
    * Adapts to enable app and service owners to respond faster to threats
  • Taking the best of Agile, DevOps and CI/CD into your AppSec Program Recorded: Apr 17 2018 47 mins
    Matt Tesauro, Senior Technical Project Coordinator, OWASP
    How many applications are in your company’s portfolio?
    What’s the headcount for your AppSec team?

    Whatever your situation is, I am sure the numbers are not in your favor. This talk covers the OWASP AppSec Pipeline project, which provides real-world examples from AppSec programs at several different companies that have seen increases of 5x in productivity. Companies covered include Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk will also cover the key principles to speed and scale up AppSec programs using an AppSec Pipeline as well as practical examples of these practices put into use. Start early and begin to buy down the technical security department by leaving the traditional AppSec program thinking behind.
  • Enhance Your Organization's Security with AuditD Recorded: Apr 12 2018 33 mins
    Ryan Huber, Security Architect, Slack
    AuditD is a very useful feature of the Linux kernel. Ryan Huber, Security Architect at Slack, discusses go-audit, the golang-based open source alternative to the auditd daemon.

    He also discusses how he uses go-audit along with a reliable logging pipeline consisting of streamstash, elasticsearch, and elastalert to collect and process data from thousands of hosts.
  • Serverless Security and Winning the DevSecOps Game Recorded: Apr 9 2018 60 mins
    Tom McLaughlin, Founder, ServerlessOps, James Wickett, Head of Research, Signal Sciences
    As shifts to serverless architectures become more common, more of the infrastructure responsibilities are handed to developers. This change significantly impacts both operations and security.

    So, what does this mean for you?

    Join us as Tom McLaughlin, Founder of ServerlessOps and James Wickett, Head of Research at Signal Sciences answer this question and more in our latest webinar, “Serverless Security and Winning the DevSecOps Game”.

    Join us to learn:
    * How security and operations are completely flipped on their heads in a serverless world
    * Why operations engineers will need to become more familiar with application security
    * Why security engineers need to focus up the stack
  • Vulnerabilities in Open Source Software: Standing on the Shoulders of Foo Recorded: Mar 30 2018 36 mins
    Erlend Oftedal, Partner and CTO, Blank AS, Head of OWASP Norway
    Statistics show that our applications are built using an increasing amount of open source code. But what do we actually know about the code we are using, and do we actually know if any of the dependencies have vulnerabilities in them? This talk will focus on the JavaScript space and open source tooling, and present some statistics and findings from deep dives into JavaScript and npm.
  • The Path of DevOps Enlightenment for InfoSec Recorded: Mar 27 2018 48 mins
    James Wickett, Head of Research, Signal Sciences
    Security as we have known it has completely changed. Through challenges from the outside and from within there is a wholesale conversion happening across the industry where DevOps and Security are joining forces. This talk is a hybrid of inspiration and pragmatism for dealing with the new landscape.

    Together we discover that security changes in the modern landscape to:

    * Create Security Feedback Loops
    * Embrace Adversity
    * Enable Speed
    * Much more!
  • Tangled Web: Defense in Deception Recorded: Feb 13 2018 53 mins
    Herb Todd, CISSP, CSSLP, GSEC, GSSP-Java, GPEN, and CRISC
    Our adversaries are skilled in deception -- we as defenders must become skilled as well. This talk provides information to defenders on the importance of deception as part of our defense in depth strategy.

    Why should the Red Team have all the fun? Let's explore the tools, techniques, and processes that Blue Team can utilize to detect, deceive, detour, confound, and confuse our attackers.

    What we cover:
    * The goals of deception from the perspective of both the attacker and defender
    * The elements and processes needed to plan, prepare, execute, and monitor effective deception
    * The types of deception techniques that are effective and how they translate into actual web application capabilities
    * How to identify and respond to various types of attackers.

    Finally, we walk through an example of a deceptive web application that will detect our attacker and sideline them in defense of our web application.
  • Multi-Factor Authentication (MFA) and Beyond: Rethinking All the Auth Recorded: Feb 1 2018 42 mins
    Wendy Nather, Principal Security Strategist, Duo Security
    We've known for a long time that the idea of a fixed perimeter and trusted internal network doesn't work too well, especially since a successful attacker looks exactly like an insider. The concepts variously known as de-perimeterization, zero-trust, software-defined perimeter and BeyondCorp all try to address this, and they represent a fundamental change in how you architect security for your enterprise.

    In this presentation, we talk about what you can do to make your old perimeter less lonely, and most importantly, how to explain this new way of thinking to the rest of the business.
  • An Automated AppSec Pipeline with Docker and Serverless Recorded: Jan 15 2018 43 mins
    Matt Tesauro, Senior Technical Project Coordinator, OWASP, Aaron Weaver, Application Security Manager
    In application security, the size of the security team is always the most scarce resource. The best way to optimize the security team is automation. This presentation will provide an overview of key application security automation principles and practices creating an Application Security Pipeline augmented with automation.

    With the rise of docker and serverless patterns, there is a whole new suite of tools available to the pipeline builder. We show you how to get started automating application security tooling and reporting using these new patterns.
  • Modern Approaches to Security for Practitioners Recorded: Dec 14 2017 44 mins
    Alex Rice, CTO at HackerOne; Zane Lackey, CSO at Signal Sciences
    In the DevOps era, security looks different. Hear from security experts Alex Rice, Co-founder and CTO at HackerOne, and Zane Lackey, Co-founder and CSO at Signal Sciences, as they explore how security has changed in today's environments of fast, continuous development and regularly shifting business requirements.
  • Secure Development Lessons from Purposely Insecure Applications Recorded: Nov 8 2017 41 mins
    Jason White, Application Security Consultant, Astech Consulting
    Security pros and developers often use insecure apps to teach or demonstrate application vulnerabilities. The main activity is 'hacking' or showing how exploiting a given vulnerability works. WebGoat was (as far as we know) the first purposely insecure app for teaching web application security. Many other 'goats' have also come about and now we even have a Juice Shop. Until now, there is no purposely secure [example] application for developers to model from. So, let's work with what we have and pull out some secure coding and secure SDLC lessons from the insecure applications.
  • ChaoSlingr: Introducing Security Based Chaos Testing Recorded: Oct 18 2017 51 mins
    Aaron Rinehart, Chief Enterprise Security Architect and Grayson Brewer, Security Engineer, UnitedHealth Group
    This Modern Security episode introduces a security based chaos testing tool and methodology. ChaoSlingr is a Security Chaos Engineering Tool focused primarily on the experimentation on AWS Infrastructure to bring system security weaknesses to the forefront.
  • Innovation and the Future of Information Security- One Cool Panel Recorded: Oct 3 2017 57 mins
    Jacob Katz, Signal1; Jess Parnell, Centripetal Networks, Zane Lackey, Signal Sciences
    In this panel, led by three of Gartner's 2017 Cool Vendors in Security for Technology and Service Providers, we dive into where the industry is heading, where enterprises can innovate, and how security can be in the value creation business.

    The panelists share their thoughts on the following topics and questions:

    * What larger security trends do you see happening in the industry in 2018?
    * What are the shifts that are creating opportunity for innovation in security?
    * What is the biggest risk in security today?
    * What can enterprises do to solve this risk?

    This lively discussion covers DevOps to digital transformation to cyberwar to the shifting security landscape. Whether you are a senior security pro or new to the industry, you don’t want to miss this panel.
  • Application Denial of Service In Microservice Architectures Recorded: Sep 27 2017 44 mins
    Scott Behrens, Senior Application Security Engineer, Netflix
    This webinar will introduce you to one of the most devastating ways to cause service instability in modern micro-service architectures: application DDoS. Unlike traditional network DDoS that focuses on network pipes and edge resources, this talk focuses on identifying and targeting expensive calls within a micro-services architecture, using their complex interconnected relationships to cause the system to attack itself — with massive effect.
  • Security In The Land of Microservices Recorded: Aug 30 2017 41 mins
    Jack Mannino, CEO, nVisium
    Microservices are a great way to build software, but they bring their own security problems to the table. Compared to monolithic applications, microservice architectures are often significantly more complex, requiring us to think a little differently about how to build security in. Services are highly decoupled and governance is decentralized, often blurring the line for security duties between teams. This makes it really important to build the proper security controls into your architecture early, before things spin out of control (because, they will). Your team is empowered to move faster than ever and your mission is to help them do it securely.

    In this presentation, we will discuss the challenges with securing microservices and present secure design tips to make security a seamless and frictionless part of scaling your architecture. Using real-world examples of successes and failures while building a microservice architecture, we will discuss what translates well from monolithic design to microservices, and the bad habits you should leave behind. At the end of this presentation, you’ll understand what separates microservices from traditional monolithic applications and understand the problem space from a secure architectural perspective.
  • Practical Tips For Defending Web Applications In The Age Of DevOps Recorded: Aug 10 2017 56 mins
    Zane Lackey, Founder and Chief Security Officer, Signal Sciences
    This encore of Zane Lackey's Black Hat presentation covers the most effective application security techniques, helping you avoid development bottlenecks while staying secure.

    The standard approach for web application security over the last decade and beyond has focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls were originally designed in a world of Waterfall development and their heavyweight nature often causes more problems than it solves in today's world of agile, DevOps, and CI/CD.

    This talk will share practical lessons learned at Etsy on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:

    * Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
    * Obtain visibility to enable, rather than hinder, development and DevOps teams' ability to iterate quickly
    * Measure maturity of your organization's security efforts in a non-theoretical way
  • Twubhubbook - It’s Like An AppSec Program, But For Startups Recorded: Mar 1 2017 57 mins
    Neil Matatall, Senior Security Engineer, GitHub
    It’s 2025. Many of the problems in appsec have mitigations, maybe even solutions. The value of an appsec program is widely accepted as a requirement for any successful company. Yet XSS and other common vulnerabilities are still occupying the time of many engineering teams. Twubhubbook, a fictitious startup from the future, has the benefit of being a new startup: it’s mostly a blank slate situation. This is the story of how Twubhubbook rolled out their program without skipping a beat or breaking the bank. The purpose of this imaginary story is to provide practical advice that you can take to a current or future startup (sorry enterprise people) based on the successes and failures of today’s startups.
Top technologists present on everything security, from AppSec to DevOps
The Modern Security Series by Signal Sciences brings the best technologists around to present on modern security practices and approaches ranging from AppSec to DevOps.

Enjoy fun and friendly presentations by some of the world’s foremost experts on topics that are shaping our industry for the future.

  • Title: Multi-Factor Authentication (MFA) and Beyond: Rethinking All the Auth
  • Live at: Feb 1 2018 8:00 pm
  • Presented by: Wendy Nather, Principal Security Strategist, Duo Security