
Multi-Factor Authentication (MFA) and Beyond: Rethinking All the Auth

We've known for a long time that the idea of a fixed perimeter and trusted internal network doesn't work too well, especially since a successful attacker looks exactly like an insider. The concepts variously known as de-perimeterization, zero-trust, software-defined perimeter and BeyondCorp all try to address this, and they represent a fundamental change in how you architect security for your enterprise.

In this presentation, we talk about what you can do to make your old perimeter less lonely, and most importantly, how to explain this new way of thinking to the rest of the business.
Recorded Feb 1 2018 42 mins
Presented by
Wendy Nather, Principal Security Strategist, Duo Security

  • Tangled Web: Defense in Deception Recorded: Feb 13 2018 53 mins
    Herb Todd, CISSP, CSSLP, GSEC, GSSP-Java, GPEN, and CRISC
    Our adversaries are skilled in deception; we as defenders must become skilled as well. This talk shows defenders why deception belongs in a defense-in-depth strategy.

    Why should the Red Team have all the fun? Let's explore the tools, techniques, and processes that the Blue Team can use to detect, deceive, detour, confound, and confuse our attackers.

    What we cover:
    * The goals of deception from the perspective of both the attacker and the defender
    * The elements and processes needed to plan, prepare, execute, and monitor effective deception
    * The types of deception techniques that are effective and how they translate into actual web application capabilities
    * How to identify and respond to various types of attackers

    Finally, we walk through an example of a deceptive web application that detects our attacker and sidelines them in defense of our web application.
  • Multi-Factor Authentication (MFA) and Beyond: Rethinking All the Auth Recorded: Feb 1 2018 42 mins
    Wendy Nather, Principal Security Strategist, Duo Security
  • An Automated AppSec Pipeline with Docker and Serverless Recorded: Jan 15 2018 43 mins
    Matt Tesauro, Senior Technical Project Coordinator, OWASP; Aaron Weaver, Application Security Manager
    In application security, the size of the security team is always the scarcest resource, and the best way to get more out of it is automation. This presentation gives an overview of the key principles and practices for building an Application Security Pipeline augmented with automation.

    With the rise of Docker and serverless patterns, a whole new suite of tools is available to the pipeline builder. We show you how to get started automating application security tooling and reporting using these new patterns.
  • Modern Approaches to Security for Practitioners Recorded: Dec 14 2017 44 mins
    Alex Rice, CTO at HackerOne; Zane Lackey, CSO at Signal Sciences
    In the DevOps-era, security looks different. Hear from security experts Alex Rice, Co-founder and CTO at HackerOne, and Zane Lackey, Co-founder and CSO at Signal Sciences as they explore how security has changed in today's environments of fast, continuous development and regularly shifting business requirements.
  • Secure Development Lessons from Purposely Insecure Applications Recorded: Nov 8 2017 41 mins
    Jason White, Application Security Consultant, Astech Consulting
    Security pros and developers often use insecure apps to teach or demonstrate application vulnerabilities. The main activity is 'hacking': showing how exploiting a given vulnerability works. WebGoat was (as far as we know) the first purposely insecure app for teaching web application security. Many other 'goats' have come along since, and now we even have a Juice Shop. So far there is no purposely secure example application for developers to model from. So let's work with what we have and pull some secure coding and secure SDLC lessons out of the insecure applications.
  • ChaoSlingr: Introducing Security Based Chaos Testing Recorded: Oct 18 2017 51 mins
    Aaron Rinehart, Chief Enterprise Security Architect and Grayson Brewer, Security Engineer, UnitedHealth Group
    This Modern Security episode introduces a security-based chaos testing tool and methodology. ChaoSlingr is a Security Chaos Engineering tool focused primarily on experimentation on AWS infrastructure to bring system security weaknesses to the forefront.
  • Innovation and the Future of Information Security- One Cool Panel Recorded: Oct 3 2017 57 mins
    Jacob Katz, Signal1; Jess Parnell, Centripetal Networks; Zane Lackey, Signal Sciences
    In this panel, led by three of Gartner's 2017 Cool Vendors in Security for Technology and Service Providers, we dive into where the industry is heading, where enterprises can innovate, and how security can be in the value creation business.

    The panelists share their thoughts on the following topics and questions:

    * What larger security trends do you see happening in the industry in 2018?
    * What are the shifts that are creating opportunity for innovation in security?
    * What is the biggest risk in security today?
    * What can enterprises do to solve this risk?

    This lively discussion covers DevOps to digital transformation to cyberwar to the shifting security landscape. Whether you are a senior security pro or new to the industry, you don’t want to miss this panel.
  • Application Denial of Service In Microservice Architectures Recorded: Sep 27 2017 44 mins
    Scott Behrens, Senior Application Security Engineer, Netflix
    This webinar introduces you to one of the most devastating ways to cause service instability in modern microservice architectures: application DDoS. Unlike traditional network DDoS, which targets network pipes and edge resources, this talk focuses on identifying and targeting expensive calls within a microservice architecture and using their complex, interconnected relationships to make the system attack itself, with massive effect.
  • Security In The Land of Microservices Recorded: Aug 30 2017 41 mins
    Jack Mannino, CEO, nVisium
    Microservices are a great way to build software, but they bring their own security problems to the table. Compared to monolithic applications, microservice architectures are often significantly more complex, requiring us to think a little differently about how to build security in. Services are highly decoupled and governance is decentralized, often blurring the line for security duties between teams. This makes it really important to build the proper security controls into your architecture early, before things spin out of control (because they will). Your team is empowered to move faster than ever, and your mission is to help them do it securely.

    In this presentation, we will discuss the challenges with securing microservices and present secure design tips to make security a seamless and frictionless part of scaling your architecture. Using real-world examples of successes and failures while building a microservice architecture, we will discuss what translates well from monolithic design to microservices, and the bad habits you should leave behind. At the end of this presentation, you’ll understand what separates microservices from traditional monolithic applications and understand the problem space from a secure architectural perspective.
  • Practical Tips For Defending Web Applications In The Age Of DevOps Recorded: Aug 10 2017 56 mins
    Zane Lackey, Founder and Chief Security Officer, Signal Sciences
    This encore of Zane Lackey's Black Hat presentation covers the most effective application security techniques, helping you avoid development bottlenecks while staying secure.

    The standard approach to web application security over the last decade and beyond has focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls were originally designed in a world of Waterfall development, and their heavyweight nature often causes more problems than it solves in today's world of agile, DevOps, and CI/CD.

    This talk shares practical lessons learned at Etsy on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it covers how to:

    * Adapt traditionally heavyweight controls like static analysis and dynamic scanning into lightweight efforts that work with modern development and deployment practices
    * Obtain visibility that enables, rather than hinders, development and DevOps teams' ability to iterate quickly
    * Measure the maturity of your organization's security efforts in a non-theoretical way
  • Twubhubbook - It’s Like An AppSec Program, But For Startups Recorded: Mar 1 2017 57 mins
    Neil Matatall, Senior Security Engineer, GitHub
    It’s 2025. Many of the problems in appsec have mitigations, maybe even solutions. The value of an appsec program is widely accepted as a requirement for any successful company. Yet XSS and other common vulnerabilities still occupy the time of many engineering teams. Twubhubbook, a fictitious startup from the future, has the benefit of being a new startup: it’s mostly a blank-slate situation. This is the story of how Twubhubbook rolled out its program without skipping a beat or breaking the bank. The purpose of this imaginary story is to provide practical advice that you can take to a current or future startup (sorry, enterprise people) based on the successes and failures of today’s startups.
  • Protect Containerized Applications With System Call Profiling Recorded: Dec 20 2016 40 mins
    Dr. Chenxi Wang, Founder, Jane Bond Project; Startup advisor & Angel investor
    Container technologies like Docker are gaining mainstream interest from development and operations teams. Unlike virtual machines, containers running on the same host share the underlying OS kernel. As such, a malicious container can influence the execution of other containers through the common kernel by either exploiting a kernel vulnerability or simply leveraging the privileges of the compromised container.

    In this talk we describe an approach to harden and isolate containerized applications via system call profiling. We show that one can develop accurate system call profiles via static analysis of the container images and knowledge of the host system. Using this profile at runtime, one can monitor for and protect against malicious behavior that deviates from the profile. We show that one can build these profiles automatically by analyzing information within the container image and Dockerfiles, and that runtime profiling and monitoring adds approximately 5-8% performance overhead for running applications. We demonstrate system call profiling on a sample microservice application and show that it is a non-intrusive and effective method to detect behavioral anomalies with low false positives.
  • Dangers of DevOps Monotheism Recorded: Oct 27 2016 33 mins
    Jim Manico, Founder, Manicode Security
    The DevOps gods rule the AppSec universe. However, like any form of human worship of divine entities, that worship is often flawed by the limits of man compared to the perfection of divinity. This was first noted by Plato in his discussion of Platonic Forms, one of the fundamental concepts behind the philosophy of western religion and divinity. While acknowledging the many great things DevOps has brought to software development and application security, there are giant pitfalls for those who put all of their faith in this man-made construct. This talk focuses on the many challenges DevOps worshipers and implementers will face and what you can do to prepare for them and convert those gaps into opportunities for excellence, and a piece of divinity in this human existence. You may even learn a tiny bit about philosophy along the way.
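The deceptive web application that the "Tangled Web: Defense in Deception" talk walks through is not reproduced on this page. The following is an added example (not the speaker's code) of the same idea in plain Python: decoy paths that no real page links to, plus a hidden form field that a browser submits unchanged, flag the session that touches them, and from then on every response for that session comes from a decoy copy of the site. All paths, page bodies and the `is_admin` field name are constructed for the example.

```python
"""Added example: a minimal deceptive web layer that detects and sidelines an attacker."""
from urllib.parse import parse_qs

# Decoys advertised where an attacker looks (robots.txt Disallow lines, HTML comments)
# but never linked from real pages; a legitimate user has no reason to request them.
DECOY_PATHS = {"/admin/backup.zip", "/.git/config", "/api/v1/internal/users"}

# Hidden form field rendered as value "0". Browsers submit it unchanged, so any other
# value (or an emptied one) means someone edited the request by hand or with a proxy.
HONEYPOT_FIELD = "is_admin"

# Constructed site content: the real pages and the decoy copies served to flagged sessions.
REAL_PAGES = {"/": "welcome", "/products": "real product list", "/checkout": "order placed"}
DECOY_PAGES = {
    "/products": "product list (stale decoy copy)",
    "/checkout": "order placed",          # attacker sees success; nothing is written
    "/admin/backup.zip": "PK\x03\x04 decoy archive",
    "/.git/config": "[core]\n\trepositoryformatversion = 0",
    "/api/v1/internal/users": '[{"id": 1, "user": "svc-backup"}]',
}


class DeceptionGate:
    def __init__(self):
        self.flagged = {}   # session id -> first reason it was flagged
        self.alerts = []    # (session id, reason) events the blue team ships to the SIEM

    def _flag(self, session_id, reason):
        if session_id not in self.flagged:
            self.flagged[session_id] = reason
            self.alerts.append((session_id, reason))

    def handle(self, session_id, path, body=""):
        """Serve one request; returns (status, body, deceived)."""
        if path in DECOY_PATHS:
            self._flag(session_id, f"requested decoy path {path}")
        form = parse_qs(body, keep_blank_values=True)
        if form.get(HONEYPOT_FIELD, ["0"]) != ["0"]:
            self._flag(session_id,
                       f"tampered honeypot field {HONEYPOT_FIELD}={form[HONEYPOT_FIELD][0]!r}")
        if session_id in self.flagged:
            # Sidelined: keep answering 200 with plausible content so the attacker keeps
            # working against the decoy instead of probing for the real application.
            return 200, DECOY_PAGES.get(path, "ok"), True
        if path in REAL_PAGES:
            return 200, REAL_PAGES[path], False
        return 404, "not found", False


if __name__ == "__main__":
    gate = DeceptionGate()
    print(gate.handle("s1", "/products"))                       # real page
    print(gate.handle("s1", "/.git/config"))                    # decoy touched: flagged
    print(gate.handle("s1", "/products"))                       # now served the decoy copy
    print(gate.handle("s2", "/checkout", "item=7&is_admin=1"))  # tampered field: flagged
    print(gate.alerts)
```

Two design points matter more than the code: the decoys must be reachable only by someone actively hunting (never by a crawler following real links, or the false-positive rate destroys the alert), and the sidelined experience has to look like success, since an attacker who gets a 403 simply moves on to the next host.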
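The "Application Denial of Service In Microservice Architectures" abstract describes the attack but not how to find the expensive calls. The following added example (mine, not from the talk or Netflix) shows the arithmetic a defender or attacker does: walk a constructed service call graph, multiply fan-out by per-call cost, and rank public endpoints by how much downstream work one request triggers. Service names, fan-out counts and millisecond costs are all hypothetical.

```python
"""Added example: rank entry points by the downstream work one request causes."""

# Constructed call graph: caller -> list of (callee, calls per caller invocation).
CALLS = {
    "api-gateway:/home":   [("recommendations", 1), ("profile", 1)],
    "api-gateway:/search": [("search", 1)],
    "recommendations":     [("catalog", 20), ("ratings", 20)],  # N+1 style fan-out
    "search":              [("catalog", 1)],
    "profile":             [("ratings", 1)],
    "catalog":             [],
    "ratings":             [],
}

# Constructed cost of one invocation in milliseconds of CPU/DB time, excluding the
# calls it makes downstream.
LOCAL_COST_MS = {
    "api-gateway:/home": 1, "api-gateway:/search": 1, "recommendations": 5,
    "search": 15, "profile": 2, "catalog": 8, "ratings": 4,
}


def total_cost_ms(service, _path=()):
    """Cost of one call to `service` including everything it triggers downstream."""
    if service in _path:
        raise ValueError(f"cycle in call graph via {service}")
    cost = LOCAL_COST_MS[service]
    for callee, n in CALLS[service]:
        cost += n * total_cost_ms(callee, _path + (service,))
    return cost


def downstream_calls(service, _path=()):
    """Number of RPCs one call to `service` fans out into, transitively."""
    if service in _path:
        raise ValueError(f"cycle in call graph via {service}")
    return sum(n * (1 + downstream_calls(callee, _path + (service,)))
               for callee, n in CALLS[service])


def rank_entry_points(prefix="api-gateway:"):
    """Public endpoints sorted by total cost: (endpoint, total ms, rpcs, amplification)."""
    rows = []
    for ep in CALLS:
        if ep.startswith(prefix):
            total = total_cost_ms(ep)
            rows.append((ep, total, downstream_calls(ep), total / LOCAL_COST_MS[ep]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def rps_to_saturate(endpoint, capacity_ms_per_s):
    """Requests per second at which this endpoint alone uses the whole compute budget."""
    return capacity_ms_per_s / total_cost_ms(endpoint)


if __name__ == "__main__":
    # 8 cores give 8000 ms of CPU time per second of wall clock.
    for ep, total, rpcs, amp in rank_entry_points():
        print(f"{ep:22s} {total:4d} ms  {rpcs:3d} downstream RPCs  x{amp:.0f} amplification  "
              f"saturates 8 cores at {rps_to_saturate(ep, 8000):.0f} rps")
```

With these numbers, about 32 requests per second to `/home` exhaust the same capacity that `/search` would need roughly 330 requests per second to exhaust; a per-endpoint rate limit that counts requests rather than cost would never notice. The same traversal, run over real tracing data, tells you where to cap fan-out, add caching, or budget by cost instead of request count.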
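The "Protect Containerized Applications With System Call Profiling" abstract describes deriving a syscall profile from the image and checking runtime behavior against it. The following added example (mine, not the speaker's tooling) shows the two halves in Python: a Docker-style seccomp profile built from a syscall set attributed to an image, and a check of a runtime trace against that profile that reports every call outside it. The `IMAGE_SYSCALLS` table stands in for the static analysis the talk describes, and the strace-style trace lines are constructed.

```python
"""Added example: seccomp allowlist from an image's syscall set, and trace deviation check."""
import json
import re

# Constructed stand-in for static analysis of the image: the syscalls the entrypoint
# binary and its libraries are known to issue. In the real approach this table would be
# produced by analyzing the binaries named in the Dockerfile, not written by hand.
IMAGE_SYSCALLS = {
    "nginx": {
        "accept4", "bind", "brk", "clone", "close", "epoll_wait", "exit_group", "fstat",
        "futex", "getpid", "listen", "mmap", "munmap", "openat", "read", "rt_sigaction",
        "sendfile", "setsockopt", "socket", "write", "writev",
    },
}


def build_seccomp_profile(image):
    """Default-deny profile in the JSON shape Docker accepts via --security-opt seccomp=."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(IMAGE_SYSCALLS[image]), "action": "SCMP_ACT_ALLOW"}],
    }


def profile_json(image):
    return json.dumps(build_seccomp_profile(image), indent=2)


def allowed_syscalls(profile):
    return {name for rule in profile["syscalls"]
            if rule["action"] == "SCMP_ACT_ALLOW" for name in rule["names"]}


# Constructed trace in `strace -f -ttt` style: a normal request, then a shell spawn,
# an anti-debugging probe and a reverse connection that nginx never makes.
TRACE = """\
1517500000.000100 accept4(6, {sa_family=AF_INET, ...}, [16], SOCK_NONBLOCK) = 9
1517500000.000230 read(9, "GET / HTTP/1.1\\r\\n"..., 1024) = 87
1517500000.000410 openat(AT_FDCWD, "/usr/share/nginx/html/index.html", O_RDONLY) = 10
1517500000.000500 sendfile(9, 10, NULL, 612) = 612
1517500000.200000 execve("/bin/sh", ["sh", "-c", "id"], 0x7ffc) = 0
1517500000.200300 ptrace(PTRACE_TRACEME, 0, NULL, NULL) = -1 EPERM (Operation not permitted)
1517500000.200400 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 11
1517500000.200500 connect(11, {sa_family=AF_INET, sin_port=htons(4444), ...}, 16) = 0
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<name>[a-z_0-9]+)\(")


def find_deviations(profile, trace):
    """(timestamp, syscall) for every traced call the profile would not allow."""
    allowed = allowed_syscalls(profile)
    found = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m and m["name"] not in allowed:
            found.append((m["ts"], m["name"]))
    return found


if __name__ == "__main__":
    profile = build_seccomp_profile("nginx")
    for ts, name in find_deviations(profile, TRACE):
        print(f"{ts} unexpected syscall {name}")
    print(profile_json("nginx"))
```

In monitoring mode the deviation list is the detection signal; in enforcement mode the same profile, written to a file and passed to `docker run --security-opt seccomp=profile.json`, makes the kernel return an error for `execve`, `ptrace` and `connect` before the container ever runs them. The hard part is the first half: a profile that is missing a legitimate but rarely used syscall turns into an outage, which is why the abstract's emphasis on accurate profiles from static analysis matters.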
Top technologists present on everything security, from AppSec to DevOps
The Modern Security Series by Signal Sciences brings the best technologists around to present on modern security practices and approaches ranging from AppSec to DevOps.

Enjoy fun and friendly presentations by some of the world’s foremost experts on topics that are shaping our industry for the future.

  • Title: Multi-Factor Authentication (MFA) and Beyond: Rethinking All the Auth
  • Live at: Feb 1 2018 8:00 pm
  • Presented by: Wendy Nather, Principal Security Strategist, Duo Security