Name: Train as You Fight: The Value of Threat Simulations vs. Pen Testing
Start: 2016-04-12T18:00:00Z
End: 2016-04-12T18:58:50.000Z
Location: BrightTALK
Rating: 4.5

Increasing expectations for good data governance, effective risk management and complex demands for legislative and regulatory compliance are presenting a growing challenge for organizations of all sizes. Tune in to live and recorded presentations by respected luminaries in the fields of governance, risk and compliance for insights on how to implement successful GRC strategies and processes for your organization.

According to The Life and Times of Cybersecurity Professionals 2021 report by the Information Security Systems Association, the ongoing cybersecurity skills crisis has steadily continued for over five years. Organizations are consistently on the prowl for talented cybersecurity professionals to combat increasingly prevalent and sophisticated cyber attacks. However, is hiring the “best fit” the only option organizations have to address the ongoing cybersecurity skills shortage? 

After working alongside the constant cybersecurity skills shortage, CISOs understand that only looking to hire talent won’t cure the longstanding problem. So how are security executives addressing the growing need for cybersecurity skills? Join Hosts Dan and Earl with guests as they take a deeper look into the cybersecurity skills shortage and:

- Innovative new strategies organizations are utilizing to tackle the cybersecurity skill shortage from integrated security architectures to partnerships with third party services or vendors
- Investing in IT and security staff through cybersecurity training
- Embracing automation and analytics to streamline security processes

The Cybersecurity Skills Shortage: Why, How, and What To Do About It

The increasingly distributed nature of the modern enterprise is making zero-trust security approaches more relevant than ever. In this research-led session, John Grady, ESG Principal Analyst, will focus on how organizations are thinking about, planning for, and implementing zero trust across their environments.


Join to find out how zero trust can provide a framework to secure even the most complex environments, whether implementing least-privilege tenets for user access or securing the connections to and between the disparate aspects of today’s hybrid multi-cloud deployments. You'll learn exactly what a zero-trust initiative should entail, where to begin, and how best to overcome the organizational obstacles that result from such a cross-functional undertaking.

Zero Trust Security Strategies to Safeguard the Enterprise

As organizations are looking for ways to stay on top of an evolving threatscape, many are
looking towards AI to enhance their security strategies and fend off cyber attacks before they
happen. In the 2022 CIO and Technology Executive Survey by Gartner, 66% of respondents
reported that they expected to increase cyber and information security investments for the
next year. More than half of respondents reported that they planned to heavily invest in
business intelligence and data analytics.

However some security leaders are cautious about adding artificial intelligence into their
security arsenal. Despite rapid advancements in AI, these solutions can also come with their
own unique set of drawbacks. Some skeptics say that AI technology is still immature and
that there may be simpler, more cost-effective solutions. With all the interest surrounding AI
in cybersecurity, it’s important for organisations to establish realistic expectations.

Join this panel to learn more about:
- The current state of AI in security
- What CISOs and their teams should keep in mind about AI
- How AI impacts your workforce strategy
- And more!

Speakers:
- Dan Lohrmann, Field CISO at Presidio
- Earl Duby, CISO at Lear Corporation
- Aidan Walden, Director, Public Cloud Architecture & Engineering at Fortinet
- Warsamé Ahmed, Co-Founder & CEO at BR[AI|YT.ai

Using AI in Cyber Security: Boon or Bust?

Secure access to cloud is broken. By now, you must already know that the traditional VPNs are the weakest links when it comes to secure access into your mission critical infrastructure. This is due to two fundamental flaws. 

VPN aka virtual private network, as it suggests, provides a virtual network extension over a secure link. That means, if the endpoint that is connecting over the VPN, is compromised, an attacker can gain secure access your infrastructure.

Once insider your network, the intruder now has the license to roam within the subnet/VLAN and, unless you have an error free setup, perhaps the intruder has the license to roam across the enterprise.
 
Time and again, we have witnessed VPNs being exploited by the adversaries and, if you want to stay protected, please ensure that you get off the traditional VPN train first.

The modern-day alternative to VPNs is called Zero Trust Network Access (ZTNA). However, the ZTNA solutions lack end to end segmentation. That means, if the attacker somehow gains access to one of your hosts over ZTNA, the attacker will then be able to roam laterally withing your organization. This is the predominant way for Ransomware to spread and compromise most of your assets.

What you need is a combination of modern Secure Access technology coupled with an agentless micro-segmentation solution and a potent incident response tool.
 
This will be the focus of our session. In this session, you’d learn how to
• Provision agentless segmentation at scale across your organization for all your assets – TV, Toaster, Laptops, VMs, Servers, and even containers
• Gain end-to-end visibility and control for all traffic
• Secure high value assets distributed across your organization
• Deploy a Ransomware Kill Switch™ that prevents ransomware spread

The correct way to “Cloud-Access”

Working remotely has become the new normal. This, and many other changes organizations adopted last year in response to the pandemic are likely to stay for the long term. According to Gallup, about two-thirds of U.S. remote workers want to continue to work remotely. So, how can organizations continue to support their growing distributed workforce at a time where reports of security threats have increased by 400% compared to pre-pandemic levels? 

Here is where the zero-trust approach to security comes into play. 

Join this month's episode of The (Security) Balancing Act with Diana Kelley and guests as they discuss the emergence of zero trust (“Trust Nothing, Verify Everything”) and what it helps achieve for enterprises in the age of cloud and remote work.

Viewers will learn about:
- The evolution of the security perimeter and the shift to zero trust
- Why zero trust is an approach and not a product
- Zero Trust Network Access (ZTA) vs. corporate VPN
- Real-world stories and practical hands-on guidance from people who have deployed a ZTA

Speakers:
- Mari Galloway, CEO, Women's Society of Cyberjutsu
- Jonathan Nguyen Duy, Vice President, Global Field CISO Team, Fortinet
- Bob Rudis, Chief Data Scientist, Rapid7

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

Zero Trust for the New Normal

Phishing and ransomware attacks continue to rise, according to Proofpoint’s State of the Phish report for 2020. Organizations in the U.S. are at risk, the increase in remote work due to the pandemic has fueled a spike in attacks, and phishing attempts are up by 14 percent compared to the previous year. 

Email continues to be the number 1 delivery vehicle, but other social engineering schemes that rely on social media, voicemail (“vishing"), SMS phishing (“smishing”), and malicious USB drops are also of concern for organizations. Ransom demands are also on the rise, but according to the report, paying the ransom is not guaranteed to work as many companies that paid the ransom failed to receive a decryption key. 

Join this month's episode of The (Security) Balancing Act as Diana Kelley and guests discuss why ransomware is surging again, which sectors are most at risk, the threat to enterprises and how it is being used for more than just ransom (ex: distractionware, destructionware, etc).
- The rise in ransomware under the cloak of the pandemic 
- Why email continues to be the channel of choice 
- The difference between fully automated and human-operated campaigns
- How to decide whether or not to pay or not to pay the ransom
- Why your backups may not be immune to ransomware
- Addressing the threat with best practices

Speakers
-  Nicole Hoffman, Intelligence Analyst, GroupSense 
-  Courtney Radke, CISO for National Retail, Fortinet 
-  Patrick Lee, Senior Incident Response Consultant, Rapid7

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

Ransomware in the Remote Work Era

Requiring non-security specialists to describe their posture and informing the management hierarchies on our current security posture is difficult. The language is foreign and does not lend itself to exactness. The eternal question is “Are we secure? The expected answer then cannot be “It depends…”, but rather an aggregated statement, very close to a single “Yes” or “No”. 

In case of a negative response, it is also expected to hear of the gaps and the plans to fill them to become secure again.

 

To accomplish this aggregated statement, a traditional assurance cycle of up to a year is too slow. The product owners need to have security activities in their backlog, they need to know when circumstances change to be able to address them based on risk. The management hierarchy needs to be informed with the current security posture and what implications that brings.


The road to prevent breaches is paved with measurements, a quick feed-back loop and AI assisted decision making. All meant to push security decisions out in the organization.

Here one could add the analogy of driving a car, where the driver, or senior manager, has to take decisions based on situational awareness and information provided by the car. The driver does not need to know the exact oil pressure or the cooling temperature, but rather if it has reached a hazardous level. The driver cannot base decisions on oil pressure solely by dipping the stick before starting the journey, which would be equivalent to classic compliance.

To prevent breaches senior management need to know that circumstances have changed, when they change, and ultimately that they are about to change.


In this webinar you will be inspired by a Proof of Concept and an idea of how to implement and extend it.

Proactive Breach Prevention using Automated Compliance and Continuous Auditing

This month's episode of The (Security) Balancing Act will focus on botnets as a growing threat to the enterprise, examples from the real world, and what enterprises can do to better protect against botnet-fueled state sponsored attacks.

Join this interactive roundtable discussion with security experts and industry leaders to learn more about:
-  How botnets have become a tool for cyber criminals and nation state actors
-  Real-world examples & known botnet attacks 
-  Nation state ransomware attacks
-  DDoS attacks
-  Cyber espionage
-  ATPs
-  The trouble with attribution
-  What enterprises and governments can do to address the threat

Panelists:
-  Johna Till Johnson, CEO and Founder of Nemertes Research
-  Derek Manky, Chief, Security Insights & Global Threat Alliances, Fortinet
-  Craig Harber, Chief Customer Success Officer, Fidelis

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

Taking Down Nation State Botnets

Mentoring programs can increase knowledge and build skills for future goals and milestones, allowing your workforce to grow their skills organically and create cultures of collaboration and success. 

Join Part 1 of our series to learn how to design a mentoring program for women and minorities in security that actually delivers for everyone involved. 
- Learn from experts on how to design a mentoring program that delivers
- Understand how to make mentoring meaningful for your organization
- Learn what strategic planning steps are critical to make the plan a success

Speakers:
- Virginia "Ginger" Spitzer, Executive Director | ISACA, One In Tech Foundation
- Joy Harrison, Director, Leadership Development Center for Excellence | NTT DATA Services
- Sushila Nair, VP Security Services, Chief Digital Officer | NTT DATA Services
- Kwasi Mitchell, Chief Purpose Officer | Deloitte
This is Part 1 of our new series on mentorship produced by BrightTALK. Sign up for Part 2 via the link in the attachments.

Design a Mentoring Program That Delivers!

Instead of the traditional "castle and moat" model of the past, today the security perimeter is being defined around the identity of the person or the device requesting access. What are organizations doing to protect digital identities in the age of breaches? How are the current trends in identity and access management helping address this issue?

Join this interactive roundtable discussion with notable security experts to learn more about:
- The shift to identity-centric security
- The zero trust mindset
- What constitutes strong and effective authentication and authorization
- The role of policy orchestration and enforcement
- Best practices for protecting identities and managing access across the enterprise  

Panelists:
- Joseph Carson, Chief Security Scientist and Advisory CISO at Thycotic
- Dave Farrow, VP, Information Security at Barracuda
- Jeremy Snyder, Sr. Director, Corporate Development, Rapid7

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

The Future is Identity-Centric

If you don’t fix your security vulnerabilities, attackers will exploit them. It’s simply a matter of who finds them first. If you fail to prove that your software is secure, your sales are at risk, too. 
 
Whether you’re a technology executive, developer, or security professional, you are responsible for securing your application. However, maybe you’re uncertain about what works, what doesn’t, how hackers exploit applications, or how much to spend. Or, maybe you think you do know, but don’t realize what you’re doing wrong.
 
To defend against attackers, you must think like them. Join Ted Harrington, author of HACKABLE: How to Do Application Security Right and learn:
- how to eradicate security vulnerabilities
- establish a threat model
- build security into the development process 

You’ll leave knowing how to build better, more secure products, gain a competitive edge, earn trust, and win sales.

This episode is part of Cyber Authors, a new series with Sushila Nair. We welcome viewer participation and questions during this interactive interview.

Cyber Authors Ep.3: How to Do Application Security Right

This month's episode of The (Security) Balancing Act will look at how the CISO role has evolved in the last few years, what today's expectations are and what it takes to succeed as a CISO. 

Some of the topics to be covered during this roundtable discussion with security and tech leaders include:
- How has the CISO role evolved over the last few years and what is expected of CISOs in 2021?
- CISO vs BISO 
- How to see ROI on your cybersecurity investment?
- How to get the business to understand risk and care about security? 
- How to keep cyber employees happy. The churn is exhausting and costly for companies, and it’s exacerbated by employee burnout and a “grass is greener” approach. 

Panelists
- Patricia Titus, Chief Privacy and Information Security Officer, Markel Corporation
- Jonathan Nguyen-Duy, Vice President, Global Field CISO Team at Fortinet
- Gerald Mancini, Chief Operating Officer of Fidelis Security

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

Succeeding as a CISO in 2021

In the shadow of the global pandemic and the associated economic downturn, organizations are focused on cost optimization, which often leads to impulsive decisions to deprioritize compliance with all nonrevenue programs. 

Regulators have evolved to adapt with the notable increase in data subject complaints and are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine while Equifax agreed to pay a minimum of $575 million for its breach. The US Federal Trade Commission, the US Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories sued over the company’s failure to take “reasonable steps” to secure its sensitive personal data.
 
Privacy and data protection are enforced by a growing number of regulations around the world and people are actively demanding privacy protection — and legislators are reacting. More than 60 countries have introduced privacy laws in response to citizens’ cry for transparency and control. By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today, according to Gartner. There is a convergence of data privacy principles, standards and regulations on a common set of fundamental principles.

The opportunities to use data are growing exponentially, but so too are the business and financial risks as the number of data protection and privacy regulations grows internationally.

Join this webinar to learn more about:
- Trends in modern privacy regulations
- The impact on organizations to protect and use sensitive data
- Data privacy principles
- The impact of General Data Protection Regulation (GDPR) and data transfer between US and EU
- The evolving CCPA, the new PCI DSS version 4 and new international data privacy laws or regulations
- Data privacy best practices, use cases and how to control sensitive personal data throughout the data life cycle

New Opportunities & Business Risks with Evolving Privacy Regulations

2020 was the year that third-party risk management was put under a microscope. How will this change third-party risk management in the year to come?

Tune in to our fireside chat with industry leaders from SecurityScorecard and CybelAngel as they discuss their top 5 predictions for Third-Party Risk Management in 2021, and how to stay ahead of the risks!

Speakers:
● Drew Wilkinson, VP Professional Services and Customer Success at SecurityScorecard
● Camille Charaudeau, VP Marketing & Product Strategy at CybelAngel

Get Ahead of Digital Third-Party Risk Management in 2021

The 2020 US presidential election is behind us, but the key cybersecurity issues surrounding election integrity could linger for years to come. From ransomware attacks on local governments, to the untamed spread of disinformation, to experimenting with online voting apps and the myriad of vulnerabilities uncovered across election infrastructures, cybersecurity had never before taken such a central place in the national conversation as it did in 2020.
  
So, what have we learned in the aftermath? And how can we apply it to better protect upcoming elections as well as enterprises, customers and employees?

Join this interactive panel with security experts and tech leaders to learn the biggest lessons from the election from a cybersecurity and privacy standpoint. Discover what went down, what could have gone better and how to prepare for the midterm elections in 2022.

- Can we build a hack-free election
- Does misinformation on social sites impact how people vote and what can be done to stop the spread
- What was new this time and what should security leaders keep in mind for their organizations
- Would it be safer if we brought the voting process online or in app
- Can nation state actors change voter rolls or polling data
- What the biggest election threats mean for industry
- Key takeaways for cybersecurity leaders

Panelists:
- Jim Richberg, Public Sector Field CISO at Fortinet
- W. Curtis Preston, Chief Technical Evangelist, Druva

This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.

Election Takeaways for Cybersecurity Leaders

Every year top security companies, industry thought-leaders, and tech media publications come out with their predictions for the upcoming year, and every year Dan Lohrmann publishes his roundup of these security industry reports, forecasts, themes and trends.

This BrightTalk webinar will dig into the 2021 prediction report in detail.

In addition to counting down (and referencing) the top 21 security prediction reports from the leading vendors, this webinar will examine:
- Where is their agreement on what’s coming next?
- Where is their major disagreement?
- Where will cyberattacks come from next?
- Which vendors have the best reports (and why)?
- Who are the award-winners for most creative, most likely, most scary and other security industry predictions?

We'll discuss security and tech predictions on Covid-19 and working from home as well as major security incidents such as attacks on global events (like the 2021 Olympics), cyber incident response and much, much more.

We will take your questions at the end, and may even ask you to vote for your favorite predictions (or offer one of your own to share.) Join us now!

CISO Insights - The Top 21 Security Predictions for 2021

This session is Part 10 of the PCI Dream Team series on BrightTALK.

Our panelists are some of the top PCI QSA’s in the country, with decades of combined PCI and card processing experiences. They’ve seen it all: the good, bad and ugly; and lived to tell the tale.

Join Ben Rothke, David Mundhenk, Arthur Cooper, and Jeff Hall for an interactive Q&A session, and get answers to your most vexing PCI questions. No PCI question is out of bounds.

All PCI and NOTHING about PCI DSS v4

The Cloudscape provisions a shared/split model for responsibility. This generally means that the cloud provider is responsible for certain layers of the environment. But the provided graphics are usually more IT focused than Information Security let alone Risk Management. The information security elements of cloud have been improving for years.  However, there are still areas that are light in detail or clarity This presentation will take you on a deeper dive of Cloud GRC. This presentation will use the premise of Platform (PaaS) clouds, as this model provides a clear “bang for the buck”. Other models (Infrastructure IaaS, Software SaaS) are do provide benefits, but at different specialization levels. In this conversation, we will discuss repercussions of the shared/split responsibility model.  In this webinar you will learn:

·         Viewpoint changes
·         To distinguish shared responsibility and shared risk
·         Changes to compliance and continuous monitoring
·         Changes to Risk management and assessment from shared/split responsibility model
·         and what you are (really) protecting

The Cloudscape GRC Landscape

Tools and policy frameworks are only as good as the people who implement and support them. Automated mechanisms can only go so far before they rely on human intelligence to drive the appropriate reaction. The controls required by security frameworks and the data they generate, however, are overwhelming, and finding the right security talent can feel impossible.

Organizations often choose to prioritize the implementation of their security program components on the basis of risk. By identifying potential impacts and attack vectors, it’s easier to identify the controls that produce the biggest return on investment. Training your staff to understand what they see when they see it, and how to respond proactively, will help you build a security organization that is resilient in the face of evolving threats and identify any controls gaps you have while you execute your security roadmap.
This webinar will talk about how organizations can evolve beyond the compliance checklist and overwhelming scanner results by employing threat simulations. We will discuss how threat simulations differ from penetration testing, how they can be used to help make your organization stronger, and how they can replace traditional penetration testing as part of a security program.

We will focus on a discussion of attack chains, mapping methodologies to real world threats, and then look at a sample attack to see how a nominally compliant system can still be compromised.

Train as You Fight: The Value of Threat Simulations vs. Pen Testing

Enterprise Security

Security

Threat

Detection

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

Increasing expectations for good governance, effective risk management and complex demands for corporate compliance are presenting a growing challenge for organizations of all sizes. Join industry thought leaders as they provide you with practical advice on how to implement successful risk and compliance management strategies across your organization. Browse risk management resources in the form of interactive webinars and videos and ask questions of expert GRC professionals.

IT Governance, Risk and Compliance

The unexpected nature of natural disasters and other disruptive events means that preparation is key to managing disaster recovery and business continuity planning. Join the business continuity and disaster recovery community for live and recorded presentations discussing best practices for business continuity planning, disaster recovery programs and business continuity management. Learn from BCDR experts to develop your critical infrastructure and gain insight into tactical solutions to your BCDR issues.

Business Continuity / Disaster Recovery

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Train as You Fight: The Value of Threat Simulations vs. Pen Testing

Presented by

About this talk

More from this channel