
Stop Patching, for Stronger PCI Compliance

Too many organizations have their administrators running on the Patching Wheel of Death. PCI DSS says all vendor critical patches must be installed within 30 days, right? Wrong. Looking more closely at the PCI standard shows that it actually mandates a risk-based approach to patching.

In this presentation, an experienced PCI QSA discusses how organizations that patch frequently and rely solely on vulnerability scanner or vendor recommendations are actually less PCI compliant. The time wasted on unnecessary patching could be better spent on more important ongoing compliance activities and long-term fixes. An alternative approach is presented, showing how even applying simple contextual criteria when evaluating patches (in accordance with PCI DSS recommendations) can eliminate over 50% of monthly patch installations.
Recorded Sep 12 2012 46 mins
Presented by
Adam Brand, Senior Manager - PCI QSA, Protiviti

  • The State of Cloud Security Jul 20 2017 5:00 pm UTC 75 mins
    Eric Hibbard, Hitachi Data Systems, Mark Carlson, Co-Chair SNIA Tech Council, Toshiba, Alex McDonald, SNIA-CSI Chair, NetApp
    Standards organizations like SNIA are in the vanguard of describing cloud concepts and usage, and (as you might expect) are leading on how and where security fits in this new world of dispersed and publicly stored and managed data. In this webcast, SNIA experts Eric Hibbard and Mark Carlson will take us through a discussion of existing cloud and emerging technologies (such as the Internet of Things (IoT), Analytics & Big Data, and so on) – and explain how we’re describing and solving the significant security concerns these technologies are creating. They will discuss emerging ISO/IEC standards, SLA frameworks and security and privacy certifications. This webcast will be of interest to managers and acquirers of cloud storage (whether internal or external), and developers of private and public cloud solutions who want to know more about security and privacy in the cloud.

    Topics covered will include:

    Summary of the standards developing organization (SDO) activities:
    - Work on cloud concepts, CDMI, an SLA framework, and cloud security & privacy
    Securing the Cloud Supply Chain:
    - Outsourcing and cloud security; Cloud Certifications (FedRAMP, CSA STAR)
    Emerging & Related Technologies:
    - Virtualization/Containers, Federation, Big Data/Analytics in the Cloud, IoT and the Cloud
  • The Not So Same-Origin Policy & Web Security Jul 18 2017 6:00 pm UTC 60 mins
    David Petty, Network Security Analyst at Independent Security Evaluators
    The same-origin policy (SOP) remains one of the most important security mechanisms of the web, protecting servers from malicious pages interacting with their APIs through cross-site requests. However, the subtle details of the policy can be overlooked, so our talk aims to show how limitations in the application of the same-origin policy can undermine security.

    Join this talk in the "Threat Hunting" series as David Petty, Network Security Analyst at Independent Security Evaluators, explains in depth how the same-origin policy works and how it can be bypassed to exploit cross-site vulnerabilities, including examples of Java, Flash, Silverlight, and Cross-Origin Resource Sharing (CORS) misconfigurations.

    As the same-origin policy and cross-site request forgery (CSRF) are inherently connected, we will also show both simple and complex cross-site request forgery attacks and how CSRF functions within the context of the same-origin policy. This will include classic CSRF attacks that work within the confines of the same-origin policy and more complicated attacks that utilize server misconfigurations to bypass the same-origin restrictions altogether.

    About the Threat Hunter:
    David Petty is an Associate Security Analyst at Independent Security Evaluators (ISE), a security consulting company in Baltimore, MD. He has recently graduated from Northwestern University with a B.S. in Computer Science, and discovered his interest in security while working for ISE during college. He specializes in breaking web and native applications and uses these skills to conduct custom security assessments of software products. His interests also include reverse engineering and digital forensics.
  • Building Breach Notification into your IR process post-GDPR Jul 12 2017 1:00 pm UTC 60 mins
    Jamie Cowper, Director, IBM Resilient
    The rise in large scale data breaches has been accompanied by a growing number of data privacy reporting regulations across the world. The latest of these, the General Data Protection Regulation (GDPR) will require companies to notify the regulator of a serious incident within 72 hours.

    Companies therefore need to look at their cybersecurity incident response plans and how technology can be leveraged to improve their ability to detect and respond to security incidents faster.

    Join IBM Resilient on July 12 at 2pm to review how organisations can build data privacy reporting into their incident response strategy whilst using security automation and orchestration tools to enhance their IR processes.

    Attendees will learn:

    • The latest on breach notifications and GDPR: what actions are expected of organisations if data belonging to EU citizens is compromised
    • How to operationalise GDPR using automation and orchestration to improve IR processes
    • A broader view of global and vertical data breach reporting requirements
    • What benefits can be achieved through the deployment of an Incident Response Platform (IRP)
  • What You Need To Know About Petya, GoldenEye & Ransomware Attack Protection Jul 11 2017 8:00 pm UTC 60 mins
    May Wang, Co-founder & CTO of ZingBox; others currently being selected
    Another widespread ransomware attack in late June wreaked havoc across businesses, organizations, banks, government agencies, utility companies and even hospitals and power plants. The cyber attack involved a variation of the Petya ransomware called GoldenEye. The malware holds crucial files hostage, demanding $300 in bitcoin before victims can regain access.

    Join this panel of industry leaders and security experts for an interactive session on:
    - The impact of this attack across industries and countries
    - What have we learned from the WannaCry and Petya attacks
    - Why ransomware protection is more crucial than ever
    - Steps your organization should take today to ensure data security in an age of increased ransomware attacks

    Speakers:
    - May Wang, Co-founder & CTO of ZingBox
    - Others currently being selected
  • Why the Petya Ransomware Attack is Deadlier than Wannacry Jul 10 2017 8:00 pm UTC 60 mins
    Joseph Carson (Thycotic), Omri Moyal (Minerva)
    The major ransomware attack that spread across the world in late June struck large pharmaceutical companies, Chernobyl radiation detection systems, the Kiev metro, an airport, banks, hospitals and government agencies. Is the worst over or is there more to come?

    Join this panel of cybersecurity experts as they go over the details of this attack, what it means for organizations worldwide and how to better protect against ransomware.

    Topics up for discussion:
    - Detailed account of this cyber attack
    - What is Petya? How is it different from WannaCry?
    - What is the impact of this ransomware attack?
    - What you should do today to better protect your organization

    Speakers:
    - Joseph Carson, Chief Security Scientist at Thycotic
    - Omri Moyal, Co-Founder & Vice President of Research, Minerva
    - Others: Currently being selected
  • Using Windows Security Events to Detect Intruders in Your Network Jul 4 2017 9:00 am UTC 90 mins
    Randy Franklin Smith (Windows Security expert), Chris Martin (Security Engineer), Caitlin NoePayne (LogRhythm Sr. TPM)
    Over time, any given computer on your network will establish a pattern of systems it does and doesn’t talk to. If you can properly baseline that behaviour and detect when the computer deviates from normal activity, you can produce critical early warnings of a potential incident.

    In this webcast, LogRhythm’s senior technical product manager, Caitlin NoePayne, and principal sales engineer, Chris Martin, join Randy Franklin Smith, Windows Security subject matter expert, to discuss detecting computers on your network talking for the first time using Windows Security Events. They will also demonstrate LogRhythm behavioural analytics rules and case management features that help analysts follow up on suspicious activity alerts.

    Learn how to:

    • Configure your audit policy to generate relevant security events
    • Establish baseline behaviour of the machines in your environment
    • Monitor traffic patterns using Windows Security Events to detect an attacker embedded in your network
    • Speed up investigation and response with Security Automation and Orchestration

    Watch now to learn how to use Windows Security Events and LogRhythm to detect when two computers on your network talk to each other for the first time.
  • Data-Centric Security for GDPR Compliance Recorded: Jun 27 2017 74 mins
    Moderated by Mark Chaplin, ISF; with panelists: Carole Murphy, HPE; Les McMonagle, Blue Talon; Cheryl Tang, Imperva.
    In today’s threat landscape, traditional approaches to securing data are falling short. Since 2015 we have seen some of the largest data breaches ever and it is clear that no industry or organization is immune from cyber attacks. The threat landscape is increasingly dangerous, while new technologies are distributing sensitive data farther across locations, devices and repositories. Starting in May 2018, enforcement will kick in on the European Union’s General Data Protection Regulation (GDPR), a move that could have a stronger privacy/security standardization effect than any technological effort has to date. Globalization efforts will make GDPR compliance essential for global companies wherever they are located.

    The development of a comprehensive data-centric security program, including data discovery, classification, encryption, and file protection, can uniquely position your organization to protect what matters most, and make security move with your data to comply with global regulations such as GDPR. On this webinar our panel of experts will discuss the key points that you should consider when developing such a program for your organization.
  • Your Car Is Betraying You -- Why Robust Security is Essential on the Road Recorded: Jun 22 2017 58 mins
    Toby Weir-Jones, CEO, Weir-Jones and Associates
    Modern vehicles are, as Bruce Schneier recently put it, actually computers with wheels rather than cars with a computer added on. Every part of the vehicle's operation is supervised, logged, and managed by digital signals on a complex vehicle network. If you have a crash, your car will tell investigators if you were speeding or swerved to avoid the impact. If you spend too long dawdling at the convenience store instead of visiting your customers, your employer will know about it. If you waste fuel, drive dangerously, or don't turn your lights on when you should, it'll be recorded.

    This introduces a lot of familiar debates in security circles. Who owns the data? What counts as personally identifiable? What are acceptable standards for logging, retention, and disclosure? What happens if we get it wrong?

    The bad news is the vehicle landscape, like enterprise security, is badly fragmented. The good news is we've learned a lot of useful lessons over the past 20 years which can be brought to bear on the problem, so solving it shouldn't take another 20.

    In this presentation we'll review some of the mechanics of how vehicle data is generated, who can see it, and how it can be used and abused. We'll then talk about points of leverage for the industry, the manufacturers, the owners, and law enforcement, and see what common ground exists. Finally, we'll lay out some basic ideas any fleet operator or concerned individual can use to make decisions about what vehicles to use and how to manage the data footprints they generate.
  • Building Secure Vehicular Software Recorded: Jun 22 2017 36 mins
    Dr. Mark Sherman, Technical Director, CERT / Software Engineering Institute, Carnegie Mellon University
    Software plays an expanding and critical role in the success of future vehicles such as automobiles and trucks. Novel technologies that depend on the flexibility of software create new vulnerabilities and new ways to attack systems. This talk explores the expanding landscape of vulnerabilities that accompany the increasing reliance on software and then examines some key steps to help mitigate the increased risk: development of appropriate requirements from an analysis of risks, techniques that can be applied during development, and evaluation approaches for existing systems. The talk will conclude with a view of emerging approaches to further improve the delivery and sustainment of such critical software.

    About the Presenter:
    Dr. Mark Sherman is the Director of the Cyber Security Foundations group at CERT within CMU’s Software Engineering Institute. His team focuses on foundational research on the life cycle for building secure software and on data-driven analysis of cyber security. Before coming to CERT, Dr. Sherman was at IBM and various startups, working on mobile systems, integrated hardware-software appliances, transaction processing, languages and compilers, virtualization, network protocols and databases. He has published over 50 papers on various topics in computer science.
  • Rebooting the Auto Industry: When Security Affects Safety Recorded: Jun 22 2017 55 mins
    Craig Smith, Founder, Open Garages; Research Director of Transportation Security, Rapid7
    We are surrounded by 2-ton IoT devices on wheels. The auto industry has rapidly evolved in the last five years; vehicles now have phone apps for remote control, built-in WiFi hot spots, heads-up displays, lane correction systems, and other Advanced Driver Assistance Systems. These convenience and road safety features are in high demand, but they also introduce cybersecurity concerns.

    Automakers are now software companies, and this talk will address some of the cybersecurity-related issues faced by the transportation industry, including some of the growing pains a “traditional” industry has when it starts to become internet connected to the outside world. Mr. Smith will share techniques currently used by hackers and show some of the security defenses being put into place. You will see the vulnerabilities of vehicles on the road today, as well as take a peek into the future of fully autonomous cars. And if your head isn’t spinning already, learn what it will mean to "own" a car in the future. Key topics will include:
    • What makes car hacking so intriguing?
    • Who are the adversaries in this space and what are they after?
    • How self-driving cars can be used as a model for corporate infrastructure.
    • How IoT can be locked down without locking out the customer.

    About the Presenter:
    Craig Smith is the Founder of Open Garages and Research Director of Transportation Security at Rapid7. Open Garages is a distributed collective of performance tuners, mechanics, security researchers and artists. Craig is also the author of the Car Hacker's Handbook and runs a security consulting firm that specializes in automotive reverse engineering. Craig has developed many open source utilities to teach CAN bus to students, as well as security penetration tools that can uncover vulnerabilities in vehicle and diagnostic systems. He has worked in the security field for over 20 years, with the last 5 years focused on automotive.
  • The Future of Cybersecurity and the Internet of Things Recorded: Jun 21 2017 61 mins
    Demetrios "Laz" Lazarikos (Blue Lava), Mark Weatherford (vArmour), Robert M. Lee (Dragos)
    With the proliferation of the Internet of Things (IoT) into every aspect of our society, cyber attacks on a massive scale are becoming a possibility, and in some cases, a reality. Attackers can take out city grids, hijack control systems and engage in cyber war remotely.

    This panel of top cybersecurity experts will discuss how connected devices are affecting our critical infrastructure security, the IoT and cyber warfare, and what we need to do today to address the security challenges posed by IoT devices.

    Speakers:
    - Demetrios "Laz" Lazarikos, Three Time CISO, Founder of Blue Lava
    - Mark Weatherford, Chief Cybersecurity Strategist at vArmour
    - Robert M. Lee, CEO and Founder of Dragos, Inc.
  • IoT and Critical Infrastructure: Why We Need Intelligence Exchange Recorded: Jun 21 2017 44 mins
    Paul Kurtz, CEO & Co-Founder of TruSTAR
    Today we fight adversaries individually, not collectively. Companies are working in silos to defend their individual infrastructures. Security operators and defense teams do not have visibility into cyber security incident information from their peers, even though they may be seeing the same attack methods or adversaries. The lack of an effective exchange and collaboration between companies is the Achilles' heel our enemies continue to exploit.

    Come and join a discussion about a new cybersecurity model that maximizes the use of the network (much like the bad guys) and incentivizes the exchange of actionable threat incident data.

    We'll look at recent critical infrastructure hacks such as Grizzly Steppe, WannaCry and CrashOverride and discuss how we can better protect ourselves against future attacks.
  • When thermostats become critical infrastructure, what will you do? Recorded: Jun 21 2017 57 mins
    Wieland Alge - GM EMEA - Barracuda Networks, Mark Harrison - Consultant - Pen Test Partners
    Would a hack on one Internet-connected thermostat stop a nation? Maybe not, but imagine hundreds of connected devices being meddled with in order to cause havoc.

    Join our IoT experts to discuss the real impact of an IoT device hack. Wieland Alge, GM EMEA at Barracuda Networks, and Mark Harrison, Consultant at Pen Test Partners, will look into why cyber criminals are interested in hacking IoT devices and the true impact of such an attack on organisations. Join this webinar to learn:

    • The true impact of an IoT hack
    • Methods used by hackers
    • Demos of IoT devices being hacked
    • Major challenges in protecting smart cities
    • How to mitigate these threats
  • [VIDEO] The Influence of AI & Machine Learning on the Security Industry Recorded: Jun 21 2017 13 mins
    Josh Downs, BrightTALK & Giovanni Vigna, Professor & CTO, University of Santa Barbara & Lastline
    BrightTALK caught up with Giovanni Vigna from University of Santa Barbara & Lastline for an in-depth conversation on the current state of information security, today's threatscape and a discussion on the cyber industry.

    Topics up for discussion:

    - The difference between traditional AI & Machine Learning and the tools when applied to cyber security
    - Whether the buzz surrounding the tools is legitimate
    - How the human still needs to fit into the picture when using machine learning based security techniques
    - How AI & Machine Learning can be used for threat hunting purposes
    - The WannaCry virus, what it means for the ransomware landscape and how we protect ourselves from attacks
    - The value of security culture in an organisation
    - Trends in the techniques used in cyber warfare
    - The exponential growth of the IoT and what it means for securing the connected devices
  • Why Vendor Liability is Necessary to Secure Consumer IoT Recorded: Jun 21 2017 55 mins
    Tatu Ylonen, Founder & SSH Fellow, SSH Communications Security, Inc.
    We live in an IoT world. Connected devices now include TVs, refrigerators, security systems, phones, music players, smart assistants, DSL modems, cars, and even toothbrushes. Besides privacy and personal security concerns, these devices pose significant risk of cyber attacks. IoT devices have been used in devastating DDoS attacks that have paralyzed key Internet services, emergency services, and heating systems. In addition to run-of-the-mill hackers and hacktivists, they are the first line of attack in any low-to-medium scale cyber conflict between nation states.

    Vulnerable IoT devices represent a direct threat to safety, life, property, business continuity, and general stability of the society.

    This talk will discuss the security challenges surrounding IoT devices, and what is needed for a balanced framework that forces vendors to implement a reasonable level of best practice without causing them undue burden and risk.

    About the Presenter:
    Tatu Ylonen is a cybersecurity pioneer with over 20 years of experience in the field. He invented SSH (Secure Shell), which is the plumbing used to manage most networks, servers, and data centers and to implement automation for cost-effective systems management and file transfers. He has also written several IETF standards, was the principal author of NIST IR 7966, and holds over 30 US patents, including some on the most widely used technologies in reliable telecommunications networks.
  • The State of the Internet of Insecure Things in 2017 Recorded: Jun 20 2017 64 mins
    Jay Beale (InGuardians), John Bambenek (Fidelis Cybersecurity), Mike Hamilton (Ziften), Vince Tocce (VITB Podcast)
    Internet of Things devices are notoriously lacking in security, making them easy targets for attackers to hijack and leverage in DDoS attacks. How have cyber attacks evolved in the last few months? What is the impact of the IoT devices on cybersecurity across organizations and industries? How can we better protect our organizations when it comes to attacks coming from the IoT?

    This panel of security experts will discuss the current state of IoT security and the IoT trends seen across industries. Join this interactive Q&A session and discover where the vulnerabilities lie and how we can improve cybersecurity.

    Moderator:
    - Vince Tocce, Founder of Vince in the Bay Podcast

    Speakers:
    - Jay Beale, CTO of InGuardians
    - John Bambenek, Threat Systems Manager at Fidelis Cybersecurity
    - Mike Hamilton, SVP Product at Ziften Technologies
  • What Is the Value of Your Security Program? Recorded: Jun 20 2017 50 mins
    Joe Moles, Director of Detection Operations
    Many security teams find it challenging to prove their value and effectiveness, especially in the absence of compromise or breach activity. Learn how top-performing security teams take advantage of their visibility across the environment to provide ongoing, deeply insightful measurements and reporting that support broader business decisions. Applying these techniques can exponentially increase the overall value of your security team to the entire organization.

    In this webinar, you will learn:
    - A framework with actionable ways to report the effectiveness of your security program and tools
    - How to translate technical data into business objectives
    - Methods for identifying performance issues and opportunities across your team, processes, and tools
    - A simple calculation to systematically prioritize your alerts
    - Guidelines for driving strategic decisions based on the measurement of security tools

    About the Presenter: Joe Moles, Director of Detection Operations

    An IR and digital forensics specialist, Joe Moles has more than a decade of experience running security operations and e-discovery. As Director of Detection Operations at Red Canary, he leads a team of security analysts to help organizations defend their endpoints against threats. Prior to joining Red Canary, Joe built and led security operations, incident response, and e-discovery programs for Fortune 500 companies like OfficeMax and Motorola. He is regarded as an industry thought leader and regularly contributes to the Red Canary blog.
  • IoT: Security’s Brave New World Recorded: Jun 20 2017 55 mins
    Scott Crawford and Patrick Daly, 451 Research
    The IoT explosion means billions of new, “smart” devices gathering petabytes of data from a host of environments, many new and unfamiliar to IT. How can security possibly keep up with it all? Recent events such as the Mirai botnet suggest we’re already behind the curve – and that the need is not just to defend against threats to IoT, but to protect against threats arising from compromised IoT. In this talk, we’ll explore:

    - The primal forces pulling security in diametrically opposite directions (hint: “the cloud” isn’t everything)
    - The reality of IoT endpoints (many are far more complex than you’d suspect)
    - Breaking it down: Where is security making inroads? What are the areas to watch for innovation?
    - The road ahead: How will the evolution of IoT security impact society?

    About the Presenters:
    As a Senior Research Associate in 451 Research’s Information Security Channel, Patrick Daly covers emerging technologies in Internet of Things (IoT) security.

    Scott Crawford is Research Director for the Information Security Channel at 451 Research, where he leads coverage of emerging trends, innovation and disruption in the information security market. Well known as an industry analyst covering information security prior to joining 451 Research, Scott has experience as both a vendor and an information security practitioner.
  • IoT Devices are a Bargain These Days. Aren’t They? Recorded: Jun 20 2017 62 mins
    Ted Harrington, Executive Partner, ISE | Debra Farber, Founder, Orinoco | Chris Roberts, Chief Security Architect, Acalvio
    We live in a world enabled by and surrounded by technology - and each day there's a new device to hit the market designed to make our lives easier, more convenient, and perhaps even healthier. As a society - both as individuals and as organizations serving us - we snatch up these new devices as quickly as they hit the shelves and use them with open arms, unknowingly putting privacy and safety at risk.

    FEATURED EXPERTS
    > Ted Harrington, Executive Partner at Independent Security Evaluators
    > Debra J Farber, Security & Privacy Executive | Founder of Orinoco.io & WISP
    > Chris Roberts, Chief Security Architect at Acalvio Technologies

    YOUR MODERATOR
    > Sean Martin, CISSP, Founder and Editor-in-Chief, ITSPmagazine

    This expert panel will look at a variety of these connected things - from connected cars to automated homes to the IoT-enabled medical devices we will have implanted in our bodies.

    Join us for this expert, engaging conversation where we’ll explore:
    - What personal data must we share with these devices to get the most out of them?
    - What price are we willing to pay for an easier, smarter, connected life? Are we willing to sell our soul for a digital future? Because, willingly or not, we are.
    - Do we actually know that we are doing that? Do we know what we are giving up in return for this streamlined world we live in? Are we able to make an informed, conscious decision? Will we ever be?

    Be sure to join us for this exciting and engaging conversation!
  • Sharing the Data of IoT Security Incidents: 5 Keys to Improved Security Recorded: Jun 20 2017 40 mins
    Jeffrey Ritter
    Bad things happen, but the potential of IoT will be limited if those in any connected system of devices cannot share data of adverse incidents more effectively. This webcast introduces 5 keys to doing so successfully, all toward improving security across those systems.
The latest trends and best practice advice from the leading experts
This channel features presentations by leading experts in the field of information security. From application, computer, network and Internet security to access control management, data privacy and other hot topics, you will walk away with practical advice for your strategic and tactical information security initiatives.

  • Title: Stop Patching, for Stronger PCI Compliance
  • Live at: Sep 12 2012 4:00 pm
  • Presented by: Adam Brand, Senior Manager - PCI QSA, Protiviti