The global COVID-19 pandemic forced us to cancel our conference in 2020, but we offered a series of virtual half-day events through October and November.
November 19 Virtual Presentations
Thursday, November 5th, 2:00 PM
Please join us for the fourth in our series of Fall 2020 virtual events. Our speakers will be Miju Han, Dave Shore, and Marty Poniatowski.
Hacker-Powered Data: The Most Common Security Weaknesses and How to Avoid Them
Security teams often see a deluge of incoming vulnerabilities from scanners, pen tests, and bug bounty programs. Using eight years of never-before-seen data from 1,800+ bug bounty programs and over 160,000 valid vulnerabilities found, this talk offers a focus for security teams based on analysis of what hackers actually exploit in the wild and what companies actually value. Attendees will discover common weaknesses such as Violation of Secure Design Principles, Information Disclosure, Denial of Service, and VPN and Cryptographic Issues, and how attackers could exploit these prevalent vulnerabilities. Walk away with insights into the most common security weaknesses to better defend against them.
Miju Han is the Director of Product Management at HackerOne, the #1 hacker-powered security platform, where she leads a team of product managers, data scientists, and engineers to build and launch practical and actionable tooling for security teams. With a background in both data and security, Miju has a keen eye for spotting opportunities for increased efficiency and automation in modern security practices. Miju previously served as a Director of Product at GitHub, where she pitched and launched security alerts on top of the dependency graph, one of the first large-scale efforts to embed security best practices into core development tooling. GitHub’s security alerts won a 2018 Technology of the Year award from InfoWorld and, more importantly, have led to the patching of almost ten million vulnerabilities. Miju began her career working on data science at content platforms such as YouTube, Beats Music/Apple, and TuneIn.
Dave Shore & Marty Poniatowski
Splunk Container-as-a-Service Powered by HPE GreenLake
Enterprises in all industries and of all sizes leverage solutions to provide insight into machine-generated data. As enterprises grow, so does the volume of such data and the need to analyze it, identify data patterns, provide metrics, diagnose problems, and provide intelligence for business operations. Until recently, expanding daily ingest rates required significant investment of time and capital. The infrastructure and operational costs associated with industry-leading SIEM solutions often increase the investment cost by 4X above the cost of the software.
Hewlett Packard Enterprise (HPE) has developed a breakthrough solution that has helped the third largest bank in the United States (by Total Assets) scale its machine-generated data ingestion rates from 150TB/day, where its legacy system was breaking, to 400 TB/day, with 99.999% system availability and 99.999999999% data durability. This solution is now scalable and available to meet the requirements of enterprises of all sizes.
Join Dave Shore, Director of HPE GreenLake Cloud Services, and Marty Poniatowski, Senior Director and HPE Chief Technologist, to learn about HPE’s optimized solution for Splunk and its feature benefits, including:
- A flexible consumption delivery model available as-a-Service, or hosted, allowing organizations to optimize cash flow and focus on their business
- A unified, scalable solution that eliminates security blind spots with up to 109x the ingestion rate
- An efficient loosely-coupled architecture that optimizes the footprint and cost with the independent scaling of search heads, indexers, cache storage, and permanent storage
- The ability to rapidly add new use cases deploying open-source containerized Splunk indexers and search heads in minutes
- Support for Splunk’s SmartStore architecture of hot as cache and open standard S3 object storage as the system of record
November 5 Virtual Presentations
Thursday, November 5th, 2:00 PM
F. Paul Greene, Esq. & Daniel Altieri, Esq.
The Essential Legal Toolkit for Surviving Your Next Ransomware Attack
F. Paul Greene is a partner and the Privacy & Data Security practice group leader at Harter Secrest & Emery LLP. Paul represents clients in a wide range of industries concerning all aspects of proactive preparation and risk management, including security and vulnerability assessments, policy and procedure review, breach response planning and drills, as well as board and management education on cyber risk and privacy issues. Post-breach, Paul and his team provide a full array of reactive services, including breach coaching and response, crisis management and communication, internal and governmental investigations, breach notification, and potential litigation or regulatory action including under the EU’s General Data Protection Regulation (GDPR), the Personal Information Protection and Electronic Documents Act (PIPEDA), and the upcoming California Consumer Privacy Act (CCPA).
Dan advises clients on all aspects of commercial litigation from pretrial matters through trial and appeal. He has tried several cases to verdict and successfully argued before the Supreme Court of the State of New York Appellate Division. Clients trust Dan to resolve disputes swiftly—both in and out of the courtroom—to achieve their business and legal objectives.
As an integral part of HSE’s growing privacy and data security team, Dan quickly identifies any potential security issues and addresses them before they become a serious problem for the client. He provides guidance on best practices to avoid a data breach, security and vulnerability assessments, post-breach response, due diligence in acquisitions, potential litigation or regulatory action, and more.
The Future of Cybersecurity: The Real Ways Data Science Will Transform SecOps
2:30pm – 3:30pm ET
Data science is already transforming many aspects of our business and personal lives, but many in the cyber security industry do not know how it will change the industry. In this brief talk, I explain how data science is being used to bridge the gap between the threat intelligence typically leveraged by security platforms and the threat intelligence that human experts use. I quickly explore what makes data science-based detection logic different from Boolean-based detection logic, why practitioners will move away from the SIEM event funnel, and how frameworks like MITRE ATT&CK are critical to creating efficiencies for people and machines.
Matt DeMatteo is a Sr. Principal Engineer focused on Secureworks’ Security Products and Services. Matt joined Secureworks in 2007 as a Security Analyst in the Providence, RI SOC. Matt has been working directly with customers for the past ten years as a Presales Engineer, Principal Engineer, Account Manager, and Global Solution Lead for MSS and MDR. His goal is to help customers protect their organizations by aligning threat actor risk with modern SecOps practices. Matt works with Secureworks’ global sales force, product development teams, and partners to promote best practices in solution design. Matt has a passion for understanding customers’ business needs and unique risks. Matt holds a BS in Computer Science from the University of Rhode Island, where he also was the Director of the Digital Forensics Lab.
October 29 Virtual Presentations
Thursday, October 29th, 2:00 PM
The Zero Trust Challenge for Hybrid Cloud
2:00pm – 2:30pm ET
The hybrid cloud now handles much that was formerly done by the in-house IT organization. From an infrastructure and operations perspective however, oversight and management are more challenging than ever. During this talk, we will discuss the elements of conventional I&O that must remain – although transformed – when migrating increasing portions of an organization’s workload to hybrid cloud. We will focus on information security, and in particular the architectural challenge that zero trust places on conventional information security architectures, procedures, staffing, and audit. We will close with some hints and tips to smooth the passage to this superior cybersecurity approach.
William Malik is VP of Infrastructure Strategies at Trend Micro. As a founder of Gartner’s Information Security Strategies service, Bill has deep expertise in information security matters. He has spoken internationally on information security, identity management, privacy, business continuity, and enterprise architecture. During his IBM career he guided the mainframe operating system zOS (then MVS) through the process leading to a NIST/NSA B1-level security rating. He taught a graduate class on Information Security Policy at Georgia Tech and authored the chapter “Information Security Policy in the US National Context” for the text “Information Security: Policy, Processes, and Practices,” Detmar Straub, et al., editors. M. E. Sharpe, 2008.
Hardening HTTPS and SSH
2:30pm – 3:30pm ET
We will talk about the inner workings of the TLS and SSH protocols and the security properties they offer. Attacks against the TLS protocol versions will be analyzed, along with weak ciphersuites and other options. Similarly, attacks on SSH and various common cryptographic settings will also be discussed. Open-source and free tools will be demonstrated to audit TLS & SSH services. Hardening techniques for achieving optimal security settings for both protocols will be covered in detail.
As a seasoned security consultant, Testa brings over 15 years of experience to the business. He specializes in penetration testing, server & network hardening, source code auditing, and social engineering. A strong supporter of open-source technology, he is the author and maintainer of the Rainbow Crackalack, SSH-MITM, and Bitclamp projects.
Prior to founding Positron Security, Testa excelled as a security researcher and vulnerability test programmer for Rapid7. He holds a Master of Science degree in Computer Security and Information Assurance from the Rochester Institute of Technology, along with a Bachelor of Science degree in Psychology and Computer Science from the University of Maryland at College Park.
October 22 Virtual Presentations
Thursday, October 22nd, 2:00 PM
In lieu of the annual Rochester Security Summit, please join us for the first in our series of Fall 2020 virtual events.
Delving into Digital Fraud – Report Reveals Trends
2:00pm – 2:30pm ET
Digital transformation is making it easier not only for legitimate organizations to expand their reach but also for fraudsters and other bad actors to expand theirs. Hear the results of a research study into the digital developments, market forces and regulatory pressures that are driving this shift in how fraudsters and others commit their crimes, as well as how anti-fraud forces fight them. The session will cover three key trends gleaned from this research and provide an understanding of how digital transformation becomes both a critical contributing factor in the problem of growing cyber risks today.
Angel Grant is CMO, RSA Fraud and Risk Intelligence at RSA Security and current member of the Board of Advisors at the PCI Security Standards Council. Before that, she served as the Director of Product Marketing for the Identity, Fraud and Risk Intelligence at RSA. Grant has more than 20 years of experience in the security, eCommerce and financial services industries and is a visionary leader with a passion for developing security solutions to protect against cybercrime and make our digital world a safer place. She attended Bentley University and holds the CISSP certification.
Data Protection for the Work-From-Home Era
2:30pm – 3:30pm ET
Remember five or more years ago, when you were scoffing at the people who said the perimeter was gone? Well, now (almost) all your employees work from home, and guess what? Your “perimeter” encloses almost none of where your work gets done. So today we’ll have a survey of methods to protect data that don’t assume or require a perimeter in the traditional sense: DLP, DRM, and cloud approaches that keep data movement controlled but flexible.
- Manager of IT Governance & Compliance at Constellation Brands …but I speak only for myself, not for my employer!
- Been doing Information Security for fifteen years, in IT of one sort or another for two score plus one
- Avid player of poker, enthusiastic-if-slow rider of a Trek.
- [masked] — also semi-findable on LinkedIn
Joint ISSA Chapter / Rochester Security Community Presentation
Thursday, June 4th, 6:00 PM
Cost: Included in ISSA Membership / Open to RSS Audience at No Cost
Where: Please RSVP to email@example.com by Monday, June 1st (see below for Zoom link)
Topic: Accelerating and Securing Applications at the Edge
Presentation Summary: In today’s digital economy, the underlying applications and workflows that power organizations must be agile, secure and perform in an optimal manner. As workloads and data move closer to end users, development teams battle legacy infrastructures that are inflexible and unable to scale – slowing down innovation, constricting development cycles and reducing application security and performance. To accelerate and secure modern web experiences, we must rethink how we deploy end-to-end application defenses, ensuring availability and application layer security. Learn how containerized environments can be service-chained to build out a multilayered security policy, giving organizations the flexibility to customize security stacks across best-in-breed WAF, bot management and API protection solutions while delivering policies tailored to individual workflows.
Who: CenturyLink’s Peter Brecl (Director of Product Management, Security Services)
Speaker’s Bio: Peter Brecl is director of product management for global security products at CenturyLink. He is responsible for the managed security services portfolio, specifically CenturyLink’s Distributed Denial of Service mitigation, web application protection, Security Log Monitoring and threat intelligence solutions, integral products for customers looking to protect their networks.
Peter has more than 20 years of experience in the telecommunications industry. Prior to joining CenturyLink, Peter held positions at Level 3, Qwest and US WEST, Inc. managing business, wholesale and consumer products. His deep industry experience includes product management and development of CenturyLink’s managed security services, data networking, wireless, Fixed Mobile Convergence, VoIP, broadband and IP products.
DevSecOps – Responsibility by Design
F. Paul Greene
F. Paul Greene is Chair of the Privacy and Data Security Practice Group at Harter Secrest & Emery LLP, a full-service law firm headquartered in Rochester, New York. Paul is a Distinguished Fellow of the Ponemon Institute, a Certified Information Privacy Professional/US, and an adjunct professor at the Rochester Institute of Technology.
Reg Harnish is a serial entrepreneur, nationally recognized speaker, author, and an Executive Vice President at the Center for Internet Security. Reg is also a founder of GreyCastle Security, the cybersecurity industry’s leading provider of risk, compliance, certification, and privacy services.
Reg has been practicing cybersecurity for nearly two decades. His experiences, skills, and perspectives have established him as a highly respected thought leader.
Johnny Xmas is a prominent personality in Information Security, best known for his community-building efforts as a founder of BurbSec and his work on the TSA Master Key leaks. Currently working as a Blade Runner for the Australian bot-hunting firm ‘Kasada’ to defend against the automated abuse of web infrastructure, he was previously a Security Researcher for Uptake’s Industrial Cybersecurity Platform.
RSS:2019 Presentation Slides >>
Agile Security – Adapting to Change
Samy Kamkar is an independent security researcher, best known for creating the MySpace worm, the fastest-spreading virus of all time. His open source software, hardware, and research highlight the insecurities and privacy implications in everyday technologies, from the Evercookie, which produces virtually immutable respawning cookies, to SkyJack, a drone that wirelessly hijacks and autonomously controls other drones.
Mark Weatherford is SVP and Chief Cybersecurity Strategist at vArmour. He has more than 20 years of security operations leadership and executive-level policy experience in some of the largest and most critical public and private sector organizations in the world. Prior to vArmour, he was a Principal at The Chertoff Group, and in 2011 he was appointed by President Obama as the DHS’s first Deputy Under Secretary for Cybersecurity.
Rich Smith is the Director of Duo Labs, supporting the advanced security research agenda for Duo Security. Prior to joining Duo, Rich was Director of Security at Etsy, co-founder of the Icelandic red team startup Syndis, and has held various roles on security teams at Immunity, Kyrus, Morgan Stanley, and HP Labs. Rich has worked professionally in the security space since the late ’90s in a number of roles, including building security organizations, security consulting, penetration testing, red teaming, exploit development, and attack tooling.
Deborah A. Snyder serves as Chief Information Security Officer (CISO) for New York State, in the Office of Information Technology Services (ITS). In her role, she oversees the Enterprise Information Security Office, and directs a comprehensive program of governance, risk management and compliance functions, vulnerability management, threat intelligence, cyber incident response, and training and exercise services.
RSS:2018 Presentation Slides >>
Building Cyber Deterrence
David started TrustedSec and Binary Defense Systems (BDS) with the vision of helping companies with information security. TrustedSec provides information security consulting services for organizations all around the world. BDS is a global Managed Security Service Provider (MSSP) and software security company which detects attackers in the early stages and prevents large-scale attacks.
Kelly Shortridge is currently the Product Manager for the security ratings platform SecurityScorecard. In her spare time, she conducts research into the applications of behavioral economics and behavioral game theory to information security, on which she has spoken at international conferences including Black Hat, Troopers, and Hacktivity.
Russ McRee is Group Program Manager of the Blue Team for Microsoft’s Windows & Devices Group (WDG). He writes toolsmith, a monthly column for information security practitioners, and has written for other publications including Information Security, (IN)SECURE, SysAdmin, and Linux Magazine.
Presentation Slides >>
Program Brochure >>
Technology, Privacy and Security: Evolving to Meet Modern Challenges
Founder of WhiteHat Security. World-Renowned Professional Hacker. Brazilian Jiu-Jitsu Black Belt. Published Author. Influential Blogger. Off-Road Race Driver.
Jeremiah Grossman’s career spans nearly 20 years, and he has lived a literal lifetime in computer security to become one of the industry’s biggest names. And since Jeremiah earned a Brazilian Jiu-Jitsu black belt, the media has described him as “the embodiment of converged IT and physical security.” Preventing attacks from the scariest cyber-criminals is all in a day’s work for Jeremiah, but staying a keystroke ahead of the bad guys isn’t easy. In 2001, Jeremiah founded WhiteHat Security, which today has one of the largest professional hacking armies on the planet.
Diana Kelley is Executive Security Advisor to IBM Security and manages the IBM Security Newsroom. As ESA she leverages her 25+ years of cyber risk and security experience to provide advice and guidance to CISOs and security professionals. She is a regular contributor to SecurityIntelligence and X-Force Research and a co-author of IBM’s “Securing the C-Suite” study. She is a faculty member with IANS Research and serves on the Advisory Board for InfoSec World and Structure Security and on the Content Committee for the Executive Women’s Forum. She was an IEEE “Rock Star of Risk” in 2016 and speaks frequently at major conferences including TED, RSA, CyberTech, CompuTex, and InfoSec World.
A Look at Cybersecurity from a Professional Fusion: Panel Discussion w/ Q&A
Not your average Cybersecurity Panel: This panel steers away from the standard CISO panel and gives us the experiences and perspectives of various walks of professional life. From technical engineer, security advisor, CISO, and more, this panel will share their individual points of view on today’s cybersecurity challenges, and how their roles affect their organizations’ responses to these challenges. There will also be a Q&A session to allow attendees to chime in with their pertinent questions.
Also featuring Keynote speaker Diana Kelley
The Right to Privacy: Balancing Privacy and Security
CTO, SANS Internet Storm Center
As Dean of Research for the SANS Technology Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC.
VP & Chief Information Security Officer, Xerox
Mark Leary is an Information Technology security professional in the government and commercial sectors, and has held successive positions of corporate security oversight in the Defense, Aerospace, Manufacturing and Services industry segments.
Vice President, Portfolio Marketing, IBM Security
Caleb Barlow is an enterprising hi-tech executive with global experience in product management, marketing, software development and services. He has led multiple software product portfolios at IBM Security including Application, Data, Mobile, and Critical Infrastructure Security.
Director, Field Marketing, Kaspersky Lab
Mark Villinski brings more than 20 years of technology sales, marketing experience and channel leadership to Kaspersky Lab. As Director, Field Marketing, Mark is responsible for field marketing efforts in the United States and for increasing awareness of Kaspersky Lab as a thought leader in the online security industry.
No Borders: Expanding Chains of Trust
Veteran industry expert and SANS Senior Instructor
Paul Henry is a Senior Instructor with the SANS Institute and one of the world’s foremost global information security and computer forensic experts, with more than 30 years of experience covering all 10 domains of network security.
ISSA President and security luminary
Ira Winkler, CISSP is President of Secure Mentem. He is considered one of the world’s most influential security professionals, and has been named a “Modern Day James Bond” by the media.
Ms. Jaime L. Daley is an Assistant Director with the New York State Division of Homeland Security and Emergency Services, Office of Counter Terrorism (OCT), where she manages a group of analysts focused on homeland security and cyber threats.
Michael Pinch is an experienced healthcare technology executive, currently the Chief Information Security Officer for the University of Rochester Medical Center.
Bruce Jones is the Chief Information Security Officer (CISO) for Excellus BlueCross BlueShield and is a Director for the Gates Volunteer Ambulance Service (GVAS).
Dwayne Foley is the Security Manager for Global Information Services at CooperVision.
Eric is presently the IT Director/Leader for Byrne Dairy, a Central New York food process manufacturer.
Renowned Security Technologist and CSTO of BT.
Training Director, SANS Securing The Human Program.
Director for Software and Supply Chain Assurance, Cyber Security and Communications, U.S. Department of Homeland Security.
- Business Security
- Technical Security
- Mobile / Cloud Security
- InfraGard / Cybercrime
- Threat Landscape
- Solutions & Demonstrations
Our 2012 Keynote speakers were Dr. Gary McGraw, CTO of Cigital, Inc., and Jeff Williams, CEO & Co-Founder, Aspect Security.
Each year, during National Cyber Security Awareness Month, the Rochester Security Summit features education opportunities for executives, CFOs, CIOs/CSOs, business managers, security professionals, IT managers, technical specialists, help desk staff, and developers.
In 2012, the Summit gathered more than 200 attendees for 28 outstanding technical presentations, along with three Ethical Hacking training sessions.