December 10 - 12, 2018
The Ritz-Carlton, Amelia Island, FL

Tuesday, December 11, 2018

8:00 am - 8:30 am Networking Breakfast

8:30 am - 9:15 am Case Study: Automating Security Controls Using Models and Security Orchestration

Kurt Lieber - VP, CISO, IT Infrastructure, Aetna
Many organizations have adopted machine learning and data analytics to help them identify security anomalies. However, mere identification isn’t good enough in a world where Petya and other modern attacks can take down 15,000 servers in a single organization in under two minutes. To combat these new types of malware, organizations need to be looking at Model-Driven Security Orchestration, where the security responses to emerging threats and attacks are automated and driven at machine speed. In this presentation, Aetna will provide an overview of our security orchestration program, including what worked, what didn’t and lessons learned.

Kurt Lieber

VP, CISO, IT Infrastructure

9:15 am - 9:45 am The Future Of Authentication: Customizable, Frictionless And Secure

Will Summerlin - Founder and CEO, Pinn
Authentication has become a critical part of security strategy. Over 81% of data breaches were perpetrated using compromised credentials. Traditional means of authenticating users - passwords and OTPs - are no longer sufficient. Users expect authentication to be frictionless and secure. That sounds great, but how do you make it happen? We’ll discuss the leading forms of authentication including biometrics, PKI and behavioral analytics and explore ways to orchestrate these authenticators with risk-based adaptive authentication.
•Discuss the different types of authentication technologies available
•Explore the orchestration of authenticators with risk-based adaptive authentication
•Highlight best-practices that balance security with user experience 


Will Summerlin

Founder and CEO

9:45 am - 9:55 am Ignite: Do You Want To Fall In Love With PAM?

Kenny Cushing - Chief Marketing Officer and Product Lead, General Dynamics Mission Systems
As a Security Leader, you  worry constantly about your organization's "Keys to the Kingdom" and how to protect them. Attackers and insider threats are increasing their focus on critical business applications through compromising privileged credentials to get the "Keys". You  may have a PIM/PAM solution to try and manage this risk; however, most of your on-premise (and even cloud) applications are still vulnerable because the solution either does not integrate with your applications or requires costly (time and money) custom engineering or manual processes to fix. 
In this session, GDMS’ Chief Marketing Officer will guide you on how to fall in love with PAM by:
•Maximizing privileged access management utility and coverage by intuitively and quickly integrating PAM to your on-premise and cloud applications
•Maximizing return from your privileged access management budget  by reducing application integration costs and time, downtime and risks, and vendor lock-in
•Increasing your security team’s productivity and satisfaction by refocusing best talent on highest priority problems versus manually managing policies surrounding regulatory compliance


Kenny Cushing

Chief Marketing Officer and Product Lead
General Dynamics Mission Systems

9:55 am - 10:05 am Ignite: Defend Against Magecart-Style Website Supply Chain Attacks

Joshua Jones - Senior Director, Technical Solutions, Source Defense
We’ve seen an acceleration of client-side attacks from threat actors leveraging JavaScript vulnerabilities to launch credit card and personal information skimming attacks. In the past 3 months many large E-Commerce vendors including Ticketmaster, British Airways, Feedify, Newegg, Shopper Approved and Umbra have revealed that they have been compromised by Magecart.
This threat vector leverages a universal vulnerability to launch attacks that affect websites and consumers on a massive scale. Compromised third party JavaScript code is used by threat actors to modify, read or extract any information entered or rendered on a webpage. This includes personal and financial data. In addition to introducing elevated website security risk, third party JavaScript introduces significant compliance and data privacy concerns since JavaScript grants access and privileges to third parties that operate entirely outside of the security controls that website owners can implement and monitor.


Joshua Jones

Senior Director, Technical Solutions
Source Defense

10:05 am - 10:20 am Networking Break

10:20 am - 10:50 am Business Meetings

10:50 am - 11:20 am Business Meetings


11:25 am - 12:10 pm Zero Trust: A New Model to Secure Access to Corporate Resources in Cloud and Hybrid Environments
Michael Dubinsky - Head of Product, Luminate
The enterprise environment is going digital and becoming hybrid and distributed. As a result, the traditional network perimeter solutions such as VPNs, DMZs and NACs can no longer provide the security, flexibility and agility required for the modern business and adequately protect the organizations’ servers, applications and workloads. 
To address these business needs, the security architecture must shift from the network level focus to the identity, device and applications level, and in fact – implement a Zero Trust Access model.
By leveraging the Zero Trust model, an organization can enforce an easy-to-manage access policy that is unified regardless of where the users, devices or resource are located. 
With this shift, you can also govern the activities of standard or privileged accounts, across any resource with full audit trail of the user’s action leading to simplified data governance and compliance.
Leveraging the Zero Trust access model also significantly limits the network attack surface and the attacker’s ability to move laterally across the environment.
The discussion will include:
•What are the building blocks of a Zero Trust architecture? How can you combine identity-as-a-service and device management with network level security? What are the alternatives and the related pros and cons? 
•How can a Zero Trust access model support the modern organization’s security, flexibility and agility requirements?
Real world case studies of: operations team access (DevOps), third party access, M&A IT integration and cloud migration based on user, device and application context.


Michael Dubinsky

Head of Product

Master Class

11:25 am - 12:10 pm Identifying and Classifying Your Regulated Data Risk
Joe Carusillo - Program Director of Client Initiatives, IBM
With new regulations and privacy mandates such as the California Consumer Privacy Act (CCPA) and updated New York State Cybersecurity Requirements (23 NYCRR 500) emerging across North America, it's more critical than ever to have a proven process to identify and classify your organization's risk score for regulated data. 
Across all industries, this process needs to enable you to automatically: 
•Discover sensitive or regulated data
•Classify the data
•Scan for vulnerabilities 
•Begin remediating risk


Joe Carusillo

Program Director of Client Initiatives

12:15 pm - 1:00 pm Analyzing the Endpoint Security Landscape

Les Correia - Director, Global Information Risk & Security, The Estée Lauder Company
Digital technology is a seamless aspect of daily life, giving the impression that the security of these transformative technologies is up to date within the enterprise risk management plans. However, given the evolving-nature of these emerging technologies, including Artificial Intelligence (AI), Machine Learning (ML), and Internet of Things (IoT), the digital risks we all face are only going to increase as more and more devices share data around the world. The endpoint security landscape has changed dramatically with increased cyber threats that regularly circumvent traditional risk management measures. There are many vendors in this space that tout unique angles and protection of your networks that can seem confusing with potentially overlapping solutions. This case study will discuss the drivers, selection criteria and evaluation of these solutions.

Les Correia

Director, Global Information Risk & Security
The Estée Lauder Company

1:00 pm - 2:00 pm Networking Lunch

Roundtable Discussions- Engage in two 30-minute targeted discussions enabling open exchange amongst industry peers.

2:00 pm - 3:05 pm Email Attack Vectors
Wes Dobry - Sales Engineer, Agari
A discussion around the advanced email attack vectors getting delivered through existing security architectures, mitigation tactics, and providing leadership accurate information regarding breadth of exposure. Email is the number 1 attack vector into organizations.  Not having a comprehensive, defense-in-depth, architecture will result in a breach.  Organizations need to regularly evaluate their email security architecture to ensure they are following the latest best practices and have the latest generations of technologies to eliminate the risk of the most advanced email attacks. Email is still the largest threat to an organization's security.  This session will dive into thought leadership on the types of attacks hammering enterprises, the technologies and techniques used to mitigate the risk involved, and how knowledge can be gained from existing operational processes to increase efficiency in breach response times and rapid response to an ever present changing threat landscape.


Wes Dobry

Sales Engineer

Roundtable Discussions- Engage in two 30-minute targeted discussions enabling open exchange amongst industry peers.

2:00 pm - 3:05 pm Application Security In An Ever Changing Digital Landscape
Stan Wisseman - Security Strategist and Business Development leader, Micro Focus
Enterprises are challenged to find the right balance of speed and depth for application security testing activities.  While a business goal is to minimize friction in their development processes and tool chains, application security programs need to drive security testing accuracy while scaling to cope with the explosion of applications and number of releases.


Stan Wisseman

Security Strategist and Business Development leader
Micro Focus


3:10 pm - 3:55 pm Adversary Oriented Security
David McGuire - CEO, SpecterOps
In modern environments, the corporate security program utilizes an increasingly complex inter-relationship of people, processes, and technology in detection and response operations. However, incident response capabilities must be balanced against budgetary constraints and other requirements the security program must meet. How do you measure the effectiveness of your incident response program, and the investments your organization has made? What measure of confidence do you have in your organization’s ability to detect and respond to the worst of circumstances? These are not questions that can be answered by yet another technical solution, yet are critical in understanding how your organization is oriented against the adversary.

This discussion will include:
  • Programs that can be utilized to measure the efficacy of the security and incident response technology, people and processes.
  • Identifying deficiencies in enterprise adversary detection programs, and pursue continuous improvement in organization-wide detection capability.
  • Methods to determining new investments to be made in incident response capabilities.


David McGuire


Master Class

3:10 pm - 3:55 pm Can Cybersecurity be Easy?
Rene Kolga - Sr. Director of Product, Nyotron
Back in 2005, Marcus Ranum wrote in his  “The Six Dumbest Ideas in Computer Security” article that, “sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness”. So why are we still focused on chasing “badness”? This approach might have been sufficient in the 1990s and arming ourselves with just an antivirus and a firewall gave us a sense of security, but this is definitely no longer the case.

•Understand the definition of Negative Security and Positive Security models, with examples, advantages and disadvantages
•Describe the attack kill chain and intentions behind most attacks
•See demos of advanced attacks that bypass the majority of existing security controls
•Learn how to correctly implement defense-in-depth best practices


Rene Kolga

Sr. Director of Product

3:55 pm - 4:10 pm Networking Break

4:10 pm - 4:40 pm Business Meetings

4:40 pm - 5:10 pm Business Meetings

5:10 pm - 5:40 pm Business Meetings

5:45 pm - 6:25 pm Risk and Compliance: Are you Singing the Red, Yellow, and Green Blues?

Mark Tomallo - Chief Information Security Officer, Ascena Retail Group
If you’ve ever felt your risk analysis or red/yellow/green risk register needs a shot of adrenaline, you’re not alone. Supercharge it with a punch of quantitative analysis! This session will provide suggestions on how to quantify loss in order to gain buy-in, report to your Board of Directors, and prioritize your security investment—all in an effort to help communicate and calculate risk throughout the organization.

Mark Tomallo

Chief Information Security Officer
Ascena Retail Group

6:30 pm - 7:00 pm Networking Reception