1. Tracks

    Security

    Audit

    Governance

    Legal/Privacy

  2. Members - $175.00

    Cost

    Non Members - $225.00

    Heading 3

  3. NEACS 2017
    North East Annual Cybersecurity Summit
    October 17, 2017 
    8:00 AM – 5:00 PM
    Trumbull Marriott Merritt Parkway
    180 Hawley Lane, Trumbull CT 06611

NEACS
A Security Conference for Business & Security Leaders

Day Layout

Time - 8:00 AM - 6:00 PM   

8:00 - 9:30 AM

Training

MORNING WORKSHOP 1 : Cyber Security – Making it Better by the Numbers

Presenter: Brian Barnier, Managing Member/Principal - ValueBridge Advisors

Debate is getting louder over whether models can accurately capture risk. Some CISOs say new threats and vulnerabilities make it too hard to quantify risks and prioritize action, and worry that current modelling techniques are too limited to be reliable. Do control-based approaches to responding to risk actually work? Why are controls so difficult to implement, maintain, fix or use, and add so much overhead to a business? Why do problems still happen? Sharp security, risk and other professionals can help answer these questions for their organizations.

Different from other controls workshops, this one is:
• For pros who feel labored under the burden of: risk model muck, and managing risk to compliance reporting more than managing risk to business performance.
• Based on proven practical experience from dynamic situations such as aviation, manufacturing, gaming or sports, rather than compliance methods.
• For advancing personal career by growing business benefit.
• Based on The Operational Risk Handbook by Brian Barnier, uniquely designed to apply practical, proven lessons learned from across a range of industries, countries and professional disciplines.


MORNING WORKSHOP 2 : Implementing the NIST Cybersecurity Framework

Presenter: Jayson Ferron, CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM, CEO - Interactive Security Training, LLC

In 2013, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary risk-based cybersecurity framework (CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” The CSF was developed through an international partnership of small and large organizations, including owners and operators of the nation’s critical infrastructure, with leadership by the National Institute of Standards and Technology (NIST).

In this session we will discover how the framework works, how to implement it and what the proposed changes as it frameworks moves to version 1.1 This session will be an overview of what the frame work is , who need to follow it, why you company may decide this framework is a good solution for your company to use. We also demo a free tool to help you understand where you current weakness are and how you can improve your compliance to the framework.

Benefits of Sponsorship

9:30 - 10:10 AM

Registration, Breakfast, Welcome

Registration for NEACS conference
Continental Breakfast
Welcome and Introductions

Networking

10:10 - 11:00 AM

Keynote

Keynote :Steve Reynolds - Deputy Chief for Cybersecurity, National Security Division, U.S. DOJ

Steve Reynolds serves as the Deputy Chief for Cybersecurity in the Justice Department’s National Security Division (NSD).

Steve provides legal and policy advice on efforts to investigate, disrupt and deter malicious cyber activity by nation-state actors or their proxies, including cyber-enabled espionage, hacking of U.S. businesses to steal sensitive information, and malware, ransomware and distributed denial of service (DDoS) attacks against U.S. organizations and critical infrastructure.

Steve serves as one of the Justice Department’s primary liaisons on cyber matters with the Federal Bureau of Investigation, the Department of Homeland Security, the Department of Defense, the Intelligence Community, and White House National Security Council staff. Steve has worked on matters involving the Cybersecurity Information Sharing Act (CISA), the 2017 Cyber Executive Order, the “PATCH Act,” the U.S.-U.K. cross-border data sharing agreement, encryption challenges and the “Going Dark" issue, the Internet-of-Things, foreign stored data issues, and efforts to counter terrorists’ use of the internet.

Steve also serves as the Justice Department’s representative for the Vulnerability Equities Process.

More information about Steve is available on the Speakers page.

11:05 - 11:45 AM

Session 1

SESSION 1A: Mobile Security

Presenter: David P. Trollman, Senior Manager – Ernst & Young

More and more, Internal Audit teams ask EY to provide consulting services to teams gearing up or trying to understand mobile security audits.
Customers, employees, and other stakeholders expect flexibility in light of the reality of how people work in today's digital economy. Many organizations move too quickly and increase their risk exposure, or move to slowly and risk disruption in the race for talent, customers, and innovation.

This talk will discuss the drivers and threat landscape of the mobile workforce while providing examples from recent mobile security audits we have supported at our clients.

SESSION 1B: The Unhealthy State of Healthcare IoT

Presenter: Xu Zou, CEO and Co-Founder - ZingBox

IoT has the potential to improve patient outcomes, but most of the integration and adoption of electronic health records have focused exclusively on patient data security, leaving much of the connected medical devices vulnerable. Based on real-world case studies and rich data sets from large U.S. hospitals, this session, led by Dr. May Wang, will delve into the challenges of healthcare IoT and why the current solutions are failing.

Healthcare has the most attacked IoT devices and security breaches, even beyond the financial sector. Each electronic health record is worth more than 20 times more than a financial record or credit record. Health records contain your social security number, insurance number, and a wealth of personal data. In the past, thieves would focus on the record. However, now they are moving toward medical devices to disrupt critical service. Ransomware attacks across both data and service are a growing trend, as well.

The viruses that compromise servers and ransomware that encrypts important data can also run amok in IoT devices. Encrypting critical data on an IV pump can render the device inoperable or lock in an incorrect medication dosage. X-ray machines may not be able to transmit images and heart rate monitors may give false readings. As if these situations are not dire, the same devices can be used to launch attacks such as DDoS.

In the past, healthcare professionals attempted to minimize the risk to connected medical devices by segmenting their networks. This segmentation unfortunately hindered visibility into the devices. It became much more difficult for organizations to track devices across multiple networks, often losing sight of where the devices are. It also did not address the core issue of identifying compromised devices or devices under attack.

There is a light at the end of the tunnel, however. IoT devices are purpose-built to perform specific tasks. As such, their behaviors can be analyzed by select analytics tools to detect compromise or malfunction. When these behavior analytics tool interoperates with solutions such as firewalls and SIEMs, they can effectively quarantine and isolate the suspect device.

SESSION 1C: Building an Effective Threat Intelligence Program
Presenter: Muhammad Kashif, Technical Account Manager - Deloitte

Cybersecurity, once a technology-centric issue, has become a multi-faceted business issue. The ability to manage cyber risk must become integral across all aspects of business operations. Learn about threat intelligence and the core components along with maturing it from a tactical to strategic state.

SESSION 1D : GDPR—Are You Ready?

Presenter: Monique M. Ferraro, JD, CISSP, CIPP/US Counsel, Cyber Practice – The Hartford Steam Boiler Inspection and Insurance Co.

Any business that offers goods or services to European Union citizens will be subject to the General Data Protection Regulation (GDPR) set to take effect on May 18, 2017. It applies to any entity that processes or maintains private information regarding EU citizens, and that includes American companies that sell products or services online or employ EU citizens.
While most states have data breach laws, the European Union did not have a clear, unified regulation until the GDPR. Under the new regulation, companies will be expected to notify data subjects in the event of a data breach, and, in the event of a failure to comply with the regulation’s mandates, companies face fines of between 10 million Euros or 2% of yearly profits to 20 million Euros or 4% of yearly profits.

The definition of personal data is much broader under the GDPR than in most state data breach laws. Personal data is defined as, information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly to identify a specific person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or an Internet Protocol address. So, if your organization processes or retains any of this information regarding people who reside in the European Union, your organization will likely be subject to the GDPR.

Key Privacy Protections in the GDPR include:
• Breach Notification
• Right to Access
• Right to be Forgotten
• Data Portability
• Privacy by Design
• Data Protection Office

11:45 - 01:15 PM

Sponsored sessions

Sessions on solutions, 15 minutes for each vendor

LUNCH and Presentations

01:20 - 02:20 PM

DOJ Panel

SESSION 2 US Dept of Justice Panel: Guide to Successful Law Enforcement Cooperation and Partnership
Moderated by the United States Department of Justice


Panelists: David T. Huang, Assistant U.S. Attorney - U.S. District Attorney's Office State of Connecticut
Andrew Dodd, Special Agent - Federal Bureau of Investigation
Additional Panelists TBA


Staying ahead of the risk, learn how to work with Law Enforcement on prevention through information sharing.  The risk landscape constantly changes and this panel sponsored by the Department of Justice will bring leading government experts to the table to discuss the latest trends in partnering.  If you suspect your company has been breached, don’t delay in bringing in your law enforcement resources as they can advise your company how best to protect the valuable information that can be gained from proper breach management.  Learn from real world examples in this very insightful session.

02:30 - 03:15 PM

CISO Panel

SESSION 3 Cyber Insurance Panel: CISO, CRO and CAE Perspectives
Moderated by Sean Letz, AVP & E&O Placement Specialist, FINPRO Practice - Marsh

Panelists:
William E. Feher, Vice President, Internal Audit and Chief Risk Officer - ITT Inc.
Peter Rosario, Information Security Officer - USI

Robert Joseph Mannarino, CEO, Boardroom Associates

Learn how Chief Risk Officers and Chief Audit Executives view risk associated with Cybersecurity events, plus the key role of the insurance broker in this process.  This session explores the CRO role, specifically explaining to insurance carriers how risk is assessed and monitored, benchmarking of coverages and retention and understanding what is and is not covered.  Additionally, the panel will share of management and Board expectations and how Internal Audit independently assesses and communicates potential financial and reputational risk.

03:15 - 03:30 PM

Break, Networking, Refreshments

Networking

03:30 - 04:15 PM

4 Sessions

SESSION 4A: Information Security Risk Assessments in the world of NIST/Cyber, GDPR and NY-DFS

Presenters:
Mike Money, Security & Privacy Director - Protiviti
David Lehmann, Managing Director Technical Auditing - Protiviti


With the introduction of the NY-DFS Cybersecurity, GDPR and similar regulations, many organizations are finding out that their existing Information Security Risk Assessment process may not be robust enough to comply with these new laws. This session will highlight information security risk assessments in the current NY-DFS and NIST cyber environments, how to evaluate any identified risks and set up your cybersecurity program to meet regulatory standards. Join this session to get an overview of the concepts and methodology for implementing a risk assessment. Discover road maps that will deliver the right combination of people, process, technology and governance needed to meet compliance and future challenges.

1. Introduction of NIST-CSF, GDPR, and NY-DFS Cybersecurity regulation and the requirement for information security risk assessment
a. Technical controls, frameworks and standards
b. Setting up your cybersecurity program to reduce risk and meet regulatory requirements
c. Information Security Risk Assessment Frameworks


2. Cybersecurity Risk Assessment Strategy and Conceptual Overview
a. Know your company’s risk perspective from operational risk, enterprise risk, regulatory risk and other risks measurement and reporting processes impacting your risk measurement
b. Cyber Risk Models
c. Developing a risk assessment process
d. Applying a risk based approach in your cybersecurity practice
e. Identifying, evaluating, and categorizing cybersecurity risks
f. Roles and responsibilities


3. Creating your Cybersecurity Program in alignment with your organization’s risk appetite
a. Establishing risk based cybersecurity program
b. Examples of successful cybersecurity programs that are risk
driven
c. Using risk assessments to tailor-guide your cybersecurity program


4. Key Takeaways

SESSION 4B: IoT Security for the Enterprise

Presenters:
Babak Pasdar, CEO/CTO - Acreto Security
Thad Eidman, CFO/COO - Acreto Security


In this session, leading IoT security experts will address three important questions:
- Why is IoT security so critical?
- Why is IoT security so hard?
- What are key strategies that can be executed today to reduce the risk of breach?


SESSION 4C: Cyber Sexy Apoplexy – Research in Cybersecurity and Forensics

Presenter: Ibrahim (Abe) Baggili PhD, Co-Director & Founder, Cyber Forensics Research and Education Group, University of New Haven, Tagliatela College of Engineering

This talk will present how cybersecurity and forensics have become a mainstream topic of critical importance (sexy). The talk will then delve into the various areas of research and disciplines involved in conducting leading edge scientific inquiry in this domain. The talk will then shed light on areas of research that should be pursued to improve the state of the art in this discipline, and explain why a multidisciplinary approach is unavoidable when studying this massive problem. Lastly, the talk will shed light on hurdles one encounters when attempting to learn and collaborate in different domains to solve a problem that requires multiple viewpoints (apoplexy).

Some of the topics that we will talk about are: Datasets for experimentation, process improvement through data science, drone forensics, IoT forensics, VR Security and Forensics., 


SESSION 4D: Cyber Risk Oversight in the Boardroom

Presenter: Glenn A. Siriano, Principal – KPMG Cyber Services

Board oversight of Cyber risk is no longer a leading practice, but has become a required imperative. Investors, governments, and global regulators are increasingly challenging board members to actively demonstrate diligence in this area. Regulators expect personal information to be protected and systems to be resilient to both accidents and deliberate attacks. The implications of not getting it right from a management operational perceptive as well as from the board’s oversight and governance responsibility include the risks of:
• Intellectual property loss
• Fines and penalties, regulatory sanctions
• Property loss
• Reputational loss
• Time loss in remediation efforts
• Administrative burden
• Loss of revenue


This session will provide the attendees with the latest leading practices surrounding board oversight of Cyber risk. Based on KPMG’s board outreach and education programs, the most common questions asked by board members include:
1. What are the new cybersecurity threats and risks and how do they affect our organization?
2. Is my organization’s cybersecurity program ready to meet the challenges of today’s (and tomorrow’s) cyber threat landscape?
3. What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?


The session will answer fundamental questions on leading practices, and will provide a framework for how Boards should come up to speed around their organization’s Cyber controls ecosystem utilizing KPMG’s framework for oversight. Areas that the session will go into detail will include:
• Legal and Compliance considerations
• Leadership and governance frameworks
• Operations & Technology
• Human Factors
• Business Continuity & Incident Response
• Information Risk Management
• Security Metrics and Reporting
• The changing privacy & regulatory landscape

04:20 - 05:00 PM

4 Sessions

Session 5A Blockchain Panel: The Potential Impact of Blockchain on Businesses
Moderator: Neeraj Sahni, Senior Vice President, FINEX - Cyber/Technology E&O – Willis Towers Watson

Panelists:
Gail Gottehrer, Tech Attorney , Addressing Legal & Regulatory Issues Relating to Existing & Emerging Technology,Akerman LLP 
Pamela Gupta, Security expert, OutSecure, helping companies create Strategic and Efficient Security Programs
Additional Panelists TBD


• What is blockchain technology?
• Disruptive use cases across industry sectors
• FI decentralized ledgers using blockchain with other banks
• B2B Payment transaction infrastructure
• Manufacturing trusted supply chain with vendors providing traceability
• Smart contracts
• Security and Scalability
• Potential regulatory impact
• Cyber insurance impact to transfer risk

Panelists will include: FinTech advisor; Attorney on Big Data; Security Professional

SESSION 5B: Hands-on Cybersecurity Risk Assessment

Presenter: Peter Chang, Chief Audit Executive – Steve Madden

While many organizations build their cybersecurity program around the latest preventative tools and security services, a robust program demands a thorough risk assessment to identify the key risks around cybersecurity-related activities.

This session will cover key aspects of a thorough cybersecurity risk assessment:
• Selling the risk assessment to management: Why a cybersecurity risk assessment is need for every organization.
• The objective of the risk assessment: Determine the end-goal of the assessment, level of review, and who should get involved.
• Choosing the framework: What are the differences among the different risk assessment frameworks, and how to choose the best one for your organization.
• Compliance requirements: Determine the level of inherent and acceptable risks, as well as any regulatory requirements.
• Key risk areas determination: Ascertain the focus areas based on the organization’s business model and practices. In addition, determine the scope and depth of the assessment.
• What’s next: How to report findings, and define business and operational relevance.
• Continuous monitoring: Follow-up on existing findings and action plans, as well as any emerging risks and system changes.

In addition to going through key aspects of a cybersecurity risk assessment, the session will feature a hands-on walkthrough of a risk assessment questionnaire and risk functions, using the NIST/ISO Cybersecurity Framework:
• Identify: Classify relevant people, processes, and systems as related to cybersecurity
• Protect: Information security and change management policies, procedures, and relevant controls
• Detect: Monitoring tools and escalation procedures
• Respond: Incident response plan and mitigation procedures
• Recover: Post-event analysis and related action plans, such as disaster recovery and business continuity plans


The walkthrough will include key questions to cover during the assessment, evidence to demonstrate compliance with set policies and procedures, and potential impact due to a lack of properly implemented control. Furthermore, the session will cover ways to address any residual risks identified through the assessment, while preserving existing security posture and infrastructure.

SESSION 5C: Preemptive Cyber Intrusion Detection in Corporate and Space Assets with Big Data Analytics

Presenter: Sam Adhikari, Stanford University, Rutgers University and Sysoft Corporation

Protection of Space Assets is one of four key objectives identified by U.S. Space Command (USSPACECOM) that must be achieved to gain control of Space. Space cyber assets are vulnerable. Operational Capability Elements defined for protection of Space Assets consists of: Detection and report threats/Attacks; Identify, locate and classify threats; Withstand and defend; Reconstitute and Repair; and assess mission impact. Similarly, in corporate environments, similar Preemptive Cyber Intrusion Detection (PCID) is critical for optimal performance, security, and growth.

To achieve the desired level of protection for the critical space as well as corporate cyber assets, a multiphased approach is envisioned. Improved threat warning and a comprehensive effort to improve cyberspace surveillance and situational awareness is required. Use of big date analytics, machine learning techniques, and artificial intelligence dramatically improves preemptive cyber intrusion detection in space as well as corporate assets.

In this session we describe the various supervised and unsupervised machine learning algorithms implemented in intelligent preemptive cyber intrusion detection in space and corporate assets. Specific case studies will be discussed to show similarity between cyber defense techniques in protecting space as well as corporate assets. Concepts of locally weighted regression, logistic regression, decision trees, support vector machines, principal and independent component analysis, clustering, and probabilistic interpretations provide the initial insight to preemptive intrusion detection mechanisms.

The key issue becomes fast convergence of errors and that is well addressed with Newton's methods. The quadratic convergence model produces fast results in twelve or less iterations with a reasonably sized training datasets and reasonable number of threat features. Generalized linear models cover most of the threat situations and its parameterized features covers the environment that encounter fast changing parameters.
As preemptive threat features change, parameterized exponential family distribution can change from one distribution to another within the algorithmic setup like Gaussian, Multivariate Gaussian, Bernoulli, Mutinomial, Poisson, Gamma or Exponential.

SESSION 5D: Raising Internal Audit’s Game IT Audit Trends in the Digital Age

Presenter: Khalid Wasti, Partner - PwC Internal Technology Audit Solutions Practice

This session will focus on trends in Information Technology Audit and will focus on the impact of evolving technologies on Internal Audit and Risk Management.
Learning Objectives:
• Understand areas where internal audit functions can elevate their maturity to help the business identify risks and opportunities How to formalize a roadmap to develop an innovative an technology audit capability
• Understand the differences between continuous auditing and continuous monitoring
• Effectively utilize analytics in a comprehensive audit automation strategy
• Recognize the impact of emerging technologies on your audit strategy (i.e. cybersecurity, social media etc.)

05:00 - 06:00 PM

Networking, Refreshments

Thank you for participating in NEACS 2017!
Join your fellow NEACS attendees for informal networking. Relax and unwind before making your way home.