Cloud & Data Security Summit

Securing the Cloud: Offensive Security Strategies for Risk Mitigation

Jessica Stinson
Bishop Fox, Security Consultant III

×

Jessica Stinson

Jessica Stinson is a Security Consultant III at Bishop Fox focused on Application Security, Cloud Security, and Source Code Review. In her role at Bishop Fox, Jessica tests applications, internal and external networks, and cloud-based infrastructures for current threats and vulnerabilities with an emphasis on application and cloud security. Jessica is skilled at conducting source code review, analyzing system architecture and threat models while using internal and external tools to identify vulnerabilities within applications and networks.

According to recent statistics, 81% of organizations experienced a cloud-related security incident over the last 12 months, with almost half (45%) suffering at least four incidents during the same period. These incidents often culminate in data leakage, privacy violations, and unintentional exposure, posing a serious threat to businesses. There’s no shortage of cloud security testing options designed to mitigate these risks; however, many only scratch the surface without accurately assessing how controls stand up against real-world cyber-attacks. Adversaries are experts at finding and exploiting cloud defense blind spots. Beating them to their targets requires preparing against the same sophisticated and precise methods that they use. Join Jessica Stinson, Security Consultant III at Bishop Fox, as she provides a glimpse into your cloud environment through a hacker’s eyes – depicting how they can access restricted portions of your environment, locate sensitive data, and compromise your trophy targets. Importantly, she will also discuss offensive security strategies that go beyond misconfiguration reviews with realistic and targeted cloud attack simulations to identify likely attack pathways and help you prioritize remediation where it matters most.

Five Keys for Creating a Successful Disaster Recovery Plan

Jack Bailey
11:11 Systems, VP, Channel & Sales Enablement

×

Jack Bailey

Jack Bailey has 20 years of experience in the IT world, with a career that has focused on virtualization, data protection, and security. His skill set includes a blend of leadership positions in technical administration, technical sales, product, and enablement roles at companies such as 11:11, Zerto, and Rubrik. In his current role, he is focused on teaching technology and solving customer challenges with the value of the cloud and managed security.

One of the most important keys to security is having an effective disaster recovery (DR) plan. Preventive risk controls are incredibly important, but there is absolutely no world where you can keep catastrophes from ever happening to your organization. Which is why you absolutely, positively must have a DR plan. But if you’ve never created one, where do you start? During our presentation, we’ll walk you through the steps you and your team need to formulate an effective DR plan. Whether you’re a seasoned IT pro or a novice, we’ll share best practices that you can tailor to your needs. We’ll discuss:

• A step-by-step approach to building your plan
• The technology available and whether or not it addresses your unique business needs
• Things you can do to get buy-in from key stakeholders
• The best ways to build, implement, and test your disaster recovery plan

Security is as Critical as Quality

Galen Emery
Lacework, Senior Manager, Sales Engineering

×

Galen Emery

Galen Emery is a Cloud Security Professional focusing on Audit and Security’s role in DevSecOps pipelines and teams. He has extensive background in building hardened systems and implementing efficient & secure development methodologies to ensure delivery of a continuous and evolving security posture. At Lacework, Galen manages a team of Solutions Engineers focused on helping Large Enterprises achieve secure and compliant infrastructure by design by following DevSecOps practices.

This session dives into the fundamental link between quality and security, and challenges the perception that security is an addition rather than a key building block. Galen will also explore the impact of migrating to the cloud, how to align security to larger business goals, and how to select the right tools and processes.

The Journey to Security Through Identity

Alexandria Hodgson
Okta, Sr. Solutions Product Marketing Manager

×

Alexandria Hodgson

Alexandria Hodgson is a Senior Solutions Product Marketing Manager, Workforce at Okta specializing in Identity. Alexandria has spent the majority of her career in Cybersecurity, focusing on the ways in which organizations can better leverage their people, processes, and technologies to address the ever-evolving threat landscape.

With business needs outpacing security, and an ever-changing macroeconomic environment driving the need to do more with less, it's never been more challenging to keep your organization moving in the right direction - efficient and secure. While there is no one clear path to success, one thing is clear - Identity is the control plane of the modern organization and is a central component to driving valuable business outcomes. Join this session to learn how Identity can support your organizations’ cybersecurity goals, improve operations, and drive topline impact; and leave with a clear structured framework to help you along your Identity maturity journey.

BREAK

Please visit our sponsors in the Exhibit Hall and explore their resources. They're standing by to answer your questions.

Penetrating the Cloud: Uncovering Unknown Vulnerabilities

Seth Art
Bishop Fox, Principal Security Consultant

×

Seth Art

Seth Art (OSCP) is a Principal Security Consultant at Bishop Fox, where he currently focuses on penetration testing cloud environments, Kubernetes clusters, and traditional internal networks. Seth is the author of multiple open-source projects including CloudFox, CloudFoxable, IAM Vulnerable, Bad Pods, celeryStalk, and PyCodeInjection. He has presented at security conferences, including fwd:cloudsec, DerbyCon, and BSidesDC, published multiple CVEs, and is the founder of IthacaSec, a security meetup in upstate NY.

Nate Robb
Bishop Fox, Operator

×

Nate Robb

Nate Robb is a Security Associate at Bishop Fox, where he works as an Operator for Cosmos (formerly CAST). Prior to coming to Bishop Fox, he held roles as a security consultant and spent time as a full-time bug bounty hunter, where he worked to secure Fortune 500 companies, state and Federal Agencies, and small and medium-sized businesses

As cloud infrastructure grows, so do vulnerabilities and misconfigurations. While many organizations spend a lot of time fixing issues they can easily identify with tools, those tools have limitations and don't operate the way a real-world attacker does. Luckily, an offensive security approach can help surface high-value attack paths so you can proactively identify, understand, and mitigate the most impactful vulnerabilities lurking in your cloud environment. Join offensive security experts Seth Art and Nate Robb as they explore:

• How hackers gain access to cloud environments (even when they aren’t targeting them)
• Methodologies for exploiting vulnerabilities through cloud penetration testing with an assumed breach mindset
• Actual Bishop Fox findings and real-world examples that will help you sharpen your cloud security strategy
• Recommendations for reducing risk in your cloud environment

Inside the Microsoft 365 Zero-Day Attack and the Cost of Cloud Visibility

Ryan Naraine
SecurityWeek, Editor-at-Large

×

Ryan Naraine

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Steven Adair
Volexity, Founder & President

×

Steven Adair

Steven Adair is the founder and President of Volexity, Inc, an information security firm specializing in assisting organizations with incident response, digital forensics, threat intelligence, network security monitoring, and trusted security advisory. Steven currently leads a team of experts that frequently deal with advanced and complex cyber intrusions from nation-state level intruders targeting everyone from small think tanks to large global defense contractors.

In June 2023, a U.S. government agency noticed suspicious activity in their Microsoft 365 (M365) cloud environment and reported the activity to Microsoft and the CISA. After an investigation, Microsoft determined that an APT group with roots in China had forged authentication tokens to steal Exchange Online Outlook data from government agencies. In this fireside chat with SecurityWeek editor-at-large Ryan Naraine, Volexity president Steven Adair discusses the intricacies of the M365 zero-day attack, the "head-scratching" dead-end when investigating a confirmed hack against an organization, the controversy over Microsoft licensing and the cost of logs, and the many blind spots that make it difficult to mitigation cloud attacks.

Editorial Fireside Chat: Mick Baccio, Global Security Advisor, Splunk

Ryan Naraine
SecurityWeek, Editor-at-Large

×

Ryan Naraine

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Mick Baccio
Splunk, Global Security Advisor

×

Mick Baccio

Mick Baccio fell in love with the idea of cyberspace around 9-years-old after reading “Neuromancer,” thinking "I could do that."

Before joining Splunk, Mick Baccio held the title of chief information security officer at Pete for America, holding the honor of being the first CISO in the history of presidential campaigns. Mick was also the White House threat intelligence branch chief in both the Obama and Trump administrations, and helped create a threat intelligence program during the rollout of the Affordable Care Act at the Department of Health and Human Services.

He is still trying to do “that.”

As a global security advisor at SURGe, Baccio leverages his background and expertise to help customers solve complex security problems. In his spare time, when not posting pictures of his muppet or Air Jordans to social media, Baccio is a Goon at DefCon and teaches lockpicking

In this editorial fireside chat, SecurityWeek editor-at-large Ryan Naraine is joined by veteran cybersecurity leader Mick Baccio for an honest conversation about why security problems seem to be escalating with each passing day. Baccio is expected to discuss his time as the first ever CISO for a political campaign, his time as a threat intelligence practitioner in the White House, ongoing zero-day attacks in the cloud and why it's becoming near impossible to do reliable forensics after cloud data breaches.

Cloud Penetration Testing: Cloud Testing Should Go Beyond the Baseline

Fortify your cloud defenses with a complete testing methodology that extends beyond configuration reviews to illuminate high-risk entry points, overprivileged access, and susceptible internal pathways that are commonly targeted by attackers.

Lacework: Data-Driven Security at Scale

See Lacework in action. Discover how you can automate security and compliance across AWS, Azure, Google Cloud, and private clouds with Lacework.

Defend Your Workforce with Phishing Resistant MFA

Large organizations continue to fall for credential-based phishing attacks, which often lead to costly breaches. Traditional multi-factor authentication (MFA) methods are increasingly under attack and are especially prone to phishing. Join us to learn about the journey Okta and its customers are taking to phishing resistant authentication.

Take 30 with a Techie: Disaster Recovery

Go beyond protecting your business. Make it resilient. 11:11 Disaster Recovery for Zerto offers customized runbook functionality, optimized RTOs, near-zero RPOs, and automated recovery. Built on 11:11’s award-winning cloud platform with direct integration into Zerto’s industry-leading replication software, our solution gives you complete control of your disaster recovery plan. So when you need it most, it’ll be ready.

[On-Demand] Lacework: Data-Driven Security at Scale

See Lacework in action. Discover how you can automate security and compliance across AWS, Azure, Google Cloud, and private clouds with Lacework.

[On-Demand] Cloud Penetration Testing: Cloud Testing Should Go Beyond the Baseline

Fortify your cloud defenses with a complete testing methodology that extends beyond configuration reviews to illuminate high-risk entry points, overprivileged access, and susceptible internal pathways that are commonly targeted by attackers.

[On-Demand] Defend Your Workforce with Phishing Resistant MFA

Large organizations continue to fall for credential-based phishing attacks, which often lead to costly breaches. Traditional multi-factor authentication (MFA) methods are increasingly under attack and are especially prone to phishing. Join us to learn about the journey Okta and its customers are taking to phishing resistant authentication.

[On-Demand] Take 30 with a Techie: Disaster Recovery

Go beyond protecting your business. Make it resilient. 11:11 Disaster Recovery for Zerto offers customized runbook functionality, optimized RTOs, near-zero RPOs, and automated recovery. Built on 11:11’s award-winning cloud platform with direct integration into Zerto’s industry-leading replication software, our solution gives you complete control of your disaster recovery plan. So when you need it most, it’ll be ready.