Supply Chain Security Summit

Software Supply Chain Security Event

March 20, 2024


The recent surge in high-profile software supply chain attacks has exposed a soft underbelly of modern computing and prompted a major global response to address security defects and third-party risk management.

Join us as SecurityWeek’s editorial team moderates an in-depth exploration of software and vendor supply chain security, with a focus on understanding how attacks against identity infrastructure produce major cascading effects.

Gold Sponsors

eclypsium

ReversingLabs

Binarly


This virtual event will provide an overview of current trends and challenges in securing open-source software, the hard-to-mitigate risks associated with software dependencies, and how identities (people, services and devices) have become the new perimeter, demanding new defensive approaches.

Hear from CISOs and corporate defenders on assessing and managing third-party vendor risks, mitigating exposure from service providers and best practices for due diligence and continuous monitoring.
Discussion topics will include:

  • Identity as the new security perimeter and the risk of cascading supply chain problems.
  • Best practices for evaluating third-party vendors, and tools and techniques for continuous monitoring.
  • Innovations in identity verification and authentication.
  • Compliance and legal considerations.
  • Case studies and real world discussions of managing supply chain and third party risks.
  • Crisis management and response during major incidents.
  • Future trends and predictions.

Event Agenda

March 22, 2023 11:00

Trust in Software has Eroded

Charlie Jones
ReversingLabs, Director of Product Management

The global trend of digitization and the rapid transition to remote working has created an increased reliance on an organization's software supply chain. Malicious actors are exploiting the complexities and interconnectedness of this modern supply chain ecosystem to expand their reach. To keep pace with the evolving threat landscape, a new approach to establishing security and integrity within the supply chain must be adopted to regain trust and transparency amongst software publishers and consumers. During my talk, I will outline key actions that both software publishers and consumers can take to uplift software supply chain security and protect against software tampering.

March 22, 2023 11:30

From CEO Fraud to Vendor Fraud: The Shift to Financial Supply Chain Compromise

Lane Billings
Abnormal Security, Group Product Marketing Manager

The tactics that worked for your business five years ago likely aren’t still working today, and cybercrime is no different. The CEO fraud that dominated the last few years is not nearly as successful as it used to be, partially because employees understand that their CEO isn’t emailing them about gift cards at 2:00 in the morning. Not to be outdone, cybercriminals have shifted their tactics, now relying more on vendor impersonation and vendor email compromise to run their scams. Join us for this webinar with Lane Billings, Group Product Marketing Manager at Abnormal Security, where she’ll answer your questions about this new threat, including:

  • What are the various types of financial supply chain compromise?
  • How do threat actors use impersonation and account compromise to run invoice fraud, aging report fraud, and blind third-party attacks?
  • Why have threat actors shifted tactics, and what do your employees need to know?
  • How can you stop these evolving attacks before they reach your inboxes?

The average invoice fraud attack costs $183,000 and Abnormal has seen attacks that request upwards of $2.1 million. Attend the session to make sure you’re prepared to defend against them.

March 22, 2023 12:00

BREAK

Please visit our sponsors in the Exhibit Hall and explore their resources. They're standing by to answer your questions.

March 22, 2023 12:15

How to Leverage SBOMs to Reduce Software Supply Chain Risk

Jason Ortiz
Finite State, Lead Engineer

In today’s software supply chains, how do SBOMs help detect vulnerabilities and support vulnerability management programs? How do SBOMs bolster our response to new threats? Most importantly, how can enterprise security teams bridge the gap between AppSec and Product Security to reduce friction with developers, but still shift right to ensure products are secure prior to release? In this talk hosted by Finite State Engineering Manager Jason Ortiz, we will examine why attackers love the huge attack surface presented by OT/IoT and the key challenges facing stakeholders in today’s software supply chains. In this session, Jason will explore the value, visibility, and confidence that a shift-right methodology can bring to vulnerability management and your software supply chain through dynamic SBOM management.

March 22, 2023 12:45

Securing The Digital Supply Chain: Do You Trust Your Devices?

Paul Asadoorian
Eclypsium, Security Evangelist

The global device supply chain is complex and difficult for any one team to tame. Unfortunately, the software that supports the devices in your supply chain (endpoints, servers, network devices) is riddled with device-level vulnerabilities that are rapidly being exploited by today’s cyber adversaries. Join Eclypsium Security Evangelist Paul Asadoorian as he discusses 5 practical steps to identify, prioritize and mitigate the vulnerabilities that exist in the “below-the-OS” attack surface. Key Learnings:

  • What should be prioritized in shoring up your digital supply chain, and what can wait
  • How to secure hardware-based vulnerabilities against modern attacks that are missed by traditional EDR and VM tools
  • Examples of real-world firmware attacks and how to mitigate the risk

March 22, 2023 13:15

Tech Session - Compromised Enterprise-Grade Routers and Downstream Supply Chain Risks

Danny Adamitis
Lumen Technologies, Principal Security Engineer

In the 2023 threat assessment, the U.S. government's ODNI noted one of the largest threats from Chinese actors derives from “cyber-espionage operations include compromising providers of… managed services, and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations.”

What does that look like in the real world, and how do we abstract that concept into tangible actions? This talk will discuss two real-world examples of threat actors targeting networking equipment to facilitate supply-chain style attacks against downstream customers:

1. In the case of HiatusRAT, the threat actors passively collected email transmitted to IT services and consulting firms by sitting directly outside their network. This could have enabled them to obtain information about the security posture of their customers and potentially even credentials from the IT provider.

2. Our second case study will focus on another threat called ZuoRAT. This campaign targeted SOHO routers, rather than the larger enterprise devices targeted in the HiatusRAT campaign. The capabilities of ZuoRAT could enable threat actors to gather credentials and deploy trojans.

Lastly, we will discuss possible ways to mitigate these threats moving forward.

March 22, 2023 14:00

Panel Session TBD

TBD

Solutions Theater (On-demand)

ON-DEMAND: An Abnormal Approach to Email Security

The open design of cloud email platforms provides new opportunities for collaboration and extensibility, but it has also opened up new channels for attackers to exploit.

Only Abnormal Security leverages advanced behavioral data science to stop the full spectrum of email attacks, including phishing, impersonation, and vendor fraud while providing direct visibility into your security posture.

Watch the Abnormal demo to discover how you can:

  • Stop the socially-engineered attacks that other solutions miss.
  • Detect and disable compromised internal accounts.
  • Automate your SOC workflows and save time.
  • Discover misconfiguration risks across your cloud environment.

See for yourself why customers love the platform and why more than 10% of the Fortune 500 trust Abnormal to protect their email environment.

ON-DEMAND: Software - The hidden threat in your third-party risk management program

The inescapable blast radius of recent supply chain attacks (CircleCI) demonstrates the reliance of modern enterprises on the open-source ecosystem. Software provides threat actors an enticing vector to hide and distribute malicious artifacts to unsuspecting enterprises. ReversingLabs discusses the shortcomings of existing application security toolchains and how their Software Supply Chain Security Platform can assist software consumers to combat this threat.

ON-DEMAND: Protecting Beyond the OS – The Hardware and Firmware Integrity Journey

Hardware and firmware integrity is often the most ignored component of Zero Trust and a trusted supply chain. Let’s understand why attackers are targeting areas outside the OS, how to ensure your IT hardware doesn’t have any hidden threats, and how you can integrate this into your existing controls.

ON-DEMAND: Finite State Platform Demo

Event Details
  • Start Date: March 20, 2024 11:00 am EST
  • End Date: March 20, 2024 4:00 pm EST