Supply Chain Security Summit

Trust in Software has Eroded

Charlie Jones
Reversing Labs, Director of Product Management

×

Charlie Jones

Charlie is a Director of Product Management with a deep understanding of the competitive market landscape for supply chain security solutions. As a previous cyber consultant at PwC, he has experience providing strategic transformation services for cyber security, supply chain risk, and IT audit programs of both Fortune and FTSE 100 companies across all three lines of defense. Charlie specializes in helping organizations assess and manage the security risks presented by the software supply chain, to help prevent software tampering. An accomplished speaker, Charlie provides thought leadership within the digital trust domain. Drawing from his global consulting experience, Charlie aims to provide his audience with pragmatic solutions to uplift the cyber security posture of small, medium, and large businesses.

The global trend of digitization and the rapid transition to remote working has created an increased reliance on an organization's software supply chain. Malicious actors are exploiting the complexities and interconnectedness of this modern supply chain ecosystem to expand their reach. To keep pace with the evolving threat landscape, a new approach to establishing security and integrity within the supply chain must be adopted to regain trust and transparency amongst software publishers and consumers. During my talk, I will outline key actions that both software publishers and consumers can take to uplift software supply chain security and protect against software tampering.

From CEO Fraud to Vendor Fraud: The Shift to Financial Supply Chain Compromise

Lane Billings
Abnormal Security, Group Product Marketing Manager

×

Lane Billings

Lane Billings is Group Product Marketing Manager at Abnormal, where she leads messaging, positioning and external-facing content creation focused on Abnormal's cloud email security products. Cybersecurity is a complicated but critical discipline; as an experienced product marketer with prior roles at IBM Security and Cloudflare, Lane enjoys supporting security professionals with compelling, simple, and helpful information about strategic initiatives like email security. Lane is based in Austin, Texas.

The tactics that worked for your business five years ago likely aren’t still working today, and cybercrime is no different. The CEO fraud that dominated the last few years is not nearly as successful as it used to be, partially because employees understand that their CEO isn’t emailing them about gift cards at 2:00 in the morning. Not to be outdone, cybercriminals have shifted their tactics, now relying more on vendor impersonation and vendor email compromise to run their scams. Join us for this webinar with Lane Billings, Group Product Marketing Manager at Abnormal Security, where she’ll answer your questions about this new threat, including: What are the various types of financial supply chain compromise? How do threat actors use impersonation and account compromise to run invoice fraud, aging report fraud, and blind third-party attacks? Why have threat actors shifted tactics, and what do your employees need to know? How can you stop these evolving attacks before they reach your inboxes? The average invoice fraud attack costs $183,000 and Abnormal has seen attacks that request upwards of $2.1 million. Attend the session to make sure you’re prepared to defend against them.

BREAK

Please visit our sponsors in the Exhibit Hall and explore their resources. They're standing by to answer your questions.

How to Leverage SBOMs to Reduce Software Supply Chain Risk

Jason Ortiz
Finite State, Lead Engineer

×

Jason Ortiz

Jason Ortiz is Lead Engineer at Finite State and has over 10 years of experience in the US Intel Community and more than five years in commercial cyber security services. In his role, Jason develops necessary interfaces between the Finite State Platform and data for use by customers and partners in their business context. Jason joined Finite State from Pondurance, a managed detection and response company, where he served most recently as a senior product engineer. Prior to joining Pondurance in 2017, Jason was a research engineer and R&D lead for Fortego, LLC. Jason began his career as a software engineer with Chiron Technology Services, Inc. Jason is President of the Indiana InfraGard Members Alliance, a partnership between the FBI and the private sector that facilitates public-private collaboration and information sharing. Jason also serves on the Indiana Executive Council on Cybersecurity as a co-chair for economic development and a contributing member for defense. In 2020, Jason co-founded Edjro, an IoT edtech product provider that supports teachers in the classroom. He also holds a personal membership to the Indiana IoT Lab. Jason earned a B.S. degree in computer science from Purdue University.

In today’s software supply chains, how do SBOMs help detect vulnerabilities and support vulnerability management programs? How do SBOMs bolster our response to new threats? Most importantly, how can enterprise security teams bridge the gap between AppSec and Product Security to reduce friction with developers, but still shift right to ensure products are secure prior to release? In this talk hosted by Finite State Engineering Manager Jason Ortiz, we will examine why attackers love the huge attack surface presented by OT/IoT and the key challenges facing stakeholders in today’s software supply chains. In this session, Jason will explore the value, visibility, and confidence that a shift-right methodology can bring to vulnerability management and your software supply chain through dynamic SBOM management.

Securing The Digital Supply Chain: Do You Trust Your Devices?

Paul Asadoorian
Eclypsium, Security Evangelist

×

Paul Asadoorian

Paul Asadoorian is currently the Security Evangelist for Eclypsium. Paul is also the founder of Security Weekly, a security podcast network (acquired by CyberRisk Alliance in 2020) and now serves as a podcast host for Paul's Security Weekly. Paul's previous roles have been spent “in the trenches” coding in Python, testing security products, and evaluating and implementing open-source software. Paul's career began by implementing security programs for a lottery company and then a large university. Paul is offensive, having spent several years as a penetration tester. As Product Evangelist for Tenable Network Security, Paul built a library of materials on the topic of vulnerability management

The global device supply chain is complex and difficult for any one team to tame. Unfortunately, the software that supports the devices in your supply chain (endpoints, servers, network devices) is riddled with device-level vulnerabilities that are rapidly being exploited by today’s cyber adversaries. Join Eclypsium Security Evangelist, Paul Asadoorian, as he discusses 5 practical steps to take to identify, prioritize and mitigate the vulnerabilities that exist “below-the-OS” attack surface. Key Learnings:

• What should be prioritized in shoring up your digital supply chain, and what can wait
• How to secure hardware-based vulnerabilities against modern attacks that are missed by traditional EDR and VM tools
• Examples of real-world firmware attacks and how to mitigate the risk

Tech Session - Compromised Enterprise-Grade Routers and Downstream Supply Chain Risks

Danny Adamitis
Lumen Technologies, Principal Security Engineer

×

Danny Adamitis

Danny Adamitis is a principal information security engineer at Black Lotus Labs, the threat research division within Lumen Technologies. He is responsible for tracking advanced actors that pose a significant risk to the telecommunications and ISP verticals. Danny has a passion for research on DNS hijacking, and router-oriented malware. He has almost a decade of experience performing threat analysis and reporting on nation-state campaigns, most notably while at Cisco Talos.

In the 2023 threat assessment, the U.S. government's ODNI noted one of the largest threats from Chinese actors derives from “cyber-espionage operations include compromising providers of… managed services, and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations.”

What does that look like in the real world, and how do we abstract that concept into tangible actions? This talk will discuss two real-world examples of threat actors targeting networking equipment to facilitate supply-chain style attacks against downstream customers:

1. In the case of HiatusRAT, the threat actors passively collected email transmitted to IT services and consulting firms by sitting directly outside their network. This could have enabled them to obtain information about the security posture of their customers and potentially even credentials from the IT provider.

2. Our second case study will focus on another threat called ZuoRAT. This campaign target SOHO routers, rather than the larger enterprise devices targeted in the HiatusRAT campaign. The capabilities of ZuoRAT could enable threat actors to gather credentials and deploy trojans.

Lastly, we will discuss possible ways to mitigate these threats moving forward.

Panel Session TBD

TBD

ON-DEMAND: An Abnormal Approach to Email Security

The open design of cloud email platforms provides new opportunities for collaboration and extensibility, but it has also opened up new channels for attackers to exploit.

Only Abnormal Security leverages advanced behavioral data science to stop the full spectrum of email attacks, including phishing, impersonation, and vendor fraud while providing direct visibility into your security posture.

Watch the Abnormal demo to discover how you can:

• Stop the socially-engineered attacks that other solutions miss.
• Detect and disable compromised internal accounts.
• Automate your SOC workflows and save time.
• Discover misconfiguration risks across your cloud environment.

See for yourself why customers love the platform and why more than 10% of the Fortune 500 trust Abnormal to protect their email environment.

ON-DEMAND: Software - The hidden threat in your third-party risk management program

The inescapable blast radius of recent supply chain attacks (CircleCI) demonstrates the reliance of modern enterprises on the open-source ecosystem. Software provides threat actors an enticing vector to hide and distribute malicious artifacts to unsuspecting enterprises. ReversingLabs discusses the shortcomings of existing application security toolchains and how their Software Supply Chain Security Platform can assist software consumers to combat this threat.

ON-DEMAND: Protecting Beyond the OS – The Hardware and Firmware Integrity Journey

Often the most ignored component of Zero Trust and Trusted Supply Chain – Hardware and Firmware Integrity. Let’s understand why attackers are targeting areas outside the OS, how to ensure your IT hardware doesn’t have any hidden threats, and how you can integrate this into your existing controls.

ON-DEMAND: Finite State Platform Demo