Program Overview

This event brings together PSIRT and incident response leaders on a wide range of topics interesting to anyone in a PSIRT role.

• Advisory Day: From reactive to more proactive?

  Marcel Kulicke

  Working for Siemens CERT since 2016 and ProductCERT in particular since 2017 as part of the Incident and Vulnerability Handling Team based in Munich, Princeton and currently Fredericton.

  In any big organization there are many divisions/departments working on different products and solutions and on the other hand, researchers, hobbyists and the ecosystem of conferences bring new insights about the state of the security of our devices to the light of day. By establishing specific, reoccurring synchronization points and an accompanying process, the ProductCERT team established an approach to harmonize the handling of these time relevant steps. This enables us to collaborate with the solution units and downstream product teams so they can evaluate the security update for their product upfront and on a fixed schedule. The communication, customer service and solution departments can prepare for potential customer inquiries and customers can plan and reserve resources for patch management. We were able to significantly reduce the coordination effort and the potential for automation was increased. However, this process wasn't without challenges. In particular the scheduling and coordination effort among different internal departments and the enforcement of common deadlines with respect to the need for out-of-band advisories was and is a challenge. In this talk we will present our experiences in setting up an advisory day process with its various phases. We will present the challenges and compromises that lead to the status quo and where we see its strengths, weaknesses, opportunities and threats.

  April 3, 2019 14:00-14:45

•  US

  Choose Your Own Disaster!

  C RobC Rob (Red Hat Inc, US)

  Christopher Robinson (aka CRob) is the Lead for the Red Hat Product Security Assurance Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.

  CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He enjoys herding cats and moonlit walks on the beach.

  It started off like every other normal day. No one plans to have a bad day, but they sometimes happen. After entering the datacenter you gasp in horror! The server racks are empty! What do you do? Race around in a panic - turn to page 200 Call Physical Security! - turn to page 98 Oh wait, we moved all our servers to the cloud last week - turn to page 25

  Based upon a popular series of books, join Red Hat Product Security and decide with your peers how a cyber incident gets resolved. This is an exciting twist on a traditional Mock Incident or tabletop walkthrough you might participate in back in your office.

  Attendees will learn:

  Common attack patterns for cyber-incidents today How to apply a battery of controls to help detect and prevent those attacks from being successful To live, laugh, and learn

  April 3, 2019 16:00-16:45

• Free Fish Aren't Free...and other stories about working with OSS

  Christopher Robinson, RedHat

  Christopher Robinson (aka CRob) is the Lead for the Red Hat Product Security Assurance Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.

  CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He enjoys herding cats and moonlit walks on the beach.

  Avast ye scurvy dogs! Set sail to ADVENTURE with a recap of the year's Open Source security as shared by Red Hat Product Security. Don't walk the plank of jumping into OSS without understanding what ye'er in for!

  April 3, 2019 13:00-13:45

  Free-Fish-Aren-t-Free.pdf

  MD5: 3c370d5716b314b494fee39ece2ecafc

  Format: application/pdf

  Last Update: June 7th, 2024

  Size: 6.18 Mb

•  US

  How a severity 2.2 issue can cost us so much

  Lisa Bradley (NVIDIA, US)

  Dr. Lisa Bradley is the Senior Manager for NVIDIA’s PSIRT. Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. Lisa has 20 years of Enterprise-class engineering and leadership experience including 6+ years of experience leading PSIRT programs as she previously ran IBM’s. Lisa is part of FIRST’s PSIRT committee and contributed to the FIRST PSIRT Services Framework and training and PSIRT Maturity document. Lisa has spoken at many tech-related events including FIRST, BSIMM, DerbyCon, ISACA and Security Journey White Belt modules.

  So you think you are doing pretty good with your vulnerability management practices and then wham a severity 2.2 turned your world upside down. Yup I said a CVSS score of 2.2. This talk will tell an interesting story of a severity 2.2 issue that not only cost our company tons of hours of work, but caused our CEO to come asking about it. Stories of real situations are always great to learn from. We at NVIDIA learned a pretty good lesson about a third party reported issue and how better to handle it next time. Come walk through this story to learn about the mistakes we made and how we now have a better approach to all third party reported issues regardless of the score. Let our story be your story to better improve your PSIRT practice.

  April 3, 2019 15:00-15:45

•  US

  Lunch / 2018 CVD Lessons Learned

  Peter G. AllorPeter G. Allor (Honeywell, US)

  Share your thoughts on CVD in 2018. How could the industry improve? What would you like to see different in the industry? What would you like to see the Vulnerability Coordination SIG focus on to improve the industry?

  April 3, 2019 12:00-13:00

•  US

  Multi-Party Vulnerability Coordination: What’s Next?

  Chandan Nandakumaraiah (Palo Alto Networks, US)

  Chandan Nandakumaraiah is a senior manager of incident response at Juniper Networks, co-founder and director of OpenGrok Foundation for the advancement of human understanding of complex software and systems and a member of the CVE Automation Working Group. He has served in various software engineering and security incident response roles for large corporations since the start of this millennium. Chandan is a member of the FIRST Vulnerability Coordination SIG, Vendor SIG and Ethics SIG, and has been attending FIRST annual conferences since 2005. He has actively participated in many ICASI working groups and USIRPs since 2009. Chandan holds a master's degree in Computer Science and Engineering from the Indian Institute of Science.

  The value and importance of Coordinated Vulnerability Coordination is widely understood, yet there remain many barriers to fully implementing coordinated vulnerability disclosure programs within industry. In this session, ICASI will discuss coordinated vulnerability disclosure successes and challenges based on its experience coordinating vulnerability disclosures among its members and partners, with a particular focus on the WPA/WPA2 KRACK ATTACK vulnerabilities. This session will also discuss how this topic has received attention from policymakers and what impact this increased public could have on vulnerability coordination. It will conclude with a group discussion on potential industry led models to enhance and improve coordinated vulnerability disclosure.

  April 3, 2019 10:15-11:00

•  US

  Under the Tent - Who gets to know early and why?

  Bruce Monroe (Intel/Intel Product Security and Assurance PSIRT, US)

  Bruce Monroe is the Lead Engineer for Intel Product Security Incident Response Team (Intel PSIRT) as part of the Intel Product Security and Assurance organization. The PSIRT team is responsible for leading Intel’s product security response efforts for potential vulnerabilities in our shipping products and services. Bruce started with Intel in September 1996 and has held numerous roles throughout Intel including working in IT Operations and Product Security. Bruce was a founding member of Intel Security Operations Center following 9/11 and was the first full time hire for Intel’s PSIRT team in 2007.

  Bruce was a twelve year USN military veteran before joining Intel. He worked on Mainframe computers, RADAR, Weapons Designation Systems, and Missile Systems. Bruce’s areas of expertise include incident response, project management, operating systems, computer hardware, computer forensics, and network monitoring. Bruce is very interested in all areas of security research and how that research relates Intel’s infrastructure and products.

  He is currently Intel’s technical representative to the Internet Consortium for the Advancement of Security of the Internet, and to the Forum of Incident Response Team’s Vendor Special Interest Group. Bruce helped to draft the Common Vulnerability Scoring System Version 3 that is an industry standard for vulnerability scoring. He’s very active in industry incident response circles and has a broad network of security minded professionals both internally and externally. He’s helped develop a number of industry standards on computer forensics, vulnerability, and incident response. Bruce’s hobbies include golf, tennis, ping pong, computer gaming, music, target shooting, cooking, and all forms of BBQ. He’s very happily married with three grown children and is fortunate to have two of them living locally in Oregon.

  In this talk I plan to cover how large industry vendors handle vulnerability information as part of Multiparty Coordinated Vulnerability Disclosure. This will include how partners are informed, when they are informed, and industry best known methods for determining whether, how and why to bring particular partners “into the tent” early in the process The intent of this talk is to document some industry best known methods that could then be leveraged as part of continued evolution of Multiparty Coordinated Vulnerability Disclosure.

  Areas to be covered:

  • How pre-mitigated vulnerability information is handled from intake, to storage, to NDA dissemination, and finally public disclosure.
  • Decision Matrix and high level timeline for how it is determined when and what peers, business partners, customers, and consumers are notified of the vulnerability and mitigation.
  • Backing details on how and why these choices are made.
  • How to handle feedback from the community on how the event was handled.
  • Continuous Improvement: How to take the learnings from each response event and continuously improve the process.
  • How tenting ties into the greater Multiparty Coordinated Vulnerability Disclosure discussion.

  April 3, 2019 11:15-12:00

• PSIRT Technical Colloquium 2019
  • Program Overview
  • Registration
  • Call for Papers
  • Location
  • Hotel Information