Program Overview

This event brings together PSIRT and incident response leaders on a wide range of topics interesting to anyone in a PSIRT role.

Wednesday, April 3^rd
Plenary Day April 3rd
Thursday, April 4^th
Plenary Day April 4th

Wednesday, April 3^rd

	Plenary Day April 3rd
08:00 – 09:00	Check In -- Breakfast
09:00 – 09:15	US Welcome Josh Dembling (Intel, US)
09:15 – 10:00	US Why Now Matters Donald Parker (Intel, US)
10:00 – 10:15	Coffee Break
10:15 – 11:00	US Multi-Party Vulnerability Coordination: What’s Next? Chandan Nandakumaraiah (Palo Alto Networks, US)
11:00 – 11:15	Break: Q&A, Meet People
11:15 – 12:00	US Under the Tent - Who gets to know early and why? Bruce Monroe (Intel FIRST Team – Intel/Intel Product Security and Assurance PSIRT, US)
12:00 – 13:00	US Lunch / 2018 CVD Lessons Learned Peter G. Allor (Honeywell, US)
13:00 – 13:45	Free Fish Aren't Free...and other stories about working with OSS Christopher Robinson, RedHat
13:45 – 14:00	Break: Q&A, Meet People
14:00 – 14:45	Advisory Day: From reactive to more proactive? Marcel Kulicke
14:45 – 15:00	Coffee Break: Q&A, Meet People
15:00 – 15:45	US How a severity 2.2 issue can cost us so much Lisa Bradley (NVIDIA, US)
15:45 – 16:00	Coffee Break: Q&A, Meet People
16:00 – 16:45	US Choose Your Own Disaster! C Rob (RH-ISIRT – Red Hat Inc, US)
18:00 – 20:00	Social Event at Coyote's Bar and Grill

Thursday, April 4^th

	Plenary Day April 4th
08:00 – 08:30	Check In -- Breakfast
08:30 – 09:15	Tool for vulnerability management Umair Bukhari (Ericsson)
09:15 – 10:00	Lessons Learned When Investigating and Disclosing Third-party Software Vulnerabilities in Modern Environments Omar Santos (Cisco)
10:00 – 10:15	Coffee Break
10:15 – 11:00	US Tooling: Linking OSC/SW Vulns to HW Products Beverly Miller (Lenovo PSIRT – Lenovo, US)
11:00 – 11:15	Break: Q&A, Meet People
11:15 – 12:00	US Beyond sticky notes and spreadsheets Chandan Nandakumaraiah (Juniper SIRT – Juniper Networks, US)
12:00 – 13:00	Lunch US Panel: How has the PSIRT framework impacted us? C Rob (RH-ISIRT – Red Hat Inc, US); Lisa Bradley (NVIDIA, US); Marissa Quebbeman (Microsoft, US); Pete Allor, Peter Capelluto (Honeywell, US)
13:00 – 13:45	CA Automating Security Bulletins at NVIDIA Anton Bondarenko (NVIDIA, CA)
13:45 – 14:00	Break: Q&A, Meet People
14:00 – 14:45	Tales from the Crisis - A fireside chat with the Crisis Keepers Crob (RedHat), Jerry Bryant (Microsoft)
14:45 – 15:00	Break: Q&A, Meet People
15:00 – 15:45	CA PSIRT New Experience Managing Cloud Vulnerabilities Angela Lindberg (SAP Global Security, CA)
15:45 – 16:00	Closing Josh Dembling, Intel

Advisory Day: From reactive to more proactive?
Marcel Kulicke

Working for Siemens CERT since 2016 and ProductCERT in particular since 2017 as part of the Incident and Vulnerability Handling Team based in Munich, Princeton and currently Fredericton.

In any big organization there are many divisions/departments working on different products and solutions and on the other hand, researchers, hobbyists and the ecosystem of conferences bring new insights about the state of the security of our devices to the light of day. By establishing specific, reoccurring synchronization points and an accompanying process, the ProductCERT team established an approach to harmonize the handling of these time relevant steps. This enables us to collaborate with the solution units and downstream product teams so they can evaluate the security update for their product upfront and on a fixed schedule. The communication, customer service and solution departments can prepare for potential customer inquiries and customers can plan and reserve resources for patch management. We were able to significantly reduce the coordination effort and the potential for automation was increased. However, this process wasn't without challenges. In particular the scheduling and coordination effort among different internal departments and the enforcement of common deadlines with respect to the need for out-of-band advisories was and is a challenge. In this talk we will present our experiences in setting up an advisory day process with its various phases. We will present the challenges and compromises that lead to the status quo and where we see its strengths, weaknesses, opportunities and threats.
April 3, 2019 14:00-14:45
CA
Automating Security Bulletins at NVIDIA
Anton Bondarenko (NVIDIA, CA)

Anton Bondarenko is a former Software Security Intern at NVIDIA’s PSIRT. His focus has been to develop new security tools that increase the capacity of PSIRT and executive reporting of PSIRT metrics at a company-wide scale. The impact has been a prioritization of security, and an understanding of the risk environment at NVIDIA. Currently, Anton is earning a Bachelor of Computer Science (BCS) from University of Waterloo and a Bachelor of Business Administration (BBA) from Wilfrid Laurier University.

The goal of this talk is that you can gain some insight and guidance when dealing with your own bureaucracy with respect to security bulletins and some tips in nailing down the right questions to ask your product teams so that you too could automatically create Security Bulletins. This talk covers the challenges that NVIDIA has faced with bulletins, including educating management on the importance of proper and timely disclosures. We will start with a background on the company’s evolution of the security bulletin process and stakeholders. We will also talk how we improved our bulletin template and request system, education about why bulletins are important, bulletin processes, and a tool to automate the creation of NVIDIA’s security bulletins. We will conclude with a demo of our own bulletin request tool.
April 4, 2019 13:00-13:45
US
Beyond sticky notes and spreadsheets
Chandan Nandakumaraiah (Juniper Networks, US)

Chandan Nandakumaraiah is a senior manager of incident response at Juniper Networks, co-founder and director of OpenGrok Foundation for the advancement of human understanding of complex software and systems and a member of the CVE Automation Working Group. He has served in various software engineering and security incident response roles for large corporations since the start of this millennium. Chandan is a member of the FIRST Vulnerability Coordination SIG, Vendor SIG and Ethics SIG, and has been attending FIRST annual conferences since 2005. He has actively participated in many ICASI working groups and USIRPs since 2009. Chandan holds a master's degree in Computer Science and Engineering from the Indian Institute of Science.

Title: Beyond Sticky Notes and Spreadsheets - Data, tooling and automation required for an efficient PSIRT.

A product security team is often responding to many vulnerabilities in various stages of a vulnerability life cycle, across multiple products and versions, dealing with different people and tools.

In this talk we will walk through key pieces of information required for incident handling, discuss how to gather that information and demonstrate tools and techniques available to get the big picture and stay ahead in managing incidents and response. As the number of incidents and vulnerabilities handled keeps increasing, automation and prioritization are key to scaling and efficiency. We hope that the methodologies and tools described here can help build a new PSIRT program as well as help mature incident response teams improve their operations and efficiency.
April 4, 2019 11:15-12:00
US
Choose Your Own Disaster!
C RobC Rob (Red Hat Inc, US)

Christopher Robinson (aka CRob) is the Lead for the Red Hat Product Security Assurance Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.

CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He enjoys herding cats and moonlit walks on the beach.

It started off like every other normal day. No one plans to have a bad day, but they sometimes happen. After entering the datacenter you gasp in horror! The server racks are empty! What do you do? Race around in a panic - turn to page 200 Call Physical Security! - turn to page 98 Oh wait, we moved all our servers to the cloud last week - turn to page 25

Based upon a popular series of books, join Red Hat Product Security and decide with your peers how a cyber incident gets resolved. This is an exciting twist on a traditional Mock Incident or tabletop walkthrough you might participate in back in your office.

Attendees will learn:

Common attack patterns for cyber-incidents today How to apply a battery of controls to help detect and prevent those attacks from being successful To live, laugh, and learn
April 3, 2019 16:00-16:45
Free Fish Aren't Free...and other stories about working with OSS
Christopher Robinson, RedHat

Christopher Robinson (aka CRob) is the Lead for the Red Hat Product Security Assurance Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.

CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He enjoys herding cats and moonlit walks on the beach.

Avast ye scurvy dogs! Set sail to ADVENTURE with a recap of the year's Open Source security as shared by Red Hat Product Security. Don't walk the plank of jumping into OSS without understanding what ye'er in for!
April 3, 2019 13:00-13:45
Free-Fish-Aren-t-Free.pdf
MD5: 3c370d5716b314b494fee39ece2ecafc
Format: application/pdf
Last Update: April 29th, 2019
Size: 6.18 Mb
US
How a severity 2.2 issue can cost us so much
Lisa Bradley (NVIDIA, US)

Dr. Lisa Bradley is the Senior Manager for NVIDIA’s PSIRT. Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. Lisa has 20 years of Enterprise-class engineering and leadership experience including 6+ years of experience leading PSIRT programs as she previously ran IBM’s. Lisa is part of FIRST’s PSIRT committee and contributed to the FIRST PSIRT Services Framework and training and PSIRT Maturity document. Lisa has spoken at many tech-related events including FIRST, BSIMM, DerbyCon, ISACA and Security Journey White Belt modules.

So you think you are doing pretty good with your vulnerability management practices and then wham a severity 2.2 turned your world upside down. Yup I said a CVSS score of 2.2. This talk will tell an interesting story of a severity 2.2 issue that not only cost our company tons of hours of work, but caused our CEO to come asking about it. Stories of real situations are always great to learn from. We at NVIDIA learned a pretty good lesson about a third party reported issue and how better to handle it next time. Come walk through this story to learn about the mistakes we made and how we now have a better approach to all third party reported issues regardless of the score. Let our story be your story to better improve your PSIRT practice.
April 3, 2019 15:00-15:45
Lessons Learned When Investigating and Disclosing Third-party Software Vulnerabilities in Modern Environments
Omar Santos (Cisco)

Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar is the author of over 20 books and video courses; numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer of Cisco’s Product Security Incident Response Team (PSIRT) where he mentors and lead engineers and incident managers during the investigation and resolution of security vulnerabilities.

Third-party software (including open source) security is not trivial. Vendors of all sizes face a very dynamic and complex environments. Using open source software saves developers time and companies money. In other words, it's here to stay. According to industry reports, open source components are now present in 96 percent of commercial applications. The average application had 147 different open source components -- and 67 percent of the applications used components with known vulnerabilities. The industry is also trying to address the accuracy of software bill of materials (SBOMs). In this session, we will cover different lessons learned when trying to address these monumental challenges in traditional products and modern multi-cloud services. We will go over different software decomposition, SBOMs, vulnerability investigation, and disclosure strategies.
April 4, 2019 09:15-10:00
US
Lunch / 2018 CVD Lessons Learned
Peter G. AllorPeter G. Allor (Honeywell, US)
Share your thoughts on CVD in 2018. How could the industry improve? What would you like to see different in the industry? What would you like to see the Vulnerability Coordination SIG focus on to improve the industry?
April 3, 2019 12:00-13:00
US
Multi-Party Vulnerability Coordination: What’s Next?
Chandan Nandakumaraiah (Palo Alto Networks, US)

Chandan Nandakumaraiah is a senior manager of incident response at Juniper Networks, co-founder and director of OpenGrok Foundation for the advancement of human understanding of complex software and systems and a member of the CVE Automation Working Group. He has served in various software engineering and security incident response roles for large corporations since the start of this millennium. Chandan is a member of the FIRST Vulnerability Coordination SIG, Vendor SIG and Ethics SIG, and has been attending FIRST annual conferences since 2005. He has actively participated in many ICASI working groups and USIRPs since 2009. Chandan holds a master's degree in Computer Science and Engineering from the Indian Institute of Science.

The value and importance of Coordinated Vulnerability Coordination is widely understood, yet there remain many barriers to fully implementing coordinated vulnerability disclosure programs within industry. In this session, ICASI will discuss coordinated vulnerability disclosure successes and challenges based on its experience coordinating vulnerability disclosures among its members and partners, with a particular focus on the WPA/WPA2 KRACK ATTACK vulnerabilities. This session will also discuss how this topic has received attention from policymakers and what impact this increased public could have on vulnerability coordination. It will conclude with a group discussion on potential industry led models to enhance and improve coordinated vulnerability disclosure.
April 3, 2019 10:15-11:00
US
Panel: How has the PSIRT framework impacted us?
C RobPete AllorC Rob (Red Hat Inc, US), Lisa Bradley (NVIDIA, US), Marissa Quebbeman (Microsoft, US), Pete Allor (Honeywell, US), Peter Capelluto (Honeywell, US)

Christopher Robinson (aka CRob) is the Lead for the Red Hat Product Security Assurance Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals. CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He enjoys herding cats and moonlit walks on the beach.

Dr. Lisa Bradley is the Senior Manager for NVIDIA’s PSIRT. Her responsibilities include the management and resolution of product security vulnerabilities involving all NVIDIA products. Lisa has 20 years of Enterprise-class engineering and leadership experience including 6+ years of experience leading PSIRT programs as she previously ran IBM’s. Lisa is part of FIRST’s PSIRT committee and contributed to the FIRST PSIRT Services Framework and training and PSIRT Maturity document. Lisa has spoken at many tech-related events including FIRST, BSIMM, DerbyCon, ISACA and Security Journey White Belt modules.

Listen to some of the contributors to the PSIRT Services Framework describe their journey in helping articulate what makes a PSIRT different from a CSIRT. Hear about how they've applied the Framework within their organizations. This lively panel will interact with the audience to help share others' experiences for the benefit of the larger PSIRT community.
April 4, 2019 12:00-13:00
CA
PSIRT New Experience Managing Cloud Vulnerabilities
Angela LindbergAngela Lindberg (SAP Global Security, CA)

Angela Lindberg is a Security Response Analyst working for SAP, who joined the Product Security Response Team (PSRT) in February 2018. The PSRT manages the responsible disclosure of vulnerabilities reported by security researches and hackers. In addition, the team facilitates the release of quality security fixes, monthly, for SAP’s Security Patch Day. Angela’s main responsibility is to oversee the handling of the reported cloud vulnerabilities and to provide a leadership role to the team members in Vancouver and Bangalore. Prior to joining SAP, Angela worked for a Global Banking and Financial Institution in an IT Risk Management role overseeing information security, technology and operational risk.

In 2018, the SAP Product Security Response Team, took over the responsibility of handling the reported cloud vulnerabilities by our customers. This was a new experience for the team moving from traditionally supporting an on-premise environment dealing with external researchers, to moving to the cloud environment supporting our customers. SAP would like to share our experience and the challenges associated with taking over the responsibility of supporting the cloud.
April 4, 2019 15:00-15:45
Cloud-Presentation-2019_Angela-Lindberg.pdf
MD5: 318391d292ce7cb5b45ce671302e25e8
Format: application/pdf
Last Update: April 29th, 2019
Size: 2.25 Mb
Social Event at Coyote's Bar and Grill
5301 W Baseline Rd, Hillsboro, OR 97123 | www.coyotesrestarant.com
April 3, 2019 18:00-20:00
Tales from the Crisis - A fireside chat with the Crisis Keepers
Crob (RedHat), Jerry Bryant (Microsoft)

Christopher Robinson (aka CRob) is the Lead for the Red Hat Product Security Assurance Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals. CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He enjoys herding cats and moonlit walks on the beach.

Jerry Bryant is a Principal Security Program Manager with the Microsoft Security Response Center (MSRC). Jerry has 17 years of incident response and vulnerability management experience at Microsoft and is the senior strategist for the MSRC’s government and security partner threat information exchange programs including the Microsoft Active Protection Program (MAPP) and the Government Security Program (GSP). He contributes to the FIRST organization through deep involvement in the PSIRT Services Framework and by driving Microsoft sponsored educational opportunities for the FIRST community.

Join Jerry and CRob for an insightful dialog about the triumphs and challenges PSIRTs will meet as they are working "crisis's". Be regaled with shocking and horrifying tales of vulnerabilities gone very, very wrong, about amazing heroics, and a constant focus on serving stakeholders and customers.
April 4, 2019 14:00-14:45
Tool for vulnerability management
Umair Bukhari (Ericsson)
In a large company with hundreds of software products, following up and fixing vulnerabilities in open source and commercial components is a big and complex task. Co-ordination of accurate vulnerability information between the vulnerability information sources, product development units, product management, customer support organizations, customers and sometimes even executives and public relations would be impossible without automated tools.

This talk presents the Ericsson Vulnerability Management Service (EVMS), a full-fledged vulnerability management system developed in-house. Various Ericsson employees globally use the service in different roles: Ericsson PSIRT provides the vulnerability management service through EVMS, product development submits their mitigation plans into EVMS, customer support searches for information about specific products and managers search for recently created security alerts to keep up with the security landscape. EVMS is the place where all the above information can be found.
April 4, 2019 08:30-09:15
US
Tooling: Linking OSC/SW Vulns to HW Products
Beverly MillerBeverly Miller (Lenovo, US)

Beverly Miller has been the program manager for Lenovo's PSIRT since its inception over 4 years ago, leads FIRST's Vendor SIG, serves on MITRE’s CVE Board and was involved in the PSIRT Framework effort last year.

Scott Kelso currently manages Lenovo's Corporate Product Security Office. Prior to this, Scott was responsible for triage of new vulnerability reports, authored our security advisories and was heavily engaged in our tools development.

There is a common problem across many PSIRTs that Lenovo has struggled with since day one: Linking software/firmware vulnerabilities to hardware products. Our PSIRT supports hardware products that are made up of firmware and software components. Each of these components include 3rd party components and open source code where the vulnerabilities actually occur. How can we match the reported vulnerability to the software package and then to the hardware product so we know what to communicate to our customers?

We tried managing our inventory through spreadsheets…BUT it aged quickly as new products were launched and old products went end of support. AND it was time-consuming to maintain across multiple business units which are segmented into many brands and development teams.
Not scalable or sustainable!

Thanks to new skills on the team, we took another stab at solving the problem. We call it the Product Attribute Database, or PAD for short. PAD links with Lenovo Support’s knowledge management database and allows us to view all Lenovo supported products as well as the supported firmware and software components for each of those products. A large part of the problem is solved with this step!

To resolve the issue of which 3rd party components and open source code are included in each firmware and software component, we took it a step further.
Development scans their components and reports the 3rd party components and open source used. We call these ‘attributes’ and load them into PAD.
The attributes are then linked to the applicable hardware or software component.

What all this means is that when we receive a vulnerability report for glibc, for instance, we don’t have to scrub spreadsheets trying to determine what products may be affected. Instead, we create a case and PAD returns a list of products and their supported components which include glibc. Each product + component combination becomes a task that is assigned to an owner.
Because we track and assign this way, we know who we need responses from and can follow up as needed.

The end result is streamlined case creation, accurate assignment, product inventory management including 3rd party components/open source software, reduced time in preparing security advisories and improved SLA metric reporting.
April 4, 2019 10:15-11:00
FIRST-TC-2019-PSIRT-Tools-final_Beverly-Miller.pdf
MD5: 2c7a2ebb8af9db51140a47023bd68f37
Format: application/pdf
Last Update: April 29th, 2019
Size: 1.26 Mb
US
Under the Tent - Who gets to know early and why?
Bruce Monroe (Intel/Intel Product Security and Assurance PSIRT, US)
Bruce Monroe is the Lead Engineer for Intel Product Security Incident Response Team (Intel PSIRT) as part of the Intel Product Security and Assurance organization. The PSIRT team is responsible for leading Intel’s product security response efforts for potential vulnerabilities in our shipping products and services. Bruce started with Intel in September 1996 and has held numerous roles throughout Intel including working in IT Operations and Product Security. Bruce was a founding member of Intel Security Operations Center following 9/11 and was the first full time hire for Intel’s PSIRT team in 2007.

Bruce was a twelve year USN military veteran before joining Intel. He worked on Mainframe computers, RADAR, Weapons Designation Systems, and Missile Systems. Bruce’s areas of expertise include incident response, project management, operating systems, computer hardware, computer forensics, and network monitoring. Bruce is very interested in all areas of security research and how that research relates Intel’s infrastructure and products.

He is currently Intel’s technical representative to the Internet Consortium for the Advancement of Security of the Internet, and to the Forum of Incident Response Team’s Vendor Special Interest Group. Bruce helped to draft the Common Vulnerability Scoring System Version 3 that is an industry standard for vulnerability scoring. He’s very active in industry incident response circles and has a broad network of security minded professionals both internally and externally. He’s helped develop a number of industry standards on computer forensics, vulnerability, and incident response. Bruce’s hobbies include golf, tennis, ping pong, computer gaming, music, target shooting, cooking, and all forms of BBQ. He’s very happily married with three grown children and is fortunate to have two of them living locally in Oregon.

In this talk I plan to cover how large industry vendors handle vulnerability information as part of Multiparty Coordinated Vulnerability Disclosure. This will include how partners are informed, when they are informed, and industry best known methods for determining whether, how and why to bring particular partners “into the tent” early in the process The intent of this talk is to document some industry best known methods that could then be leveraged as part of continued evolution of Multiparty Coordinated Vulnerability Disclosure.

Areas to be covered:
- How pre-mitigated vulnerability information is handled from intake, to storage, to NDA dissemination, and finally public disclosure.
- Decision Matrix and high level timeline for how it is determined when and what peers, business partners, customers, and consumers are notified of the vulnerability and mitigation.
- Backing details on how and why these choices are made.
- How to handle feedback from the community on how the event was handled.
- Continuous Improvement: How to take the learnings from each response event and continuously improve the process.
- How tenting ties into the greater Multiparty Coordinated Vulnerability Disclosure discussion.
April 3, 2019 11:15-12:00