Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Monday, June 15
 

08:00

Registration and Coffee
Come early, meet and greet! 
Coffee, light breakfast and nice people!  

Monday June 15, 2015 08:00 - 09:00
Main Hall

09:00

Opening Notes and Welcome
Monday June 15, 2015 09:00 - 09:15
Main Hall

09:15

Keynote: The CSA Story and Future
Speakers
avatar for Jim Reavis

Jim Reavis

Co-founder & Chief Executive Officer, Cloud Security Alliance
For many years, Jim Reavis has worked in the information security industry as an entrepreneur, writer, speaker, technologist and business strategist. Jim’s innovative thinking about emerging security trends have been published and presented widely throughout the industry and have influenced many. | | Jim has been an advisor on the launch of many industry ventures that have achieved a successful M&A exit or IPO. Jim is widely quoted... Read More →


Monday June 15, 2015 09:15 - 09:45
Main Hall

09:45

Keynote: CSA Guide to Cloud Computing: Implementing Cloud Privacy and Security
Speakers
avatar for Raj Samani

Raj Samani

Intel Security
VP, CTO for McAfee EMEA Raj is currently working as the VP, Chief Technical Officer for McAfee EMEA, having previously worked as the Chief Information Security Officer for a large public sector organisation in the UK. He volunteers as the Cloud Security Alliance EMEA Strategy Advisor, is on the advisory councils for Infosecurity Europe, and Infosecurity Magazine. In addition, Raj was previously the Vice President for Communications in the... Read More →


Monday June 15, 2015 09:45 - 10:15
Main Hall

10:30

Cloud Catalog. The Next Frontier.
By attending this session, insights will be gained on how to provide value for the business, through technology, in a changing security landscape.

Speakers
avatar for Ramsés Gallego

Ramsés Gallego

Dell / ISACA
Responsible for strategy development and execution of the security portfolio at Dell Software. Oversees the deployment of services and designs the vision for the IAM discipline. Evangelizes on the security management ecosystem around the world.


Monday June 15, 2015 10:30 - 11:15
Main Hall

10:30

Actionable Threat Intelligence, ISIS, and the SuperBall
When adding a new threat intelligence feed into your threat model and security practice, one always has to ask: “what is the value?” Unfortunately, over the past couple of years, organizations have struggled with showing true value from standard threat intelligence feeds for several reasons, most of which coincide with the fact that the feeds are too generic, and do not directly relate to the operating environment of the organization.
In this talk, we will discuss how to create a customized, organization-specific threat intelligence feed, that in turn will be used to actively increase the security posture of the organization in a measurable way. Some of the examples we will address include dealing with DDoS attacks & social media account takeovers and adjusting to finding threats and threat actors in order to proactively tune defenses before an attack.

Speakers
avatar for Ian Amit

Ian Amit

Iftach (Ian) Amit, Vice President at ZeroFox, has over a decade of experience in hands-on and strategic roles, working across a diversity of security fields: business, industry, marketing, technical and research. At ZeroFOX, Ian leads the company’s customer solutions offerings and runs ZeroFOX’s New York offices. Previously, Ian served as Director of Services at IOActive. His career also includes time at Security-Art, Aladdin, Finjan... Read More →


Monday June 15, 2015 10:30 - 11:15
Room 2

10:30

“CUMULUS” Research Project Investigates Certification Infrastructure for Multi-Layer Cloud Services
Limited Capacity seats available

Cloud technology offers a powerful approach to the provision of infrastructure, platform and software services without incurring the considerable costs of owning, operating and maintaining the computational infrastructures required for this purpose.
Join this track to learn how the Cumulus Project propose to solve these challenges, and how you can use the input from the Cumulus Project in your own systems. 

Monday June 15, 2015 10:30 - 15:00
Up in the Sky Conference Floor

11:15

Lifecycle management of cloud technology
The adoption of Cloud technologies elevates the role of security leadership while elevating the threat to our technology. Cloud allowed us to step away from infrastructure tasks and freed us to focus on strategic activities; applying security controls to the lifecycle rather to the individual equipment. Using Cloud services as an example, this session provides guidance on advancing our security posture, building our security culture, and increasing our influence with stakeholders. We will walk through the entire lifecycle: building the business case, shaping the deployment project plan, executing, shifting into operations, and finally retiring the Cloud service. At each stage, we will share guidance on incorporating security activities and integrating the new service with existing security programs. The resulting lifecycle will take advantage of our new role to better protect our technology. 


Speakers
avatar for J. Wolfgang Goerlich

J. Wolfgang Goerlich

Cyber Security Strategist, Creative Breakthroughs, Inc. (CBI)
Influential leader and IT management executive with the ability to act as a cultural change agent, drive security initiatives, and raise security postures. Leverages background in systems engineering, software development, and information security. Results-driven and focused on execution. | | 2012 - InfoWorld Technology Leadership Award | 2008 - IDG Best Practices in Infrastructure Management Award


Monday June 15, 2015 11:15 - 12:00
Main Hall

11:15

Incident Handling in the cloud

Hva gjør vi når vi har sikkerhetshendelser i skyen? Hvordan tar man et RAM image utav en SaaS (Software as a service) tjeneste? Man gjør det ikke! Håndtering av sikkerhetshendelser i skyen er en ny problemstilling som mange av oss blir tvunget til å ta stilling til når flere og flere tjenester blir provisjonert i skyen.

I foredraget vil jeg ta opp tema som:

- Hvilke utfordringer ser man i med å håndtere hendelser i skyen
- Hvordan kan noen av disse utfordringene løses
- Hva bør man tenke på før man velger en sky-leverandør.
- Hvordan håndtere utfordringene.


Speakers
avatar for Chris Andre Dale

Chris Andre Dale

I'm Chris Dale from Norway, currently the technical lead for penetration testing & incident handling at Netsecurity. Along with my security expertise, I have a background from system development and application management. Having a vast and broad experience in IT certainly help a great deal when working penetration tests and incidents. | | I'm an open, sharing and engaging person to be around, some even think I'm funny. Enthusiastic and... Read More →


Monday June 15, 2015 11:15 - 12:00
Room 2

12:00

Lunch
Grab a bite! Feed the belly! Roam the exibitions and talk to a stranger!

Monday June 15, 2015 12:00 - 12:45
Main Hall

12:45

Threat trends related to cloud
Speakers

Monday June 15, 2015 12:45 - 13:15
Main Hall

12:45

NextGen Pentesting: Mobile, Cloud and Internet of Things
Cloud backups and getting access to enterprise information on smartphones and tablets (now even watches and sunglasses) adds a ton on convenience, but as a slew of celebrities recently found out, the added functionality doesn’t come without its share of risk. If the door locks are hooked up to the network such that the head of physical security can let someone in in an emergency from the comfort of his home, that will be awesome for his home life, but what does having physical controls in Active Directory mean for an attacker? As penetration testers, we are tasked with simulating an attack and discovering vulnerabilities from missing patches to employees who click on weird links in emails. What are the new risks that our new enterprise network landscapes bring with them? And how can we effectively test for them? In this talk we will look at some of the vulnerabilities introduced by the introduction of mobile, cloud, and Internet of Things as well as testing techniques and methodologies to bring these pieces into our enterprise security assessments.  The talk will include demonstrations of attacks and suggestions for remediation. 

Speakers
avatar for Georgia Weidman

Georgia Weidman

Bulb Security
Georgia Weidman is a penetration tester, security researcher, and trainer. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has presented her research at conferences around the world including Shmoocon, Hacker Halted, Security Zone, and Bsides. Georgia has delivered highly technical security training for conferences, schools, and corporate clients to excellent reviews.


Monday June 15, 2015 12:45 - 13:15
Room 2

13:15

CSA STAR: The Future of Cloud Trust and Assurance

Although the popularity of cloud computing is increasing rapidly, it appears that potential customers are still facing some problems that are inhibiting a wider adoption of cloud services. While businesses are still having concerns about security, privacy and data management in the cloud, those can be attributed to lack of trust in cloud computing services. We will look into the industry’s most powerful program for assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, harmonization of standards and eventually continuous monitoring.

Speakers
avatar for Damir Savanovic

Damir Savanovic

Senior Analyst and Researcher, Cloud Security Alliance
Damir Savanovic is a Senior Analyst and Researcher at Cloud Security Alliance. In past Damir worked as Chief Information Security Officer and IT Quality Manager in SKB, Société Générale Group, where he had a key role in planning, organising, managing and controling the functions of information security in the bank. He developed standards, recommendations and guidelines for information security based on ISO... Read More →


Monday June 15, 2015 13:15 - 13:45
Main Hall

13:15

How to Kill a Patient! Medical Device Security
In the last few years we have seen an increase of high tech medical devices, including all flavors of communication capabilities. The need of hospitals and patients to transfer data from devices to a central health information system makes the use of a wide range of communication protocols absolutely essential. This results in an increasing complexity of these devices which also increases the attack surface of the equipment. Vendors of medical devices put a lot of effort into safety. However, it is often forgotten that the security of these devices is a crucial part in also providing safety. An attacker who is able to gain unauthorized access to these devices may be able to endanger the health of patients. In this presentation, we will provide threat scenarios for medical devices (e.g. how to inject overdoses or steal patients while the vital signs are still displayed) incl. vulnerabilities which we discovered in the course of our research emphasizing the need for more thorough security assurance in the field of medical devices.

Speakers
FG

Florian Grunow

Security Analyst, ERNW GmbH
Security Analyst at ERNW GmbH


Monday June 15, 2015 13:15 - 13:45
Room 2

13:45

Popping the Bubble

A lot of the time we security types - yes, you and me - don’t actually know what the rest of the departments within the business actually do on a day-to-day basis.  We know they exist and what their purpose is but we don’t appreciate their pain points.  We’ve all heard, way too many times, the quotation from Sun Tzu’s “The Art of War”: “If you know the enemy and know yourself you need not fear the results of a hundred battles.”

I would argue that a lot of us don’t know our own organisation as well as we should, let alone the enemy. 

In this talk I’ll look at how you can step out of your bubble and help build more effective and positive relationships within your organisation.


Speakers
avatar for Mo Amin

Mo Amin

Independent InfoSec Consultant
Mo Amin is a London based information security professional. He started out in the world of desktop support where he honed his communication skills from there he transitioned into information security. Since then he has acquired a broad range of experience across the field ranging from operational security through to consultancy. He has always had an interest in information security awareness and over the last couple of years has become more... Read More →


Monday June 15, 2015 13:45 - 14:15
Main Hall

13:45

The Analogies Project
Speakers
avatar for Bruce Hallas

Bruce Hallas

Founder, The Analogies Project
I’m an enthusiastic advocate, consultant, trainer and speaker in the field of information security awareness, behaviour and culture, governance, risk and compliance. | | Over 17 years I have worked as an information security manager, practise manager and consultant to lead or support positive change within organisations towards managing risks associated with information and information systems. | | This support has been delivered... Read More →


Monday June 15, 2015 13:45 - 14:15
Room 2

14:30

Tools of the Trade: Lessons learned from (C)ISOs desks
Google provides 183 million hits for 'IT Security Best Practice'. However, IT operation in very large enterprise environments results in daily security challenges for which best practices either cannot be applied (due to the VUCA attributes of the environment) or do not provide the 'best' benefit. In this talk, we will present several challenges from both the daily life and the strategic decisions of (C)ISOs which can not or only partially be solved by applying best practices or security blue prints. Main areas will be efficient GRC/risk management, network segmentation/classification, and the handling of Cloud services.

Speakers
avatar for Matthias Luft

Matthias Luft

Matthias Luft is a security researcher and pentester working for | the German security company ERNW. He is interested in a broad range of | topics (such as DLP, virtualization, and network security) while trying | to keep up with the daily consulting and assessment work.


Monday June 15, 2015 14:30 - 15:00
Room 2

14:30

So, You Want to be an Accountable Cloud Provider?
In order to be an accountable organisation, Cloud Providers need to commit to being responsible stewards of other people's information. This implies demonstrating both willingness and capacity for such stewardship. This presentation outlines the fundamental requirements that must be met by accountable organisations, and sketches what kind of tools, mechanisms and guidelines can support this in practice.

Speakers
avatar for Martin Gilje Jaatun

Martin Gilje Jaatun

Vice President, CSA Norway Chapter
Mr. Martin Gilje Jaatun received his MSc degree in Telematics from the Norwegian Institute of Technology in 1992, and has been a research scientist at SINTEF ICT since 2004. Previous positions include Senior Consultant for the Norwegian computer security firm System Sikkerhet AS (now: Secode Norway), and Scientist at the Norwegian Defence Research Establishment (FFI). Mr. Jaatun is an expert in computer and communications security, security... Read More →


Monday June 15, 2015 14:30 - 15:00
Main Hall

15:00

The CISO Perspective
Once you have reached the heady heights of a CISO or head of security you are now in the position to create the exemplary security environment for your organisation. Now if you could just deal with those pesky users everything will be perfect. Of course in reality you are also in a position where you could wreak havoc on your business’ ability to operate effectively and profitably.
Thom will look at not only the positioning of the CISO in the organisation and it’s subsequent impacts but also the CISO’s approach to risk and the affects on the business, and finally an attitude and approach that can helps CISO’s use risk as a competitive advantage.
Join Thom as he shows that the CISO perspective from the business mountain doesn’t have to be so windy, and comes with spectacular views!

Speakers
avatar for Thom Langford

Thom Langford

An information security professional, award winning blogger, industry commentator and international speaker. Available as a speaking head and presenter on topics relating to information security, risk management and compliance. Lives in the beautiful countryside of Chippenham in Wiltshire (UK) with his wife and two children.


Monday June 15, 2015 15:00 - 15:30
Room 2

15:00

Mister vi kontrollen ved å bruke eksterne leverandører av IKT-tjenester?
Kjenner du på usikkerheten ved bruk av ekstern leverandør av IKT-tjenester? En sentral aktivitet for å opprettholde tilfredsstillende informasjonssikkerhet er å føre kontroll med sikkerhetsarbeidet. Når hele eller deler av IKT-tjenestene leveres av ekstern leverandør må kontrollspennet utvides til også å inkludere leverandøren. Denne utfordringen gir usikkerhet ved vurderinger om bruk av eksterne leverandører, men kan det være slik at en ekstern leverandør kan bidra til økt kontroll og dermed en styrking av informasjonssikkerhetsarbeidet?

Speakers
avatar for Preben Gustavsen

Preben Gustavsen

Rådgiver innen informasjonssikkerhet, internkontroll og styring, Sopra Steria / ISACA
I am highly motivated to help others achieving their goals through adequate and efficient risk management, control and governance. By combining theory with practical experience from earlier positions and projects, I am able to assist in bringing theoretical frameworks to a usable and practical form. This will enables you and your organization to establish and maintain a comprehensive, effective and efficient management system. | | With a... Read More →


Monday June 15, 2015 15:00 - 15:30
Main Hall

15:45

End Keynote
Application Security and the Cloud: A Double-Edged Sword

This talk will be divided into two sections that are not particularly related to one another.

In the first part, we’ll share some statistics on software security trends as observed through our cloud-based application scanning service. By aggregating and anonymizing vulnerability results from tens of thousands of applications submitted by companies of all shapes and sizes, we have a unique view into the state of software security at a scale that is unmatched.

In the second part, we’ll talk about cloud-deployed apps themselves. Specifically, we’ll discuss some coding vulnerabilities that are historically not a big deal in normal apps but can be devastating when those apps are deployed in a cloud environment.


Speakers
avatar for Chris Eng

Chris Eng

Chris Eng is vice president of research at Veracode.  In this role, he leads the team responsible for integrating security expertise into all aspects of Veracode’s technology.  Throughout his career, he has led projects breaking, building, and defending web applications and commercial software for some of the world’s largest companies.   Chris is a frequent speaker at premier industry conferences, where he has... Read More →


Monday June 15, 2015 15:45 - 16:15
Main Hall

16:15

Closing Remarks
The CSA Norway Chapter President Kai Roer summarizes the day.

Speakers
avatar for Kai Roer

Kai Roer

Senior Partner, The Roer Group AS
Kai is a well known expert on security culture and behaviors. He is the creator of the free and open Security Culture Framework, the author of several books, a university guest lecturer in Europe and Asia, a Fellow to the National Cybersecurity Institute in Washington DC, and a Ron Knode Service Awardee 2015 by Cloud Security Alliance. He is located in Norway, travels a lot, and have a passion for making security a people skill.


Monday June 15, 2015 16:15 - 16:30
Main Hall
 
Tuesday, June 16
 

09:00

CCSK - Cloud Computing Security Knowledge - Foundation
Limited Capacity seats available
A separate ticket is required for attending the CCSK Training. 

Cloud Computing Security Knowledge - Foundation
The CCSK - Foundation course is based on V3.0 of the CCSK exam and the CSA Security Guidance for Critical Areas of Cloud Computing V3.0.

The Cloud Computing Security Knowledge- Foundation class provides students a comprehensive one day review of cloud security fundamentals and prepares them to take the Cloud Security Alliance CCSK v3.0 certificate exam. Starting with a detailed description of cloud computing, the course covers all major domains in the Guidance v3.0 document from the Cloud Security Alliance, and the recommendations from the European Network and Information Security Agency (ENISA).

This class is geared towards security professionals, but is also useful for anyone looking to expand their knowledge of cloud security. (We recommend attendees have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity management). 


Speakers
avatar for Lars Neupart

Lars Neupart

Founder, CEO, Member of Board of Directors, Neupart
Information security expert with a decade of company leadership experience. Business Developer with focus on innovative information security solutions. | | Interests and expertise include information security governance, IT risk management, cloud security, compliance, international standards e.g. ISO 27001, 27002, 27005, data protection, security awareness training and business continuity planning. | | Special attention on easy to deploy and... Read More →


Tuesday June 16, 2015 09:00 - 17:00
Training Center