Agenda

Wednesday September 9, 2015
7:30 AM -
8:30 AM
Registration
Washington Convention Center
  • Salons ABC Prefunction Area (Street Level)
8:30 AM -
8:45 AM
Welcome and Opening Remarks
Room 202
  • Dr. Charles Romine, Director of the Information Technology Laboratory, NIST
8:45 AM -
9:30 AM
Keynote: Cybersecurity Headline News - Changing the Story
Room 202
  • Dr. Zulfikar Ramzan, Chief Technology Officer, RSA, The Security Division of EMC

    Abstract

    Cybersecurity attacks and data breaches are too often headline news. How can we change the story? Our industry is faced with an ever-changing landscape as the diversity and quantity of connected endpoints increases. Yesterday's solutions are not sufficient for tomorrow. In order to successfully secure our information and systems, we must candidly address what's working and where we need to improve. To start, we must appropriately assess risk, educate our users, exercise discipline when securing every endpoint, and embrace innovative solutions built for tomorrow.

9:30 AM -
10:30 AM
General Session: It’s Complicated. Three perspectives on the tough issues: Privacy, Risk Management, Liability, and more
Room 202
  • Host
  • Matt Scholl, Chief of the Computer Security Division, NIST
  • Guests
  • Malcolm Harkins, Global Chief Information Security Officer, Cylance Inc.
  • Donna Dodson, Chief Cybersecurity Advisor, NIST
  • Andy Ubel, Chief Intellectual Property Counsel & Chair of Information Security Council, The Valspar Corporation

    Abstract

    Balancing mission with customer requirements, security requirements, and a myriad of conformance requirements is challenging as we deal with competing priorities while ensuring the organization's mission stays in the forefront. Leaders representing three very different perspectives candidly discuss the natural tension associated with addressing cybersecurity issues while maintaining focus on their organization's mission.

10:30 AM -
11:00 AM
Break / Expo Opens
11:00 AM -
11:50 AM

Trusted Computing

Disrupting the Revolution of Cyber-Threats with Revolutionary Security
Room 204
  • Rick Engle, Principal Windows Technologies Specialist, Microsoft Federal

    Abstract

    Disrupting the revolution of cyber-threats requires a platform with revolutionary security capabilities, and Windows 10 is rising to the occasion. In this session, we talk about technologies that can truly end the use of passwords and make multi-factor authentication the default, provide an easy-to-use and easy-to-deploy data loss prevention (DLP) capability right in the platform, and highlight technology that enables organizations to virtually eliminate malware threats to the Windows platform, including those that come by way of the browser.

Security Automation

Security Automation Challenges
Room 202
  • Cloud
  • John Banghart, Microsoft

    Abstract

    Cloud computing continues to challenge traditional ways of thinking about information technology and organizational boundaries. Balancing the flexibility, scale, and efficiencies of the cloud against the increasing needs of information security is crucial to long term success.

  • Open Source
  • Steve Grubb, Senior Principal Engineer, Red Hat

    Abstract

    This talk will explore issues confronting security automation from the point of view of the open source world. In the open source community, code and content are shared between distributions. Open Source also depends on equal access to standards so that the community can create and maintain tools and guidance. It is from this perspective that we explore some challenges and issues.

Information Sharing

Legal Issues in Sharing Cyber Threat Intelligence: What Are The Real Concerns?
Room 201
  • Kim Peretti, Partner, CISSP, Alston & Bird, LLP

    Abstract

    While a growing number of companies across industry segments are recognizing the benefits of sharing cyber threat intelligence, many remain reluctant to engage in such sharing because of legal concerns. A closer look into these issues helps companies understand which concerns are more theoretical and which may present an actual risk, allowing them to make informed decisions about sharing information at appropriate and critical times. This session outlines the evolving legal landscape around sharing cyber threat intelligence and provides practical guidance for companies in establishing their sharing programs within the organization.

Research

A Secure Toolchain Competition
Room 206
  • Lee Badger, Group Manager, Computer Security Division, Information Technology Laboratory, NIST

    Abstract

    Many security weaknesses in Federal information systems stem from software security vulnerabilities present in current-generation software products. One approach to reducing the number of security vulnerabilities in software is to identify languages and software development tools that make it easier to create software with fewer security vulnerabilities, and to stimulate the development of new and better tools. While it is impossible to assure the total absence of security vulnerabilities in this way, it might well be possible to rule out specific, significant classes of vulnerabilities that today provide the basis for many serious exploits.

    NIST is developing an empirical, competitive approach to finding the most effective and usable combinations of tools to produce software systems that are relatively free of exploitable vulnerabilities. The participants in the planned competition will implement software systems to solve challenge problems using software development tools ("toolchains") of their own choosing, within specified time periods. Through a competitive process, NIST seeks to stimulate the development of more effective tool chains. Through the demonstration of security flaw avoidance in a time-constrained setting, NIST seeks to show that security can be improved without sacrificing time-to-market, and therefore to stimulate a wide-scale improvement in how security is provided in software products throughout the economy.

  • Shawn Webb, Security Engineer, G2, Inc

Demonstration

Sowing seed in the Identity Ecosystem
Room 203
  • Phil Lam, Trusted Identity Strategist, National Strategy for Trusted Identities in Cyberspace, NIST
  • Greg Cavalli, Program Specialist, Virginia DMV
  • Michael Farnsworth, Senior Architect and Program Lead, HealthIDx
  • Matthew Thompson, President, HealthIDx
  • Andrew Nash, CEO, Confyrm, Inc
  • Adam Migus, Security Director, Confyrm, Inc

    Abstract

    Catalyzing a marketplace of identity solutions is no simple task. Responding to the challenge of advancing privacy, security, interoperability, and usability requires a multitude of technologies garnering market share and displacing usernames and passwords. This is precisely what the NSTIC Pilots Program at NIST aims to do. This presentation will describe the program and its goals moving forward and it will be followed up by NSTIC Pilot demonstrations.

11:50 AM -
1:00 PM
Lunch on your own / Expo
  • Food cart available in the registration area. The exhibit hall and Room 102 are available for sitting, eating, and networking.
1:00 PM -
1:50 PM

Trusted Computing

System Firmware: the emerging malware battlefront
Room 204
  • Jim Mann, Distinguished Technologist, HP

    Abstract

    As attackers look to gain more powerful and persistent control over systems, they are increasingly turning their attention to the very foundation of those systems. Firmware represents an ideal opportunity for attackers because it exists at the core of a system, executing well before the operating system loads, and is persistent. Additionally, it can be difficult to detect a successful attack, and even if detected it can be hard to eradicate. This talk will discuss the new system firmware threat landscape, why you should care, and an example of how HP is providing system BIOS/UEFI firmware resiliency with Sure Start.

Security Automation

Guidance and Usage Scenarios for Implementers and Users of Software Identification Tags
Room 202
  • Brant Cheikes, Principal Cybersecurity Engineer, The MITRE Corporation

    Abstract

    International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 19770-2 specifies an international standard for software identification tags, also referred to as SWID tags. A SWID tag is a formatted set of data elements that collectively identify and describe a software product. Although SWID tags were originally motivated by the desire to enhance software asset management (SAM) processes, they also have the potential to enhance a wide range of cybersecurity processes, including vulnerability management, software whitelisting/blacklisting, and detection of software tampering. To that end, NIST is developing detailed tag implementation guidance and usage scenarios to promote creation and use of SWID tags for cybersecurity in addition to traditional SAM usage. This session will present an overview of the cybersecurity-focused guidance and usage scenarios, and will help prepare participants not only to contribute to further clarification and refinement of the guidance and usage scenarios, but also to create and consume conforming tags for cybersecurity purposes.

Information Sharing

Cyber Threat Intelligence - Lessons Learned Across Industry and Government
Room 201
  • Bob Gourley, Partner, Cognitio Corporation

    Abstract

    Cyber Threat Intelligence is the fastest growing discipline in the computer security industry, with good reason. Knowing your adversary and their capabilities and intent is proving to be key to mounting a vigorous defense. In this session, pioneer of cyber threat intelligence Bob Gourley will share lessons learned from across government and industry which can inform your approach to cyber threat intelligence.

Research

FIPS 140, Quo Vadis?
Room 206
  • Apostol Vassilev, Technical Director, Cryptographic Module Validation Program, NIST/ITL/Computer Security Division

    Abstract

    FIPS 140 has been in use by the Federal Governments of the US and Canada for more than two decades. While this standard has been successful in its original and largely unchanged form by many measures, it applies to a technology domain of incredibly fast evolution. Is there a risk then that the standard and its domain of application may diverge to a point where they become irrelevant to one another? If such a risk exists, what directions should the standard and the NIST cryptographic validation programs around it move in to help keep them close to the trajectories of cryptography and its applications? In this talk we consider some of the problems facing the existing standard, the likely new version of FIPS 140, and the current NIST cryptographic validation programs around it, and propose ideas for improvements.

1:50 PM -
2:00 PM
2:00 PM -
2:50 PM

Trusted Computing

The Whole Is Greater: Firmware Security Initiatives
Room 204
  • John Loucaides, Security Researcher, Intel

    Abstract

    We have certainly seen "interesting times" in the area of platform security, recently. In this presentation, Intel will present a variety of firmware security threats and initiatives. Users can observe platform security mitigations using the CHIPSEC open source project (https://github.com/chipsec/chipsec), and these same tests are useful for firmware developers when testing their mitigations. Intel will also discuss client/server differences and other efforts centered around improving firmware assurance, including design reviews, static analysis, and continuous integration. This multi-pronged approach to security improvement should be relevant to audiences interested in any stage of the development/deployment lifecycle.

  • Sugumar Govindarajan, Security Architect, Intel

Security Automation

Making SWID Tags Successful in the Marketplace
Room 202
  • Moderator
  • Brant Cheikes, Principal Cybersecurity Engineer, The MITRE Corporation
  • Panelists
  • Eric Eskam, Program Manager, Integrated Technology Services, General Services Administration
  • Steve Klos, Executive Director, TagVault.org
  • Joe Wolfkiel, Secure Configuration Management Branch Engineering Lead, DISA
  • Brian Turner, Program Manager, IBM BigFix Development

    Abstract

    The act of specifying a clear, unambiguous technical standard is typically a tremendous creative effort by a committed engineering team, but is nevertheless only a first step. Even well-designed standards may face uphill battles to achieve broad adoption and implementation in the marketplace. The software identification (SWID) tag standard was originally published in 2009 (ISO/IEC 19770-2:2009), and has just recently reached its second revision. A small yet significant number of software vendors, including some major market leaders, are already distributing tags with their products, or have committed to doing so in the near future. Nevertheless, use of SWID tags remains relatively early in the adoption curve, and broader adoption is needed. In this panel discussion, panelists representing a wide range of perspectives will discuss and debate what "success" looks like for the SWID standard, and what SWID tag advocates, both producers and consumers, will need to do in order to make SWID tags successful in the marketplace.

Information Sharing

A Funny Thing Happened on the way to OASIS: STIX/TAXII - From "Specifications" to "Standards"
Room 201
  • Richard Struse, Chief Advanced Technology Officer, U.S. Department of Homeland Security

    Abstract

    This presentation will explain the process of transitioning the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) from technical specifications sponsored by the US Department of Homeland Security into formal international standards, explaining decisions made along the way and discussing lessons learned during the development, refinement, and transition process.

    As pivotal ingredients in the future of automated, structured information exchange between CSIRTs, STIX and TAXII need to "land" in the right standards body with the right amount of support from public and private sector partners to help shepherd them through the process of becoming international, voluntary standards while preserving their functionality and compatibility. Nothing good comes easy, and the path to transition was full of difficult decisions.

    In this session, participants will learn key considerations for engaging with international standards bodies; different roles and governance models for the various standards organizations that CSIRTs may interact with; and how to ensure international standardization of our common practices and tools has a positive and lasting impact on the CSIRT community and the constituencies we serve.

Research

Cryptography for Future Cybersecurity
Room 206
  • Host
  • Tim Polk, Assistant Director for Cybersecurity, Office of Science and Technology Policy, The White House
  • Guests
  • John Kelsey, Cryptographic Technology Group, NIST/ITL/Computer Security Division
  • Kerry McKay, Computer Scientist, NIST
  • Dustin Moody, Mathematician, NIST
  • Rene Peralta, Computer Scientist, NIST

    Abstract

    This panel introduces major efforts made by the NIST cryptographic technology group in cryptography research, standards, and applications. The panel addresses impact of quantum computing techniques to the widely deployed cryptography mechanisms and discusses challenges for today's cryptography tools to serve for future cybersecurity needs.

Demonstration

Implement NIST Frameworks with RSA Archer
Room 203
  • Chris Hoover, GRC Strategist, RSA

    Abstract

    See demonstrations of how many risk management processes can be implemented and managed in one common environment. The NIST Risk Management Framework (RMF) and Cybersecurity Framework (CSF) will be covered as well as Continuous Monitoring and Ongoing Authorization capabilities. RSA's GRC Strategist Chris Hoover will demonstrate the RSA Archer suite of tools which enable federal employees and contractors to manage FISMA and OMB compliance and enable the Critical Infrastructure community to utilize the NIST CSF.

2:50 PM -
3:00 PM
3:00 PM -
3:30 PM
Break / Expo
3:30 PM -
4:20 PM

Trusted Computing

Why TPM 2.0? Reasons for Upgrade: Use Cases for the Latest Release of the TPM Specification
Room 204
  • Dave Challener, Johns Hopkins University Applied Physics Laboratory

    Abstract

    An overview of TPM 2.0, including why the specification was upgraded from 1.2, and a number of ways that TPM 2.0s can be used to help solve pressing security problems.

Security Automation

TCG TNC: Automating End-to-End Trust
Room 202
  • Lisa Lorenzin, Principal Solutions Architect, Pulse Secure

    Abstract

    Enterprises today are secured by a variety of technologies from many vendors, each in its own silo, with disparate communication protocols. Sharing information in real time across heterogeneous appliances enables security automation: dynamic, coordinated information gathering and response to environmental change, requiring little or no human intervention. Standards-based security automation facilitates endpoint compliance assessment, seamless user access across multiple access control solutions, and coordinated threat control, increasing visibility while building a foundation for attack detection and remediation.

    The Trusted Computing Group (TCG) has defined a framework for multi-vendor, interoperable collection of endpoint health and state reports to facilitate endpoint compliance assessment, and standard interfaces and metadata for security automation to facilitate intelligent active defense. We'll review the TCG's Trusted Network Communications (TNC) architecture and standards for endpoint compliance assessment, automated sharing of endpoint posture information, network access policy enforcement, and security automation. Technologies using these standards can reduce the security exposure of your network by confirming that all endpoints are uniquely identified, authorized to be on the network, running up-to-date software, and exhibiting behavior that conforms to security policies and expectations.

Information Sharing

Challenges and Opportunities in Cyber Information Sharing
Room 201
  • John Wunder, Lead Cybersecurity Engineer, The MITRE Corporation

    Abstract

    Much progress is being made in improving cyber defense through information sharing, but much remains to be done. This presentation will go through some of the biggest challenges we at MITRE have seen organizations face in developing their cyber information sharing programs, with a particular focus on those challenges that remain unaddressed. Some examples include how to determine what type of information to collect, ensuring shared information is not sensitive or private, and integrating threat intelligence into operations.

Research

Derived PIV Credentials Proof of Concept Research
Room 206
  • Jeffrey Cichonski, IT Specialist, NIST
  • Hildegard Ferraiolo, HSPD-12/PIV Program Lead and Senior Computer Scientist, NIST/ITL/Computer Security Division
  • Paul Fox, Architect, Microsoft
  • Ryan Holley, Sales Engineer, Intercede

    Abstract

    This panel summarizes the Derived PIV Credentials Guideline and Proof of Concept Research presented in NIST SP 800-157 and NISTIR 8055.

    The 800-157 publication provides technical guidelines for the implementation of standards-based, secure, reliable, interoperable PKI-based identity credentials that are issued by Federal departments and agencies to individuals who possess and prove control over a valid PIV Card. The scope of this document includes requirements for initial issuance and maintenance of these credentials, certificate policies and cryptographic specifications, technical specifications for permitted cryptographic token types and the command interfaces for the removable implementations of such cryptographic tokens.

    The 8055 report documents proof of concept research for Derived Personal Identity Verification (PIV) Credentials. Smart card-based PIV Cards cannot be readily used with most mobile devices, such as smartphones and tablets, but Derived PIV Credentials (DPCs) can be used instead to PIV-enable these devices and provide multi-factor authentication for mobile device users. This report captures existing requirements related to DPCs, proposes an architecture that supports these requirements, and then demonstrates how such an architecture could be implemented and operated.

Demonstration

ABAC: Run-time Access Control for Federated Identities
Room 203
  • William (Bill) Fisher, Senior Engineer, National Cybersecurity Center of Excellence at NIST
  • Roger Wigenstam, NextLabs

    Abstract

    Enterprises rely upon strong access control mechanisms to ensure that corporate resources (e.g. applications, networks, systems and data) are not exposed to anyone other than an authorized user. As business requirements change, enterprises need highly flexible access control mechanisms that can adapt. The application of attribute based policy definitions enables enterprises to accommodate a diverse set of business cases, including identities federated from external security domains. The NCCoE is publishing a NIST SP 1800 practice guide detailing the approach that the NCCoE took in developing an ABAC reference architecture and build. This demonstration will showcase commercially available technology used by the NCCoE to federate identity and attribute information and to make access decisions utilizing attribute based policy definitions.

4:20 PM -
4:30 PM
4:30 PM -
5:00 PM

Trusted Computing

Managing Encryption in Your Enterprise
Room 204
  • Amy Nelson, Engineering Technologist and Security Architect, Dell

    Abstract

    With the proliferation of Self-Encrypting Drives (SEDs) and other endpoint encryption options, and an increasingly complex regulatory and security landscape, it is more important than ever to have a robust solution for managing encryption within the IT enterprise environment.

Security Automation

Using Context to Allow for Better Security Automation
Room 202
  • Michael Stone, Senior Security Analyst, NIST

    Abstract

    In order for security automation to be widely adopted, security automation actions must be surrounded by their context. Take for example the following alert:

    11/05-22:08:59.705515 [**] [1:469:3] ICMP PING NMAP [**]
    [Classification: Attempted Information Leak][Priority: 2] {ICMP}
    192.168.206.129 -> 192.168.100.5

    Taken by itself, it would be difficult to take meaningful action based on just this alert. But it would be much easier to act if you knew the following: this alert came from a trusted Snort IDS, 192.168.206.129 is outside of your organization, 192.168.100.5 is inside your organization and is the company's web server, running Apache 2.4.7 (vulnerable to CVE-2014-0098), located in the server room, owned by the IT department, and the latest scan shows 2 category 1 vulnerabilities. Additionally, there have been 10 such alerts in the past hour.

    Security automation can now make informed decisions such as automatically blocking 192.168.206.129 at the firewall and sending the web server owner an email to patch the system and upgrade the Apache web server. An additional email can be sent to the security and business teams notifying them of the increased risk. The action, along with the alert and its context, can also be recorded and possibly shared with other organizations.

    The NCCoE's IT Asset Management for the Financial Services Sector project demonstrates many of the capabilities listed above. The upcoming Situational Awareness for the Energy Sector project will demonstrate even more security automation features.
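The enrichment-then-decide flow the abstract describes, worked through as an added example (this is not code from the original agenda, the talk, or the NCCoE projects). It parses the quoted Snort alert in its single-line "fast" format, attaches the context the abstract lists, and only then chooses an action. The asset inventory, the "internal" network range, the trusted sensor name, the alert history and the repeat threshold are all constructed here for illustration; a real deployment would pull them from an asset database, the IDS configuration and a SIEM.

```python
"""Contextual enrichment of a Snort alert before automated action.

Added example, not from the original page. The alert line follows the one
quoted in the abstract; inventory, network ranges, sensor names, history and
thresholds are constructed assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Snort "fast" alert: timestamp [**] [gid:sid:rev] message [**]
# [Classification: ...] [Priority: N] {PROTO} src -> dst
# The copy on the page lost the '>' of the arrow, so ' - ' is accepted too.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s*\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->?\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


@dataclass
class Asset:
    hostname: str
    role: str
    software: str
    known_cves: List[str]
    location: str
    owner: str
    cat1_vulns: int


# Constructed inventory mirroring the context the abstract gives for 192.168.100.5.
ASSETS: Dict[str, Asset] = {
    "192.168.100.5": Asset("www", "web server", "Apache 2.4.7", ["CVE-2014-0098"],
                           "server room", "IT department", 2),
}
# Constructed: the abstract treats 192.168.100.5 as inside and 192.168.206.129 as outside.
INTERNAL_NETS = [ip_network("192.168.100.0/24")]
TRUSTED_SENSORS = {"snort-dmz-1"}  # constructed sensor name

# The abstract's alert, reconstructed as one fast-format line.
SAMPLE_ALERT = ("11/05-22:08:59.705515 [**] [1:469:3] ICMP PING NMAP [**] "
                "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} "
                "192.168.206.129 -> 192.168.100.5")


def parse_alert(line: str) -> dict:
    """Split a fast-format alert into named fields; priority becomes an int."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich(alert: dict, sensor: str, last_hour: List[dict]) -> dict:
    """Attach the context the abstract lists: sensor trust, inside/outside,
    the asset record for the destination, and how often this fired recently.
    `last_hour` is assumed to already be the past hour's parsed alerts."""
    same = [a for a in last_hour if a["sid"] == alert["sid"] and a["src"] == alert["src"]]
    return {
        "alert": alert,
        "sensor_trusted": sensor in TRUSTED_SENSORS,
        "src_internal": is_internal(alert["src"]),
        "dst_internal": is_internal(alert["dst"]),
        "asset": ASSETS.get(alert["dst"]),
        "recent_count": len(same),
    }


def decide(ctx: dict, repeat_threshold: int = 5) -> List[str]:
    """Choose actions only when the context supports them; otherwise hand
    the alert to an analyst instead of acting on a bare alert."""
    alert = ctx["alert"]
    asset: Optional[Asset] = ctx["asset"]
    if not ctx["sensor_trusted"]:
        return ["queue_for_analyst_review"]  # never auto-act on an untrusted feed
    if ctx["src_internal"] or not ctx["dst_internal"] or asset is None:
        return ["queue_for_analyst_review"]  # internal or unknown parties: human decides
    actions: List[str] = []
    if alert["prio"] <= 2 and ctx["recent_count"] >= repeat_threshold:
        actions.append(f"block {alert['src']} at firewall")
    if asset.known_cves or asset.cat1_vulns:
        actions.append(f"email {asset.owner}: patch {asset.hostname} "
                       f"({asset.software}; {', '.join(asset.known_cves)})")
        actions.append("notify security and business teams of increased risk")
    actions.append("record action with alert and context; consider sharing")
    return actions


def run_sample() -> List[str]:
    """The abstract's scenario: trusted sensor, 10 such alerts in the past hour."""
    alert = parse_alert(SAMPLE_ALERT)
    last_hour = [parse_alert(SAMPLE_ALERT) for _ in range(9)] + [alert]  # constructed history
    return decide(enrich(alert, "snort-dmz-1", last_hour))


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

The point of the two early returns in `decide` is the one the abstract makes in reverse: without the sensor, network and asset context, the same alert yields no automated action at all, only a ticket for a person.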

Information Sharing

Case Studies in ISAC Information Sharing
Room 201
  • Denise Anderson, Executive Director, National Health Information Sharing and Analysis Center

    Abstract

    Cyber threats are constant and incidents are increasingly becoming global. This session will look at several recent examples, such as the DD4BC extortion campaign, to illustrate how information sharing amongst ISACs and critical infrastructure owners and operators helps uncover the TTPs and trends seen as cyber actors spread their malware across the globe. This session will then show how the information can be used to build cyber threat intelligence using security automation tools to help prevent further incidents.

Research

DevOps and Containers Security
Room 206
  • Mike Bartock, NIST
  • Paul Cichonski, Cloud Architect, Lancope
  • John Morello, Chief Technology Officer, Twistlock
  • Raghu Yeluri, Principal Engineer, Intel Corporation

    Abstract

    As organizations continuously innovate and develop web-scale applications and services targeting on-premises and cloud environments, they are fusing together software development and operations practices to make their workloads more agile and portable. This session will provide insights about the DevOps usage model leveraging container technology and will highlight the security considerations and practices.

Demonstration

Derived PIV Credentials Proof of Concept Research
Room 203
  • Jeffrey Cichonski, IT Specialist, NIST
  • Paul Fox, Architect, Microsoft
  • Ryan Holley, Sales Engineer, Intercede

    Abstract

    This session demonstrates the Derived PIV Credentials implementation as documented in the NIST IR 8055 which was discussed in the corresponding session in the Research track.

5:00 PM -
5:30 PM

Security Automation

Collaborating on Security Automation for Continuous Diagnostics and Mitigation
Room 202
  • Tim McBride, NIST
  • Martin Stanley, Department of Homeland Security

    Abstract

    The Department of Homeland Security and the National Institute of Standards and Technology have a long history of collaboration in cybersecurity. The NIST National Cybersecurity Center of Excellence and the Department of Homeland Security's Cybersecurity and Communications division are teaming on a number of efforts. The focus of these initiatives is collaboration on security automation, leveraging NIST and NCCoE resources to develop technical guidance, developing capabilities assessment methodologies, and applied research on Continuous Diagnostics and Mitigation.

Thursday September 10, 2015
8:00 AM -
8:30 AM
Registration
  • Salons ABC Prefunction Area (Street Level)
8:30 AM -
8:45 AM
Remarks
Room 202
  • Matt Scholl, Chief of the Computer Security Division, NIST
8:45 AM -
9:30 AM
Keynote
Room 202
  • Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, The White House
9:30 AM -
10:30 AM
General Session: USG Research Focus
Room 202
  • Host
  • Hemma Prafullchandra, NIST
  • Guests
  • Dr. Douglas Maughan, Director of the Cybersecurity Division, DHS S&T
  • Lee Badger, Group Manager, Computer Security Division, Information Technology Laboratory, NIST
  • Grant Wagner, Technical Director of Trusted Systems Research, NSA
  • Greg Shannon, Office of Science and Technology Policy, The White House

    Abstract

    As our world becomes more connected, traditional cybersecurity solutions may leave gaps in coverage. Much research is being done to address these gaps and community innovation of solutions that effectively secure our connected world provides opportunity f

10:30 AM -
11:00 AM
Break / Expo
11:00 AM -
11:50 AM

Trusted Computing

Haven: Shielding applications from an untrusted cloud
Room 204
  • Marcus Peinado, Architect, Microsoft Research

    Abstract

    Today's cloud computing infrastructure requires substantial trust. Cloud users rely on both the provider's staff and its globally-distributed software/hardware platform not to expose any of their private data. We introduce the notion of shielded execution, which protects the confidentiality and integrity of a program and its data from the platform on which it runs (i.e., the cloud operator's OS, VM and firmware). Our prototype, Haven, is the first system to achieve shielded execution of unmodified legacy applications, including SQL Server and Apache, on a commodity OS (Windows) and commodity hardware. Haven leverages the hardware protection of Intel SGX to defend against privileged code and physical attacks such as memory probes, but also addresses the dual challenges of executing unmodified legacy binaries and protecting them from a malicious host. This work motivated recent changes in the SGX specification.

Security Automation

Evolving Standards to Meet the Cyber Threat
Room 202
  • Jessica Fitzgerald-McKay, NSA

    Abstract

    The increasing variety and volume of threats to enterprise networks has placed a severe burden on the administrators of those networks. This talk describes how gathering information about the state of the network, sharing threat information with others who face the same problems and taking appropriate actions can go a long way toward alleviating that burden. To ensure that this can all be done seamlessly, across a heterogeneous environment, standards must be created to gather, share and take action on the necessary data.

Information Sharing

SHARKSEER Overview
Room 201
  • Ron Nielson, Technical Director/SHARKSEER Program Manager, Department of Defense

    Abstract

    The SHARKSEER briefing will provide an informational overview of the system with focus on how SHARKSEER detects and mitigates web-based malware, Zero-Day and Advanced Persistent Threats using COTS technology. Discussions will cover SHARKSEER's ability to provide reliable automated sensing and mitigation capabilities along with SHARKSEER's contributions to Cyber Situational Awareness and Data Sharing.

Research

Overview of ITL's Public Safety Cybersecurity Efforts
Room 206
  • Sheila Frankel, Senior Computer Scientist, Computer Security Division, NIST
  • Nelson Hastings, Electronics Engineer, NIST

    Abstract

    This session will provide an overview of ITL's involvement with public safety communication research including a brief description of the joint NIST/NTIA Public Safety Communications Research (PSCR) program. The session will provide insight into ITL's approach toward cybersecurity research for public safety communication networks based on Long Term Evolution (LTE) technology, a brief description of current research, and participation in the LTE security standardization efforts.

Demonstration

NIST Randomness Beacon and Entropy as a Service Prototypes
Room 203
  • Larry Bassham, Computer Scientist, NIST
  • Rene Peralta, Computer Scientist, NIST
  • Robert Staples, IT Specialist, NIST
  • Apostol Vassilev, Technical Director, Cryptographic Module Validation Program, NIST/ITL/Computer Security Division
11:50 AM -
12:00 PM
12:00 PM -
1:00 PM
Lunch on your own / Expo
  • Food cart available in the registration area. The exhibit hall and Room 102 are available for sitting, eating, and networking.
1:00 PM -
1:50 PM

Trusted Computing

GlobalPlatform Root of Trust
Room 204
  • Olivier Van Nieuwenhuyse, Senior R&D Engineer, STMicroelectronics

    Abstract

    This presentation will describe "Root of Trust" as being defined by GlobalPlatform.

    The first part will provide a high level description, including the Root of Trust concept, the security services and the requirements. The second part will introduce the high level mapping with the GlobalPlatform technology.

Security Automation

Evolving Security Operations: Sharing and Mitigating at Net Speed
Room 202
  • Moderator
  • D. Renee Tarun, Deputy Chief of the Cyber Task Force, National Security Agency
  • Panelists
  • Dr. Peter Fonash, Chief Technology Officer for the Office of Cybersecurity and Communications (CS&C), Department of Homeland Security
  • Philip D. Quade, Special Assistant to the Director for Cyber and Chief of the Cyber Task Force, National Security Agency

    Abstract

    Our nation's cyber defenses require not just real-time information sharing, but real-time mitigations to counter increases in the quantity and sophistication of cyber attacks. We must identify ways to unify at scale the various components for sensing, sense making, decision making, acting, and messaging, to address continuous mitigation through messaging fabric, automation, and orchestration advancements.

Information Sharing

The Cyber Threat Intelligence Sharing Exchange Ecosystem Program
Room 201
  • Dr. Eric Burger, Research Professor of Computer Science and Director of the Georgetown Site of the Security and Software Engineering Research Center I/UCRC, Georgetown University

    Abstract

    The Georgetown site of the NSF Security and Software Engineering Research Center has been working on identifying and removing the barriers to cyber threat intelligence sharing. Some believe the barrier is technology: if only we had a technology that would enable us to share intelligence in a standard, accepted format, we would see robust information sharing. Others believe the barrier is law: if only the law would allow us to share intelligence with our competitors, or at least without liability, we would see robust information sharing. Our research is showing the answer is a mixture of technology, law, policy, and, most important, economics. This discussion will examine the insights we have gleaned so far, as well as the avenues we are pursuing to help secure America's networks.

Research

Mobile Identity Management for Public Safety
Room 206
  • Kristen Greene, Cognitive Scientist, NIST
  • Josh Franklin, IT Specialist, NIST

    Abstract

    This session will present ITL's research efforts on mobile identity management for public safety that support the Public Safety Communications Research (PSCR) program. The session will provide an overview of NISTIR 8014 Considerations for Identity Management in Public Safety Mobile Networks and discuss the next steps of this research.

File-Sharing through ABAC for Secure Collaboration
Room 203
  • David Ferraiolo, Manager of the Secure Systems and Applications group, NIST
  • Serban Gavrila, Computer Scientist, NIST
  • Gopi Katwala, NIST

    Abstract

    A redefinition of Access Control and Data Services in terms of their common and underlying elements, relations, operational primitives, and functions, enabling an enterprise-wide file-sharing operating environment (OE). The OE is object-type agnostic: users can create, manage, share, consume and manipulate files, regardless of their type, in a manner consistent with tailored policies, under a single authenticated session. The approach is different from other file sharing tools: it is not meant to be an alternative to distributing files and documents through applications such as email, records management, and workflow, but rather a means of achieving these same Data Services through Attribute-based Access Control.
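    One way to express the attribute-driven policy the abstract describes, as an added illustration (not NIST's implementation or its policy language): users, files and the environment are attribute sets, a policy is an ordered list of permit rules over those attributes with default deny, and "share" is itself policy-checked so that delegation cannot grant a recipient more than the policy allows. The attribute names, the two rules, the users and the file are assumptions made for the example.

```python
"""Added example: attribute-based access control (ABAC) for a file-sharing environment."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Attrs = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    name: str
    ops: Set[str]                                # operations the rule can grant
    when: Callable[[Attrs, Attrs, Attrs], bool]  # (subject, object, environment) -> bool


def authorize(subject: Attrs, obj: Attrs, op: str, env: Attrs,
              rules: List[Rule]) -> Tuple[bool, Optional[str]]:
    """Default-deny: the first rule that covers `op` and whose predicate holds grants it."""
    for rule in rules:
        if op in rule.ops and rule.when(subject, obj, env):
            return True, rule.name
    return False, None


def share(subject: Attrs, obj: Attrs, recipient: Attrs, env: Attrs,
          rules: List[Rule]) -> Tuple[bool, str]:
    """Sharing never widens access: the sharer needs 'share' and the recipient
    must already satisfy a 'read' rule under the same policy."""
    ok, why = authorize(subject, obj, "share", env, rules)
    if not ok:
        return False, "sharer lacks share permission"
    ok, why = authorize(recipient, obj, "read", env, rules)
    if not ok:
        return False, "recipient not permitted to read under policy"
    return True, f"granted by {why}"


# Assumed policy for the example; attribute names are illustrative.
POLICY = [
    Rule("project-read", {"read"},
         lambda s, o, e: s["project"] == o["project"]
         and s["clearance"] >= o["classification"]
         and e["network"] == "internal"),
    Rule("owner-full", {"read", "write", "share", "delete"},
         lambda s, o, e: s["uid"] == o["owner"]),
]

# Constructed subjects, file and environments (not real data).
ALICE = {"uid": "alice", "project": "A", "clearance": 2}
BOB = {"uid": "bob", "project": "A", "clearance": 1}
CAROL = {"uid": "carol", "project": "B", "clearance": 3}
DAVE = {"uid": "dave", "project": "A", "clearance": 3}
REPORT = {"path": "/projects/A/report.pdf", "project": "A",
          "classification": 2, "owner": "alice"}
INTERNAL = {"network": "internal"}
EXTERNAL = {"network": "external"}


def demo():
    """Evaluate a handful of requests against POLICY and return the decisions."""
    return {
        "alice_read": authorize(ALICE, REPORT, "read", INTERNAL, POLICY),
        "alice_read_external": authorize(ALICE, REPORT, "read", EXTERNAL, POLICY),
        "bob_read": authorize(BOB, REPORT, "read", INTERNAL, POLICY),
        "carol_read": authorize(CAROL, REPORT, "read", INTERNAL, POLICY),
        "alice_share_bob": share(ALICE, REPORT, BOB, INTERNAL, POLICY),
        "alice_share_dave": share(ALICE, REPORT, DAVE, INTERNAL, POLICY),
        "bob_share_dave": share(BOB, REPORT, DAVE, INTERNAL, POLICY),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:22s} -> {decision}")
```

    The point of `share` is the one that matters for "file sharing through ABAC": the share operation does not create a new grant, it only succeeds when the recipient is already authorized by the same policy, so a user cannot forward a file to someone the policy excludes (Bob, whose clearance is below the file's classification).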

1:50 PM -
2:00 PM
2:00 PM -
2:50 PM

Trusted Computing

Device Identity and Health Panel
Room 204
  • Jessica Fitzgerald-McKay, NSA
  • Lisa Lorenzin, Principal Solutions Architect, Pulse Secure
  • Greg Kazmierczak, Chief Technology Officer, Wave Systems
  • Steve Hanna, Senior Principal, Infineon

    Abstract

    Join industry technical experts as we discuss the role of device identification in cybersecurity use cases, current device identification standardization efforts, and recent successes in device discovery capabilities.

Security Automation

IACD Assessment and Demonstration Results
Room 202
  • Wende Peters, Johns Hopkins Applied Physics Laboratory

    Abstract

    Integrated Adaptive Cyber Defense (IACD) is the secure integration and automation across a diverse, changeable set of cyber defense capabilities. It is intended to dramatically change the timelines needed to defend computer enterprises, while maintaining operational and acquisition freedom by allowing 'plug and play'-type use of capabilities as they emerge. IACD applies the construct that commercially available solutions can be interconnected to greater impact and effectiveness than the individual parts, and that a gradual, industry-influenced transition towards interoperability can be achieved.

    As trusted agents for DHS and NSA, JH-APL leads the IACD agile architecture, capability demonstration and assessment efforts within the Federated Innovation, Integration and Research Environment (FIIRE). In capability-driven spirals, commercial technologies are integrated and deployed across live and virtualized environments, demonstrating their applicability and effectiveness for improved network operations efficiency and more rapid cyber defense operations. The results, challenges, and gaps are communicated to Government and vendor communities at engagement sessions following every spiral.

    This presentation summarizes the results of the first several IACD spirals and describes the challenges targeted for future spirals. It also introduces the options for partnering with network owners and operators to allow them to leverage lessons from these spirals within their own enterprises.

Information Sharing

Crowdsourcing Intelligence - Friend or Foe?!
Room 201
  • Ryan Trost, Co-Founder and CIO, ThreatQuotient, Inc.

    Abstract

    Crowdsourcing cyber indicators is the 'newest detection strategy' to help dismantle adversarial assaults but as the sharing floodgates open it leads some teams into a tailspin of operational chaos. Historically, an ad-hoc spreadsheet combined with a day of analyst muscle was the unspoken sacrifice needed to consume and integrate shared IOCs. But unfortunately, those days are long gone as the volume of shared IOCs grows exponentially turning the spreadsheet firedrill into a bottleneck of operational inefficiencies amongst the typical workflows within a SOC. This presentation will take a peek into the past, present, and future of sharing and integrating threat information to help make the determination - friend or foe?!

Research

Security Capabilities of LTE and Their Implementation
Room 206
  • Mike Bartock, NIST
  • Jeffrey Cichonski, IT Specialist, NIST
  • Josh Franklin, IT Specialist, NIST

    Abstract

    This session will present ITL's research efforts into protecting a broadband mobile network based on Long Term Evolution (LTE) technology in support of the Public Safety Communications Research (PSCR) program's 700MHz demonstration network. The session will provide an overview of LTE technology, standards, and protection mechanisms; present initial findings of implementing the standard IPsec protection of the communication link between a base station (eNodeB) and the core network; and discuss the next steps of this research.

Demonstration

Graphic File Carving Tools Testing
Room 203
  • Richard Ayers, Computer Scientist, NIST
  • Jenise Reyes-Rodriguez, Computer Scientist, NIST

    Abstract

    The Computer Forensic Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) has researched and tested forensic tools capable of reassembling files from fragments in the absence of file system metadata, typically accomplished by searching an input for files based on content or header/footer file signatures. This demonstration provides an overview of the CFTT testing process as applied to graphic file carving tools, while providing information on file carving and on scanning unallocated space, enabling the recovery of specific file types based upon file signatures and various carving schemes.
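    The header/footer signature search the abstract describes, as an added illustration (not CFTT's tooling, test images or test method): a minimal carver over a raw byte buffer standing in for unallocated space. The signature table, the 8 MiB carve window and the sample buffer are assumptions; the "PNG" and "JPEG" inside it are hand-built byte strings carrying only the signatures, not real images.

```python
"""Added example: header/footer signature carving over raw bytes (no filesystem metadata)."""
from dataclasses import dataclass

# Assumed signature table: kind -> (header, footer, maximum carve window in bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int      # byte offset of the header in the input
    data: bytes
    complete: bool   # True when a footer was found before the next header / window end


def carve(image: bytes, signatures=SIGNATURES):
    """Scan `image` for every signature in `signatures` and return the carved files.

    Two failure modes of naive header-to-footer carving are handled: a footer
    that is missing (truncated or fragmented file), and a footer that belongs
    to the *next* file of the same type, which would otherwise be swallowed
    into the first carve together with the second file's header.
    """
    results = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            body = start + len(header)
            window_end = min(len(image), start + max_len)
            end = image.find(footer, body, window_end)
            next_hdr = image.find(header, body, window_end)
            if end < 0 or (next_hdr >= 0 and next_hdr < end):
                # No footer, or another header comes first: cut at that header
                # (or at the window end) and flag the carve as incomplete.
                stop = next_hdr if next_hdr >= 0 else window_end
                results.append(CarvedFile(kind, start, image[start:stop], False))
                pos = stop
            else:
                end += len(footer)
                results.append(CarvedFile(kind, start, image[start:end], True))
                pos = end
    results.sort(key=lambda f: f.offset)
    return results


def build_sample_image() -> bytes:
    """Constructed stand-in for a dump of unallocated space (not a real image)."""
    junk = b"\x00" * 64
    png = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"  # signature + IEND only
    jpg_truncated = b"\xff\xd8\xff\xe0JFIF" + b"\x11" * 40         # no FFD9 trailer
    jpg_full = b"\xff\xd8\xff\xdb" + b"\x22" * 20 + b"\xff\xd9"
    return junk + png + junk + jpg_truncated + junk + jpg_full + junk


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        status = "complete" if f.complete else "INCOMPLETE"
        print(f"{f.kind} @ {f.offset:#08x} {len(f.data)} bytes {status}")
```

    On the sample buffer the truncated JPEG is cut at the next JPEG header and flagged incomplete instead of absorbing the second file. A real carver still has to deal with cases this one does not: a JPEG with an embedded EXIF thumbnail contains a second FFD8/FFD9 pair, so a plain footer search ends the carve at the thumbnail; this is exactly the kind of behaviour a tool-testing process measures.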

2:50 PM -
3:00 PM
3:00 PM -
3:30 PM
Break / Expo
3:30 PM -
4:20 PM

Trusted Computing

What’s the Right Security for IoT
Room 204
  • Steve Hanna, Senior Principal, Infineon

    Abstract

    Everyone agrees that security is essential for the Internet of Things. The hard part is figuring out what's needed and practical. Fortunately, many IoT security technologies, standards, and products are available. But how can you choose among them?

    Steve Hanna (leader and spec editor in IETF and TCG, Senior Principal at Infineon) will provide a roadmap to IoT security options. What's most appropriate and when? What's coming over the horizon and what's available now?

Security Automation

NIST Security Automation Program Update
Room 202
  • David Waltermire, Lead Standards Architect, NIST

    Abstract

    The Security Automation Team at NIST is focused on providing reference data, tools, standards, and guidelines to support automation of software inventory, configuration management, vulnerability management, and continuous monitoring capabilities. The team maintains the National Vulnerability Database (NVD), which provides a repository of standardized vulnerability information; the National Checklist Program (NCP) and United States Government Configuration Baselines (USGCB), which provide secure configuration checklists for a number of operating system platforms and applications; and the Security Content Automation Protocol (SCAP) and SCAP Validation Program, which integrate a number of standards to enable the exchange and automation of security information.

    This presentation will highlight recent advancements worked on by the NIST team in the security automation area to include efforts related to the NVD, NCP, USGCB, SCAP, and related standards and guidelines. This session will include information about initial plans for a future SCAP 1.3 revision, work around the use of Software Identification (SWID) Tags for cybersecurity use cases, planned revisions to related publications, and other insights into current and future work.

Information Sharing

DHS Automated Indicator Sharing (AIS) Initiative
Room 201
  • W. Preston Werntz, Chief, National Cybersecurity and Communications Integration Center (NCCIC) Technology Services Section, U.S. Department of Homeland Security

    Abstract

    A key requirement of recently proposed legislation designates the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC) as the single civilian cybersecurity center for the private sector to share cyber threat indicators and requires the development and implementation of a near-real-time sharing capability while providing robust protections to safeguard Personally Identifiable Information and other sensitive data. In this session, participants will gain an understanding of what AIS aims to achieve, initiative milestones, technical approach and how the privacy analysis was conducted.

Research

Public Safety Mobile Application Security
Room 206
  • Michael Ogata, Computer Scientist, NIST

    Abstract

    This session will present ITL's research efforts on mobile application security for public safety that support the Public Safety Communications Research (PSCR) program. The session will provide an overview of NISTIR 8018 Public Safety Mobile Application Security Requirements Workshop Summary, the workshop on Identifying and Categorizing Data Types for Public Safety Mobile Applications held in San Diego on June 2nd, and discuss next steps of this research.

Demonstration

Firmware Integrity Verification, Monitoring and Reporting Tool with Mapping to NIST Guidelines
Room 203
  • Robert Rounsavall, President, Trapezoid Inc.
  • Michael Dyer, VP Software Development, Trapezoid Inc.

    Abstract

    Based on requests from federal and financial customers dating back to 2009, the Trapezoid team has been developing a Firmware Integrity Verification Tool to detect unauthorized changes in firmware. The team has deep understanding of the current, best-available technology as well as the challenges and opportunities for firmware integrity verification, continuous monitoring and reporting. This interactive presentation and demonstration will highlight the problem space based on today's real world threats and how the team is trying to solve for platform integrity overall. It will also show how different functionalities in the tool map to multiple NIST standards dealing with firmware integrity. The audience is encouraged to actively participate and ask questions throughout session.

4:20 PM -
4:30 PM
4:30 PM -
5:30 PM

Trusted Computing

Intel Identity Protection Technology
Room 204
  • Hormuzd Khosravi, Principal Engineer, Intel

    Abstract

    Identity theft or compromised credentials have been the most common reason for many of the large cybersecurity breaches in the last few years. This talk will provide an overview of security technologies that are built in to Intel platforms at the hardware level. It will focus on technologies that can be used to defend against such breaches under the Intel® Identity Protection Technology (IPT) umbrella.

Security Automation

Security Automation and Continuous Monitoring in the IETF
Room 202
  • Lisa Lorenzin, Principal Solutions Architect, Pulse Secure

    Abstract

    The Security Automation and Continuous Monitoring (SACM) working group of the IETF has been working toward defining information and data models suitable for performing endpoint configuration assessment continuously, as well as the interfaces and operations required to communicate this information within an enterprise ecosystem of SACM components. This presentation will provide an overview and status update on this working group's progress.

Information Sharing

Threat-Based Cyber Operations Readiness
Room 201
  • Dr. Lindsley Boiney, Principal Cybersecurity Researcher/Engineer, The MITRE Corporation

    Abstract

    Many organizations face challenges in leveraging threat intelligence, relying predominantly on static defensive measures and compliance-oriented processes. Transitioning to a more threat-oriented posture is not easy, and change needs to occur across the triad of people, processes and technologies. MITRE has developed and piloted a lightweight methodology to identify areas in cyber security defensive practices where organizations can make improvements in the collection, utilization, and sharing of cyber threat information. The questionnaire and interview methodology has been piloted with organizations of different sizes, industries, and capabilities to identify focus areas for improving threat intelligence utilization and exchange. Examples of key discriminators include log data accessibility and searchability, indicator and incident tracking, leadership threat awareness, and integration between IT and cyber groups.

Research

Usable Security at NIST
Room 206
  • Yee-Yin Choong, Cognitive Scientist, NIST/ITL
  • Mary Theofanos, Computer Scientist, NIST/MML

    Abstract

    Policy makers and implementers currently have security data based on both empirical and theoretical data, but little or no empirical usability data is readily available to support these decisions. Our goal is to provide policy makers and systems implementers with usability data to make better informed decisions about security policies and system implementations. This talk will provide an overview of the five primary usable security research areas at the National Institute of Standards and Technology: passwords, multi-factor authentication, user perceptions of cyber security and privacy, and usable security frameworks. As a use case to demonstrate our research approach we will focus on a large-scale (4,573 respondents) survey performed across the Department of Commerce to investigate the relationships between organizational password policies and employees' password behaviors. The key finding of this study is that employees' attitudes toward the rationale behind cybersecurity policies are statistically significantly associated with their password behaviors and experiences. Positive attitudes are related to more secure behaviors such as choosing stronger passwords and writing down passwords less often, less frustration with authentication procedures, and better understanding of and respect for the need to protect passwords and system security. The results from these studies will inform updates to NIST security documents.

Demonstration

SARD: A Software Assurance Reference Dataset
Room 203
  • Paul Black, Computer Scientist, NIST

    Abstract

    The Software Assurance Reference Dataset (SARD) allows access to over 140,000 software assurance test programs in Java, C, and other languages. The test programs include both complete applications with dozens of precisely documented bugs and small, synthetic programs, and cover over 100 weakness classes (CWEs). We will demonstrate searching, selection, and use of the test cases.



Friday September 11, 2015
8:00 AM -
8:30 AM
Registration
  • Salons ABC Prefunction Area (Street Level)
8:30 AM -
9:20 AM
Keynote: Cybersecurity: Not Just a Sprint, a Marathon
Room 202
  • Tony Scott, Federal Chief Information Officer, Office of Management and Budget, The White House
9:20 AM -
9:30 AM
9:30 AM -
10:20 AM

Trusted Computing

Hardware Trust and Integrity - The First Step Toward Securing Computer Systems
Room 204
  • Presenter
  • Yier Jin, University of Florida
  • Additional credit to:
  • Mark Tehranipoor, University of Florida
  • Swarup Bhunia, University of Florida
  • Domenic Forte, University of Florida

    Abstract

    Modern cybersecurity solutions are often constructed based on the assumption that the underlying hardware infrastructure is trusted. The latest trend of hardware-assisted security protection mechanisms such as TrustZone even relies on hardware for security policy enforcement. However, the trustworthiness and the integrity of the "root-of-trust" are rarely discussed, despite the fact that the integrated circuit supply chain is equally vulnerable to malicious attacks. In this talk, we will discuss hardware threats which may compromise software protection schemes. Then we will present hardware assurance methods from a wide spectrum ranging from testing to formal verification. These methods, if integrated into the modern circuit design flow, will help mitigate and/or solve the hardware security issues.

Security Automation

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense
Room 202
  • Tony Sager, Senior VP and Chief Evangelist, The Center for Internet Security

    Abstract

    Cyber Defenders today face a constant stream of threats. Attackers are motivated, creative, and persistent and there is no perfect defense. If you want to be a successful defender and get out of the Reactive Rut, you'll need to have a strong Threat Model - an actionable means to represent how Attackers plan, implement, and execute attacks. And this needs to be part of an automated, operational "machine" to constantly look for new information, assess its relevance and value, and then take action. This information-centric approach to cyber defense is more like a military planning "OODA loop" than a traditional computer security Castle-Moat, Defense-in-Depth approach.

    In this talk, we'll describe how the Center for Internet Security is applying this thinking at very large scale, in a very public way, and using volunteers from across the entire cyber community. Through relationships with numerous threat intelligence vendors, we develop an open, shared model of what Attackers are doing today, and translate that into positive defensive actions and controls. This enables Defenders to create automated security processes that reduce response time to attacks, and more importantly be proactive in the development of key defenses that will protect against the most common attack profiles.

Information Sharing

Sharing Actionable Windows Artifacts Using SCAP
Room 201
  • Moderator
  • Stephen Quinn, Senior Computer Scientist & Program Manager, NIST
  • Panelists
  • Thomas Millar, Communications Chief, US-CERT, DHS
  • Ronald L. Nielson, Technical Director/SHARKSEER Program Manager, Department of Defense
  • Paul Green, CEO/President, G2, Inc
  • Jim Hanson, Director of Engineering and Development, Cyber Engineering Services, Inc.

    Abstract

    This presentation shows the utility and benefits of sharing actionable, machine-readable indicators using SCAP constructs among cooperating parties. The panel discussion focuses on research that demonstrates the efficacy of using SCAP to positively identify threat indicators on Windows-based systems. The research is highlighted in a demonstration by a team of researchers that shows how indicators, including those of malware compromise, can be leveraged from large repositories and automatically converted to relevant, machine-consumable content for protecting end systems at network speeds.

Research

Perspectives on Augmenting Federal FISMA Practices with Cybersecurity Framework
Room 206
  • Host
  • Kevin Stine, Manager, Security Outreach and Integration Group, NIST
  • Guests
  • Matt Barrett, Program Manager, NIST Cybersecurity Framework
  • Ron Ross, NIST Fellow, NIST
  • Adam Sedgewick, Senior IT Policy Advisor, NIST

    Abstract

    The NIST suite of FISMA guidance continues to provide a comprehensive set of information risk management approaches, methodologies, and practices that are required for Federal agencies and often adopted, based upon business value, within the private sector. The recently published Framework for Improving Critical Infrastructure Cybersecurity (developed under Executive Order 13636) was chartered as voluntary guidance for critical infrastructure, and may have business value for Federal use. This panel will evaluate ways in which Federal agencies can augment their FISMA-based risk management with the Cybersecurity Framework. The panel will also explore the value proposition of private sector organizations applying the FISMA suite of guidance along with the Cybersecurity Framework.

10:20 AM -
10:35 AM
Break
10:35 AM -
11:25 AM

Trusted Computing

Cryptographic Module Validation Program
Room 204
  • Mike Cooper, Manager, Security Testing, Validation and Measurement Group, NIST

Security Automation

Developments in Community-Driven Automation Standards
Room 202
  • Bill Munyan, Center for Internet Security
  • David Ries, Co-founder, Joval Continuous Monitoring

    Abstract

    Recently, the OVAL community has taken steps to improve the OVAL Repository and language moderation processes to make them significantly more transparent, responsive, community-driven and independent of direct U.S. Government sponsorship. This talk will summarize these changes, explain how to engage with the new initiatives and present a roadmap for the expansion of OVAL's capabilities.

Information Sharing

DARPA ICAS - Developing a Rich, Open-source Cybersecurity Ontology to Assist Cyber Defenders in Hunting for Adversaries on Enterprise Networks
Room 201
  • Chris Greamo, Vice President and General Manager, Invincea Labs

    Abstract

    The DARPA Integrated Cyber Analysis System (ICAS) program aims to make security-relevant system information readily available for attack forensics and tactical cyber defense. Under this effort, researchers from Invincea Labs, in collaboration with the other performers on the program, have developed a rich common ontology for representing and linking together all security-relevant information in the enterprise. This presentation will describe the ontology, compare and contrast it with other popular security ontologies such as CybOX, STIX, and MAEC, and discuss plans to release it as open source.

Research

NIST Privacy Risk Management Framework
Room 206
  • Sean Brooks, Privacy Engineer, NIST

    Abstract

    Expanding opportunities in cloud computing, big data, and cyber-physical systems are bringing dramatic changes to how we use information technology. While these technologies bring advancements to U.S. national and economic security and our quality of life, they also pose risks to individuals' privacy. In May, NIST released a draft of its report "Privacy Risk Management for Federal Information Systems," which describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems. This presentation will review the contents of the framework, discuss how it can be (and has been) applied in real, operational environments, and answer questions and take feedback on the content of the draft report.

Demonstration

Sharing Actionable Windows Artifacts Using SCAP
Room 203
  • Stephen Quinn, Senior Computer Scientist & Program Manager, NIST
  • Jim Hanson, Director of Engineering and Development, Cyber Engineering Services, Inc.
  • Bradley J. Wood, Senior Scientist, G2, Inc.

    Abstract

    The research team will show how indicators, including those of malware compromise, can be leveraged from large repositories, and be automatically converted to relevant, machine-consumable content for protecting end systems at network speeds.

11:25 AM -
11:30 AM
11:30 AM -
12:20 PM
Closing Keynote: War Stories from the Cloud
Room 202
  • John Summers, Vice President Security Business Unit, Akamai Technologies
12:20 PM -
12:30 PM
Closing
Room 202
  • Bill Newhouse, NIST, National Initiative for Cybersecurity Education (NICE), National Cybersecurity Center of Excellence (NCCoE)