Choose from a range of workshops which delve into topics like blockchain, using deception to detect cyber attacks, and engaging research and industry in cyber security.
Friday 29 September 2017
Morning Workshops: 9:00am – 12:00pm
Afternoon Workshops: 1:00pm – 4:00pm
Full Day Workshops: 9:00am – 4:00pm
UNSW CBD Campus
Level 6, 1 O’Connell Street
Sydney NSW 2000
Morning/afternoon Workshop: $450 | $350 with Summit registration
Full Day Workshop: $850 | $700 with Summit registration
- Inclusions: All workshop materials, morning tea/afternoon tea and lunch.
- Registering for the Summit and a workshop will entitle you to discounted registration.
- All prices shown include GST and are Australian Dollar amounts.
Automating security for DevOps
Workshop Leaders: Murray Goldschmidt, Chief Operating Officer, Sense of Security
Duration: Half-Day Morning (9:00am – 12:00pm)
The rise of DevOps is marginalising security, but there are ways to integrate security into Agile environments. With the rise of DevOps (Agile development and deployment environments) a chasm has emerged as it becomes evident that superfast and continuous software development is marginalising “traditional” security teams. Security teams need to catch-up with this disruption, and fast. Security automation is vital, and this workshop discusses practical solutions that make sense.
In this workshop, we’ll discuss security automation techniques that can overcome the challenge of implementing security in an Agile environment. This two-hour learning lab is designed to cover several high-level topics relevant to the implementation of security in a DevOps environment, and with a focus on the role that automation can play. The interactive nature of this learning lab means it is designed to encourage active participation and feedback from the audience so that the discussion is productive, inventive and enjoyable.
This workshop will cover topics including:
- an overview of a DevSecOps stack (that we have used in a lab environment as a typical understanding of a generic model)
- Defining a common understanding of the modern Service Delivery Life-Cycle (SDLC)
- Why DevSecOps matters, and how automation is a central theme to its success
- Key concepts such as the need to need to “shift left” and identify issues and defects earlier in the SDLC cycle
- Practical solutions available – achieving automation with continuous scanning, static and dynamic code analysis
- Emerging technologies such as run-time application self-protection techniques (RASP) and behaviour driven development (BDD)
- A live demo of an attack scenario
- Low-cost self-healing controls to identify attacks and automatically defeat them
Automating Security for DevOps is designed to teach security automation techniques that can be used in a modern software engineering “DevOps” environment. This workshop is aimed at ensuring security teams remain relevant in their enterprise by providing practical knowledge to achieve it – for example, by using automation wherever possible, freeing up brilliant security minds to tackle the “higher-hanging-fruit” problems. Attendees will learn to implement and automate security in Agile production environments – without becoming a bottleneck in the process.
While this workshop is directly relevant to IT managers and security professionals, it may well be of interest to stakeholders representing the broader interests of developers and operational teams looking to embrace security.
Murray is an industry recognised expert for achieving security in a DevOps environment (putting the “sec” into DevSecOps), having developed, enhanced and presented on this topic at several events with the objective of rapidly enhancing the capability within our region.
Frequently invited to present at conferences, workgroups and seminars and asked to provide expert comment for editorials and publications. Murray has presented on security topics to many audiences at conferences including AusCERT, the Australian Cyber Security Centre (ACSC), RSA Conference, and the Australian Information Security Association (AISA).
Along with a degree in Electrical Engineering, Murray is a Certified Information Systems Security Professional (CISSP), IRAP Assessor and a Payment Card Industry Qualified Security Assessor (PCI QSA) and an active member of the Australian Information Security Association (AISA).
Blockchain security: understanding and securing the new disruptive force
Workshop Leader: Ajit Hatti, Founder, SecurityMonx
Duration: Half-Day Morning (9:00am – 12:00pm)
The technology which is set to disrupt the entire world of finance and economics is Blockchain.
This workshop is especially designed for fintech organisations, and will introduce you to the technical base of Blockchain in an accessible way. We will examine how the world has been adopting it so far, as well as its potential innovations, developments and future opportunities. We will also explore the security challenges of this technology and how we can address them.
The workshop will incorporate the following:
1. Introduction to the principal and philosophy of Blockchain
2. How it started: history of Blockchain
3. Cryptography and building blocks of BlockChains: a demonstration
4. Blockchain in action: executing smart contracts
5. The present and the future of the Blockchain
6. Security threats applicable to Blockchain
He also co-founded Null Open Security Community and has worked with Symantec, Emerson, ZScaler, IBM and Bluelane as a security researcher in the past. Ajit has also presented his work at conferences including BlackHat, DEFCON and Nullcon.
Detecting cyber-attacks with deception
Workshop Leader: Sahir Hidayatullah, Co-founder and CEO, Smokescreen Technologies
Duration: Half-Day Afternoon (1:00pm – 4:00pm)
Deception is one of the most successful strategies in military history. Just as armies used deceit to conquer continents, cyber-deception exploits the modern hacker’s greatest weakness – they’re only human.
This session deconstructs recent attacks from a hacker’s perspective and shows how companies can use deception technology to predict upcoming threats, detect stealthy attacks, illuminate network blind spots, and minimise breach detection time.
Sahir is a serial cyber security entrepreneur. His past ventures have investigated numerous high-profile data breaches, with clients spanning critical infrastructure, global financial institutions, and Fortune 500 companies.
His work has been highlighted in a cover feature story in Fortune India magazine, and his thoughts on technology risk management appear regularly in the print and television media.
Research-industry engagement in cyber security
Workshop Leader: Surya Nepal, Data61
– Dr Liming Zhu – Research Director, CSIRO Data61
– Federico Bettini – CEO, Aizoon Australia
– Daniella Traino – Business Leader, Cyber Security (GAICD) CSIRO Data61
– Dr Praveen Gauravaram – Tata Consultancy Services Limited
Duration: Half-Day Afternoon (1:00pm – 4:00pm)
The engagement between research (universities and research organisations) and industry is key to building an innovation ecosystem in cyber security that can contribute to the national economy and security as well as provide enormous societal benefits.
This engagement has many facets, for example:
- universities can produce cyber graduates to fill the skills gap;
- industries can integrate graduates into their workforce to tackle problems they are facing now;
- existing research IP can be transferred to industries to create new technologies and products;
- key research breakthroughs can seed new industries;
- industries can specify research challenges for the research ecosystem to tackle;
- industries can partner with research organisations for their research & development needs.
What are the pathways or models for research-industry engagement and what are the models of success?
The workshop brings cyber security researchers and industry practitioners to share their experiences through successful research-industry collaborative projects and models. This includes models and projects from startup/SMEs space to large corporations.
This workshop will run as a series of interactive lightning talks. All participants may also choose to use a three minute lightning pitch or a 10 minute short talk to highlight specific industry problems and challenges, existing off-the-shelf research IP and capabilities and preferred engagement models.
Participants who would like to do a 3-5 minute pitch or lightning talk are asked to please email your short bio and title to Surya Nepal at firstname.lastname@example.org.
Federico has an innovative approach to digital transformation and business in general, and he always brings a different perspective to the table. He is passionate about building capabilities and developing leaders for the future.
Praveen has a PhD in Cryptology from Queensland University of Technology, Brisbane. Praveen has held scientific positions in India, Europe and Australia and published several scientific papers and technical reports. Praveen has made significant scientific contributions to the analysis and design of standard cryptographic designs, in particular cryptographic hash functions. He is a co-designer of Grøstl hash function and a finalist in the SHA3 competition conducted by NIST USA. Praveen is also an Adjunct Senior Lecturer at University of New South Wales, Australia.
Daniella is a member of the Research Advisory Committee for the Internet Commerce Security Laboratory (ICSL) – a cyber security research unit of Federation University Australia. She was a judge at the 2017 Finnies (Fintech Australia awards), a contributor to the 2017 report ‘Startup secrets: How Australia can create new businesses with fintech and cyber security industry collaboration‘, and Cyber Track leader for the 2016 Spark Festival (formerly Startup Week Sydney). Daniella also volunteers some of her time to advise Australian cyber security startups on innovation pathways and product-market strategies.
Prior to Data61, Daniella has held executive roles including General Manager Security & Risk (Chief Information Security Officer) for a NSW government department, responsible for the effective management of all ICT risk, security and continuity practices; and executive management roles in banking and finance and management consulting.
Daniella holds a Bachelor of Commerce (Accounting, Computer Science) from the University of Sydney, and is a Graduate Member of the Australian Institute of Company Directors (GAICD). She is motivated to help industry and government tackle the growing and challenging cyber security implications and opportunities of operating in the emerging digital economy.
Workshop Leader: Barry ‘Fish’ van Kampen, Managing Director, The S-Unit and Dirk ‘Perzik’ van Veen
Duration: Full-Day (9:00pm – 4:00pm)
At the live hacking village you will learn how to tinker (play with technology) with hardware and software. Playing with hardware, protocols and the software behind it is one of the goals. A collection of ESP’s, Arduinos, sensors, hardware sniffers and SDR’s (Software Defined Radio) will be used (available at the village). Barry ‘Fish’ van Kampen is an enthusiast hacker known from Hack in The Box, and will let you learn and tinker within these hardware environments. Attendees will also have access to a collection of IOT hardware, like remote controlled switches, camera’s, etc to research and hack. If you PWN it, you will OWN it 🙂 The main goal is to bridge the gap with the software hacking world and show you how easy it is to start hardware hacking.
A mini CTF (hacking competition) will be held alongside the IOT and hardware hacking. Dirk ‘Perzik’ van Veen, lead organiser of the CTF for Hack in The Box Amsterdam, will bring a collection of basic and intermediate challenges and guide the visitors in solving the hacking puzzles. Of course, there will be a scoreboard and a prize for the one who finishes the most challenges during the village/workshop.
Participants in this workshop will need to bring:
- Technical skills
- A computer with rights to install software. Pre-installed (virtual) Kali and Arduino is useful.
- Some basic hardware materials like USB cable’s, network cables/adapters, power adapters.
What to expect?
Depending on your current skillset, you can expect to learn hacking and tinker techniques, both hard and software based, on different levels. At the end of the day you can expect to have at least basic knowledge about the subjects or to have a higher skill set than when you started.
Using red teaming to succeed in security
Workshop Leaders: Simon Treadaway, Head of Ethical Hacking, Shearwater Solutions and Damian Grace, General Manager, Phriendly Phishing
Duration: Half Day Morning (9:00am – 12:00pm)
Red teaming is a key buzzword in modern cyber security, but it can have vastly different meanings to different organisations. For one, it might be a supported offensive security exercise; for another, it might mean letting a “security ninja” loose in your network with little to no supervision. It is often conducted without a true understanding of an organisation’s threat landscape, the attack possibilities, and what an organisation is really trying to achieve as an end result.
Understanding your threat landscape is extremely important in modern environments, and can dramatically affect the success of a red teaming engagement and the cost associated with it.
Join Damian Grace and Simon Treadaway in a collaborative workshop that will explain the whats and hows of red teaming in a practical, jargon-free environment.Attendees will work through the following:
- Map out the possible threat vectors and attack scenarios that need to be considered when red teaming
- Build a comprehensive framework to evaluate your environment against the vast array of daily attacks
- Highlight specific ways to defend against common red team attacks
The key outcomes of this workshop include a solid understanding of red teaming as a practice and a framework for making decisions regarding what’s most important to your organisation.
This workshop is specifically targeted at a managerial level and no deep technical skills are required.
On Minimum Viable Security
Workshop Leaders: Scott Herdman, Independent security consultant and researcher and Norman Yue, Director, Platypus Initiative
Duration: Half-Day Morning (9:00am – 12:00pm)
In today’s business environment, security is often a costly and cumbersome investment, out of reach of many small and startup-scale businesses. However, you don’t need the latest and greatest Enterprise Firewall 5000 to implement a reasonable level of cyber security across your business, and into your product. This workshop will cover some ways of thinking which can be used to reduce the attack surface of a system or network without greatly impacting the bottom line.
Attendees at this workshop will delve into topics including:
- Threat Modelling 101
- Applied Principle of Least Privilege
- Smart Policy-Driven Security
- Low-cost Security Awareness
- And more!
In his spare time Scott focusses on independent cyber security research projects covering such areas as physical system security, cyber weaponisation and device reverse engineering in an effort to educate the public and wider security community on the ever evolving threat landscape.