Session Listing
NH-ISAC 2015 Fall Summit
 
NH-ISAC & A-ISAC Session Titles and Descriptions

A-ISAC Membership Meeting: Past Accomplishments, Trend Analysis, and Future Planning (A-ISAC)

A-ISAC board and staff will lead this "state of the ISAC" conversation. Meet A-ISAC staff and board members, provide input into planning for 2016 and beyond, give feedback on your experience as an A-ISAC member so far, and help guide the future direction of the A-ISAC. Closed to nonmembers.


Best Practices: Cyber Threat Intelligence and Data Analytics Like You Have Never Seen Before (A-ISAC)
Facilitator: Roger Alvillar, Aviation ISAC; Panelists: Bill Hubbard, The Boeing Company; Dave Ockwell-Jenner, SITA

The threats we face vary over time and by location. While only some of them develop into intrusions, they can have a significant impact on operations and even on the bottom line of organizations across the globe. In many cases, preparing and sharing best practices is the most effective way to mitigate an ever-changing and capable adversary. As information becomes intelligence and machines yield positive results, operational and strategic approaches toward the opposition must be coordinated. Come find out how some of these efforts are being orchestrated.


Blocking the Big Breach: An Overview of Standardized Security Systems and How They Protect Pharmaceutical and Healthcare Data
Terence Rice, Merck & Co.; Mollie Shields Uehling, SAFE-BioPharma Association

Globalization and digitization of drug development, clinical trials and healthcare interactions with the life sciences all rely on the Web to share information. Patient and other data are at risk of compromise, exposing the process to HIPAA violations and leaks of scientific intellectual property to competitors. This session is an overview of how standardized identity and access management is being used in the pharmaceutical industry to protect sensitive data and intellectual property, improve clinical trial efficiency, and improve healthcare interactions with the life sciences.


A Bull Black Market – The Dynamics of Cybersecurity and the Expanding Illicit Market for Medical Records
Stan Byers, EY

Medical records have become the most valuable personally identifiable information on the black market. What is driving this demand, and what does the future of the market hold? This talk will look at the often unintuitive economic, geopolitical and policy dynamics that are currently shaping illicit medical data markets; how these are likely to evolve; the impact of new technologies; and the leading practices for improving protection and mitigating risk in a highly challenging environment.


Current Cyber Threat Landscape
Brett Leatherman, FBI

This session will cover the cyber threats currently observed, with particular emphasis on the health and aviation sectors. The speaker will look at the tactics, techniques and procedures malicious actors are employing today and the trends expected in the future.


Cyber Actors Exfiltrating Your Profits? Arrest Security Breaches Without Achieving Complete Business Catastrophe (A-ISAC)
Facilitator: Terrance J. Kirk, Aviation ISAC; Panelists: Conner Hagan, Southwest Airlines; Tim Lemm, The Boeing Company; Krista McGee, GE Aviation

Why do you need an incident response plan? What makes a good incident response plan? What items should be considered when building a successful plan? What outside resources should be leveraged? An international panel of presenters will discuss the answers to these questions.


Dell SecureWorks Healthcare Threat Intelligence – Actionable Information for NH-ISAC Members
Jon Ramsey, Dell SecureWorks

Through the partnership between NH-ISAC and Dell SecureWorks, information is exchanged on the latest threats targeting the healthcare sector. Dell SecureWorks' intelligence enables its Counter Threat Unit and healthcare-specific researchers to provide information to NH-ISAC via multiple channels. Dell SecureWorks further partners with the healthcare industry through its Center of Excellence in Bucharest, Romania, to advance security for the customers it serves. This presentation discusses what happens behind the scenes at Dell SecureWorks in support of NH-ISAC.


The Evolution of Third Party Security Risk Management
Sam Kassoumeh, Security ScoreCard

Sam will discuss how third party security risk has evolved over the last five years. He will walk through why the attackers target third parties and the methodologies and strategies available to reduce risk from ecosystem partners. Discussion will include how the industry addresses this challenge and new techniques to scale out an effective third party security risk management program.


Five Steps to Managing Business Associate Risk
Chad Peterson, Optiv

While internal management of business activities presents a level of risk, business associate relationships bring increased challenges to a healthcare organization's overall risk and HIPAA compliance management. Healthcare organizations must balance information risk management against the cost of mitigating business associate risk in order to remain competitive and meet their obligations under the HIPAA regulations. As a result, business associate oversight is placing an increased burden on healthcare organizations to manage and mitigate this external risk.


How to Balance Yourself on the Intelligence Tightrope and Overcome Information Pitfalls (A-ISAC)
Facilitator: Philip L. Potts, The Boeing Company; Panelists: Sunny Ahluwalia, The Boeing Company; Michael Caimona, Boeing Integrated Information Systems; Adam Klickovich, National Cyber-Forensics & Training Alliance; Brian Markus, Aerojet Rocketdyne; Blake Moore, Splunk; Michael Oppenheim, National Security Agency Threat Operations

Cyber threat analysts are inundated with information from multiple sources on a daily basis. With the explosion of cyber threat information available in the past few years from private security companies, government information sharing initiatives, and improved detection technologies, how does one decide what is truly useful? How do analysts define the difference between "information" and "intelligence"?


Key Strategic Considerations for Hardening the Aviation Sector Against Today's Leading Threats (A-ISAC)
Facilitator: Fred Schwien, The Boeing Company; Panelists: John Craig, The Boeing Company; Dan Johnson, National Aviation Intelligence Integration Office; Craig Maccubbin, Southwest Airlines

The Aviation ISAC's vision is to improve aviation's security posture by providing a trusted environment for sharing timely and actionable information. This panel will discuss the framework, policy, and governance of how industry and government working together can leverage intelligence resources and private sector members for building a resilient global air transportation system.


Managing Security for Your Healthcare Supply Chain Partners – Strengthening the Weakest Link
Rick Reybok, Brightpoint

Most healthcare companies focus on the security of their perimeters, networks, and endpoints and forget that their supply chain partners pose the same, if not greater, risk to their IT infrastructure. The 2013 Target breach is just one example of a third party being the weakest link: a trusted business partner was authorized to use the retailer's external billing system, and its access credentials were stolen in a phishing attack. Organizations need to realize that their perimeter is larger than their walls and in fact extends into and around their supply chain partners. In this session, a panel of industry leaders will cover how and why your supply chain partners can be protected, describe the value they received from the BrightPoint solution, and explain how they expect to participate in the NH-ISAC Trusted Circles going forward.


Mapping Controls Across Multiple Authority Documents
Tam Woodrum, Unified Compliance

Complying with regulations and standards in Health IT can be a complex undertaking even for relatively small organizations. This presentation will demonstrate how to identify and track the controls a healthcare organization needs to implement to achieve their compliance goals.


Medical Device (In)Security: A Serious Case of Catch-22
Tim Erlin, Tripwire

Modern technology has made interconnected medical devices a catch-22: they play a vital role in healthcare's current and future landscape while potentially exposing patients and healthcare providers to safety and cybersecurity risks with catastrophic consequences. As more and more medical devices are connected to the Internet of Things, the risks will only multiply. Panelists will discuss how providers should approach these challenges, offering industry best practices to protect organizations and the safety and privacy of patients.


The New CISO Mandate: Ensuring Data Security and User Privacy in a Mobile-First World
Sinan Eren, Remotium

Mobile first is the mantra of many organizations today, and healthcare is no exception. Driven by patient and employee demands, the benefits of mobile applications to patient care and corporate administration are undeniable. The modern CISO is tasked with trying to strike a balance between innovation, new security risks, and regulatory mandates. In this talk, cybersecurity expert Sinan Eren will discuss the challenges of mobile-first in the highly regulated healthcare environment, including maintaining patient and user privacy. He will also outline a security-by-objective strategy for healthcare CISOs. Mobile applications are not all of equal importance. Creating a security program that matches the business criticality of your mobile applications is possible and highly effective. Learn best practices for securing mobile apps while maintaining user and patient privacy, including lessons learned from network and web app security.


Next Generation Authentication for Healthcare
Jim Routh, Aetna

Binary authentication controls don't work so well when the criminals have the credentials. Behavior-based authentication uses mathematically proven algorithms to define behavioral patterns for customers and for criminals. Perhaps it's time for healthcare companies to deploy a similar capability for providers.


Protecting Our Patients by Staying Ahead of Security Threats
Kevin Hemsley, Idaho National Labs; Katie Moussouris, HackerOne; Suzanne Schwartz, FDA

This session will discuss the current and emerging cyber threat landscape from the perspective of DHS/ICS-CERT, including current and anticipated impact on healthcare; the role of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in investigating reported vulnerabilities in medical devices and hospital equipment; and, how healthcare constituents can connect with Federal law enforcement and ICS-CERT for assistance as well as informational and educational resources.


Quantifying Cloud Risk for Your Organization's Leadership
Bob Gilbert, Netskope

The "move to the cloud" has long been considered a key initiative by enterprises worldwide. This move has created unprecedented competitive advantage for all kinds of organizations, but with it also comes risk - risk of data exposure, non-compliance, and user account compromise. Join Netskope's Chief Evangelist Bob Gilbert in this discussion about how enterprises can quantify risk from cloud app usage and how both risk and its mitigation strategy can be communicated to your organization's leadership and board.


Recognizing Value Proposition Across Industry Partnerships and Assessing Information Sharing Models (A-ISAC)
Facilitator: Faye I. Francy, Aviation ISAC; Presenters: Jeffrey J. Apolis, Carnegie Mellon University Software Engineering Institute; Frank J. Grimmelmann, Arizona Cyber Threat Response Alliance; Frederick Laury, Air New Zealand

Cyber security is a team sport requiring a new paradigm for working together. Situational awareness and vigilance are needed to combat this nefarious and ubiquitous threat. A fundamental principle in building sector resilience is realizing that one company's detection is another company's prevention. This panel will explore models of information sharing and discuss the value proposition occurring across different partnerships.


Reducing Risk One SSN at a Time
John Lenhart, Aetna

A company's ability to compete in the digital consumer marketplace requires the ability to protect sensitive information. One of the most sensitive data points is the Social Security Number (SSN). If organizations don't stop the unnecessary processing of SSNs, breaches of SSNs will continue to increase, resulting in significant medical fraud, brand damage and potentially severe health consequences for consumers who suffer medical identity theft. Aetna has invested in a multi-year effort to be an agent of change for the industry around the use, or elimination, of the SSN. Our initiative, SPEaR (SSN Protection, Elimination and Remediation), aims to reduce our dependence on the SSN and its footprint within our organization and across industries. Our approach is to place every use of the SSN into one of three profiles: Remove, Replace or Protect.

  1. Remove SSN: remove the SSN from applications and associated processes where it is not a regulatory requirement.
  2. Replace SSN: replace the use of the SSN as the unique identifier with an alternate identifier.
  3. Protect SSN: where there is a regulatory requirement to retain the SSN, protect it through the application of controls (encryption, PUM, two-factor authentication, etc.).

SPEaR consists of eight work streams that, together, will fundamentally change the risk posture of Aetna and our business partners as it relates to the use of the SSN. The targeted outcome for this initiative is not only to materially reduce risk within the Aetna environment, but also to be an agent of change in the industry so we can all begin to reduce our dependence on the SSN.
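As an added illustration of the "Replace" profile described above (example code written for this listing, not Aetna's SPEaR tooling, which the session does not describe): one common way to replace an SSN as the unique identifier is a tokenization vault that hands out a random surrogate member ID and keeps only a keyed hash of the SSN so that the same person always maps to the same surrogate. The class and function names, the HMAC-indexed design, and the sample records are all assumptions; the SSNs use the 900 series, which has never been issued.

```python
import hmac
import hashlib
import re
import secrets

# Accepts "123-45-6789" or "123456789"; the vault normalizes to digits only so
# both spellings of one SSN share a surrogate.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(ssn: str) -> str:
    """Return the 9 digits of an SSN, or raise if the input is not SSN-shaped."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        raise ValueError("not an SSN-shaped value")
    return "".join(m.groups())


class SurrogateVault:
    """Hypothetical tokenization vault for the 'Replace' profile.

    The vault never stores the SSN. It stores HMAC-SHA256(digits) under a key
    that lives outside the application database (a KMS or HSM in practice),
    mapped to a random surrogate ID. Without the key, a dump of this table
    cannot be brute-forced against the 10^9 possible SSNs; with only the
    surrogate, nothing about the SSN can be recovered at all.
    """

    def __init__(self, index_key: bytes):
        if len(index_key) < 32:
            raise ValueError("index key must be at least 256 bits")
        self._index_key = index_key
        self._index_to_token = {}  # hex HMAC of SSN digits -> surrogate ID

    def _index(self, digits: str) -> str:
        return hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        """Return the surrogate for this SSN, minting a random one on first sight."""
        idx = self._index(normalize_ssn(ssn))
        token = self._index_to_token.get(idx)
        if token is None:
            # 64 random bits; no mathematical relation to the SSN it stands for
            token = "MBR-" + secrets.token_hex(8)
            self._index_to_token[idx] = token
        return token

    def __len__(self) -> int:
        return len(self._index_to_token)


def replace_ssn(record: dict, vault: SurrogateVault) -> dict:
    """Rewrite one application record to carry a surrogate ID instead of an SSN."""
    out = dict(record)
    out["member_id"] = vault.tokenize(out.pop("ssn"))
    return out


# Constructed sample records (not real people or SSNs).
SAMPLE_RECORDS = [
    {"ssn": "987-65-4320", "name": "A. Example", "plan": "HMO"},
    {"ssn": "987654320", "name": "A. Example", "plan": "PPO"},  # same SSN, unformatted
    {"ssn": "987-65-4321", "name": "B. Example", "plan": "HMO"},
]


def run_example(vault=None):
    """Tokenize the sample records; returns (rewritten records, vault)."""
    vault = vault or SurrogateVault(secrets.token_bytes(32))
    return [replace_ssn(r, vault) for r in SAMPLE_RECORDS], vault


if __name__ == "__main__":
    records, vault = run_example()
    for r in records:
        print(r)
    print(f"{len(vault)} distinct SSNs tokenized")
```

The downstream systems then key on `member_id`, which is what the "Replace" profile asks for; only the vault, which falls under the "Protect" profile, still needs SSN-grade controls, and even it holds a keyed hash rather than the number.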


Sentinels - Security Awareness Program
Nick Razum, Amgen

Have you ever wondered how to engage your organization in supporting security initiatives? Have you always assumed that InfoSec is the only group in the company that understands what information security is and the perils of not doing it right? The Sentinels program is an innovative way to engage your company and make it act as part of information security to protect your organization and intellectual property, and to effectively leverage all means to advance information security.


Software Security – Why, What, & How
Jonathan Bittle, KP; Nikolay Chernavsky, Amgen; Jim Routh, Aetna; Mike Ware, Cigital

An on-going, seven year industry study called the Building Security In Maturity Model (BSIMM) that describes the software security maturity of 78 organizations, including ten healthcare companies, recently found that the relative maturity of the healthcare industry lags behind other industries such as financials and independent software vendors. In this session, a panel of industry leaders will discuss why software security is a priority, strategies for selling the benefits of software security to executives and the board, and how they are dealing with the challenges they face in securing not only the software they develop internally but also the software they acquire from vendors.


STIX & TAXII - The Download On These Industry Leading Standards
Greg Barnes, BC/BS; Nikolay Chernavsky, Amgen; Aharon Chernin, Soltra; Brian Heemsoth, Aetna

STIX and TAXII are industry standards for threat intelligence: STIX is the structured language for describing threat information (indicators, observables, TTPs, campaigns) and TAXII is the transport protocol for exchanging it. But why should you care? Panelists in this session will present:

  • Why the future of threat intelligence depends on standards
  • The current state of automation and sharing
  • How automation can help you reduce the time you spend analyzing threat intelligence
  • How automation, through NH-ISAC's Threat Intelligence Platform, helps turn threat data into action
  • What the future of threat intelligence sharing holds
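As an added example of the "threat data into action" step, written for this listing rather than taken from the panel or from NH-ISAC's platform: a minimal consumer that pulls the simple equality comparisons out of STIX indicator patterns and runs them against proxy and antivirus log lines. It uses the JSON form of STIX 2.1 (which postdates this 2015 summit; STIX 1.x was XML) because it is easier to show inline. The bundle, the indicator values (documentation-range addresses and made-up hashes), the log format and the function names are all constructed; only `[type:path = 'value']` comparisons are handled, so `LIKE`, `MATCHES` and time-window qualifiers are ignored by design.

```python
import re

# Constructed STIX 2.1 bundle standing in for what a TAXII collection would return.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--0c8f1a2e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--11111111-1111-4111-8111-111111111111",
         "created": "2015-11-01T00:00:00.000Z", "modified": "2015-11-01T00:00:00.000Z",
         "name": "Constructed C2 server", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2015-11-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created": "2015-11-01T00:00:00.000Z", "modified": "2015-11-01T00:00:00.000Z",
         "name": "Constructed dropper and its download host", "pattern_type": "stix",
         "pattern": ("[domain-name:value = 'update.example.net'] OR "
                     "[file:hashes.'SHA-256' = "
                     "'0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef']"),
         "valid_from": "2015-11-01T00:00:00Z"},
        # Revoked intel must not raise alerts, even though a log line below matches it.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created": "2015-10-01T00:00:00.000Z", "modified": "2015-11-01T00:00:00.000Z",
         "name": "Constructed false positive, withdrawn", "pattern_type": "stix",
         "revoked": True,
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2015-10-01T00:00:00Z"},
    ],
}

# One STIX comparison: <object-type>:<property-path> <op> '<value>'.
# The path may contain a quoted key such as hashes.'SHA-256'.
COMPARISON = re.compile(
    r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*(=|!=|LIKE|MATCHES)\s*'((?:[^'\\]|\\.)*)'"
)


def extract_observables(bundle: dict) -> dict:
    """Map (object type, property path, lowercased value) -> set of indicator IDs.

    Only '=' comparisons from non-revoked STIX-pattern indicators are kept;
    anything more expressive needs a real pattern evaluator.
    """
    observables = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for otype, path, op, value in COMPARISON.findall(obj["pattern"]):
            if op != "=":
                continue
            key = (otype, path.replace("'", ""), value.lower())
            observables.setdefault(key, set()).add(obj["id"])
    return observables


def match_logs(observables: dict, lines) -> list:
    """Return one hit per (log line, observable) pair, in log order."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        low = line.lower()
        for (otype, path, value), ids in observables.items():
            # Token boundaries stop 203.0.113.4 from matching inside 203.0.113.45.
            if re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", low):
                hits.append({"line": lineno, "type": otype, "path": path,
                             "value": value, "indicators": sorted(ids)})
    return hits


# Constructed log lines: three proxy events and one antivirus event.
SAMPLE_LOG_LINES = [
    "2015-11-02T08:14:01Z proxy src=10.1.2.3 dst=203.0.113.45 host=cdn.example.org action=allow",
    "2015-11-02T08:14:09Z proxy src=10.1.2.3 dst=198.51.100.7 host=update.example.net action=allow",
    "2015-11-02T08:15:30Z av host=ws-042 file=invoice.pdf.exe "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef verdict=clean",
    "2015-11-02T08:16:02Z proxy src=10.1.2.9 dst=203.0.113.4 host=intranet.example.org action=allow",
]


def run_example() -> list:
    """Extract observables from the sample bundle and match the sample logs."""
    return match_logs(extract_observables(SAMPLE_BUNDLE), SAMPLE_LOG_LINES)


if __name__ == "__main__":
    for hit in run_example():
        print(f"line {hit['line']}: {hit['type']}:{hit['path']} = {hit['value']} "
              f"-> {', '.join(hit['indicators'])}")
```

Line 2 matches the revoked address 198.51.100.7 but is reported only for the domain, and line 4 does not match at all despite containing a prefix of the C2 address; both are the kind of detail that separates an automated feed from a pile of alerts.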


A Tactical Assessment of the Aviation Sector's Performance and Intel Solutions in the Security Environment (A-ISAC)
Facilitator: Doug Blough, Aviation ISAC; Panelists: Michael Dierickx, Panasonic Avionics Corporation; Greg Seipelt, GE Aviation; Becky Selzer, United Airlines

As the aviation community continues to face claims and threats from a wide range of sources across the globe, how do we derive solutions to mitigate this ever-changing environment? Answering the threat through technical and collaborative means not only provides greater awareness across the community but also shapes a more secure environment.


Turning Aviation Industry & Government Tabletop Exercises and Use Case Studies into Aviation ISAC Excellence (A-ISAC)
Facilitator: Joseph T. "Tom" McGoogan, Boeing Commercial Airplanes; Panelists: Dan Johnson, National Aviation Intelligence Integration Office; Paul Kurtz, National Security Council; Emilian Papadopolous, Foreign Affairs Canada

Questions to be addressed by the panel include:

  1. To date, what have we learned from ongoing AIAA and other industry use cases and tabletop exercises?
  2. Are there consistent cyber security themes seen to date that impact the entire aviation industry?
  3. What are the key roles and levels that need to be involved in exercises?
  4. How do we transition from individual corporate and government-led efforts into a better functioning A-ISAC?
  5. What do we do next?


User Behavior Analytics for Insider Threat and Identity Access Management
Saryu Nayyar, Gurucul

User Behavior Analytics is changing the way enterprises protect themselves against fraud, insider threats and external intruders, both on premises and in the cloud. User behavior analytics and identity access intelligence technology uses machine learning and predictive anomaly detection algorithms to reduce the attack surface of accounts and of unnecessary access rights and privileges, and to identify, predict and prevent breaches. This technology is used globally by organizations to detect insider fraud, IP theft, external attacks and more.


Utilizing Open Source Intelligence to Protect the Enterprise
Aaron Goldstein, Amgen

This talk will outline Open Source Intelligence (OSINT) techniques used to identify sensitive information about individuals, companies, as well as their data. This presentation will outline how the adversaries gather information and use it to their advantage. Learn to identify areas of risk by simply using common searching tools such as Google, Bing, and others. Lastly, discover techniques for mitigating these threats and securing your data.


Vendor Response Governance – Preparing an Effective Response to Vendor Compromises
Brenda Ward, Aetna

Security breaches involving third parties are on the rise. Many companies are responding by adopting processes associated with sound vendor risk management to facilitate the identification, evaluation and enforcement of industry-recognized security and privacy practices. Moreover, they are conducting due diligence before sharing sensitive data with third-party vendors to limit the exposure of a security breach. Brenda Ward and Rocco Grillo will share leading-edge techniques that help organizations recognize that, without established and effective risk management practices for working with vendors, it is difficult to ensure third parties have applied and implemented the security processes and controls necessary to preserve the confidentiality of shared data.


Best Practices: Cyber Threat Intelligence and Data Analytics Like You Have Never Seen Before (A-ISAC)
Facilitator: Roger Alvillar, Aviation ISAC; Panelists: Bill Hubbard, The Boeing Company; Dave Ockwell-Jenner, SITA

The threats we face are both temporal and spatial. While some of these threats evolve into intrusions, they can have significant impact to operations and even the bottom dollar to organizations across the globe. In many cases, preparing and sharing Best Practices can be the most effective tool to mitigate against an ever-changing and robust adversary. As information turns into intelligence and machines yield positive results, operational and strategic approaches toward the opposition must be coordinated. Come find out how some of these efforts are being orchestrated.


Blocking the Big Breach: An Overview of Standardized Security Systems and How They Protect Pharmaceutical and Healthcare Data
Terence Rice, Merck & Co.; Mollie Shields Uehling, SAFE-BioPharma Association

Globalization and digitization of the drug development and clinical trial process and healthcare interactions with life sciences rely on the Web to share information. Patient and other data is at risk of being hacked, opening the process to HIPPA violations and leaks of scientific intellectual property to competitors. The proposed session is an overview of how standardized identity and access management is being used in the pharmaceutical industry to protect sensitive data and intellectual property, to improve clinical trial efficiency, and to improve healthcare interactions with the life sciences.


A Bull Black Market – The Dynamics of Cybersecurity and the Expanding Illicit Market for Medical Records
Stan Byers, EY

Medical records have become the most valuable personably identifiable information on the black market. What is driving this demand, and what does the future of the market hold? This talk will look at the often unintuitive economic, geopolitical and policy dynamics that are currently shaping illicit medical data markets; how these are likely to evolve; the impact of new technologies; and the leading practices for improving protection and mitigating risks in a highly challenging environment.


Current Cyber Threat Landscape
Brett Leatherman, FBI

This session will cover the current cyber threats seen with a particular emphasis on the health and aviation sectors. The speaker will look at the tactics, techniques and procedures malicious actors are employing currently and what particular trends will be seen in the future.


Cyber Actors Exfiltering Your Profits? Arrest Security Breaches Without Achieving Complete Business Catastrophe (A-ISAC)
Facilitator: Terrance J. Kirk, Aviation ISAC; Panelists: Conner Hagan, Southwest Airlines; Tim Lemm, The Boeing Company; Krista McGee, GE Aviation

Why do you need an incident response plan? What makes a good incident response plan? What items should be considered when building a successful plan? What outside resources should be leveraged? An international panel of presenters will discuss the answers to these questions.


Dell SecureWorks Healthcare Threat Intelligence – Actionable Information for NH-ISAC Members
Jon Ramsey, Dell SecureWorks

Through the partnership between NH-ISAC and Dell SecureWorks, information is exchanged on latest threats targeting the healthcare sector. Dell SecureWorks' intelligence enables the Counter Threat Unit and healthcare specific researchers to provide information via multiple channels to NH-ISAC. Dell SecureWorks further partners with the healthcare industry in our Center of Excellence in Bucharest, Romania to advance security specifically within the customers it serves. This presentation discusses what happens behind the scenes at Dell SecureWorks in support of NH-ISAC.


The Evolution of Third Party Security Risk Management
Sam Kassoumeh, Security ScoreCard

Sam will discuss how third party security risk has evolved over the last five years. He will walk through why the attackers target third parties and the methodologies and strategies available to reduce risk from ecosystem partners. Discussion will include how the industry addresses this challenge and new techniques to scale out an effective third party security risk management program.


Five Steps to Managing Business Associate Risk
Chad Peterson, Optiv

While internal management of business activities present a level of risk, business associate relationships bring increased challenges to the overall healthcare organization's risk and HIPAA compliance management. Healthcare organizations must balance information risk management against the cost of mitigating business associate risk to remain competitive and meet their obligations under the HIPAA regulations. As a result, business associate oversight is placing increased burdens on healthcare organizations to manage and mitigate the external risk.


How to Balance Yourself on the Intelligence Tightrope and Overcome Information Pitfalls (A-ISAC)
Facilitator: Philip L. Potts, The Boeing Company; Panelists: Sunny Ahluwalia, The Boeing Company; Michael Caimona, Boeing Integrated Information Systems; Adam Klickovich, National Cyber-Forensics & Training Alliance; Brian Markus, Aerojet Rocketdyne; Blake Moore, Splunk; Michael Oppenheim, National Security Agency Threat Operations

Cyber threat analysts are inundated with information from multiple sources on a daily basis. With the explosion of cyber threat information available in the past few years from private security companies, government information sharing initiatives, and improved detection technologies, how does one decide what is truly useful? How do analysts define the difference between "information" and "intelligence"?


Key Strategic Considerations for Hardening the Aviation Sector Against Today's Leading Threats (A-ISAC)
Facilitator: Fred Schwien, The Boeing Company; Panelists: John Craig, The Boeing Company; Dan Johnson, National Aviation Intelligence Integration Office; Craig Maccubbin, Southwest Airlines

The Aviation ISAC's vision is to improve aviation's security posture by providing a trusted environment for sharing timely and actionable information. This panel will discuss the framework, policy, and governance of how industry and government working together can leverage intelligence resources and private sector members for building a resilient global air transportation system.


Managing Security for Your Healthcare Supply Chain Partners – Strengthening the Weakest Link
Rick Reybok, Brightpoint

Most healthcare companies are focused on the security of their perimeters, networks, and endpoints and forget that their supply chain partners pose the same—if not greater—risk to their IT infrastructure. The 2013 Target breach is just one example of a third-party being the weakest link in security. A trusted business partner was authorized to use the retailer's external billing system, and its access credentials were stolen in a phishing attack. Organizations need to realize that their perimeter is greater than their walls, and in fact extends into and around their supply chain partners. In this session, a panel of industry leaders will cover how and why your supply chain partners can be protected, describe the value they received from the BrightPoint solution, and explain how they expect to participate with in the NH-ISAC Trusted Circles going forward.


Mapping Controls Across Multiple Authority Documents
Tam Woodrum, Unified Compliance

Complying with regulations and standards in Health IT can be a complex undertaking even for relatively small organizations. This presentation will demonstrate how to identify and track the controls a healthcare organization needs to implement to achieve their compliance goals.


Medical Device (In)Security: A Serious Case of Catch-22
Tim Erlin, Tripwire

Modern technology has made interconnected medical devices a catch-22 – they play a vital role in healthcare's current and future landscape, while potentially exposing patients and healthcare providers to safety and cybersecurity risks that pose catastrophic consequences. As more and more medical devices become embedded to the IoT, the risks will only multiply. Panelists will discuss how providers should approach these challenges, offering industry best practices to protect organizations, and the safety and privacy of patients.


The New CISO Mandate: Ensuring Data Security and User Privacy in a Mobile-First World
Sinan Eren, Remotium

Mobile first is the mantra of many organizations today, and healthcare is no exception. Driven by patient and employee demands, the benefits of mobile applications to patient care and corporate administration are undeniable. The modern CISO is tasked with trying to strike a balance between innovation, new security risks, and regulatory mandates. In this talk, cybersecurity expert Sinan Eren will discuss the challenges of mobile-first in the highly regulated healthcare environment, including maintaining patient and user privacy. He will also outline a security-by-objective strategy for healthcare CISOs. Mobile applications are not all of equal importance. Creating a security program that matches the business criticality of your mobile applications is possible and highly effective. Learn best practices for securing mobile apps while maintaining user and patient privacy, including lessons learned from network and web app security.


Next Generation Authentication for Healthcare
Jim Routh, Aetna

Binary authentication controls don't work so well when the criminals have the credentials. Behavioral based authentication uses mathematically proven algorithms to define behavioral patterns for customers and criminals. Perhaps it's time for healthcare companies to deploy a similar capability for providers.


Protecting Our Patients by Staying Ahead of Security Threats
Kevin Hemsley, Idaho National Labs; Katie Moussouris, HackerOne; Suzanne Schwartz; FDA

This session will discuss the current and emerging cyber threat landscape from the perspective of DHS/ICS-CERT, including current and anticipated impact on healthcare; the role of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in investigating reported vulnerabilities in medical devices and hospital equipment; and, how healthcare constituents can connect with Federal law enforcement and ICS-CERT for assistance as well as informational and educational resources.


Quantifying Cloud Risk for Your Organization's Leadership
Bob Gilbert, Netskope

The "move to the cloud" has long been considered a key initiative by enterprises worldwide. This move has created unprecedented competitive advantage for all kinds of organizations, but with it also comes risk - risk of data exposure, non-compliance, and user account compromise. Join Netskope's Chief Evangelist Bob Gilbert in this discussion about how enterprises can quantify risk from cloud app usage and how both risk and its mitigation strategy can be communicated to your organization's leadership and board.


Recognizing Value Proposition Across Industry Partnerships and Assessing Information Sharing Models (A-ISAC)
Facilitator: Faye I. Francy, Aviation ISAC; Presenters: Jeffrey J. Apolis, Carnegie Mellon University Software Engineering Institute; Frank J. Grimmelmann, Arizona Cyber Threat Response Alliance; Frederick Laury, Air New Zealand

Cyber security is a team sport requiring a new paradigm for working together. Situational awareness and vigilance is needed to combat this nefarious and ubiquitous threat. A fundamental principle in building sector resilience is realizing that one company's detection is another company's prevention. This panel will explore models of information sharing and discuss the value proposition occurring across different partnerships.


Reducing Risk One SSN at a Time
John Lenhart, Aetna

A company's ability to compete in the digital consumer marketplace requires the ability to protect sensitive information. One of the most sensitive of data points is the Social Security Number (SSN). If organizations don't stop the unnecessary processing of SSNs, the number of information security breaches of SSNs will continue to increase resulting in significant medical fraud, brand damage and potentially severe health issues for consumers where medical identify theft occurs. Aetna has invested in a multi-year effort to be an agent of change for the industry around the use, or lack of, of the SSN. Our initiative, SPEaR (SSN Protection, Elimination and Remediation) is looking to reduce our dependencies on the SSN and the footprint of the SSN within our Organization and across industries. Our approach is to place every use of the SSN into one of three profiles; Remove, Replace or Protect. Priority #1: Remove SSN: Remove SSN from applications and associated processes where it is not a regulatory requirement Priority #2: Replace SSN: Replace the use of the SSN as the unique identify with an alternate identifier Priority #3: Protect SSN: Protect the SSN in cases where there is a regulatory requirement to maintain it through application of controls (encryption, PUM, two factor, etc.) SPEaR consists of eight work streams, that together, are going to fundamentally change the risk posture of Aetna and our business partners as it relates to the use of the SSN. The targeted outcome for this initiative is not only to materially reduce risk within the Aetna environment, but also to be an agent of change in the industry so we can all begin to reduce our dependencies on the SSN.


Sentinels - Security Awareness Program
Nick Razum, Amgen

Have you ever wondered how to engage your organization in supporting security initiatives? Have you assumed that InfoSec is the only group in the company that understands what information security is and the perils of getting it wrong? The Sentinels program is an innovative way to engage your company, have it act as an extension of Information Security to protect your organization and its intellectual property, and effectively leverage every available means to advance information security.


STIX & TAXII - The Download On These Industry Leading Standards
Greg Barnes, BC/BS; Nikolay Chernavsky, Amgen; Aharon Chernin, Soltra; Brian Heemsoth, Aetna

STIX and TAXII are industry standards for threat intelligence, but why should you care? Panelists in this session will present:

  • Why the future of threat intelligence depends on standards
  • The current state of automation and sharing
  • How automation can help you reduce the time you spend analyzing threat intelligence
  • How automation, through NH-ISAC's Threat Intelligence Platform, helps turn threat data into action
  • What the future of threat intelligence sharing holds
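As an added example, not code from NH-ISAC's platform or from Soltra, here is the smallest useful piece of the automation the panel describes: reading domain and IP observables out of a STIX 1.x indicator document (the XML form current in 2015) and matching them against log lines. The STIX package and the DNS/proxy log lines are constructed for the example and use the STIX 1.x / CybOX 2.x element names; a TAXII client would fetch such a package in a Poll response, which is not shown.

```python
import xml.etree.ElementTree as ET

# Namespaces used by STIX 1.x / CybOX 2.x documents.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed STIX 1.2 package with one domain and one IPv4 indicator.
SAMPLE_STIX = """<stix:STIX_Package version="1.2" id="example:Package-1"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
            <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>203.0.113.7</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed DNS and proxy log lines in key=value form.
SAMPLE_LOGS = [
    "2015-11-10T14:02:11Z dns client=10.1.4.22 query=bad.example.net type=A",
    "2015-11-10T14:02:13Z proxy client=10.1.4.22 dst=203.0.113.7:443 method=CONNECT",
    "2015-11-10T14:03:00Z dns client=10.1.5.9 query=www.example.org type=A",
]


def extract_iocs(stix_xml: str) -> dict:
    """Map each observable value to (type, indicator id) for domain and IPv4 indicators."""
    # ElementTree is not hardened against entity-expansion attacks; parse feeds
    # from an external TAXII server with defusedxml instead.
    root = ET.fromstring(stix_xml)
    iocs = {}
    for ind in root.iter(f"{{{NS['stix']}}}Indicator"):
        ind_id = ind.get("id", "")
        for props in ind.iter(f"{{{NS['cybox']}}}Properties"):
            dom = props.find("DomainNameObj:Value", NS)
            addr = props.find("AddressObj:Address_Value", NS)
            if dom is not None and dom.text:
                iocs[dom.text.strip().lower()] = ("domain", ind_id)
            elif addr is not None and addr.text:
                iocs[addr.text.strip()] = ("ipv4", ind_id)
    return iocs


def match_logs(iocs: dict, log_lines) -> list:
    """Flag key=value log fields whose value (or host part before :port) is a known IOC."""
    hits = []
    for line in log_lines:
        for field in line.split():
            key, sep, value = field.partition("=")
            if not sep:
                continue
            value = value.lower()
            for candidate in (value, value.rsplit(":", 1)[0]):
                if candidate in iocs:
                    kind, ind_id = iocs[candidate]
                    hits.append({"line": line, "field": key, "value": candidate,
                                 "kind": kind, "indicator": ind_id})
                    break
    return hits


if __name__ == "__main__":
    for hit in match_logs(extract_iocs(SAMPLE_STIX), SAMPLE_LOGS):
        print(f"{hit['indicator']} {hit['kind']}={hit['value']} <- {hit['line']}")
```

Every hit carries the indicator id back to the analyst, which is the point of sharing in a standard form: the match can be reported to the source, and the same code ingests the next package without anyone re-keying indicators by hand.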


A Tactical Assessment of the Aviation Sector's Performance and Intel Solutions in the Security Environment (A-ISAC)
Facilitator: Doug Blough, Aviation ISAC; Panelists: Michael Dierickx, Panasonic Avionics Corporation; Greg Seipelt, GE Aviation; Becky Selzer, United Airlines

As the aviation community continues to face claims and threats from a broad spectrum of sources across the globe, how do we derive solutions to mitigate this ever-changing environment? Answering the threat through technical and collaborative means not only provides greater awareness across the community but shapes a more secure environment.


Turning Aviation Industry & Government Tabletop Exercises and Use Case Studies into Aviation ISAC Excellence (A-ISAC)
Facilitator: Joseph T. "Tom" McGoogan, Boeing Commercial Airplanes; Panelists: Dan Johnson, National Aviation Intelligence Integration Office; Paul Kurtz, National Security Council; Emilian Papadopolous, Foreign Affairs Canada

Questions to be addressed by the panel include:

  1. To date, what have we learned from ongoing AIAA and other industry use cases and tabletop exercises?
  2. Are there consistent cyber security themes seen to date that impact the entire aviation industry?
  3. What are the key roles and levels that need to be involved in exercises?
  4. How do we transition from individual corporate and government-led efforts into a better functioning A-ISAC?
  5. What do we do next?


User Behavior Analytics for Insider Threat and Identity Access Management
Saryu Nayyar, Gurucul

User Behavior Analytics is changing the way enterprises protect themselves against fraud, insider threats and external intruders, both on premises and in the cloud. User behavior analytics and identity access intelligence technology uses machine learning and predictive anomaly detection algorithms to reduce the attack surface of accounts, remove unnecessary access rights and privileges, and identify, predict and prevent breaches. This technology is used by organizations worldwide to detect insider fraud, IP theft, external attacks and more.
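The passage describes the technique only in outline, so here is an added example (not Gurucul's product code) of the two halves of the approach in their simplest form: a per-user behavioral baseline with anomaly scoring on a day under review, and an identity-access check that surfaces entitlements a user holds but never exercises. The login events, country codes, resource names and the entitlement table are constructed for the example; a real deployment would learn baselines from months of authentication, VPN and application logs rather than ten days of tuples.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events: (user, day, hour_utc, country, resource). Ten baseline days
# for alice (two logins a day, US) and bob (US mornings, DE afternoons).
BASELINE_EVENTS = (
    [("alice", d, h, "US", "claims-db") for d in range(1, 11) for h in (9, 16)]
    + [("bob", d, 8, "US", "claims-db") for d in range(1, 11)]
    + [("bob", d, 13, "DE", "claims-db") for d in range(1, 11)]
)
# Day under review: alice logs in 12 times at 03:00 from a new country; bob is normal.
REVIEW_EVENTS = [("alice", 11, 3, "RO", "claims-db")] * 12 + [
    ("bob", 11, 8, "US", "claims-db"),
    ("bob", 11, 13, "DE", "claims-db"),
]
# Hypothetical entitlements exported from the IAM system.
ENTITLEMENTS = {"alice": {"claims-db", "hr-portal"}, "bob": {"claims-db"}}


def build_baseline(events) -> dict:
    """Per-user profile: countries, hours and resources seen, plus daily login stats."""
    per_user = defaultdict(lambda: {"countries": set(), "hours": set(),
                                    "resources": set(), "daily": defaultdict(int)})
    for user, day, hour, country, resource in events:
        p = per_user[user]
        p["countries"].add(country)
        p["hours"].add(hour)
        p["resources"].add(resource)
        p["daily"][day] += 1
    baseline = {}
    for user, p in per_user.items():
        counts = list(p["daily"].values())
        baseline[user] = {
            "countries": p["countries"], "hours": p["hours"], "resources": p["resources"],
            "mean": mean(counts),
            "std": max(pstdev(counts), 1.0),  # floor so a flat baseline still scores
        }
    return baseline


def score_day(baseline: dict, events, z_threshold: float = 3.0) -> dict:
    """Return user -> list of (finding, detail) for one day's events; [] means clean."""
    findings = {user: [] for user in {e[0] for e in events}}
    daily = defaultdict(int)
    for user, _day, hour, country, _resource in events:
        daily[user] += 1
        prof = baseline.get(user)
        if prof is None:
            f = ("no_baseline", user)           # never seen before: review by hand
        elif country not in prof["countries"]:
            f = ("new_country", country)
        elif all(abs(hour - h) > 1 for h in prof["hours"]):
            f = ("off_hours", hour)
        else:
            continue
        if f not in findings[user]:
            findings[user].append(f)
    for user, n in daily.items():
        prof = baseline.get(user)
        if prof:
            z = (n - prof["mean"]) / prof["std"]
            if z > z_threshold:
                findings[user].append(("login_spike", round(z, 1)))
    return findings


def dormant_entitlements(baseline: dict, entitlements: dict) -> dict:
    """Access rights granted but never used in the baseline window: candidates for removal."""
    dormant = {}
    for user, granted in entitlements.items():
        if user in baseline:
            unused = granted - baseline[user]["resources"]
            if unused:
                dormant[user] = sorted(unused)
    return dormant


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print(score_day(base, REVIEW_EVENTS))
    print(dormant_entitlements(base, ENTITLEMENTS))
```

The `new_country` check fires only once per user per day even though it is evaluated on all twelve events; the z-score floor of 1.0 is what keeps a user with a perfectly regular baseline from producing a division by zero. Note the one detail the detector above deliberately does not do: it never finds the off-hours login once a new-country finding has been recorded for the same event, so in a production rule set the checks would be independent rather than chained.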


Using the BSIMM-V to Measure Healthcare Security
Jonathan Bittle, KP; Nikolay Chernavsky, Amgen; Jim Routh, Aetna; Mike Ware, Cigital

The Building Security In Maturity Model (BSIMM) is the result of a multi-year study of real-world software security initiatives. The model is built directly out of data observed in sixty-seven software security initiatives, from firms including: Adobe, Aetna, Bank of America, Box, Capital One, Citibank, Comerica Bank, EMC, Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, and Zynga. We have used BSIMM-V to measure more than ten firms in the healthcare space, including: Aetna, McKesson, Siemens, The Advisory Board, and Zephyr Health.

The BSIMM is a measuring stick for software security. The best way to use the BSIMM is to compare and contrast your own initiative with the data presented in the BSIMM, including data from your vertical. You can then identify goals and objectives of your own and look to the BSIMM to determine which further activities make sense for you.

The BSIMM data show that high-maturity initiatives are well rounded, carrying out numerous activities in all twelve of the practices described by the model. The model also describes how mature software security initiatives evolve, change, and improve over time.


Utilizing Open Source Intelligence to Protect the Enterprise
Aaron Goldstein, Amgen

This talk will outline Open Source Intelligence (OSINT) techniques used to discover sensitive information about individuals and companies, and about their data. The presentation will show how adversaries gather this information and use it to their advantage. Learn to identify areas of risk using nothing more than common search tools such as Google, Bing, and others. Lastly, discover techniques for mitigating these threats and securing your data.


Vendor Response Governance – Preparing an Effective Response to Vendor Compromises
Brenda Ward, Aetna

Security breaches involving third parties are on the rise. Many companies are responding by adopting sound vendor risk management processes to facilitate the identification, evaluation and enforcement of industry-recognized security and privacy practices. Moreover, they are conducting due diligence before sharing sensitive data with third-party vendors to limit the exposure from a security breach. Brenda Ward and Rocco Grillo will share leading-edge techniques that help organizations recognize that, without established and effective risk management practices for working with vendors, it is difficult to ensure third parties have implemented the security processes and controls necessary to preserve the confidentiality of shared data.