Conference Sessions
Information Security Decisions is a customized educational conference designed by the editors of Information Security magazine and SearchSecurity.com. The conference offers you a soup-to-nuts agenda focused on the latest security trends, technologies and tools. Delivered over two days, the conference features daily keynotes, emerging technology showcases and breakout sessions (each accompanied by live "how-to" tutorials) that span the following:
- General Sessions
- Track 1: Compliance/Governance
- Track 2: Emerging Threats
- Track 3: Data Protection
- Track 4: Network Security
- Track 5: Secure Messaging
General Sessions
Can Good Security Be Measured? A Debate on Security Metrics
In what is sure to be a lively debate, Andrew Jaquith, Yankee Group senior analyst and author of Security Metrics: Replacing Fear, Uncertainty and Doubt, debates Burton Group senior analyst Pete Lindstrom about how an organization can measure, quantify and analyze security effectiveness. Are there metrics that make sense, or is security a cost center, plain and simple? Find out the answers and join the debate by posing your own questions to these security-metrics experts.
Crystal Ball Panel: Predictions for 2008 and Beyond
In honor of the 10th anniversary of Information Security magazine to be published in December, we've invited the top information security "insiders" to discuss the last 10 years and where they expect the industry to be in 2017. Bruce Schneier, Howard Schmidt and Eugene Spafford reflect on key events over the past decade, how threats have evolved, what needs to be addressed sooner rather than later, and what trouble lies ahead that we can plan for in advance -- to avoid being caught off guard in 2008.
Why Security Should Embrace Disruptive Technologies
IT departments have spent the last 10+ years enabling users by delivering revolutionary technology and delegating ownership and control of intellectual property and information in order to promote agility, innovation and competitive advantage on behalf of the business. Meanwhile, IT security has traditionally focused on reining in the limits of this technology in a belated, compliance-driven game of tug-of-war to apply control over the same sets of infrastructure, intellectual property and data that are utilized freely by the business.
Christofer Hoff, chief architect for Security Innovation at Unisys and former Security 7 winner, will highlight several areas of emerging and disruptive technologies and practices that should be embraced, addressed, and integrated into the security portfolios and strategic dashboards of all forward-looking, business-aligned risk managers. Many of these topics are contentious when discussing their impact on security:
- Outsourcing
- Consumerization of IT
- Software as a Service (SaaS)
- Web 2.0
- Virtualization
- De-perimeterization
- Mobility
Hoff will discuss what you ought to already have thought about and how to map these examples to predict what is coming next. Explore this classical illustration of the cyclical patterns of how history, evolving business requirements, technology and culture repeatedly intersect on a never-ending continuum and how this convergence ought to be analyzed as part of the strategic security program of any company.
Database Security: A Christmas Carol
In 2006 there were 335 publicized data breaches in the U.S. With the 5th anniversary of the SQL Slammer worm drawing near, now is as good a time as any to look back on the past of database security and ask how far we have come since then, and whether our data is any more secure today. And what of tomorrow? How will our database systems fare in a world of emerging threats? Have we learned our lesson, or will we be consigned to the graveyard of statistics?
Security Seven Awards Presentation
The corporate world is full of security heroes. This is our opportunity to honor several of them. In this interactive session you meet the winners of our third-annual Security Seven Awards, which honor the top infosec practitioners in seven vertical industries. Each was nominated by his/her peers and selected by a panel of industry luminaries and editors of Information Security magazine and SearchSecurity.com. This year, we recognize security managers from the manufacturing, retail, telecommunications, financial services, education, government and healthcare markets. Our winners are fighting many of the same battles that you face -- keeping pace with new attacks and emerging technologies, engaging senior management in security issues and educating business leaders and end users. In a panel discussion following our awards presentation, you hear about the successes they've achieved and gain insights into why their approaches have worked. You also have a chance to join the conversation and pose your questions to the Security Seven to determine which of their best practices could be put to work in your organization.
Best in Show Awards 2007
Save time and avoid making "guesstimates" of which security vendor will have the best product or solution for you. Attend our Best in Show presentation, the ultimate "smart shopper" buyers guide review of top vendors and their best-of-breed solutions. The following awards will be announced live to recognize the outstanding products at this year's conference. All conference attendees will have the chance to vote for the vendor they deem "best and brightest". Our 35+ exhibitors present during the exhibit hall hours. Categories include:
- Best of Show
- Innovation Award
- Best Practical Solution
Track 1: Compliance/Governance
Regulatory compliance can't be ignored in today's corporate environment, but many security pros are still struggling to keep one step ahead of auditors and regulations. This track helps you determine frameworks, build a compliance roadmap and set expectations within your organization.
Building a Framework-Based Compliance Program
Compliance is constantly evolving and there are various updates that you need to get your hands around. One way to help deal with the updates and track your progress is by using compliance frameworks such as COSO and COBIT. In this session our compliance guru, Richard Mackey, vice president, SystemExperts helps you build your compliance program based on various frameworks and helps you build a more effective risk assessment program. Attend this session to find out:
- Themes that are common to all compliance activities
- ISO 17700 process
- How to identify and control risk through a well-defined risk assessment process
- The components of the compliance process: Policy enforcement, provisioning and data protection
- How to deal with the frameworks associated with PCI
- Standards based on security assessments
Case Study: How to Map Compliance to Risk
When you were first faced with the reality of compliance, you spent your time dealing with and interpreting the various regulations, and may have even brought in auditors to help with this often daunting task. Today, the realization is that compliance is an ongoing process that you must tie to your risk management strategy. But how much is all this going to cost? In this session, Jeff Reich, information security officer, CompuCredit shows you what has worked for his company and how such solutions could play out for you in terms of:
- How to determine your risk
- When to use standards to help you achieve your objectives
- Where the cost of compliance should intersect with your security strategy
- Where the correct level of compliance makes good business sense
How to Navigate Regulations Both in the U.S. and Abroad
There are 51 countries, 8 U.S. agencies and 35 U.S. states with privacy laws on the books. Needless to say, figuring out if your organization is adhering to the appropriate privacy regulations is increasingly difficult. The complexity and inconsistencies are forcing companies to approach compliance in a holistic manner. In this session David Mortman, CSO in-residence, Echelon One shows you:
- The latest insights into U.S. state regulations and the possibility of a federal law
- Details of overseas initiatives including the European Union's Data Protection Directive and the Asia-Pacific Economic Cooperation forum's Privacy Framework
- How companies can tackle compliance using a multidisciplinary approach
- And much more
Stop the Madness! Key Technologies That Bring Compliance Under Control
With more than 35 state disclosure laws and new industry regulations, mapping controls to technology is more important than ever. A technology fix for SOX compliance may be different from a solution for PCI. And there's no lack of vendor hype claiming the silver bullet for solving compliance woes. But what technologies really work? In this session Trent Henry, senior analyst, Burton Group reveals:
- What solutions bring essential controls to organizations
- How to manage information flow
- How you can piggyback on your organization's existing infrastructure to save yourself time and money while satisfying the regulators
- How technologies such as identity management, encryption, system management, database auditing and monitoring can provide a mix of preventive and detective capabilities to lay a firm compliance foundation
Track 2: Emerging Threats
Today's national headlines continue to prove that companies are not only losing their data, but they are losing money when it comes to security breaches (just ask TJX, Monster.com, The Gap, etc.). And with Web 2.0 and wireless technologies, internal employees are becoming much more savvy with technology. This track reveals why you can't afford to limit security to within your organization and provides specific steps to safeguard against emerging threats.
Attacking and Defending Web 2.0
The Web is the new fertile ground for researchers and attackers as the old world of single-entity Web sites has given way to Web 2.0 social networks, syndication, mashups and "rich" Web clients. But what does that mean for you, the security professional? It means you had better be gearing up to protect your Web environments, including both clients and servers. In this session, Pete Lindstrom, senior analyst, Burton Group provides you with a strategic framework for understanding how the Web is vulnerable to the kinds of attacks that arise from this new Web 2.0 environment.
Why Botnets Have Evolved Into Your Worst Nightmare
Everyone is still talking about botnets, yet distributed attack tools were first seen in 1999 and have steadily grown in size and capability ever since. What was once a hobby, and then an annoyance, is now a profitable criminal activity. Breaking into computers has gone from an end in itself to just the beginning. Today, groups take control of over a million computers at a time and use them for spamming, click fraud, identity theft and industrial espionage, on top of good old DDoS. In this session, infosec researcher Dave Dittrich explains:
- Recent advances in distributed attack tools/methods - and what can be done to stop them
- Case studies of recent major events and how they are made easier through automation
- Rethinking your AV strategy (they don't use chewing gum to plug dam cracks, do they?)
- Striking back: Is it an option?
Reality Check: Emerging Threats in 2008
Financial incentives are encouraging attackers to invest significant money and effort in powerful techniques designed to breach our defenses. Now that fortune rather than fame drives a large number of Internet attacks, it is critical that we stay 3 steps ahead of the current information threat landscape. In this presentation, Lenny Zeltser, information security practice leader at Gemini Systems, explores today's most pressing emerging threats and those you can expect further down the road -- so that you can fine-tune your security architecture accordingly. Learn about recent attack patterns and the security of data and Internet communications, including:
- Targeted email attacks
- Client-side infection campaigns
- Advanced malware features
- Powerful bot networks
- Browser-based malware
Security in the Real World: How Barclays Handles Insider Threats
As head of information risk management at Barclays and 2006 Information Security magazine Security 7 winner, Stephen Bonner explains how Barclays deals with insider threats. Find out what Bonner has discovered and how to adopt Barclays' risk management initiatives at your own organization. This session provides:
- Key highlights on the increasing focus on insider threats
- Lessons learned from case studies of recent high-profile incidents
- Advice and guidance to identify and resolve issues that lead to insider threats
- A framework to reduce the risk of insider threats
- And more
Track 3: Data Protection
A company's biggest asset is its data. It's the intellectual property that defines the worth of the company, and it's your job to make sure all that information is secure, right down to the database level. Be sure at least one person in your organization attends the sessions within this essential data protection track.
How to Lock Down Data in Motion
In this session security guru Tom Bowers, managing director at Security Constructs LLC, shows you the vulnerabilities of data in motion. Review the top 5 techniques for protecting your data once it leaves the confines of its archive or storage device. He specifically reveals:
- How regulations play a key role in how you protect your data
- The ins and outs of content monitoring and classification
- Where Digital Rights Management (DRM) fits into the equation
- How identity management needs to be addressed
- What the new eDiscovery rules mean to your organization's stored information
- Why metadata cannot be ignored when looking at database protection
- How to lock down your web applications to protect your intellectual property
Hype vs. Reality of Windows Server 2008 and Vista - Are They More Secure?
The successor to Windows Server 2003 is set to launch this fall. And because Windows Server 2008 (previously code-named Longhorn) is built on the same code base as Vista, it will contain many of the new security enhancements found in Vista (and perhaps many of the gaps). In this session Elizabeth Quinlan, technical lead, HynesITe reviews some of the newest features and the opportunities and challenges they present in terms of implementation. In particular she addresses:
- Windows Firewall and Advanced Security (WFAS)
- IPSec Improvements and Integration with WFAS
- Network Access Protection (NAP)
- New Methods of Security and Policy Enforcement: Server and Domain Isolation
- Active Directory Domain Services Auditing
- Read-Only Domain Controllers
- BitLocker Drive Encryption
- Removable Device Installation Controls
- Enterprise PKI Improvements
Creating a Proven Data Protection Strategy
Breaches, compliance and the growth of unstructured data leaving an enterprise have fueled the need for organizations to create a data governance policy. By creating a data protection framework, security professionals are able to control valuable data and make more effective use of the assets within a company. Attend this session and let Russell L. Jones, principal, Security Services Group, Deloitte & Touche LLP give you the fundamentals required to create a plan, organize and implement policies and procedures and secure your data. In particular he explains how to:
- Determine the types of data that would fall within the scope of the framework such as PII, PHI and intellectual property
- Identify and select the controls that are the base of the framework
- Go through an iterative process of rationalizing which controls remain in the framework and which ones do not
- Determine how the remaining controls, which don't map to any of the index controls, are then included in the framework where they address unique requirements within the organization
Five Principles of Integrated Network Security
Pushing security into a network can mean a bewildering array of possible techniques, tools, products and technologies. In this session, Joel Snyder, senior partner, Opus One reveals 5 key principles of integrated network security that you can use to help design an integrated and holistic strategy that won't over-emphasize any one specific area or risk leaving gaps in another. Specific benefits of this session include how to:
- Understand the importance of having multiple managed control points and visibility into the security postures of networks and systems
- Push protection deep into the network, while partitioning the network into different security zones
- Add authentication and authorization of network users and an effective change control process in order to help round out your security strategy
Track 4: Network Security
With network perimeters melding, how do you secure all your endpoints? You need to go beyond the security settings in your routers and switches and worry about monitoring and access control. You need to secure everything from your VPN to your wireless endpoints. This track reveals A-Z network security tactics to lock down your perimeter.
Case Study: How SIMs Saved the Day
Security information management systems automate the process of looking through logs to help produce effective reports, issue alerts and provide a bird's-eye view into the network. In this session, Interval International CISO Sasan Hamadi explains the reasons he opted for SIMs and gives you a frank presentation on the lessons learned so you can avoid the pitfalls he encountered. Understand:
- Making a business case for SIMs: How he sold the project to upper management
- His RFP process, testing and how he honed down the offerings
- Integration and deployment: successes and setbacks
- Managing the technology and customizing reports to best meet his needs
- Message rates, man hours spent on tuning, filtering messages and number of false positives
Answering the Hard Questions About Network Access Control (NAC)
This session focuses on 9 hard questions that you should be able to answer when trying to integrate NAC into your enterprise LAN. Joel Snyder, senior partner at Opus One answers these questions (and be sure to bring plenty of your own as we've allocated plenty of time for audience Q&A with Dr. Snyder):
- How do you deal with lying clients?
- Are you ready to add another 'P1' critical service?
- How do you extend NAC to remote, branch and wireless environments?
- How much does NAC depend on the security of your infrastructure?
- How well does NAC interact with the world around it?
- How does NAC change how everyone thinks about the network?
- And many more
How to Make IDS (More) Useful
Intrusion Detection Systems (IDS) are not dead, at least not yet. However, pulling an IDS out of the box and plugging it in can be a big waste of money. In this session Joel Snyder, senior partner, Opus One, shows you how to make IDS useful, along with:
- The different types of IDS and where they excel and fail at conveying security posture information
- The 5 steps you must take before any IDS deployment
- Essential processes in the IDS analysis cycle, a critical part of making the IDS a useful part of your smart defense strategy
- And more
Track 5: Secure Messaging
Not only is regulatory compliance telling you how long you need to keep e-mail stored, you also need to set policies within your organization on e-mail usage. And not only are you dealing with policy issues, but you need to worry about the security flaws in IM, and there's no way you'll be able to ignore the newly released Vista. Sessions within this track cover secure messaging from soup to nuts.
Locking Down The Messaging Platform: Exchange 2007
Exchange/Outlook is the email platform of choice for most organizations, but has Microsoft done enough to secure this platform? Beyond the patches, Lee Benjamin, messaging architect, ExchangeGuy Consulting reviews the ins and outs of the Exchange 2007 security improvements and gives you tips on:
- Determining the best practices for securing Exchange 2003
- What Microsoft is doing in the security space
- Client Connectivity Options including Outlook Anywhere (formerly RPC/HTTPS)
- Security Improvements in Exchange 2007 including Edge Transport, Opportunistic TLS, Protocol Analysis, and more
