Who’s Vulnerable in YOUR IT Supply Chain?

Presenter: David Barnscome (Microsoft)

“Compromise one to compromise many.” More and more frequently, nation-state attackers leverage the trusted relationships in an organization’s IT supply chain to achieve compromise of downstream targets. How can you take steps to protect against this type of activity?

In this discussion, we’ll look at some interesting examples of how supply chain compromise has been achieved, and what it eventually led to. More importantly, we’ll talk about how you can assess your IT suppliers so that you can have confidence that they are taking the right steps to protect your organization’s data estate.

Threat Intelligence Integration

Presenter: George Alves (Defense Acquisition University)

George Alves discusses how being “threat informed” is critical in the execution of your Zero Trust capabilities and activities whether on-prem or in the cloud. From the Zero Trust Capability Roadmap: this capability requires integration of threat intelligence information and streams about identities, motivations, characteristics, as well as tactics, techniques, and procedures (TTPs). This capability will assist Cyber Defenders be more proactive rather than reactive.

Cloud Adversarial Vectors, Exploits, and Threats (CAVEaT™): An Emerging Threat Matrix for Industry Collaboration

Presenter: Dr. Mari J. Spina (CSA DC Chapter and MITRE)

Cloud security practitioners agree there’s a need for comprehensive threat-informed security guidance to address system assessment, secure design, cyber analytics, and threat mitigation. Due to the rapid development of cloud technologies and service offerings, it is also necessary to develop a forward-looking adversary perspective that identifies emerging cloud service risks along with detailed detections and mitigations for practitioners to implement. The Cloud Security Alliance (CSA) and the MITRE Corporation have established the Cloud Adversarial, Vectors, Exploits, and Threats (CAVEaT™) collaboration to bring relevant content to the cloud security practitioner. This research explores today’s available frameworks with relevance to cloud systems and proposes a course of action to advance the state of the art in threat-informed security by collaborating with cloud service providers (CSPs), international security researchers, and key subject matter experts.

Continuous Compliance – Security Assessments the Cloud-Native Way

Presenter: Michael Wasielewski (Capgemini)

Security assessments for cloud environments have and continue to evolve at a dramatic rate. Just a few years ago security standards for cloud environments were difficult to understand and even more difficult to audit against. Since then, cloud service providers and their partners have built tools to simplify auditability for their customers and auditors alike; but the pace of change in and of modern cloud environments still vexes many traditional assessment practices. In this talk, we’ll cover how the next generation of audit tools are adopting a continuous compliance approach for evaluating cloud environments in near-real time, and how to think differently about what artifacts can demonstrate real risk management as opposed to point in time theater. By the end of the session you’ll better understand how to approach security assessments for modern cloud environments.

David Barnscome
Global Partner Solutions Architect for Security, Compliance, and Identity @ Microsoft

David is a Global Partner Solutions Architect for Security, Compliance, and Identity at Microsoft. In this role, David is responsible for training and supporting Microsoft partners on the latest security compliance and identity solutions, including Microsoft 365, Azure and Windows.

George Alves
Professor, Enterprise Cybersecurity @ Defense Acquisition University (DAU)
CISSP, CEH

George Alves has over 35 years of DOD and Acquisition experience. Currently he is a Defense Acquisition University (DAU) Cybersecurity Professor. He holds a Master of Science in Cybersecurity along with various professional certifications such as CISSP and CEH. Before coming to DAU, he served as the Information Systems Security Manager (ISSM) at the Office of the Comptroller of the Currency under Department of Treasury overseeing IT/Cyber acquisitions and compliance throughout several platforms to include public and private cloud environments. He is a former Navy Civilian of 10 years to include being the Deputy CIO for Cybersecurity at Naval Sea Systems Command HQ in Washington Navy Yard, DC. There he oversaw the entire NAVSEA enterprise comprised of over 2000 operational, developmental, and RDT&E networks, systems, and applications both on-premise and in cloud environments. He had a team of almost 40 civilians and contractors to include the first NAVSEA Cyber Scientific & Technical Intelligence Liaison Officer (STILO) in a position he created to integrate intelligence within Cybersecurity. He also spent two years as an Army civilian supporting the Program Manager of DOD Biometrics as the Cybersecurity Lead under the Program Executive Office Intelligence Electronic Warfare and Sensors (PEO IEW&S). There he was involved in the early stages of acquisition supporting the designs, engineers, deployment, and sustainment of enterprise biometric solutions in multiple operating environments enabling identity dominance on the battlefield and across the Department of Defense to include migrating tactical systems into the cloud. He is also a proud veteran retiring after 20 years of Navy active-duty service. Some of his assignments includes serving as the Automated Data Processing Division Officer onboard the USS NASSAU, and as a Computer Network Defense Leading Chief Petty Officer within Joint Forces Command where he stood up a Global Command, Control, Communications, Computers, and Intelligence (C4I) Coordination Center after the 9/11 attack.

Dr. Mari J. Spina
Cloud Security Alliance-DC Chapter Research Committee Chair
Principal Cybersecurity Engineer @ the MITRE Corp
PMP, CISSP, ISSEP, CCSP

Dr. Mari J. Spina is the Cloud Security Alliance-DC Chapter Reasearch Committee Chair. In this capacity, she has been leading the charge to develop critical research to advance the state of practice in cloud security for highly regulated industries represented by the CSA-DC Chapter membership. Dr. Spina is also a Principal Cybersecurity Engineer at the MITRE Corp. supporting a multitude of MITRE Federal sponsors including DoD and the IC in the area of Cloud Security. At MITRE, she leads the Cloud Security Capability Area, and teaches Cloud Security for the MITRE Institute. She has taught many Information Technology courses for the George Washington University schools of engineering and business. Before joining MITRE, she worked for government engineering firms including Hughes Aircraft, SAIC, ManTech, NJVC, and DMI since 1988 where she provided IT systems engineering to a variety of Federal agency missions including those of the Intelligence Community and the DoD. Mari holds a D.Sc. in Engineering Management from the George Washington University, a MSEE from the University of Southern California, and a BSME from California State University Northridge. She is also PMI PMP and ISC2 CISSP, ISSEP, CCSP certified.

Michael Wasielewski
Capgemini

Moving from outside of Washington D.C. in the US, Michael moved to Paris joining Capgemini in December of 2021. Responsible for global cloud security and next-gen secure architecture portfolio development, Michael brings a robust background ranging from Network Operations and Engineering, running global Information Security teams and modernizing enterprises through their cloud and workplace journeys, and executing as a global Cloud Security specialist. When not playing video games with his two kids or struggling to learn French, Michael wishes he could play more golf or do some more skydiving.