Richmond, VA

June 2nd - 3rd, 2016


Speakers:

Wendy Nather (Keynote)
Trey Ford (Keynote)
Karen R. Jackson (Keynote)
Andrea Matwyshyn
Joshua Cole
Steve Christey
Ben Smith
Andrew McNicol & Zack Meyers
Evan Johnson
Juan Carlos
Brenton Kohler & Jacob Ewers
Troy Wojewoda
Chris Romeo
Mark Weatherford
Rockie Brockway
David Sirrine
Joey Peloquin
Dawn-Marie Hutchinson
Michelle Schafer & Tim Wilson
Inga Goddijn & Becky Swanson

Wendy Nather (Keynote)

Retail Cyber Intelligence Sharing Center (R-CISC)
Wendy Nather is Research Director at the Retail Cyber Intelligence Sharing Center (R-CISC), where she is responsible for advancing the state of resources and knowledge to help organizations defend their infrastructure from attackers. She was previously Research Director of the Information Security Practice at independent analyst firm 451 Research, covering the security industry in areas such as application security, threat intelligence, security services, and other emerging technologies.

Wendy has served as a CISO in both the private and public sectors. She led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), as well as for the Texas Education Agency. She speaks regularly in locations around the world on topics ranging from threat intelligence to identity and access management, risk analysis, incident response, data security, and societal and privacy issues. Wendy is co-author of The Cloud Security Rules, and was listed as one of SC Magazine’s Women in IT Security “Power Players” in 2014. She is an advisory board member for the RSA Conference, and serves on the board of directors for Securing Change, an organization that helps provide free security services to nonprofit groups. She is based in Austin, Texas.

We Need to Talk…
How do you move threat intelligence sharing from Gossip to Grownup? It takes more than technology: it takes social engineering on a massive scale. Wendy Nather will talk about the process of standing up a new ISAC, the barriers to intel exchange, the Wacky Races of platform and feed providers, and the role government has to play (spoiler: it’s not what you think). The future of threat intelligence is going to be fewer steak dinners and pew-pew maps; it’s going to look more like the Neighborhood Watch on social media. Grab a cup of coffee and let’s meet at the firewall.

Trey Ford (Keynote)

Trey Ford is a security executive, industry strategist and research advocate. Over the last 15 years, Trey ran Black Hat events worldwide as General Manager, and provided services ranging from global security strategy, incident response, product management, PCI QSA and security engineering for a variety for industry leaders including Rapid7, Zynga, McAfee, FishNet Security and WhiteHat Security.

Karen R. Jackson (Keynote)

Virginia Secretary of Technology
Karen Jackson serves as the Secretary of Technology for the Commonwealth. Prior to her appointment, she served as the Commonwealth’s Deputy Secretary of Technology and Vice President of Broadband Programs for the Center for Innovative Technology.

Ms. Jackson serves as a senior advisor to the Governor on technology matters including innovation, data analytics, telecommunications, cybersecurity, and unmanned systems. She is also responsible for overseeing the Commonwealth’s IT infrastructure.

As Secretary, she is responsible for policy and legislative initiatives as well as developing programs to facilitate innovation, entrepreneurship, technology development and adoption. Ms. Jackson also serves as the Virginia lead for the Mid-Atlantic Aviation Partnership (MAAP) and co-chair of the Virginia Cybersecurity Commission.

Ms. Jackson has been actively engaged in the federal policy initiatives including the development of the National Broadband Plan. She received a 2009 IP3 award from Public Knowledge for her work in information policy, and was named to Government Technology’s 2010 list of the top 25 Doers, Dreamers, and Drivers. She was recently named to The Governing Institute Women in Government Leadership Program Class of 2015.

Ms. Jackson serves on a number of Boards including the Virginia Economic Development Partnership, the Center for Innovative Technology, and serves as Governor McAuliffe’s representative to the FCC’s Intergovernmental Advisory Committee.

She holds a bachelor’s of science in business management from Christopher Newport University and a master’s of business administration from The College of William and Mary.

Inga Goddijn & Becky Swanson

@AnalogGirl11

Risk Based Security / Markel

Becky Swanson
Becky Swanson is the Managing Director of Miscellaneous E&O at Markel; this includes the Misc. Professional Liability, Information Technology Professional and Data Breach Liability coverage. She began her insurance career in 1996 and is an experienced miscellaneous professional, technology professional and cyber liability specialist with experience in all professional liability insurance coverages. She has managed a team of underwriters, providing training and leadership with a focus on misc./technology professional and employment practices liability risks. Her focus has been on Miscellaneous and Technology Professional and Cyber liability coverage for the past 10 years. As the Managing Director of Misc. E&O, Technology and Cyber Liability products at Markel Corporation, she is responsible for policy language analysis and development, creation and implementation of underwriting guidelines, rate strategy analysis, training and continued education. Her presentations include serving as a continuing education instructor on Cyber and Misc. Professional Liability insurance, coverage panels sponsored by brokerage firms, Data Privacy and Security Exposures for public entities, panel discussions for ACI’s Cyber & Data Forum, the NetDiligence Cyber Forum, PLUS panel discussions on Emerging Trends in Professional Liability and What’s New in the Realm of Real Estate, and a Cyber Security World panel on cyber insurance.

Inga Goddijn
Inga has been involved with technology risk and specialty insurance coverages since 1993 and has a wealth of experience with information risk identification and transfer. Her focus is the strategic management of data privacy and security exposures, with an emphasis on leveraging data-driven risk assessment to build sustainable and scalable programs.

As the leader of the insurance practice group at Risk Based Security, Inga is responsible for a variety of client advisory services including management and mitigation of data security and privacy risk, policyholder risk reduction programs and the development and implementation of cost effective breach response solutions. As a strong advocate for sharing knowledge, Inga has presented at a variety of industry forums and has led many continuing educations sessions throughout the U.S. She currently holds a CIPP/US designation.

Show Me The Money! Uncovering The True Cost of a Breach
It’s become the quintessential million dollar question: how much does a data breach cost? Unfortunately, reliable open sources for answering that question are few and far between. With budgets under a microscope and resources stretched thin, being able to reasonably estimate breach costs is an important part of gaining buy-in for new security initiatives and defining acceptable levels of risk. This session will demystify the process of estimating breach costs by taking a closer look at the different factors that drive event expenses. Using real case examples taken from actual breaches, the session will break down the various elements that contribute to the cost of a breach and include ideas for calculating these expense factors. We’ll round out the session with a discussion of how the breach, along with the response effort, influences “soft” costs as well, such as reputation damage and lost business.

Joey Peloquin

@jdpeloquin

Joey has more than 20 years of experience in the information technology industry, specializing in information security for over 15 years. Prior to joining the Citrix Security team, he served as the director of professional services for GuidePoint Security, heading up the security assessments, application and mobile, and cloud security consulting practices. Joey is an active member of the information security community, speaking frequently at conferences and events such as BSides, RVAsec, OWASP, and TakeDownCon. He has also written, or appeared in, articles by Hakin9, SC Magazine, SD Times, and Network World.

Deceptive Defense: Beyond Honeypots
Everyone knows malicious hackers utilize deception all the time. Maybe it’s a tactical DDoS attack, meticulously timed to misdirect defenders from an initial intrusion, or perhaps a data exfiltration event. Attackers reuse competitors’ code, and compile malware in languages other than their own to encourage false attribution. The examples are endless. Quarterbacks are masters of deception, too. This talk compares deceptive practices of top NFL quarterbacks with practical deception in the Enterprise, and offers suggestions on how security practitioners can utilize ruses, disinformation, misdirection, and other techniques to increase the cost of targeting an organization to the point that the risk no longer justifies the reward. The presentation covers effective recommendations deployed in production environments today that don’t require purchasing expensive deception systems.

Joshua Cole

@joshua_a_cole

Joshua Cole is co-founder and Chief Technical Officer for Assura, Inc., an IT Risk Management consultancy based in Central Virginia. Prior to joining Assura, Josh held security leadership positions with a healthcare company and was a senior security consultant with Booz Allen Hamilton where he supported U.S. Federal clients in the civilian, military, and intelligence sectors. Josh has 20 years of expertise in security governance, risk, compliance, security testing, application security, network security, and applied cryptography.

Probability in Cyber Risk Assessment: Holy Grail or Red Herring?
If you’ve been performing security risk assessments on IT systems for any length of time, you know that one of the elements of risk that shows up time and again is probability or likelihood. Getting to the point of being able to firmly predict the likelihood that a risk will occur is the holy grail of risk assessment. Whether you’ve tried to compute an Exposure Factor in Single Loss Expectancy, used adjectival-based descriptions, run Monte Carlo simulations, or tried to use predictive analysis tools, you know that each has its limitations in the world of cyber risk assessment.

This talk poses the question: what if we quit trying to answer the unanswerable in cyber risk assessment? Join this lively, interactive session where the question is postulated, debated, and examined by the presenter and the audience.

Ben Smith

@Ben_Smith

Ben Smith is Field Chief Technology Officer (Field CTO – US East) with RSA, The Security Division of EMC. He is a trusted advisor and consultant to RSA’s global financial services customers, as well as customers in other vertical markets. With over 25 years’ experience in the networking, information security and telecommunications industries, he is responsible for consulting on RSA’s strategic vision around architecture and technical roadmaps for the company’s security and risk management solutions. Prior to joining RSA, he held senior technical positions at UUNET, Intuit, CSC, and the US Government, along with a string of technology-oriented startups. He holds a number of professional technical certifications, including the Certified Information Systems Security Professional (CISSP) certificate, and has presented on RSA’s behalf, both domestically and internationally, at cybersecurity events sponsored by Gartner, FS-ISAC, ISSA, ICI, (ISC)2, ISACA, InfraGard, HTCIA and other organizations.

Measuring Security: How Do I Know What a Valid Metric Looks Like?
There is no universally accepted method to measure security. So how do we translate operational measurements into meaningful security metrics for the business? Doing so effectively is essential, because you can’t manage what you don’t measure. This session will touch on the following general questions: Why are security metrics important, from both a compliance and an operational perspective? What are some best practices to keep in mind when selecting security metrics? Do your audiences dictate which metrics to select? What behaviors are you trying to influence with these metrics? What are some unexpected sources of security metrics? How should you communicate those metrics internally within your organization for maximum impact? Are there any examples of poor metrics which should be avoided in most cases?

Andrew McNicol & Zack Meyers

@PrimalSec / @b3armunch

BreakPoint Labs
Andrew McNicol is driven by his passion for helping organizations identify exploitable vulnerabilities before an adversary does. He is currently the CTO at BreakPoint Labs, specializing in offensive security services, a mentor for SANS, and one of the founders and lead authors of Primal Security. Previously, he led a penetration testing team and worked on an incident response team focusing on malware analysis and network forensics for DoD, law enforcement, and commercial companies.

Andrew holds an M.S. in Information Assurance and a variety of InfoSec qualifications (OSCE, OSCP, OSWP, GICSP, GCFA, GCIA, GCIH, GPEN, GREM, GSEC, GWAPT, GWEB, CISSP, CEH, etc.).

Zack Meyers is a business-oriented guy who became a motivated InfoSec geek after getting started as a continuous monitoring vulnerability analyst. Shortly after, he took an interest in the offensive side of security work and currently works as an Offensive Security Engineer at BreakPoint Labs. Today he is always looking to learn about new techniques and tools that can help him identify his next big vulnerability finding. He is currently a member of the Primal Security Blog | Podcast and holds several security certifications including OSCP, CISSP, GWAPT, GPEN, GCIH, etc.

Beyond Automated Testing
Have you ever run a vulnerability scan and thought “Okay… now what?” This talk is all about how to go beyond automated testing to find vulnerabilities that scanners miss. The goal of the talk is to help inspire others to reach beyond Nessus and Burp Suite scans to help their organization identify vulnerabilities that expose high impact risk.

Evan Johnson

@ejcx_

Evan Johnson is an engineer at CloudFlare in San Francisco. He previously worked at LastPass and can distinguish diet coke from diet pepsi by taste.

Staying Above A Rising Security Waterline
Security is not a destination, it’s a journey. At CloudFlare, the journey is taking place daily at light speed. More products, more features, more services, more attack surface. I’ll talk about the technical work and process we created to maintain a high standard of security internally without burdening our developers.

Juan Carlos

kongo_86

Enjoys long walks with a debugger. As well as profound conversations with IDA. All while eating tacos and drinking redbull.

Reversing for humans.
This talk is about reversing malware in the easiest way possible. While the tactics and procedures for doing so are not new, the goal is to show you how you can get the simple things out and quickly identify the ‘things’ you need to assess its threat in your environment. This talk is for those that like to get dirty.

Brenton Kohler & Jacob Ewers

@kohlerbn & @J_ewers

RVA locals with an AppSec obsession, Brenton Kohler and Jacob Ewers.

Brenton Kohler is a Managing Consultant with Cigital, a software security company. Brenton has a MS degree from James Madison University in Secure Software Systems. He has professional experience as a developer, researcher, and consultant. Brenton’s security expertise includes software security group management, penetration testing, security assessments, and secure code reviews in a diverse set of technologies. In his spare time Brenton enjoys being active and spending time with his family.

Jacob Ewers, a Senior Consultant with Cigital, has over five years of experience working with clients to implement and optimize their security initiatives. After performing and leading countless dynamic and static assessments, Jacob began to focus on tackling the harder problems of how organizations can make sure that they’re doing AppSec “right” as solving the AppSec puzzle never looks the same for each type of organization.

So you’ve purchased a SAST tool
Despite the marketing, deployment of static application security testing (SAST) tools is much more than a point and click adventure. If you have purchased a SAST tool, you’ve undoubtedly had the thoughts, “Are we more secure?” “Are we done?” “Was that successful?” We will discuss the path for a successful SAST tool deployment, attempt to cut through the FUD in the industry regarding SAST, and highlight the real potential pitfalls you may face along the way through case studies.

Troy Wojewoda

@wojeblaze

Newport News Shipbuilding, a division of Huntington Ingalls Industries
Troy has been in the IT and Infosec industry for over 10 years, working in a wide array of roles such as application and system administration, network intrusion detection, wireless security, host and network digital forensics and incident response. Today, he leads the incident response team at his current employer and is also focused on cyber intel processing, IOC hunting, advanced adversary tracking, malware analysis and custom tool development. When Troy is not cybering the things, he enjoys being in the outdoors, taking things apart, home brewing and spending time with his wife and children.

Troy currently holds a B.S. in Computer Engineering and Computer Science from Christopher Newport University and has multiple certifications, including GSEC, GCIA, GCIH, GAWN, GREM, GCFA, GNFA and CISSP.

Bro’s before Flows
During an incident response, acquired network activity is critical in attempting to fully identify the what, when, where and how of a given incident. Security practitioners often find themselves losing “the full picture” over time and are therefore constrained to context-less logs to help explain an already complex problem. This talk will explore multiple levels of network data acquisition, from full packet capture solutions to rudimentary network logs such as those from routers and firewalls. We will attempt to find the acquisition “sweet spot” using tools such as the Bro IDS platform and show how such tools can be tailored to your organization.

Chris Romeo

edgeroute

Security Journey
Chris Romeo is CEO, Principal Consultant, and co-founder of Security Journey. His passion is to bring application security awareness to all organizations, large and small. He was the Chief Security Advocate at Cisco Systems for five years, where he guided Cisco’s Secure Development Life Cycle program, empowering engineers to “build security in” to all products at Cisco. He led the creation of Cisco’s internal, end-to-end application security awareness program launched in 2012.
Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris is a sought-after conference speaker, with experience speaking at the RSA Conference, ISC2 Security Congress, AppSec USA, and many others. Chris holds the CISSP and CSSLP certifications.

AppSec Awareness: A Blueprint for Security Culture Change
How does an individual change the application security culture of an organization? By deploying an application security awareness program with engaging content, humor, and recognition. See the blueprint for how you can build an application security awareness program based on real life experience. Change the security DNA of everyone in your organization.

Mark Weatherford

@marktw

Mark Weatherford is Chief Cybersecurity Strategist at vArmour. He has more than 20 years of security operations leadership and executive-level policy experience in some of the largest and most critical public and private sector organizations in the world including roles as:

• Principal at The Chertoff Group
• Appointed by President Obama as DHS’s first Deputy Under Secretary for Cybersecurity
• VP and Chief Security Officer at the North American Electric Reliability Corporation (NERC)
• Appointed by Governor Arnold Schwarzenegger as California’s first Chief Information Security Officer
• Chief Information Security Officer for the State of Colorado
• US Navy Cryptologic Officer

In addition, Mark was:

• Selected for SC Magazine’s “CSO of the Year” award in 2010
• Named one of the “10 Most Influential People in Government Information Security” by GovInfoSecurity in both 2012 and 2013
• Selected for the 2013 CSO Compass Award for leadership achievements in the security community

(Your) Inevitable Path to the Cloud
Like the switch from steam to electric power a century ago, the shift to cloud computing is inevitable—in fact, it’s already here. But what this brings in efficiency, it misses in security as the lack of visibility in the virtual environment allows too much room for malicious activity. This presentation details the structure and blind spots of data centers and cloud environments and addresses ideas for companies to consider in securing their data assets.

Rockie Brockway

Black Box Network Services
Rockie Brockway serves Black Box as Information Security and Business Risk Director and Senior Engineering Director. With over two decades of experience in InfoSec/Risk, he specializes in Information Security Risk Management and the inherent relationship between assets, business system and process, adversary and threats. For the past 6 years he has served in a vCISO role for a F500 manufacturing organization creating and improving their global Enterprise Security Architecture while building teams of trained red team killers and risk analysts for Black Box.

Enterprise Threat Management Like a Boss
Attribution is hard. And in most business cases unnecessary. Threat Management, like Vulnerability Management, is a core pillar in most Enterprise Security Architectures (ESA), yet it is a very different beast with completely separate functions, processes and skillset requirements. Similar to my previous talk on Enterprise Class Vulnerability Management, this talk takes the OWASP ASVS 2014 framework and applies it to Enterprise Threat Management in an attempt to make a clearly complicated yet necessary part of your organization’s ESA much more manageable, effective and efficient, with feasible recommendations based on your business’ needs.

David Sirrine

Red Hat, Inc.
Dave is a career Open Source security advocate, evangelist, and problem solver. Working closely with the product and platform security teams at Red Hat, he develops skills and knowledge of not just ensuring the Linux host is secured, but ensuring this level of security is maintained over time.

Open Source Identity Management: From Password to Policy
Learn how Open Source technologies such as FreeIPA (IdM) and SSSD can provide intelligent policy management and access control for your Linux environment, tighter Active Directory integration through cross forest trusts, and a variety of methods by which one can authenticate using Smart Cards, SAML, and OTP among others to systems and services. This session will also cover how to use the additional features and functionality of FreeIPA to provide a robust PKI infrastructure and DNS management to your environment.

Dawn-Marie Hutchinson

@CISO_Advantage

Dawn-Marie Hutchinson brings 15 years of enterprise information technology experience to her role as a senior consultant in the Office of the CISO at Optiv. She is an innovative business partner with extensive experience serving on Enterprise Risk Management teams. She is an expert in providing data privacy and security solutions to manage information risk, improve IT governance and strengthen internal controls.

Beyond the Security Team: The Economics of Breach Response
Breaches are expensive. So expensive that cyber insurance coverage is often lacking. This presentation explores the economics of breaches, the differences between breach and incident response and how you can align your security team’s goals with company values.

Steve Christey

@sushidude

Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting FDA CDRH on medical device cyber security. Steve was co-creator and Editor of the CVE list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for CWE, the Common Weakness Scoring System (CWSS), and the CWE/SANS Top 25 Most Dangerous Software Errors. He was a co-author of the influential “Responsible Vulnerability Disclosure Process” IETF draft with Chris Wysopal in 2002. He was an active contributor to other community-oriented efforts such as CVSS, CVRF, and NIST’s Static Analysis Tool Exposition (SATE). His interests include adapting traditional IT security methodologies to new areas, software assurance, improving vulnerability information exchange, and making the cybersecurity profession more inclusive for anybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.

Toward Consistent, Usable Security Risk Assessment of Medical Devices
“CVSS? For *my* medical device?” It’s more likely than you think.

With so many different stakeholders in the medical device ecosystem – including manufacturers, hospitals, researchers, third-party coordinators, and patients – it’s no wonder that risk assessment is looking kind of discombobulated right now. When a new medical device vulnerability comes out, rarely is there any agreement about how bad it is. It can be very difficult for health care providers to use existing information to make appropriate, defensible risk decisions.

If only there were a common vulnerability scoring system to stop the madness! Enter CVSS. But how can this IT-oriented system be used for evaluating medical device vulnerabilities, and should it? Fortunately, FDA’s CDRH has tasked MITRE to work with the medical device community to find out, so I’ll tell you all about it.

Michelle Schafer & Tim Wilson

Merritt Group
Michelle Schafer is Senior Vice President and runs the cybersecurity team at Merritt Group, an integrated marketing and public relations firm based in the DC area. Over the past decade, Michelle has represented more than 50 security companies including BlackHat, CrowdStrike, Mandiant, Netwitness, Venafi, MACH37, PhishMe, (ISC)2, PGP and Fortify Software, among others. She is a MACH37 mentor and frequently presents at conferences like RVASec and Security B-Sides about the role of media in cybersecurity.

Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech’s online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

The Changing Mind of the Security Pro — How Hype and Media Shape Infosec Priorities
One of the most difficult jobs of today’s security professional is setting priorities in a storm of news reports, vulnerability disclosures, and product announcements. With so much hype and misinformation on the Web and in the media, how can infosec pros determine which problems to tackle first? In this informative session, top experts in the fields of security PR and media will discuss the various ways that threats and technology are overhyped — and how you can sort through the noise to determine what really matters to your organization.

Andrea Matwyshyn

@amatwyshyn

This talk challenges the underlying assumptions of the “cyber” or “cybersecurity” legal and policy conversation. It argues that the two dominant paradigms – information sharing and deterrence – reflect last century’s policy approaches that channel our security energies in misguided directions: in their current form, they will neither thwart technology-mediated attacks on our national security nor meaningfully bolster consumer protection. Drawing insights from the work of seminal philosopher of science Michael Polanyi, this talk first identifies four analytical flaws that plague the legal and policy analysis of information security. It then offers a new policy paradigm – reciprocal security inducement. Reciprocal security inducement reframes the legal and policy security conversation around two key elements: information vigilance infrastructure and defense primacy. The talk concludes with a list of concrete legal and policy suggestions reflecting the reciprocal security inducement paradigm.*

*This talk contains bacon.