An unfortunate number of enterprises build their foundations on a false sense of security. They’ve implemented technical defensive measures, written policies, and established response procedures – and they feel ‘secure’. The problem is that until they’ve actively tested these in real-world scenarios, much like disaster recovery drills, they have no idea how well-prepared they really are for when the worst strikes. Perhaps more importantly, they have no idea where things will strain and break, and as a result they cannot compensate.
As Information Security leaders often find themselves playing whack-a-mole with compliance, business requirements and resource challenges, it can be easy to fall into a sense that everything is under control because the security posture looks good on paper – but how certain are you? Validating human and technical controls, policy elements and response procedures is vital to the prepared enterprise. It is true that the only way to design a safe vehicle is to repeatedly crash it and re-design it until it meets minimum safety requirements, but all of this must be done before the car is allowed to crash in a real wreck. Unfortunately, most enterprises simply go by what they’ve planned on paper, and it’s not until they wreck in the real world that they find out how poorly prepared they are.
This talk exposes the massive gaps in typical corporate “security” and discusses a step-by-step approach to making the most of Red Team exercises and a non-restrictive approach to security posture validation. Whether you’re a security manager, an executive, or someone who just really cares about their security posture – you will hear the how, what, and when of real security testing.
Rafal Los, Chief Security Evangelist for Hewlett-Packard Software, combines nearly 15 years of subject-matter expertise in information security with a critical business risk management perspective. From technical research to building and implementing enterprise application security programs, Rafal has a track record with organizations of diverse sizes and verticals. He is a featured speaker at events around the globe, and has presented at events produced by OWASP, ISSA, Black Hat, and SANS, among many others. He stays active in the community by writing, speaking and contributing research, representing HP in OWASP, the Cloud Security Alliance and other industry groups. His blog, Following the White Rabbit, with his unique perspective on security and risk management, has amassed a following among his industry peers, business professionals, and even the media, and can be found at http://hp.com/go/white-rabbit. Prior to joining HP, Los defined what became the software security program and served as a regional security lead at a Global Fortune 100 company, contributing to the global organization’s security and risk-management strategy internally and externally. Rafal prides himself on being able to add a ‘tint of corporate realism’ to information security. Rafal received his B.S. in Computer Information Systems from Concordia University, River Forest, Ill.