Tuesday, 12 September

Keynote Address ─ DIE Triad: Rethinking our approach to security
Sounil Yu, CISO & Head of Research, JupiterOne

The onslaught of ransomware has undermined our ability to maintain the confidentiality, integrity,
and availability (CIA) of our data. As attackers refine and mature their techniques to drive irreversible
outcomes, we must look at how we can become more resilient. But is securing everything by design
the best way to go about it? This session advocates that we need to move away from the traditional
borders of the CIA Triad to a new paradigm, called the DIE Triad (Distributed, Immutable, Ephemeral),
which enables us to truly be resilient against irreversible attacks.

Keynote Address ─ GLASS: Citizen Digital Wallets and Borderless Security
Bill Buchanan, Professor of Applied Cryptography, Edinburgh Napier University

The EU supports the unrestricted movement of people and goods throughout Europe as well as the
standardization of public services. The creation of the GLASS digital wallet and the incorporation of a
distributed e-Government application are both covered in this talk. With the use of a distributed ledger,
dApps, a wallet as a service (WaaS), and a trusted signature infrastructure, this strategy helps citizens
collect the necessary electronic identification and authorisation for paperwork.

[Track 1]
Sustaining Security and Privacy Efforts - How do we make security and privacy last?
Jassim Happa, Lecturer in Information Security, Royal Holloway, University of London

Sustainability is a multifaceted term with different meanings across disciplines. While commonly associated with environmental and economic aspects, it can also be applied to security and privacy. This presentation explores sustaining security and privacy efforts in both macro (organizational) and micro (software/hardware) contexts. Findings from a questionnaire of cyber security experts and workshops highlight the need for further study and clearer definitions. The purpose is to initiate a discussion rather than provide a definitive framework, as the concept of sustainable security has varied interpretations, including environmental, green, and financial aspects. The focus is on the capacity of security and privacy efforts and how properties like financial stability and environmental impact contribute to sustainability.

Takeaways:
1. A new perspective on security and privacy - one that prioritises how we make any security/privacy solution last for the long term.
2. An examination of the intersection between security and privacy with this new perspective.

[Track 2]
Machine Readable Indicators of Adversary Behavior
Charles Frick, Principal Staff, Johns Hopkins University Applied Physics Laboratory

APL, in collaboration with CISA and the OCA, has developed a reference implementation of shareable objects for representing adversary behaviors, detections, analytics, and correlation workflows. This talk will give an overview of the concept and provide access to the reference implementations, inviting open collaboration. The presentation will address the gap in Cyber Threat Intelligence sharing that arises when the focus is solely on Indicators of Compromise (IOCs), which have limited actionable timeframes. The IOB (Indicator of Behavior) Sub-Project, established by the Open Cybersecurity Alliance, will be introduced, highlighting how it extends the ATT&CK framework. The use of STIX and Knowledge Graphs will be explained, followed by an example illustrating the threat narrative of APT 37 REAPER and its translation into an IOB Bundle and STIX knowledge graph. The talk will showcase technical details, shared detections, and the incorporation of Open Standards by multiple organizations. An overview of the IOB Sub-Project and opportunities for collaboration will be presented, concluding with a summary of the efforts, links to relevant GitHub repositories, and a call for participation in the OCA and/or OASIS to contribute to further development.

Takeaways:
Attendees will be able to take away new insights on the concept and will be provided access to several reference implementations and analysis capabilities shared through the Open Cybersecurity Alliance Indicator of Behavior Working Group. They will also be invited to participate with government, academia and industry on future development of the concept and prototypes through open forums.

[Track 1]
Operationalizing Privacy (and Security) By Design: Strategies & Challenges in Shifting Left
Taylor Beck, Staff Privacy Architect, Uber

Privacy and Security by Design make a lot of sense from a risk mitigation and software development cost perspective. Risks can be addressed before coding, treated consistently across architectures, and enable business to operate with confidence. Article 25 of the General Data Protection Regulation further requires it. It has, however, remained a struggle to operationalize effectively. This session will cover strategies organization’s can employ to operationalize Privacy and Security by Design, the gaps that remain to be solved, and where automation and even generative AI can facilitate scalability.

[Track 2]
Automated Classification of Threat Actors in Intelligence Analysis
Ryan Hohimer, Senior Ontologist, Semantic Arts

Our method aims to automate the analysis of complex intelligence data sets about threat actors by capturing and applying the knowledge and experience of intelligence analysts. This automation expedites the analysis process, improves consistency, and enhances confidence in the results, augmenting current software tools and providing actionable intelligence. Despite the extensive knowledge possessed by human cyber threat analysts, the complexity of the cyber threat ecosystem surpasses human comprehension. While automation tools like aggregators, visualization techniques, and machine learning tools offer quick summarizations and conclusions, there is no consensus on their reliability. To address this, we propose Knowledge Representation and Reasoning (KR&R) methods that embed analysts' knowledge into an ontology and knowledge graph, enabling computers to automate threat analysis tasks. This capability benefits both new analysts for training purposes and seasoned analysts as assistance in their analytical processes. The presentation will demonstrate the application of this approach.

Takeaways:
1. Sample STIX 2.1 knowledge graphs from the OASIS Threat Actor Context Ontology (TAC Ontology).

2. How a STIX 2.1 Knowledge Graph can use KR&R methods to infer new logical findings such as further classifying threat actors in industry-specific threats.

3. How the OASIS TAC Ontology can be extended with industry specializations, e.g., Intel’s Threat Agent Library.

[Track 1]
Bits and Bytes of Wisdom on the Challenges of Researching Cyber Security and Privacy
Keith Martin, Director of Centre for Doctoral Training in Cyber Security, Royal Holloway, University of London

Cyber security and privacy (whatever these terms mean) are relatively recent fields of research endeavour. In this talk we reflect on some of the challenges involved in researching cyber security and privacy, as well as some of the opportunities presented by engaging with such an inherently multidisciplinary field. These perspectives are informed by 10 years and 100 cyber security and privacy PhD projects-worth of experience in running a multidisciplinary doctoral training research centre focused on cyber security and privacy at Royal Holloway, University of London.

[Track 2]
Revolutionizing Cyber Threat Intelligence: Leveraging Unstructured Data through Innovation and Automation
Shawn Hank, Vice President, EclecticIQ

Join the presenter as he delves into the challenges faced by the Cyber Threat Intelligence (CTI) function in processing and analyzing vast amounts of unstructured data from various sources. We will explore a unique approach that provides innovative solutions to tackle this complex task. The presentation is divided into three parts. First, he'll present a compelling real-world case study involving a modified Cobalt Strike variant, showcasing how unstructured data was transformed into structured intelligence to uncover associated Tactics, Techniques, and Procedures (TTPs). Next, examine the role of Structured Threat Information Expression (STIX) in transporting CTI data across different components of a typical CTI workflow. Finally, will share insights into the automated extraction of data from unstructured sources, enhancing the efficiency and effectiveness of the CTI workflow and maximizing the impact of the CTI function. Don't miss this opportunity to gain valuable insights into addressing the challenges of processing and utilizing CTI data effectively.

Takeaways:
1. Better understanding of STIX 2 and how it aligns with the shifting needs of the CTI practitioners and contributes to effective threat intelligence practices.

2. Recognizing how transforming data from unstructured sources can identify and combat threats through a real-world use case.

3. Appreciation and impact that automation has on data extraction and collaboration in the CTI field. Appreciation of the impact that automated data extraction has on the expediting cyber threat intelligence and the increased value it brings to CTI practitioners.

[Track 1]
What’s Private about a Public Private Partnership?
Stuart Murdoch, Founder & CEO, Surevine

The UK’s Cyber Security Information Sharing Partnership (CiSP), launched ten years ago, was the world’s largest cyber public-private partnership, with almost 20,000 members.  CiSP was the result of a private sector initiative, not Government mandate, and had distinctive characteristics making it a case-study, being cross-sector and having free and voluntary membership. Members include all thirteen sectors of Critical National Infrastructure; NCSC analysts and UK law enforcement. Conceived as collaboration environment for sensitive technical information, the objectives evolved as membership grew. Challenges arose relating to the “segmentation” of an increasingly broad membership. Privacy has been a crucial consideration: CiSP provided a secure place to share sensitive information which could be anonymized, and had certain Freedom Of Information Act exemptions. The platform’s data represents a globally unique repository of information for researchers and data scientists to derive invaluable insights into the evolution and effectiveness of national cyber public private partnerships.

[Track 2]
Global Frontiers of Cybersecurity: NIEMOpen's Expanding International Reach
Michael Phillips, Member of the NIEMOpen Cyber Project, Partner and VP of Cybersecurity Solutions for Cycurion

Cybersecurity criminal networks are international, sophisticated, and are rapidly developing next-generation threats to take your critical data and hold you to ransom. Embark on a journey through the dynamic realm where the NIEMOpen, formerly National Information Exchange Model (NIEM), intersects with international cybersecurity landscapes. This enlightening presentation will discuss some of these threats and unveil NIEM's role in bridging cross-border information exchange challenges to improve your cybersecurity posture and to establish secure and standardized data flows on a global scale. Explore the strategic partnerships and collaborative initiatives that empower NIEMOpen to extend its influence across international communities, fortifying cyber defense strategies and championing harmonized data protection practices worldwide.

[Track 1]
Universal Interoperability Framework for Innovation, Competition & Sustainability: Working together to unlock the identity market
Debora Comparin, Operations, Communication and International Relations, Secure Identity Alliance

The focus of this presentation is on the OSIA initiative, a transformative public-private partnership aimed at establishing an open standard for national identification infrastructures. OSIA offers a digital public good through its open standard interfaces (APIs), fostering seamless connectivity among all components of the identity management ecosystem, regardless of technology or vendor. Witness how the collaboration between the government and ID industry is unlocking the identity market, creating a universal interoperability framework to drive innovation, competition, and sustainability. Discover the potential of OSIA to revolutionize the identity landscape, enabling a future of secure, inclusive, and interoperable identification solutions for all.

[Track 2]
Defending against disinformation: Knowledge graph modelization and tooling
Samuel Hassine, Member of Defense Against Disinformation Project (DAD) and CEO/Co-Founder of Filigran

Adversarial influence, disinformation, and digital harm are on the rise and are endangering our public sphere in large part due to the power of today's web and platform technologies. With analysts, researchers and journalists, from public and private organizations, we strongly believe there is a continuum between cyber and information offensive operations. This talk is aimed to present a common on-going work involving a large number of organizations (what is already here and what is under construction) about adapting existing standards such as STIX / TAXII (Defending against disinformation OASIS Open Project) and tools (open source platform OpenCTI) to fill the gap of tooling and common taxonomies in this field.

[Track 1]
Critical New Data Privacy Standards: Achievements and obstacles
Antonio Kung, CEO, Trialog

Privacy engineering is a practice which is now further established, with the publication of standards such as OASIS-PMRM (privacy management reference model and methodology) in 2016, ISO/IEC 27550 (Privacy engineering for system lifecycle processes) in 2019, ISO/IEC 27555 (Guidelines on Personally Identifiable Information Deletion) in 2021, ISO/IEC 27556 (User-centric privacy preferences management framework), ISO/IEC 27559 (Privacy-enhancing data de-identification framework), and IEEE Standard for Data Privacy Process in 2022, ISO 31700-1 (Consumer Protection - Privacy-by-design for consumer goods and services - High level requirements), ISO 31700-2 (Consumer Protection - Privacy-by-design for consumer goods and services - Use cases) in 2023, and ISO/IEC 27561 (Privacy operationalization model and method for engineering or POMME) which is planned in 2024.

This presentation will leverage the advance on model-based system engineering standards, privacy model standards, interoperability standards to explain how they can be used to address data privacy in future digital twins, data spaces and metaverse, covering privacy threat models , privacy enhancing technology models and policy and behaviour models.  It will present the initiative to create a community on privacy models.

[Track 2]
Managing AI regulation in a world of open source
Amanda Brock, CEO, OpenUK

This presentation will explore the topic of managing AI regulation in the context of the open-source ecosystem. We will discuss the concept of Open Source AI, its rapid ascent on the political agenda, and the security concerns surrounding it. Additionally, we will examine how governments are approaching the regulation of AI in the open-source realm and delve into the responses from open-source communities. Lastly, we will focus on the specific direction the UK is taking in navigating this landscape. Join us for a comprehensive discussion on the challenges and strategies involved in regulating AI within the world of open-source technology.

[Track 1]
WhatsApp Key Transparency
Sean Lawlor, Software Engineer, WhatsApp, Meta

Earlier this year, WhatsApp announced their plans to launch key transparency for all WhatsApp users. Key transparency solutions help strengthen the guarantee that end-to-end encryption provides to private, personal messaging applications in a transparent manner available to all. In this presentation, we will cover how key transparency works, what the improved end user experience is for those wishing to verify their contacts’ public keys, and various deployment challenges and considerations we encountered when building our key transparency system. We also have released an open-source library called Auditable Key Directory (AKD) which we use in our deployment and can potentially serve as a reference point for others that wish to deploy key transparency in the future.

[Track 2]
How to Trust AI
Daniel Riedel, Executive Director GenLab, Digital Garage

During this captivating talk on "How Do You Trust AI?," the speaker will delve into the critical aspects of AI in cybersecurity, misinformation, and privacy. He'll explore the dark side of AI, including its potential for attacks on trust, society, and privacy, and the weaknesses it exposes in cybersecurity systems. Discover how the TrustedAI and ResponsibleAI methodologies play a crucial role in building trust and resilience in AI systems. The speaker will also delve into the importance of secure software development and its contribution to fostering trust in AI-powered systems. Learn about effective defense strategies against AI-powered cyber threats and privacy violations, leveraging standards such as MITRE ATT&CK, STIX/TAXII, and CTI. Additionally, he'll discuss the establishment of ethical AI principles and the safeguarding of privacy. Understand the significance of global collaboration in defining and implementing TrustedAI and ResponsibleAI, and explore the future implications of trustworthy AI applications. Don't miss this engaging discussion on the future of trust in AI, emphasizing the need for collaborative efforts and ongoing developments to ensure AI safety and trust.

Takeaways:
1. How to build trust and defenses around this AI new technology.
2. Why does the way we approach building AI matter, and why its secure software design 2.0.

[Track 1]
Lets Talk ABC’s: Global Security Policy Outlook
Taylor Roberts, Director, Global Security Policy, Intel Corporation

With the seemingly constant evolution of the cybersecurity threat landscape, global policymakers are increasingly turning to the private sector to elevate foundational cybersecurity capabilities through both carrot and stick policies. One needs only to look at the Cyber Resilience Act in the EU and the National Cybersecurity Strategy Implementation Plan in the US to get the sense that product security, secure by design/default, secure supply chains, and other industry-specific topics are clearly the key areas of security policy shaping the current regulatory agenda. Issues like Artificial Intelligence (AI), Bill of Materials (BoM), and Cyber Resilience will serve as the jumping-off point for our ABC exploration of the evolving trends in cybersecurity policy worldwide. While there is clearly no single one-size-fits-all approach to security regulations, understanding the differences in national/regional approaches to cybersecurity policy making will better inform engineers, developers, and researchers of how government security priorities could impact the technology marketplace moving forward.

(Panel Discussion) Collaboration and Innovation:
Advancing Research and Development in Cybersecurity and Privacy
Mark Mastrangeli, Co-Chair, Open Cybersecurity Alliance and Cloud Engagement Director, Palo Alto Networks
Alex Leadbeater, Chair, ETSI Cyber Security Technical Committee and Technical Security Director, GSMA
Ioannis Agrafiotis, Cybersecurity Expert, ENISA

This panel session brings together standardisation experts to discuss the crucial need for collaboration and joint efforts in advancing the state of R&D in cybersecurity and privacy. The session will begin with an overview of the current landscape of collaboration and standards opportunities. The panelists will share their insights on the existing gaps and challenges in R&D, funding, emphasising the need for government, industry and academia to work together.

Experts will highlight the role of standards and best practices, and outline ongoing efforts and discuss the potential for collaboration between standardisation bodies and other stakeholders. The panel joined for a forward-looking discussion on emerging opportunities for collaboration and innovation in the field. Specifically, the panelists will identify areas where joint efforts can lead to breakthroughs, such as the development of new technologies, fostering potential R&D programs, and creating public-private partnerships. Attendees will gain valuable insights from experts across various domains and leave with a deeper understanding of the importance of collaboration and emerging opportunities for joint advancements in the field.

Closing Remarks & Audience Feedback

Informal Happy Hour
The Packhorse Pub
(not covered  in registration package)

[Pre-recording of presentation will be available soon.]

Rhetoric and Reality: Privacy, E2EE and the UK’s Online Safety Bill
Dr. Konstantinos Mersinas, Senior Lecturer, Royal Holloway, University of London
Dr. Jane Marriott, Senior Lecturer, Department of Law and Criminology at Royal Holloway

The UK Online Safety Bill aims to minimize online harms and interpersonal offences, but concerns arise regarding its balance and effectiveness. The bill focuses more on offences involving Child Sexual Abuse Materials (CSAM) and grants increased powers to Ofcom, including potential circumvention of end-to-end encryption (E2EE). This intensifies the privacy vs. policing debate. The government claims to value privacy while implying the use of direct content moderation and bypassing E2EE, creating a contradiction. The discussion focuses on detecting problematic content and ensuring user awareness of providers' mechanisms and powers. Privacy is linked to freedom of speech, and encryption has heightened the debate. This presentation explores the contentious aspects of the Online Safety Bill and scrutinizes the UK government's rhetoric surrounding online safety and privacy.

An Integrated 'Intelligence-led' Purple Teaming Programme to Rapidly Reduce Risk and Generate Value
Nebu Varghese, Senior Director - EMEA Offensive Security Operations Lead, FTI Consulting LLP

Threat actors continually develop advanced tactics to bypass security defenses, posing challenges for SOC analysts. Reactive solutions like SIEM and firewalls struggle to proactively address modern threats. Red team assessments and penetration tests are limited or resource-intensive. To address this, we propose a quantifiable approach that prioritizes intelligence-led improvements through threat intelligence scenarios and 'purple teaming' operations. This continuous program challenges incident response, exercises the SOC, and enhances existing security functions. The goal is to rapidly reduce risk, protect value, and demonstrate return on security investments to the board and senior leadership.