ScotSecure West Summit 2024 - Glasgow 11th Sept

RayBugg 198 views 178 slides Sep 13, 2024

About This Presentation

Now in its 11th year, Scotland’s largest annual cyber security summit will host a sister event in Glasgow, Scot-Secure West. The event brings together senior InfoSec personnel, IT leaders, academics, security researchers and law enforcement, providing a unique forum for knowledge exchange, discuss...


Slide Content

Reducing Risk Through Threat Profiling Automation
Serge Palladino ~ Intelligence Services Consultant (EMEA)

Overview: Collect Intelligence -> Prioritize -> Reduce Risk!
(Diagram: Threat Landscape -> Prioritize Actors & Malware -> Prioritise TTPs -> Detection & Mitigation, Threat Hunting, Control Assessment)
Gather Intelligence:
●Frame the Threat Landscape
○Prioritise Actors & Malware
●Leverage MITRE ATT&CK
○Build Threat Profiles & Prioritise TTPs
●Automate
Ways To Reduce Risk:
●Detections & Mitigations
●Security Control Assessments
●Drive Threat Hunting

Benefits of Automated Threat Profiling
Identify threat actors, malware and vulnerabilities relevant to your organization
Why is it challenging?
●Vast amount of information
●Need to parse for applicability to your industry & organization
●Need a method to track, monitor & update threat information as the landscape changes
Why do it?
●Threat landscape is constantly changing; automation helps identify objectives of actors that may target you in a more dynamic way
●Prioritize threat actors & malware most likely to target your organization
●Understanding relevant threats allows you to make better budget and security resource allocation decisions

The Threat Landscape is Busy!

Expect the Unexpected

Asset Discovery & Collection
•Brands
•Domains
•IPs
•Executive Leadership
•Industry & Industry Peers
•Suppliers
•Threat actor methods of concern
•Tech Stack & Vulnerabilities

Vulnerabilities = Potential Opportunities!
Top vulnerabilities used in cyber attacks over the past six months
★36 vulnerabilities across 21 different products leveraged in ransomware operations!
★These vulnerabilities represent a wide array of CVEs ranging from zero-days to existing vulnerabilities that should have long since been patched in their operating environments.
More recently:
★CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks
★Microsoft Patches Zero-Day Flaw Exploited by North Korea's Lazarus Group (Attacks targeted Aerospace & Defence)
Highlights the importance of intelligence-led vulnerability management and continuous monitoring

Automated Threat Landscape
Threat Map / Malware Map
● Automated monitoring of the threat landscape tailored to your industry and organisation using the Recorded Future threat/malware maps; analysis is performed on a running window of one year of events.
● Powered by the Recorded Future cyber attack collection using machine-learning based Natural Language Processing and Insikt research analysis for targeting of your organisation and associated tech stack, vulnerabilities and third parties as well as your industry to identify threat actors and tradecraft.

Machine: Natural Language Processing
Human: Insikt Group

Threat Map Methodology: Calculating Opportunity
A correlation between the threat actor's capabilities and an organization’s vulnerabilities.

Threat Actor Sophistication
Default values are given to Opportunity for several threat actors (not all) based on their sophistication as assessed by Insikt Group. Additional evidence based on the Watch Lists is aggregated on top of the default value for the overall level of opportunity.
•High Sophistication - Opportunity = 75
•Moderate Sophistication - Opportunity = 50
•Basic Sophistication - Opportunity = 25
•Limited Sophistication - Opportunity = 5

Threat Map Methodology: Calculating Intent
•The threat actor has presented previous interest (expressed or manifested) against elements that are relevant to an organization
•Tracked using Recorded Future Watch Lists
Targets: IP, Domain, Brand, Industry Peers, Industry, Location, Executives, 3rd Party

Automated Threat Profiling
Prioritise Threat Actors
Top 10 threat actors with
highest levels of intent
and opportunity

Automated Threat Profiling
Prioritise Threat Actors
Attackers Watch List

Automated Threat Actor Profiling
Filtering Threat Actor TTPs

Automated Threat Actor Profiling
Filtering Threat Actor TTPs

Automated Malware Profiling
Prioritise Malware
Estimated Opportunity

Automated Malware Profiling
Calculating Malware Opportunity

Automated Malware Profiling
Filtering Malware TTPs
Even more sources!

Collective Insights for Threat Intelligence Module
Analytic for the data collected from Collective Insights:
●Malware families reported/detected recently, in the last 30 days, will be reported with a high level (75+) of prevalence and opportunity.
●Malware families reported/detected historically, from 31 days up to 90 days ago, will be reported with a medium level (50+) of prevalence and opportunity.
●The evidence related to a malware family will age out of the threat map after 90 days if no new detections are being reported.
The above values of prevalence and opportunity will be aggregated with any additional evidence related to the malware family, from other sources, with the logic presented in the Analytics section.
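The two scoring rules stated on these slides (the sophistication defaults for threat actors and the 30/90-day recency windows for malware families) are simple enough to write down as code, which makes the ageing-out behaviour easy to test. The block below is an added example for this page, not code from the slides or from Recorded Future. The slide defers the aggregation with other-source evidence to an "Analytics section" that is not on the page, so taking the maximum of the available scores is an assumption made here; the family names, detection dates and "other evidence" scores are constructed sample data.

```python
# Added example (not from the slides, not Recorded Future's code): the
# threat-actor and malware scoring rules described on the slides, in Python.
from datetime import date, timedelta

# Default Opportunity by assessed threat-actor sophistication (from the slide).
SOPHISTICATION_OPPORTUNITY = {"high": 75, "moderate": 50, "basic": 25, "limited": 5}

# Collective Insights recency rule (from the slide).
RECENT_DAYS, RECENT_SCORE = 30, 75          # detected within the last 30 days
HISTORICAL_DAYS, HISTORICAL_SCORE = 90, 50  # detected 31..90 days ago; older evidence ages out

AS_OF = date(2024, 9, 11)  # constructed "today" for the sample data (the summit date)


def actor_default_opportunity(sophistication):
    """Default Opportunity for a threat actor from its assessed sophistication level."""
    try:
        return SOPHISTICATION_OPPORTUNITY[sophistication.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown sophistication level: {sophistication!r}") from None


def recency_score(detection_dates, today=AS_OF):
    """Score a malware family from its most recent Collective Insights detection.

    Returns 75 (recent), 50 (historical) or None (no detection within 90 days:
    the evidence has aged out of the threat map).
    """
    if not detection_dates:
        return None
    age_days = (today - max(detection_dates)).days
    if age_days < 0:
        raise ValueError("detection dated in the future")
    if age_days <= RECENT_DAYS:
        return RECENT_SCORE
    if age_days <= HISTORICAL_DAYS:
        return HISTORICAL_SCORE
    return None


def malware_opportunity(detection_dates, other_evidence=(), today=AS_OF):
    """Aggregate the recency score with evidence scores from other sources.

    ASSUMPTION: the slide's aggregation logic is not on the page, so this
    example takes the maximum of the available scores.
    """
    scores = [s for s in (recency_score(detection_dates, today), *other_evidence) if s is not None]
    return max(scores) if scores else None


def rank_malware(families, today=AS_OF):
    """Return (family, opportunity) pairs, highest first; aged-out families are dropped."""
    ranked = []
    for name, (dates, other) in families.items():
        score = malware_opportunity(dates, other, today)
        if score is not None:
            ranked.append((name, score))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


# Constructed sample data: detection dates per family plus scores from "other sources".
SAMPLE_FAMILIES = {
    "FamilyA": ([AS_OF - timedelta(days=22), AS_OF - timedelta(days=72)], []),  # recent -> 75
    "FamilyB": ([AS_OF - timedelta(days=72)], [60]),                          # historical 50 vs other 60 -> 60
    "FamilyC": ([AS_OF - timedelta(days=133)], []),                           # aged out -> dropped
    "FamilyD": ([], [25]),                                                    # no detections, other 25 -> 25
}


def demo_ranking():
    """Ranking of the constructed sample families as of AS_OF."""
    return rank_malware(SAMPLE_FAMILIES)


def demo_score(days_ago):
    """Recency score for a single detection `days_ago` days before AS_OF."""
    return recency_score([AS_OF - timedelta(days=days_ago)])


if __name__ == "__main__":
    for family, score in demo_ranking():
        print(f"{family}: opportunity {score}")
    print("Actor with high sophistication:", actor_default_opportunity("High"))
```

The boundary cases worth checking are day 30 (still "recent"), day 31 (drops to "historical") and day 91 (the family disappears from the ranking altogether unless other sources still report it), which is exactly what the slide's ageing rule implies.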

Automated Malware Profiling
Understand the evidence and take action!
Evidence
Actions to Consider
MITRE Matrix Output

Threat Profiling with MITRE ATT&CK
Source: MITRE ATT&CK Navigator
MITRE ATT&CK Heatmap based on Threat Map Actors and TTPs extracted from Recorded Future
This visual shows you techniques actors relevant to you are likely to perform
Next steps: test and strengthen controls around these techniques

Operationalize & Reduce Risk

Reduce Risk… Driven by Intelligence
Control Assessments
●Understand security posture & validate controls against threats
●Red teaming to test & validate existing security controls in a prioritized manner
●Find technical & procedural gaps in coverage
●Where to start: Atomic Red Team
Detections & Mitigations
●Improve preventative controls to keep threats out
●Strengthen detections and controls most abused by adversaries
●Focus on TTPs most used by threat actors/malware
●Where to start: MITRE ATT&CK recommendations
Threat Hunting
●Find & mitigate threats within to disrupt actions on objectives.
●Search for malicious activity in your environment based on common adversary TTPs
●Hunt for tools & techniques, not IOCs
●Where to start: Sigma Rules

Improve Detections & Mitigations
Source: MITRE ATT&CK
Why?
●Get more value out of existing security tools & controls
How?
●Use threat actors' TTPs to inform a prioritized process for building better detections
●Track threat updates and IOCs for priority threat actors

Filter Top Priority Threat Actor TTPs

Control Coverage & Gaps

MITRE ATT&CK Framework with Splunk Enterprise Security

Assess Security Controls
Source: Atomic Red Team
Source: VECTR
Why?
●Develop a deeper understanding of security posture to make informed decisions about risk mitigation.
How?
●Validate your existing security controls based on relevant threat activity
●Use Red and Purple team to test technical & procedural controls & find gaps

Threat Hunting
Source: Pyramid of Pain: David J Bianco
Source: Recorded Future
Source: Recorded Future Splunk App
Why?
●Minimize impact of intrusions by detecting post-compromise activity prior to action on objectives
How?
●Proactively hunt for malicious activity based on gaps in coverage and common threat actor TTPs
●Elevate threat hunting by looking for malicious TTPs rather than IOCs
●Use Sigma and Yara rules to detect Tools & TTPs

Putting it all together
Monitor the threat landscape more dynamically
➢Automate the threat landscape based on your assets
➢Filter top priority actors & associated TTPs
➢Filter top priority malware & associated TTPs
Operationalise and take action!
●Ensure you have mitigations and detections in place for associated TTPs
●Test your controls - Use Atomic Red Team tests
●Run threat hunts using the resources under “Actions to Consider”

Questions?


Harriet Rogers
Strategic Cyber Threat Intelligence Specialist,
BAE Systems
#ScotSecureWest

© 2022 BAE Systems. All Rights Reserved.
BAE SYSTEMS is a registered trademark.
Strategic Threat Intelligence

Geo-politics and the cyber threat landscape

Strategic Threat Intelligence
Strategic / Operational / Tactical

Results
•Anticipate change and Impacts
•Transition from reactive to proactive
•Identify trends
•Support long term planning
•Define security posture
•Understand security impacts of organisational
decisions
•Prioritise resources
Insight enables anticipation
Provides context to threats
Understand impacts
Define posture

Collaborative process
(Diagram: Strategic Threat Intelligence at the centre, linked to S.O.C., S.L.T, Users, Industry Partners, RFIs, Risk, Supply Chain, OSINT, Business Development, Physical Security and Horizon Scanning; cycle of Direction -> Inputs -> Analysis -> Dissemination -> Feedback)

Activities and outputs
Annually
•Strategic threat landscape reports
•Regional, industry-specific, threat actor specific, OT, supply chain
6 monthly
•Deep dive reports
•E.g. use of open-source AI models, collaboration with research institutes
Quarterly
•Joint quarterly threat review
•Security council briefing
•Cyber security steering committee
Monthly
•Cyber threat working group
•Security operations working group
•Incident response and security testing
•Executive dashboard
Fortnightly / Weekly / Daily / As required (security, business stakeholders or leadership focused)
•SOC engagement
•OSINT reviews
•Special risk events
•Country specific threat reviews
•Education and awareness support
•Physical security
•Supply chain security
•Cyber risk team
•Joint security updates brief

Practical scenarios
In-country threat assessment - On-going threat
•Overseas footprint
•Highly contested cyber environment
•Critical technologies
•In country activity reported to cyber team; cyber risk & physical security teams engaged
•Enhanced Cyber Risk Assessment process enacted.
•Country threat profile and cyber landscape analysis.
•Technical analysis of infrastructure.
•Advice and mitigations put in place
M&A - Dynamic threat
•Pre-identified threat to M&As
•Integration of existing security
•Target of interest to threat actors
•Engaged stakeholders
•Network configuration and vulnerability surveys conducted
•Rapid change in landscape
•Very high threat
•Protection already in place
•Additional defenses immediately activated
Supply Chain - Long term threat
•Wide engagement reveals a critical supplier has been taken over by a foreign company.
•Raised at cyber threat working group.
•Affected sectors and supply chain security notified.
•Supply chain threat event process enacted: initial impact and risk assessment; continued assessment recommendations; future impact and actions.

Questions

Celine Pypaert
Security Transformation Manager,
Johnson Matthey
#ScotSecureWest

MORE THAN MONITORING
Proactive security made simple and human

ABOUT
Celine Pypaert, CISSP
Security Transformation Manager, Johnson Matthey
Women in CyberSecurity UK & Ireland Ambassador

MONITORING IS NOT ENOUGH
Can security be more than a Sisyphean catch-up game?

TOOLS DO NOT EQUATE “SECURITY”
Buying shiny bullets while still running XP or not patching is like putting a gold-plated roof on top of a crumbling house. Oh, and the house is on fire.

“We believe that the nature of this legacy infrastructure contributed to the severity of the impact of the attack.”
- The British Library
bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf/

Blockers to modernisation
•Dependencies!
•“If it ain’t broke, why fix it?”
•Not understanding the impact
•Too expensive. Tactical at the expense of strategic
•Lacking accountability, governance, communication

“A BALANCE BETWEEN THE PREVENTATIVE MEASURES AND ALSO YOUR RECOVERY MEASURES”
- Lewis Woodcock, Maersk
The Maersk cyber attack - How malware can hit companies of all sizes (kordia.co.nz)

CYBER RISK IS BUSINESS RISK
More than a cost centre: how to get the Business on board with security & communicate

ALIGN CYBER GOALS WITH BUSINESS GOALS
Read your Annual reports and look at the overall business risks and overall objectives: this will help you align your cyber strategy to them

IT’S NOT AN OVERNIGHT PROCESS
Anticipate and plan before End of Life with sustainable asset lifecycle management.
Start small. Plan strategically in phases, until you reach the north star!
Fit it into the Pipeline! (FY25, FY26, FY27, FY30+)
Here’s What You Can Do To Manage Your Technical Debt (forbes.com)

USER / PEOPLE-CENTRIC SECURITY
Make it relatable (why should they care?)
More trust = more business
Persona-based identity & access, end user compute

Boards speak differently about risk than cyber folks talk about risk.
And yet, cyber risks are an intrinsic part of many business risks, but this link is not always communicated effectively.

MAKING THE CASE FOR CYBERSECURITY
1.Explain in business terms the impact if materialized. Ask what is the biggest overall risk? Budget will not be allocated in the right priority if they don’t understand why.
2.Get sponsorship from the Executive Team, and (hot take!) if needed, auditors are your friend
3.More than a risk repository: hold people accountable and see that logged Risks get actioned upon
“Cyber transformers excel at integrating cybersecurity risks into Enterprise Risk Management”
- Accenture

Normalise security accountability and responsibility throughout the organisation
Zero Trust Overview and Playbook Introduction [Book] (oreilly.com), 2023

BEYOND PROTECTING THE BUSINESS
Security as enabler

“Aligning cybersecurity to business objectives helps drive revenue growth and lower costs of breaches”
State of Cybersecurity Report 2023 | Accenture

NOT JUST STOPPING THE BAD: SECURITY ALSO ADDS POSITIVES
•Better user & customer experience
•Smoother Joiner Mover Leaver process
•Secure third-party access
•Innovation unlocked
•Readiness for Gen AI*
*This wasn’t going to be a cyber talk if I didn’t mention AI at some point! ;)

THANK
YOU
Celine Pypaert, CISSP
[email protected] | linkedin.com/in/cel-py

Elliott Went
Senior System Engineer
SentinelOne
#ScotSecureWest

Adapting to the
Cybersecurity Revolution:
Unleashing AI for Effective
Defence
Elliott Went
Solutions Engineer

Presentation Agenda
■A(I) New Attack Surface
■AI as a Defence
■AI Use Cases & Approach
■AI Integration Roadmap

A(I) New Attack Surface

AI Attacks
Deep Locker
•Targeted Identification
•Logic Detonation Mechanism
•Facial and Voice Recognition
Black Mamba
•ChatGPT Polymorphic Malware
•Dynamically Generates Code
•Unique Malware Payloads
MalGAN
Extensible. Targeted. Covert.
•Generates Adversarial Malware
•Bypass ML-based Detections
•Feed-forward Neural Networks

AI Weaponising Frameworks
•Social Engineering
•Data Poisoning
•Spear Phishing
•Deepfake Attacks
•PassGAN
•Jailbreaking
•DDoS @ Internet Scale
•Adversarial Attacks

A(I) New Attack Surface – LLM TTPs
•Optimized Payload Crafting
•Informed Reconnaissance
•Anomaly Detection Evasion
•Supported Social Engineering
•Enhanced Scripting Techniques
•Security Feature Bypass
https://atlas.mitre.org/matrices/ATLAS/ https://atlas.mitre.org/mitigations

AI as a Defence

Gifts of Generative AI
Creation: creates artefacts of value given a (multimodal) specification. Detection Code; Incident Summaries.
Interaction: supports fluent, context driven dialogue (with knowledge). Step by Step Guidance; Self-documenting Work.
Prediction: offers a completion, given a sequence and constraints.

Attacker Activity
Remedial Action

NextGen AI Defences
Detection. Attribution. Auto-remediation.
Meshed ML Engines
•Static & Dynamic ML
•Policy based remediation
•Massive alert volume reduction
•Multi surface coverage
TTP Attribution
•Aligned to MITRE ATT&CK
•Sequenced TTPs to tell the ‘story’ of the attack
•Visualisation of the attack processes
Intelligent Policy
•Auto remediation
•Inherited best practice policy
•Break inheritance for special surface populations

Fighting AI with AI
Tactical AI Defences:
•Automated Investigations
•Correlating Attack Patterns
•Applied Machine Learning
•Prioritize Critical Defences
•Adaptive Responses
•Breach Risk Prediction

AI Use Cases & Approach

AI as an Assistant
SecOps Assistant / Automated Analyst / Configuration Assistant
AI should be a ‘security assistant’ that empowers every analyst to detect earlier, respond faster, and stay ahead of attacks.


AI Integration Roadmap
Security AI Platform
Simplified Ingestion: best ingestion by normalizing data (OCSF) for 1st and 3rd-party data.
Advanced Detection: rapid detection in real-time. Advanced detection engines to create Event and Graph-based detections.
Investigation: industry-leading threat intelligence and blazing fast event search across all data for deep investigations.
Advanced Analytics: access all your data while leveraging pre-built dashboard templates or create and manage your own dashboards.
Analyst Experiences: optimized workflows with risk-based prioritization to improve security posture, respond to alerts, and manage incidents.
Response: stop cyber threats, no matter the impacted asset, through 1-Click mitigation actions and orchestration integrations for customized automated playbook responses.

In Summary…

Key Takeaways
•Immense Potential for Attacking Capabilities
•Potential Enhancements: Significantly Enhances Cybersecurity
•Continually Advance Defensive AI
•Defensive Collaboration is Vital for Effectiveness
•Humans Augmented with AI
•Holistic

Thank You
Sentinelone.com
[email protected]

Iain Dougan
SSEN Transmission Head of OT & Cyber
Scot Secure West
Wednesday 11th September
IT & OT – Collaborating to Protect Critical Infrastructure

Who we are
We are SSEN Transmission, the trading name for Scottish Hydro Electric Transmission.
We are responsible for the electricity transmission network in the north of Scotland, maintaining and investing in the high voltage 132kV, 220kV, 275kV and 400kV electricity transmission network.
Following a minority stake sale which completed in November 2022, we are now owned 75% by SSE plc and 25% by Ontario Teachers’ Pension Plan Board.
We are one of the fastest transmission network operators in Europe, delivering critical national infrastructure; our Regulated Asset Value (RAV) is forecast to grow from £5.7bn currently to at least £10bn by March 2027.

IT & OT – A Perfect Marriage?
•IT and OT ‘Convergence’ at a Digital/Technology level is
happening/has happened
•Whilst systems and infrastructure are converging people
and teams remain separate
•To make collaboration more effective SSEN Transmission
have taken a decision to bring IT and OT together under a
single Digital function
•IT and OT need to collaborate in a way that recognises the
individual attributes of each function
•These strengths/differences can be leveraged to create a
stronger whole than the individual parts
•Having a better defined IT/OT ‘centre’ helps to then define
RACI with wider Engineering and Ops functions – paving
the way for better collaboration on topics like Cyber Security

Defining the IT/OT Boundary
•Utilising the Purdue Model we have defined
where the boundary around an expanded
IT/OT organisation sits
•This sets a clear demarcation where the CIO
function stops and we move into Engineering
(Protection marks the boundary)
•From here a set of RACI’s can be developed –
Hand In’s and Off’s properly understood
•The boundary will be different for different
businesses however it is key that a shared
understanding of where it lies is defined
“I need my own space…”

Challenges
“You keep hogging all the bed covers”
•Within SSEN-T, IT didn’t have the greatest reputation – initial efforts to collaborate were met with suspicion
•RACI in some areas will naturally be blurry – Networks and Telecoms
•Relationships that are now ‘internal’ still need work – OT apps and infrastructure
How did we overcome these?
•Look for quick wins – where are areas you can deliver benefit quickly to prove your worth? Lockdown gave some great examples…
•Top down leadership and role modelling is key
•Setting some principles for how we collaborate gives something for teams to use when conflicts arise
•We have a huge pitch to cover – no point in arguing over who owns the corner flag…

Benefits
•Able to remove duplication – OT teams taking an ‘SME’
role with Engineering/Ops being ‘hands and eyes’ in
the field
•Working collaboratively on shared challenges
•Different perspectives bring different/better solutions
•New problems require blended skillsets – securing
Digital Substations needs blend of IT infrastructure,
Networking, Security and Electrical Engineering skills
•Scaling is a massive challenge for SSEN Transmission
– not having to butt up against RACI challenges helps
with this
“Communication is the key to every successful
relationship”

A Services Approach to Everything
•Shared challenge across OT and Engineering to achieve Basic CAF profile by end of 2023 – and now Enhanced Profile by end of 2027
•Embedding strong service management disciplines within OT was a significant accelerator in achieving Basic CAF
•Strong Governance and Risk Management coupled with adherence with ITIL V4 Practices stands SSEN Transmission in good stead to
continue to demonstrate the Basic profile and the further demands of the Enhanced profile
•Adopting Software Development Lifecycle principles has assisted in understanding where obsolescence exists within OT apps and
extending this boundary out to devices
“My life was a bit chaotic until I met you”
CAF Objective                                                   | CAF Principle                                                       | ITIL V4 Practice Mapping
Objective A - Managing Security Risk                            | Governance                                                          | Risk Management
Objective A - Managing Security Risk                            | Asset Management                                                    | IT Asset Management
Objective B - Protecting Against Cyber Attack                   | Secure Configuration                                                | Service Configuration Management; Change Enablement
Objective C - Detecting Cyber Events                            | Monitoring Coverage; Securing Logs; Identifying Security Incidents  | Monitoring and Event Management; Incident Management
Objective D - Minimising the Impact of Cyber Security Incidents | Response Plan; Response and Recovery Capability                     | Service Continuity Management

Security Team
•Securing the estate is only something that can be done with
all parts of the organisation operating in concert
•Identity and Access Control is done by the IT support
teams
•Asset management is done by the IT teams and the
field services teams
•New joiners, leavers and clearances is done by HR
•Supply chain security is operated by procurement and
audit & compliance
•In order to succeed we need to be surrounded by teams
that are clear on their responsibilities.
•Good cyber security is not just about a good cyber
security team – it’s about lots of functions operating
effectively
“Finding friends that ‘gets us’ as a couple”

Infrastructure Modernisation & Cloud
•IT Infrastructure Modernisation and Cloud are coming to
Operational Technology
•NCSC paper on SCADA in Cloud moves things forward -
‘no longer a no’
•Key recommendations
•There are Security benefits IF deployed in the right way
•Readiness needs to be considered across People,
Process and Technology
•Modern infrastructure approaches give more diversified resilience than traditional on premise solutions
•The skills needed are mainly found within the IT side of the
org – collaboration will be even more critical moving forward
•Fuse lit on a slow burning platform…
“I don’t know where I’d be if I hadn’t met you”

Is this a match made in
Heaven?
•Divorce will be VERY expensive – and possibly not an
option (who gets custody of the Digital Substations?)
•Marriage counselling is healthy – we need to talk!!
•Speak to other couples – what works well for them?
Steal with pride!!
•Definitely better together – but there will be big bumps
on the road to navigate

We are hiring!!!
•Significant volume of both OT
and Cyber roles being
recruited over the next two
years
•Careers - SSEN Transmission
(ssen-transmission.co.uk)

Classification: Unclassified
From quishing to deepfakes: The latest phishing threat trends in
James Dyer
Threat Intelligence Lead, Egress
September 11th, 2024

© Egress Software Technologies. All rights reserved.
Agenda
•The threat landscape in 2024
•Four trends
•Detection
•Key takeaways

The threat landscape in 2024
•Consistent volume of attacks…
•…but sophistication is increasing
•Focused, targeted attacks are becoming the norm versus bulk campaigns
•Continued rise in the use of legitimate systems

Four key trends in 2024

Four key trends
•Quishing and payload evolution
•AI in the hands of cybercriminals
•Multi-channel attacks
•Evading SEG detection

Quishing and payload evolution

Quishing
•Familiarity breeds complacency
•10-15% of attacks are quishing
•Trusted technology by reputable organisations
•Cheap and readily available
•Harder to detect using traditional capabilities
•Move people away from email and onto mobile
The evolution of phishing email payloads since 2021 (% of phishing emails)
Payload                          | 2021 | 2024
Attachments                      | 72.7 | 35.7
Phishing hyperlinks              | 21.9 | 36.3
'Payloadless' social engineering |  5.4 | 17.3
QR codes                         |  0.8 | 10.8

Quishing: Other attachments

AI in the hands of cybercriminals

AI: Reconnaissance
• Processing information at incredible speeds
• Aggregate and correlate data across numerous data breaches to uncover different platforms for multi-channel attacks
• Correlate any identifying information from these breaches

AI: Scale
• LLMs and NLG used to create well-written and convincing attacks
• Create and refine both message body and payloads
• Deepfakes: the use of Zoom and mobile phone calls as the second step in multi-channel attacks has increased
• Increasingly “commoditised” and don’t require significant resources to access
Volume of phishing emails relying solely on social engineering: 2020 7.25%; 2021 8.68%; 2022 17.98%; 2023 19.01%

AI: Automation
• Cybercriminals don’t even need to be at their computers to generate advanced phishing attacks
• Automate research, creation, and sending of highly targeted attacks at scale

Multi-channel attacks

Multi-channel attacks
• Increase in multi-channel attacks
• Teams and Slack are most common, followed by SMS
• Adds legitimacy and moves people into potentially less secure channels
Chart: The mechanisms cybercriminals use to contact their targets following an initial phishing email in multi-channel attacks: Teams 30.8%; Slack 19.2%; SMS 18.6%; LinkedIn 12%; Zoom 8.9%; Mobile phone call 4%; Other 6.5%.

Multi-channel attacks
1. Initial phishing email sent to the victim in a multi-channel attack, with Egress Defend anti-phishing banners visible.
2. Interaction via Microsoft Teams, with the cybercriminal impersonating David, to deliver a phishing hyperlink.

Evading SEG detection

Evading SEG detection
• 52% increase in attacks getting through signature-based and reputation-based detection
• Top three tactics used:
  • Compromised accounts
  • Phishing hyperlink payloads
  • Technical obfuscation

Threats get through the SEG
Chart: Sources of phishing emails that got through SEG detection between Jan 1st – March 31st, 2024: Compromised account 43.9%; Vendor email compromise 4.4%; Webmail 38.7%; Phishing domain 13%.
Chart: Phishing payloads that bypassed SEG detection between Jan 1st – March 31st, 2024: Phishing hyperlink 43.6%; Attachment 36%; 'Payloadless' attack 11.9%; QR codes 8.5%.

Threats get through the SEG
Chart: Primary obfuscation techniques used to get through SEG detection between Jan 1st – March 31st, 2024: Hijacking legitimate websites 24.9%; Phishing hyperlinks contained within attachment image 19.6%; HTML smuggling 16.2%; Homoglyphs 14.4%; Image-based 9.4%; QR codes 8.5%; Encoding 6.9%; Whitespace 3.6%; Left-to-right 2.5%.

Detection

Key considerations for detecting advanced attacks
• Go beyond traditional detection capabilities
• Use AI-powered tools
• Linguistic analysis (NLP and NLU)
• Machine learning to develop baselines
• Link rewriting and time of click analysis
• Security of AI!
• Holistic detection
• Real-time teachable moments for continuous education
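As an added example (not Egress code), the Python below shows what a link-rewriting / time-of-click check can look for, covering four of the hyperlink obfuscation techniques listed in the obfuscation chart above: homoglyph or mixed-script hostnames, bidirectional (left-to-right / right-to-left) control characters, hidden zero-width whitespace, and percent-encoded hostnames. The confusables table is a small constructed subset of the Unicode confusables list, and the sample links are constructed for illustration.

```python
"""Hyperlink obfuscation checks (added example, not Egress code).

Flags four techniques named on the page: homoglyph / mixed-script hosts,
bidi control characters, hidden whitespace, and percent-encoded hostnames.
The confusables table is a constructed subset, not the full Unicode list.
"""
import unicodedata
from urllib.parse import unquote, urlsplit

# Unicode bidi embeddings, overrides and isolates: they reorder displayed text
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Zero-width and other invisible code points that break exact-match signatures
INVISIBLE = frozenset("\u200b\u200c\u200d\u2060\ufeff\u00ad")
# Constructed subset: Cyrillic letters that render like ASCII letters
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyse_link(href: str) -> dict:
    """Return the host the link really points at plus a list of findings."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in href):
        findings.append("bidi-control")
    if any(ch in INVISIBLE or ch.isspace() for ch in href.strip()):
        findings.append("hidden-whitespace")
    # Drop the invisible characters so the parser sees what the browser resolves
    cleaned = "".join(ch for ch in href.strip()
                      if ch not in BIDI_CONTROLS and ch not in INVISIBLE
                      and not ch.isspace())
    host = urlsplit(cleaned).hostname or ""
    if "%" in host:
        # Browsers decode percent-escapes in the host, so a signature on the
        # literal text misses the real domain; decode before comparing
        findings.append("percent-encoded-host")
        host = unquote(host)
    scripts = {script_of(ch) for ch in host if ch.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed-script-host")
    # Map confusable letters back to ASCII so the look-alike domain is visible
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    if skeleton != host:
        findings.append("homoglyph")
    return {"host": host, "skeleton": skeleton, "findings": findings}


# Constructed sample links, one per technique
SAMPLE_LINKS = {
    "clean": "https://login.microsoft.com/",
    "homoglyph": "https://p\u0430ypal.com/signin",        # Cyrillic 'а' for 'a'
    "bidi": "https://example.com/report\u202efdp.exe",     # RLO reverses 'fdp.exe'
    "zero-width": "https://exam\u200bple.com/",            # ZWSP inside the host
    "encoded": "https://%65xample.com/",                   # %65 is 'e'
}


def scan(links: dict) -> dict:
    """Run analyse_link over name -> href, returning name -> findings."""
    return {name: analyse_link(href)["findings"] for name, href in links.items()}


if __name__ == "__main__":
    for name, href in SAMPLE_LINKS.items():
        print(name, analyse_link(href))
```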

Key takeaways
• Be aware that the landscape is evolving
• Email isn't the only channel
• Analyse your current policies and tech
• Intelligent technology to detect advanced attacks

Our presentations and webinars are for information only and don’t constitute advice. Professional advice should always be obtained. No liability is accepted for the use of the contents (or any errors or inaccuracies). Please read our privacy policy at www.egress.com/website-privacy. By reading this presentation or attending our webinar you confirm that you’ve read and agree to this disclaimer. All intellectual property rights in this presentation are retained by Egress Software Technologies Limited (or its licensors). This presentation or webinar was provided on behalf of: Egress Software Technologies Limited (12th Floor, The White Collar Factory, 1 Old Street Yard, London, EC1Y 8AF, UK. Registered in England and Wales, 06393598) or Egress Software Technologies Inc. (a Massachusetts corporation, 268 Summer Street, Level 3, Suite 2, Boston, MA 02210). Both are part of the Egress Software Technologies group of companies. Egress is a trademark of Egress Software Technologies Limited.
Thank you for your time

David McKenzie
Ethical Hacker & Blue Team Specialist
#ScotSecureWest
BREAKOUT I

What are the odds of ....
Somewhere between 78 minutes and 8.5 million computers

Who do you think you are?

Housekeeping…

The Content
The CrowdStrike outage in July 2024 was a significant incident caused by a faulty update to their
Falcon sensor software, specifically related to Channel File 291. This update introduced a logic error
that led to widespread system crashes, particularly affecting Windows devices running Falcon sensor
versions 7.11 and above. The error caused Blue Screen of Death (BSOD) errors, and systems entered
a reboot loop, making recovery particularly challenging.
This outage had a global impact, affecting approximately 8.5 million devices across various sectors,
including financial services, transportation, healthcare, and government services. For instance, major
airlines had to ground flights, and hospitals faced delays in critical services. The financial sector also
saw disruptions in online banking and stock exchange operations.
CrowdStrike and Microsoft worked together to mitigate the issue, but the recovery process required
manual intervention, which was time-consuming and complex, especially for large organizations. The
economic impact of this outage was severe, with estimated losses for Fortune 500 companies
potentially exceeding $5 billion.

Show of Hands

The Good

The Bad
The fix, had to be manually done at every station

The Bad

The Bad

The Ugly

Never waste the opportunity offered by a good crisis
(Machiavelli not Churchill)


And finally…

Dave McKenzie co-founder
[email protected]
@_davewm_
Scot-Secure West 2024
What are the odds of .... Somewhere between 78 minutes and 8.5
million computers
Thank you.

Lena Smart
CISO & Business Consultant
#ScotSecureWest

So you’ve been hacked - now what?
How to keep yourself and your team prepared, motivated and healthy - before, during and after a hack.
Lena Smart
CISO (retired, kind of…)
Scot-Secure West
September 11th 2024

Smart Cyber Consulting LLC
What we will be discussing today
I wanted to share the stories of CISOs who have worked at companies that have been
hacked.
We read about these events online, but what happens before, during and after these
events?
How do you keep your team spirits up when they’ve been awake for 38 hours straight?
How do you tell your customers, C-suite and Board what has happened?
Let’s find out.

Smart Cyber Consulting LLC
A little bit about me
●First CISO at NYPA, Tradeweb & MongoDB
●Board member - American Society for AI
●Advisory board member (6 companies)
●Avid reader (I’ll read anything)
●Bad cellist (really bad)
●Love to learn new things (AI prompt engineering)
●Love to teach and help others in the industry

Smart Cyber Consulting LLC
SANS PICERL
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned

Smart Cyber Consulting LLC
The 6 sequential steps of PICERL
Prepare: People. Policies. Procedures. Plans.
Identify: Awareness. Unusual Processes. Alerts. Monitoring.
Contain: Stop the bleeding. Notify Management. Assign criticality.
Eradicate: Delete artifacts. Discover root cause. Restore backups.
Recovery: Return to Ops. Test everything. Monitor.
Lessons Learned: Document incident. Blameless post mortem. Seek funding*

Smart Cyber Consulting LLC
Preparation:

Smart Cyber Consulting LLC
Identification
Detection. Monitoring. Chain of custody.

Smart Cyber Consulting LLC
Containment
Chain of custody
Limit the scope and magnitude of the incident.
Notify the appropriate people.
Kill backdoors, patch exploits and remember to document everything!

Smart Cyber Consulting LLC
Eradication
The goal is to eliminate all traces of malicious activity
●Remove malware
●Check credentials for any trace of compromise (escalated
privileges)
●Patch vulnerabilities
●Restore affected systems to a secure state

Smart Cyber Consulting LLC
Recovery

Smart Cyber Consulting LLC
Lessons Learned
THIS IS THE MOST IMPORTANT PART!!!
Documentation, documentation, documentation.
Review all affected parties, including customers. What could you have done better? What was done well?
Start working on the budget (you’ll need money to fix the broken stuff)
Provide an Executive Summary for customers / Board members etc
Update Policies and Procedures as needed.
Consider “NO BLAME” post mortems. You’ll be glad you did.

Smart Cyber Consulting LLC
Okay, so now what?
You’ve done everything right. Followed the plan.
You fixed the problem.
There wasn’t too much reputational damage, or material cost (hopefully).
Your customers are back on track.
Work is returning to normal (how long depends on how bad the incident was).
Your team though - how are they doing? Has anyone asked?

Smart Cyber Consulting LLC

Smart Cyber Consulting LLC
The psychological impact of being hacked
Ask any CISO when they were hacked - they can tell you to the second
when it happened and what they were doing.
Happened to me at MongoDB the evening of Wednesday December 13th
2023.
When I saw the Slack message from a trusted employee, saying that they
thought we had been hacked, I felt physically sick.
Then the professional in me kicked in and I got to work, and didn’t sleep for
38 hours…

Smart Cyber Consulting LLC
Helping your team deal with the impact
●Remain calm. As a CISO, I’d say this is the number one requirement for the
job!
●Be the buffer between your team and upper management / the Board.
●Make sure the team is focused on what they SHOULD be doing.
●Be prepared for the unexpected:
○Laptops breaking on Christmas Eve
○Babies arriving early
○People traveling due to holiday season
●REMAIN CALM!

Smart Cyber Consulting LLC
The psychological impact of a hack on the team
As a CISO you should:
●Acknowledge and support emotional well-being
●Promote open communication
●Provide access to professional support (Employee Wellness Programs)
●Encourage work/life balance (when possible)
You should NOT:
●Start assigning blame - it’s unproductive and unprofessional
●Think that “knowledge is power” - do not withhold information from your team
●Panic - instead, encourage a calm and methodical approach to handling the
situation

Smart Cyber Consulting LLC
How to handle the C-suite and Board
●Communicate clearly and transparently
●Translate technical details into business impact
●Outline the Incident Response Plan and progress (do this regularly)
●Engage in constructive dialogue
●Request support for additional resources (budget / personnel etc) - do this as
early in the process as you can
Do not take the hack personally. It’s difficult not to - but trust me, you do not want to
go down that rabbit hole.

Smart Cyber Consulting LLC
How to handle the irate customer
●Listen actively and empathetically - they are probably scared too
●Provide clear, honest and ACTIONABLE information
●Reassure and focus on solutions
●If appropriate look at offering compensation or additional tech support
●Maintain open communication
I held many customer calls and made sure I had the appropriate level of people on the
call(s). CISO to CISO discussions go much better than having 15 people who are super
technical and want to deep dive into the weeds…

Smart Cyber Consulting LLC
The money problem…

Smart Cyber Consulting LLC
Wrapping it all up
3 key takeaways from this talk:
1. Prepare for the worst and practice that preparation regularly
2. Take care of yourself - you’re no good to your team if you’re sick
3. Don’t be afraid to ask for help - reach out to other CISOs

Smart Cyber Consulting LLC
Question time.

Thursday 11th September 2024 | Hilton Hotel, Glasgow, UK
#ScotSecureWest

Eoin McGrath
Solutions Engineer
ThreatLocker
#ScotSecureWest
BREAKOUT D

How to Create a Successful Malware Campaign
Eoin McGrath
Solutions Engineer
How to defend against cyber threats.

Network
•Endpoints on Network
•Servers
•LAN
Endpoint
•Malware
•Remote Access Tools
Cloud Apps
•Office 365
•GSuite
•CRM

Tips to Create Successful Malware

How is Malware Detected?
Traditional Antivirus
Next-Gen AV
EDR
Behavior Based*: looks at more than just a file.

Tips and Tricks to Create Successful Malware

Write Unique Code

Use an ICON?
Royal Ransomware

Sign Your Code?

Use Local
Servers

Use Existing
Software

100% of Malware
is Detected During
AV and EDR Tests

100% of Successful
Cyberattacks
Were Not Detected in
Time, or at All.

Every Time You Open
Software on Your Computer
That Software Can Access
EVERYTHING You Can.

How is Malware Distributed?
Social Engineering
• Email with a download link
• Teams or similar messaging apps
• Attached directly to an email. “I_love_you.vbs”
• Social Media – “Speed up your computer” OR “Stop companies spying on you”
• Embed malware in an office macro
• Leave a USB drive in a parking lot
Vulnerabilities
• Internet Explorer 2019
• Zoom 2020
• Office, over and over again
• RMM
• Windows, Eternal Blue, and Multiple RPC
• RDP
• MoveIT
Supply Chain
• CCleaner 2017
• SolarWinds
• 3CX

Microsoft ‘Follina’


What should you be doing? (Endpoint)
• Block Unauthorized Software
• Ringfence trusted applications.
• Secure Configuration
• Patch
• Control Storage
• Endpoint Detection and Response.

Take Away Admin Rights


Tips to Move Across Networks

With the Cloud The Network is the Internet
North Korea
Russia
China

Port Scan of All Devices on the Network
Angry IP

Exploit Vulnerable Software
Nessus

What should you be doing? (Network)
• Close Inbound Ports
• Use Host Based Firewalls.
• Use Dynamic ACLs
• How IoC Detection and Response

Dynamic ACLs

What should you be doing? (Network, Endpoint, Cloud)
Endpoint:
• Block Unauthorized Software
• Ringfence trusted applications.
• Secure Configuration
• Patch
• Control Storage
• Endpoint Detection and Response.
Network:
• Close Inbound Ports
• Close Outbound Traffic on Servers
• Use Host Based Firewalls.
• Use Dynamic ACLs
• How IoC Detection and Response
Cloud:
• Ensure you are working with Good Companies.
• Dual Factor Authentication
• Use IP Restrictions Where Possible.
• Send Logs to SOC or MDR

ThreatLocker® Zero Trust Endpoint Protection Platform: Allowlisting, Ringfencing, Network Control, Storage Control, Elevation Control, Detect, Configuration Manager, Community

Quick Tips


Kevin Robertson
Chief Operating Officer and Co-Founder,
Acumen Cyber
#ScotSecureWest
BREAKOUT H

Develop, not operate, your way to success

Whoami
Develop, not operate, your way to success

Traditional SOCs vs Modern SOCs
Traditional: a SOC Director over SOC Manager 1, SOC Manager 2 and SOC Manager 3, each managing a T1 Analyst, a T2 Analyst, a T3 Analyst and a Security Engineer.
Inefficient | Expensive | Siloed skills | Burnout
Modern: a flat team of SOC Engineer 1 to SOC Engineer 5.
Efficient | Cost-effective | Diverse skillset | Less chance of burnout

So…what is developing your way to success?
Quality Over Quantity: Hire 5, expect the productivity of 10, and reward them like 8.
(The specifics may vary, but you get the idea!)
Automate Relentlessly: Automate processes until it hurts. Then automate some more.
•Example: Saving just 5 minutes per engineer per day with automation. With 10
engineers, that adds up to 3,650 minutes per year – equivalent to around 7.5
workdays saved.
•Example: Certain tasks can be fully automated – for instance, logging in from a new
country without other detections. This could trigger a Slack message to the user for
confirmation, an email to the manager, or any other custom workflow.
Evaluate Every Incident: Assess the effectiveness of your detection logic.
How can it be improved?
The Best Guide for Running a Modern SOC: Surprisingly, it isn’t a security book: Site
Reliability Engineering – How Google Runs Production Systems.
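The new-country login automation described in the second example above, written out as an added example (not Acumen Cyber's code): a login from a country a user has never logged in from is routed to the user for confirmation (the slide's Slack message, plus a note to the manager) when no other detection has fired for that user in a window, and escalated to an engineer when one has. The event records, field names and the one-hour window are constructed assumptions.

```python
"""New-country login triage (added example, not Acumen Cyber's code).

A successful login from a country never seen for that user is sent to the
user for confirmation when no other detection fired for them within a
window; if another detection did fire, it is escalated to an engineer.
All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: successful logins plus other detections
EVENTS = [
    {"ts": "2024-09-01T08:00:00", "user": "alice", "type": "login", "country": "GB"},
    {"ts": "2024-09-02T09:10:00", "user": "bob", "type": "login", "country": "GB"},
    {"ts": "2024-09-05T08:05:00", "user": "alice", "type": "login", "country": "GB"},
    {"ts": "2024-09-10T07:55:00", "user": "carol", "type": "login", "country": "FR"},
    {"ts": "2024-09-10T08:00:00", "user": "alice", "type": "login", "country": "US"},
    {"ts": "2024-09-10T09:00:00", "user": "bob", "type": "login", "country": "DE"},
    {"ts": "2024-09-10T09:12:00", "user": "bob", "type": "detection", "name": "mfa_push_spam"},
    {"ts": "2024-09-11T08:01:00", "user": "alice", "type": "login", "country": "GB"},
]


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def other_detections(events: list, user: str, around: datetime,
                     window: timedelta) -> list:
    """Names of non-login detections for `user` within +/- `window` of `around`."""
    return [e["name"] for e in events
            if e["user"] == user and e["type"] == "detection"
            and abs(_ts(e) - around) <= window]


def triage_logins(events: list, window: timedelta = timedelta(hours=1)) -> list:
    """Walk logins in time order, keeping a per-user baseline of seen countries.

    Returns one action per new-country login:
      ask_user  -> Slack confirmation to the user, email to the manager
      escalate  -> another detection fired for the same user, hand to an engineer
    A user's very first login only seeds the baseline and produces no action.
    """
    seen = defaultdict(set)
    actions = []
    for event in sorted(events, key=_ts):
        if event["type"] != "login":
            continue
        user, country = event["user"], event["country"]
        if seen[user] and country not in seen[user]:
            related = other_detections(events, user, _ts(event), window)
            actions.append({
                "user": user,
                "country": country,
                "action": "escalate" if related else "ask_user",
                "related": related,
            })
        seen[user].add(country)
    return actions


if __name__ == "__main__":
    for action in triage_logins(EVENTS):
        print(action)
```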

How to get started
Evaluate Your Current Position:
•What are your metrics? MTTD (Mean Time to Detect), MTTA (Mean Time to
Acknowledge), MTTR (Mean Time to Resolve), MTTC (Mean Time to Contain)?
•What skills do you currently possess in abundance? What skills are you lacking?
•How do you approach staff training? Who is leading your development strategy?
•Is your leadership team fully committed? Do they embody the qualities necessary for
success?
•Do you have the right technology in place? Do you have a roadmap/budget specifically
assigned to advance the strategy?
Build a Comprehensive Plan:
•Consider the key pillars: People, Process, Technology, Automation.
•Develop your approach across these stages: Ad-hoc, Tactical, Strategic, Measured.

People
1. Ad-hoc: Basic staff training aimed at meeting company or vendor compliance requirements.
2. Tactical: Regular, dedicated time each week for employees to focus on upskilling.
3. Strategic: Cultivate a culture where continuous learning and knowledge sharing are embedded into daily practices, supported by leadership.
4. Measured: Align key metrics with training objectives. Focus on continuous improvement and timely upskilling for emerging threats. For example, within 48 hours of a significant 0-day vulnerability release, ensure 50% of engineers are proficient in detection and mitigation techniques.

Process
1. Ad-hoc: Respond to alerts as they come in from the platform.
2. Tactical: Leverage threat intelligence to automatically enrich alerts, streamlining triage and response times.
3. Strategic: Implement correlation logic for multiple alerts and establish a lessons learned process after every major incident.
4. Measured: Implement and track metrics that improve incident response, including reduced resolution times, enhanced detection accuracy, QA fail rates, and increased playbook coverage. Continuously refine processes, integrating automation and lessons learned for ongoing efficiency and effectiveness improvements.

Technology
1. Ad-hoc: Implement a logging solution to store historical and forensic data.
2. Tactical: Deploy basic detection logic, using vendor out-of-the-box (OOTB) rulesets.
3. Strategic: Focus on seamless integration of new platforms with existing systems to ensure interoperability, support a robust detection engineering program, and unify multiple solutions across various attack vectors, preventing data silos and enhancing overall security posture.
4. Measured: Track MITRE ATT&CK framework coverage and atomic testing compliance. Implement a mature route-to-live process for detection logic.

Automation
1. Ad-hoc: Alerts generate notifications sent to platforms like Slack, Teams, and via email to responders.
2. Tactical: Enhance all alerts with threat intelligence upon ingestion and pre-populate search queries within the ticketing platform for faster response.
3. Strategic: Invest in a mature SOAR solution, enabling engineers across the organisation to actively contribute to the automation lifecycle.
4. Measured: Quantify the ROI of automation efforts by tracking the percentage of enrichment at ingestion, the percentage of automated response actions, and the time saved, allowing for the reallocation of resources to higher-value tasks.

Closing thoughts
Getting Detection & Response Right:
D&R is crucial but challenging. Don’t neglect the basics—investments in endpoint
protection, email security, and CSPM offer great returns.
Targeted Investment:
1% of attacks can cause 99% of the damage. Invest in niche areas if they present
real threats to your organisation.
Balanced Strategy:
People, process, technology, and automation are all vital components of a
successful security strategy. Avoid over-investing in technology if you lack the
skilled personnel to operate it. After all, a skilled carpenter with basic tools will
always outperform an unskilled carpenter with the best tools.

Continuous Improvement:
Security is not a one-time effort. Regularly review, update, and refine your
strategies to adapt to the evolving threat landscape. Continuous improvement
should be at the heart of your security operations.
Collaboration is Key:
Foster a culture of collaboration within your security team and across the
organisation. Sharing knowledge and working together on incident response,
detection engineering, and automation efforts can significantly enhance overall
security effectiveness.
Measure What Matters:
Focus on metrics that directly impact your security outcomes. Whether it's
reducing incident response times, improving detection accuracy, or increasing
automation efficiency, tracking the right metrics will guide your strategy and
highlight areas for improvement.

Thank You

Wednesday 11th September 2024 | Hilton Hotel, Glasgow, UK
#ScotSecureWest

Rachel Close
Senior Responsible AI Manager,
BBC
#ScotSecureWest
BREAKOUT J

Security & AI
Do we really need new governance?
Rachel Close
Senior Responsible AI Manager (Governance & Risk)
Image: Teresa Berndtsson / Better Images of AI / Letter Word Text Taxonomy / CC-BY 4.0

Responsible AI

Responsible AI
Let’s go back pre-2022….

Responsible AI
AI development lifecycle / process (pre-2022 assumptions):
Models & data are transparent
Technical / AI savvy
Understand governance & compliance
End use is known/predictable
Process takes time, with gates
Models & data are more transparent
Evaluation toolkits available
Not huge numbers
Risk is contained / predictable
Others have done this before

Responsible AI
And industry guidance reflects this…

Responsible AI
Industry guidance for the AI development lifecycle / process:
Technical language / concepts
Technical testing / evaluation
Standards, Risk & control framework
AI Impact Assessment
Process-based governance

Responsible AI
And now…

Suddenly the processes don’t align as well…

RAI as a service for all
Responsible AI
But that doesn’t mean AI is a free for all

RAI as a service for all
Responsible AI
STAFF USING AI TOOLS
3RD PARTIES USING / PROVIDING AI
BUILDING AI

Staff using AI tools
Responsible AI
STORYTELLING
Supporting AI literacy through metaphor
Bringing the issues (and solutions!) to life for teams
CULTURE
Reinforcing existing software approval processes
Embedding a culture of responsible AI
Reducing risk from shadow AI

BBC AI Principles (grounded in BBC Values and BBC Editorial Values)
We will act in the best interests of the public: Fairness; Security & Robustness
We will be open and transparent: Transparency & Clear Explanations; Accountability; Human Oversight
We will prioritise talent and creativity: Respecting Rights; Human Creativity

Chad G. Peters
I haven’t been to university but have done lots of online training and respond well to feedback. I’m looking for a position within the media industry that will enable me to make a big impact.
• Makes stuff up, plagiarism, defamation
• Prone to bias, gender and racial stereotypes
• Sends sensitive information off to third parties
• Not clear what he’s worked on

3rd Parties Using and Providing AI
Responsible AI
THIRD PARTY RISK MANAGEMENT
Embedding AI questions into due diligence
Careful technical and legal review
Accountability
ALIGNING THE OUTCOMES
Making sure AI use is aligned to BBC values and principles
Reinforcing roles and responsibilities

Aligning the Outcomes

Third Party Risk Management
Supplier:
• Confirming training data, both for applicability and rights
• Confirming testing done
• Confirming RAI approach
• Agreeing protections in the contract
Internal User:
• Confirming how the tool and outputs will be used
• Confirming we have the rights to input relevant data
• Confirming the right people have been consulted

We can’t outsource accountability!

Building AI
Responsible AI
TESTING
System and user testing
Red Teaming
Bias Testing
SECURE DEVELOPMENT
Using secure models and restricting access
Maintaining data integrity and quality
Security by Design
DOCUMENTING
Model cards and data sheets
Records of your risk assessments

Secure Development
Access Management. Data Quality and Integrity. Security by Design.
Just like any other technology!

Testing
Secure system testing without live data
User testing with representative group
Red teaming, including adversarial attacks
Bias testing to improve awareness

Nothing is one and done!

So do we really need anything new?
Responsible AI

DON’T RE-INVENT THE WHEEL*
What we already have: RISKS, GOVERNANCE, COMMS, TRAINING
Responsible AI
*UNLESS IT’S BROKEN

What we may need to develop: CO-ORDINATION & COLLABORATION; SINGLE AI STRATEGY; CO-ORDINATED RISK APPROACH FOR AI
Responsible AI

Responsible AI
RESPONSIBLE AI alongside the existing functions: DATA PROTECTION, INFOSEC, LEGAL, EDITORIAL POLICY, COMMERCIAL & RIGHTS

Responsible AI
In conclusion…
The reality sits somewhere between “Nothing new required” and “Rip it up and start again”.
We have the tools, it’s now about the evolution!

Thank you
[email protected]
This image by Jamillah Knowles / © We and AI / Better Images of AI / People and Ivory Tower AI / CC-BY 4.0

Ryan McConechy
CTO,
Barrier Networks
#ScotSecureWest
BREAKOUT C

XDR Demystification
Ryan McConechy
Chief Technology Officer

What’s in our tool bag?
EDR, E-Mail Gateway, CASB, SWG, NGFW, NTA, AV, NAC

What else you got?
Attack Surface Management
Vulnerability Management
SIEM
MDR

Hello security tortoise

Say no to slow
Time spent: triaging alerts; gathering info from tools; analysing context
Gives adversaries time to: compromise systems; exfiltrate/encrypt data

XDR tortoise jetpack
Very XDR. Much Response. Threats Hunted. So single pane. Big investigate. Many Correlations.

Wait, isn’t it just SIEM?
Functionality
Detection vs Response
Business value

Demo

Challenge and choices
Vendor agnostic? Vendor match? Isolated?

Do I need it?
Multiple security technologies
Multiple vendors
Alert fatigue
Slow security response

Can I do anything more?
XDR handling threat response…
What about compliance?

Questions?

@barriernetworks

Katherine Chipdey
Director: Solutions Engineering and Alliances,
Automox
#ScotSecureWest
BREAKOUT E

Proactive Risk Reduction in an Age of Infinite Vulnerabilities

Agenda
●What is the state of the threat landscape
●Why is proactive risk reduction critical to
keeping a secure environment in today's day
and age
●How can we implement safe automations to
keep a baseline of compliance to
continuously lower risk in our environments

The Volume Problem
Published CVEs per year: 2015: 6,480; 2017: 14,645; 2019: 17,308; 2021: 20,161; 2023: 28,961; 2024: 34,888
35% of all attacks were patch exploits

The Tool Problem
Multiple on-prem tools: COMPLEX
VPN dependent: INFLEXIBLE
Minimal automation: TEDIOUS

The Time Problem
102 Days: Average time to remediate critical vulnerabilities.
7 Days: Time it takes adversaries to weaponize and exploit new critical vulnerabilities.
1 Day: 90% of Automox customers harden critical infrastructure within 1 day of an identified vulnerability.

AUTOMATION
Thoughtful Automation to make the mundane easier
ARCHITECTURE
Cloud-Native: Zero infrastructure. Zero VPNs. Zero hassles.
Cross Platform: Windows, macOS, Linux, and third-parties from the same solution
REST API: Infinite integration and automation with your other toolsets
FUNCTIONALITY
Patch: Any software, any endpoint, anywhere in the world
Control: Seamless remote control of endpoints and software deployment
Configure: Automate any action you can imagine, or pull from our catalog of Worklets

Patch everything, automatically
Windows, macOS, 10+ Linux distributions
SINGLE PANE OF GLASS
Hundreds of software titles
TRULY AUTOMATED PATCHING
Hundreds of hours saved

Hands-free configuration, everywhere
Automate any action: INSTANT ACTION AT SCALE with AI or custom scripts
Pre-built from the Worklet Catalog: PLUG AND PLAY AUTOMATION
Automox Time to Remediation
● 10:00AM: Microsoft releases Patch Tuesday details
● 10:48AM: Automox releases custom-built worklet for CVE-2023-26910
● 12:00PM: Automox released PT blog with script and expert advice
● 12:01PM: Customers remediate en masse with Message Queuing RCE vulnerability worklet

Automate Any Task, on Any Endpoint
Monitor any condition. Measure any state. Deploy any package. Take any action.
= Save your team time, reduce risk proactively

Prevent Attacks & Breaches
SOLUTION: Work Less. Patch Management
Automated: Spend minutes, not careers managing patches and configurations
Yes, Everything: Any server, laptop, or cloud workload + native third-party software patching
SOLUTION: Work Fast. Vulnerability Management
Remediate Now: 90% of our customers patch zero-day vulnerabilities in less than 24 hours
Vulnerability Sync: Upload vulnerability reports and deploy CVE-specific packages in minutes.
Upload reports from…
Stop reactively remediating and set a baseline of compliance with AX policies that reduce your risk up to 95% off the bat

Automation Roadblocks
53% cited security concerns as a significant barrier to automation in endpoint management*
• Third-party patches and ransomware risks
• Access creep
• Unsigned PowerShell risks
• Lack of visibility (pre- and post-automating)
*Based on the 2024 State of IT Operations Report

Automation. Laying the groundwork.
PEOPLE
●Get team buy-in
○i.e., Calculator
●Define process owners
●Secure executive sponsor
●Tap into in-house knowledge
●Brag for future support
PROCESSES
●Identify frequent, mundane tasks
●Understand current workflow frequency and inventory
●Determine priority/severity
●Develop process-oriented steps (bridge IT -> Security)
PRODUCT
●Know your tech stack and if/where to invest
●Leverage SaaS
●Don’t reinvent the wheel (leverage existing scripts)
●Demonstrate results with the right reporting
Don't forget your Automated Patching Checklist

Thank You

Maxim Filatov
Data Scientist,
Meta
#ScotSecureWest
BREAKOUT B

Fraud Detection and Prevention:
Leveraging Advanced Techniques to
Safeguard the Marketplace
Maxim Filatov

About Me
●Data Scientist in Commerce and Ads Integrity at Meta (last 3 years)
●Prior to that, 5 years on the Anti Fraud team at Yandex
●Built a comprehensive Anti Fraud System for Yandex Market

Marketplace-Specific Challenges in Fraud Prevention
●Physical Goods & Direct Losses:
○Costly FN and FP: Fraud leads to tangible losses (e.g., stolen high-value products)
○But delivery times offer a window to detect and stop fraud
●Complex Ecosystem:
○Multiple actors are involved – sellers, buyers, logistics, support, and more
○The diversity of payment methods, shipping options, and product categories requires tailored fraud prevention strategies for each

Common Fraudulent Activities in Marketplaces
●Buyers:
○Promo code, discount, and cashback abuse
○Account takeovers, returns, and non-pickups
●Sellers:
○Scams, duplicates, stock blocking, fake reviews
●Logistics:
○Cancellation fraud, delivery theft/substitution
●Payments:
○Stolen cards, chargebacks, BNPL fraud
●Internal Fraud:
○Misuse within logistics and support teams, internal auctions
●DDoS, cookie stuffing

Key Red Flags in Fraud Detection
●Unusual account activities
○Note: Fraud may be rampant in early stages or with weak defenses
●Unprofitable orders and suspicious order patterns
○Extreme discounts, multiple identical purchases
●Behavioral anomalies
○Use of multiple addresses, cards

Fraud Detection Techniques
●ML for Classification & Anomaly detection: Classify orders, prices, users to detect deviations
●Clustering: Group users, orders and patterns to detect outliers
●Fingerprinting: Track users/devices across sessions
●Behavioral & Technical Signal Analysis
●Discover fraud schemes through historical data

Real-Time Monitoring & Predictive Analytics
●Prevent rather than mitigate
●Monitor high risk segments
●Profitability Model: Analyze customer and order profitability to assess risk
●User Scoring: Rank users by risk based on behavior
●Clustering to find networks and limit fraud scaling

Prevention Measures
●Hard restrictions: Prepay-only, no promo codes
●Soft restrictions: Dynamic cart limits and purchase delays
●Seller & Logistics:
○Identity verification protocol at onboarding
○Payout delay
●Dynamic restrictions on risky segments and activities to limit potential harm
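The red flags, the user-scoring idea and the hard/soft restriction tiers from the preceding slides, worked through as an added example in Python (this is not code from the talk or from Meta). The order fields, the red-flag weights, the score tiers and the use of a median/MAD (modified z-score) outlier test for "extreme discounts" are all assumptions chosen for illustration; the sample orders are constructed.

```python
"""Added example (not code from the talk): rule-based red-flag features,
a robust anomaly check on order discounts, a user risk score, and the
mapping of score tiers to the talk's hard/soft restrictions.  Field names,
weights and thresholds are assumptions chosen for illustration."""
from collections import defaultdict
from statistics import median

# Constructed sample orders (not real data):
# (order_id, user_id, address, card, item, list_price, paid_price, promo)
ORDERS = [
    ("o1", "u1", "addr-A", "card-1", "phone",  800.0,  760.0, "WELCOME5"),
    ("o2", "u1", "addr-A", "card-1", "case",    20.0,   18.0, None),
    ("o3", "u2", "addr-B", "card-2", "phone",  800.0,  160.0, "STAFF80"),
    ("o4", "u2", "addr-C", "card-3", "phone",  800.0,  160.0, "STAFF80"),
    ("o5", "u2", "addr-D", "card-4", "phone",  800.0,  160.0, "STAFF80"),
    ("o6", "u3", "addr-E", "card-5", "laptop", 1200.0, 1100.0, "SPRING5"),
    ("o7", "u4", "addr-F", "card-6", "tv",     600.0,  570.0, None),
]

# Assumed weights: how strongly each red flag contributes to the user score.
RED_FLAG_WEIGHTS = {
    "multiple_addresses": 2,
    "multiple_cards": 2,
    "identical_purchases": 3,
    "anomalous_discount": 3,
}


def discount_ratio(order):
    """Fraction of list price given away (0.8 means an 80% discount)."""
    return 1.0 - order[6] / order[5]


def anomalous_orders(orders, threshold=3.5):
    """Flag orders whose discount is an outlier by the modified z-score
    (median / MAD), which tolerates a handful of extreme values better
    than a mean / standard-deviation test.  Returns a set of order ids."""
    ratios = {o[0]: discount_ratio(o) for o in orders}
    med = median(ratios.values())
    mad = median(abs(r - med) for r in ratios.values())
    if mad == 0:                       # no spread at all: nothing to flag
        return set()
    return {oid for oid, r in ratios.items()
            if 0.6745 * (r - med) / mad > threshold}


def user_features(orders):
    """Per-user boolean red flags drawn from the 'Key Red Flags' slide."""
    by_user = defaultdict(list)
    for o in orders:
        by_user[o[1]].append(o)
    flagged = anomalous_orders(orders)
    features = {}
    for uid, user_orders in by_user.items():
        items = [o[4] for o in user_orders]
        features[uid] = {
            "multiple_addresses": len({o[2] for o in user_orders}) >= 3,
            "multiple_cards": len({o[3] for o in user_orders}) >= 3,
            "identical_purchases": max(items.count(i) for i in set(items)) >= 3,
            "anomalous_discount": any(o[0] in flagged for o in user_orders),
        }
    return features


def risk_score(features):
    """Weighted sum of the red flags that fired for one user."""
    return sum(w for flag, w in RED_FLAG_WEIGHTS.items() if features.get(flag))


def restriction_for(score):
    """Assumed tiers mapping the score to the talk's prevention measures."""
    if score >= 8:
        return "hard: prepay-only, no promo codes"
    if score >= 3:
        return "soft: dynamic cart limit and purchase delay"
    return "none"


def score_users(orders):
    """Return {user_id: (score, restriction)} for every user in orders."""
    return {uid: (risk_score(f), restriction_for(risk_score(f)))
            for uid, f in user_features(orders).items()}


if __name__ == "__main__":
    for uid, (score, action) in sorted(score_users(ORDERS).items()):
        print(f"{uid}: score={score} -> {action}")
```

On the constructed data only user u2 trips every flag (three addresses, three cards, three identical phones at an 80% discount) and lands in the hard-restriction tier; the other users score 0. The point of the median/MAD test is that three outliers out of seven orders would pull a mean-based z-score towards them, while the median stays with the honest orders.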

Credibility and trust
●Measuring Effectiveness
○$ value of TP/FP
○Monitor customer complaints regarding AF measures
●Ensuring Quality control
○Continuous recall/precision measurement via Human Review
○Dark web monitoring to detect emerging fraud trends
●Customer support and investigation process for fraud complaints
○Establish clear communication channels and feedback loops between fraud prevention and support teams

Aligning Fraud Prevention with Business Goals
●Focus on business objectives, not just rules: anti-fraud measures should support overall profitability
●Influence product design for safety: integrate security features into the product
●Leverage all data sources: use internal and external data, including fingerprints, behavioral, and transaction data
●Collaborate with external partners, e.g. BNPL providers
●Align product and payment fraud systems for better protection
●Make Fraud Unprofitable: Fraudsters will exist—make it costly for them

Real-World Fraud Case Studies
●Case 1: Surge in Returns, two schemes:
○Genuine items replaced with counterfeits
○Internal auction exploitation
●Case 2: Spike in Order Cancellations
○2.1 Partial Cancellations
■Abusing discount logic and free shipping
○2.2 Full Cancellations after prepay
■Exploiting instant bank cashback

Ben Hall
Director of Technical Account Management
Tanium
#ScotSecureWest
BREAKOUT G

© 2024 Tanium. All rights reserved.
Ben Hall - Director, Solutions Engineering
Tanium
Scot-Secure West 2024
Winning at Cybersecurity
A Strategic Approach

So... how do you win at Cybersecurity?

Visibility & Control | Continuous Safeguarding | Detection & Countermeasures

Visibility & Control
•Asset Discovery – You can only protect what you know
•Identify Critical Assets – Budget is limited, focus on important assets
•Access Control – You need access to take actions

Visibility & Control
Challenge Statement from a customer…
•Organic growth – multiple tools, poor coverage = inaccurate picture
•Processes for decom are flawed; devices still alive after decom
•No good baseline; we (think) we patch 82% of our known estate
•We patch little of our unknown estate
What we did to change this
•Implemented a new discovery process using Tanium that:
○identifies assets on the network
○labels them – what are they, where are they?
○brings them under management
○uses automation to maintain an accurate posture
•Use this data to feed accurate inventory to the CMDB: asset hardware and software inventory is now accurate and real-time
•Implement a new automated patching solution:
○Now covers 98% of the known estate
○Minimises the unknown estate
○Reduces manual overhead and significantly reduces mean time to patch
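The discovery-versus-CMDB reconciliation behind the customer story above, as an added example in Python (not Tanium code and not the customer's tooling): it sizes the unknown estate, finds decommissioned devices that are still alive, and reports patch coverage separately for the known and unknown estate, which is exactly the split the slide's 82% / "little of our unknown estate" figures describe. The record layouts and the host names are constructed.

```python
"""Added example (not Tanium code): reconcile a discovery scan against the
CMDB to size the unknown estate, find decommissioned devices still alive on
the network, and report patch coverage for known vs. unknown estate.
All records below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CmdbRecord:
    hostname: str
    status: str          # "active" or "decommissioned"


@dataclass(frozen=True)
class DiscoveredHost:
    hostname: str
    os: str
    patched: bool        # meets the current patch baseline?


# Constructed CMDB content: what the organisation *thinks* it has.
CMDB = [
    CmdbRecord("web-01", "active"),
    CmdbRecord("web-02", "active"),
    CmdbRecord("db-01", "active"),
    CmdbRecord("db-02", "active"),            # recorded, but never seen
    CmdbRecord("old-fs-01", "decommissioned"),
    CmdbRecord("old-fs-02", "decommissioned"),
]

# Constructed discovery output: what is actually answering on the network.
DISCOVERED = [
    DiscoveredHost("web-01", "Windows Server", True),
    DiscoveredHost("web-02", "Windows Server", True),
    DiscoveredHost("db-01", "Ubuntu", False),
    DiscoveredHost("old-fs-01", "Windows Server", False),   # alive after decom
    DiscoveredHost("lab-pc-7", "macOS", False),             # unknown estate
    DiscoveredHost("lab-pc-8", "macOS", True),              # unknown estate
]


def reconcile(cmdb, discovered):
    """Compare discovery against the CMDB and return the gaps and coverage."""
    known = {r.hostname: r for r in cmdb}
    seen = {h.hostname: h for h in discovered}

    unknown = sorted(h for h in seen if h not in known)
    zombies = sorted(h for h, r in known.items()
                     if r.status == "decommissioned" and h in seen)
    missing = sorted(h for h, r in known.items()
                     if r.status == "active" and h not in seen)
    known_alive = [h for h in seen
                   if h in known and known[h].status == "active"]

    def coverage(hostnames):
        hosts = [seen[h] for h in hostnames]
        if not hosts:
            return 0.0
        return round(100.0 * sum(h.patched for h in hosts) / len(hosts), 1)

    return {
        "unknown_estate": unknown,
        "alive_after_decom": zombies,
        "active_not_seen": missing,
        "known_patch_coverage_pct": coverage(known_alive),
        "unknown_patch_coverage_pct": coverage(unknown),
        "overall_patch_coverage_pct": coverage(list(seen)),
    }


if __name__ == "__main__":
    for key, value in reconcile(CMDB, DISCOVERED).items():
        print(f"{key}: {value}")
```

The useful outputs are the three lists rather than the percentages: the unknown estate is what discovery adds to the picture, the "alive after decom" list is the flawed decommissioning process made visible, and "active but not seen" is where the CMDB itself is stale.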

Key questions every IT leader needs to ask & answer!
First level questions:
•How many assets do we have & what is the scope of our network?
•What is running on all the devices in our network?
•What is going in and out of our network? What do we look like to an attacker?

Visibility & Control | Continuous Safeguarding | Detection & Countermeasures

Continuous Safeguarding
•Administrator Overview – Know and restrict your powerful users
•Patching – Close (unknown) vulnerabilities
•Vulnerability & Compliance – Increase attacker costs & efforts

Continuous Safeguarding
The vulnerability landscape is changing.
•Vulnerabilities are increasingly more complex
•Vulnerability hunting is now commonly looking for files on disk – libraries and dependencies rather than just applications
•For zero days there is often a gap between disclosure and plugins being available
•When vulnerabilities are disclosed, the situation evolves rapidly, and can mean that there are new things to look for hourly
•The classic vulnerability management cycle of wait for the plugin, wait for the scan, patch – isn’t enough
The solution to closing the gap:
•Start looking sooner: we may not have the full picture as soon as the vulnerability is disclosed, but knowing some of the picture is better than not knowing
•Complete automated patching of OS and 3rd party software is the first defense. The more automated and quick patching that can be done on a regular basis, the less vulnerability management work needs to be done.
•Mitigate before patching: often, changing a registry key, a config setting, or deleting a compromised library can remove exposure in the time we wait for a patch
•Use dynamic tooling: tooling that can tell us the situation right now – what version of an application or library is installed, what is the content of a file

Further Continuous Safeguarding
Zero-day vulnerabilities can surprise pre-existing defenses
•A useful recent example to mention is the libwebp vulnerability (CVE-2023-4863) – a vulnerability in a standard library embedded into many apps
•It was hard to find because the vulnerable component was often wrapped in a library, and that library forms a part of the app
•No tool is set up to find this sort of dependency, so vulnerability scanners were blind without an alternative approach
How did we address this with our customers?
•libwebp was first disclosed on September 7th
•There were no formal tests until 2 weeks later
•Even then, the tests were only looking for browsers and common business apps, leaving a huge blindspot
We helped our customers to use Tanium to:
1.Clear the low hanging fruit: update common business apps that are known to have the dependency
2.Use Tanium to look through files on disk for the Electron framework and other known frameworks
3.Use custom IP developed to query file contents for unknown exposure
With this approach, our customers were 90%+ mitigated before vulnerability scan plugins were available

Key questions every IT leader needs to ask & answer!
Next level questions:
•Where does our data come from and where is it stored?
•Do we have a handle on our privileged users and their access control across the entire organisation?
•Are there opportunities to scale and automate processes to make the job of staying ready easier?
•Are your [operational tools | configuration compliance and vulnerability scans | security controls] present and effective?

Visibility & Control | Continuous Safeguarding | Detection & Countermeasures

Detection & Countermeasures
•Detect – Identify compromised endpoints and stop suspicious behavior
•Respond – Take a wide variety of remedial actions, such as imposing network quarantines, deploying patches or running custom scripts.

Key questions every IT leader needs to ask & answer!
Next level questions:
•What processes do we have in place for monitoring and detecting potential security incidents?
•How do we respond to a security breach or potential threat?
•How do we ensure that our systems and applications are updated with the latest security patches and features?
•Can our team walk anyone through our incident response plan?

Thank You!
[email protected]

Kat West
Director of Dataprivacyrules &
Head of Information Governance,
The Scottish Government
#ScotSecureWest
BREAKOUT K

Cybersecurity and the GDPR –
A Mission Impossible?
Katharina West
Head of Information Governance and Data Protection, The Scottish Government
Director of Dataprivacyrules

What we discuss today
• How to embed good information & data governance into a digital strategy by default
• Some of the common challenges in managing and sharing personal data in enterprise environments
• Ways to address some of these issues, key learnings and best practice

Social Security Programme I Information Governance Team
Information Governance
Information Governance (IG) is an umbrella term to describe a holistic coordination strategy of how personal information, or personal data, is being used by an organisation.

OFFICIAL SENSITIVE
Information Governance
How to build data privacy by default into your organisation’s digital strategy

Information Governance Framework
Data privacy by default refers to the technical and operational requirements when delivering or building services and platforms that ensure data protection is ‘baked’ into the system build from the start.
This means we are looking at the end-to-end technical design and the entire data flow journey. For example:
•Information Technology & End-to-End Security
•Physical Design and Infrastructure
•Accountable Business Practices
•Transparency & User-Centred Design

Information Governance Framework
Understand how personal data flows in your organisation.

Information Governance Framework
Delivery models: WATERFALL | AGILE | HYBRID

Information Governance
REQUIREMENTS – DESIGN – DEVELOP – TEST – DEPLOY – MAINTAIN
Get your IG person in early.

Information Governance In Practice (diagram, flattened)
Operational set up – business as usual & maintenance of live-running operations: Policies; Operational Guidance; Staff Training; Data Breaches; Records Management; Freedom of Information Requests
Privacy by Design and Default: Information Security; Data Protection Risk Assessments; Data Sharing Agreements; Memoranda of Understanding; Legal checks and new legislation; Information Security Risk Assessments; Data Processing Agreements; Risk Register; Tenders & Procurement; 3rd Party Contract checks; Operational options assessments; Operational Health Checks
Advising on project design and technical compatibility with data protection requirements, i.e., data retention/deletion function, access control functions, encryption, data storage and processing
Data Quality; Data Management; Data Privacy Accountability (i.e., DPO); Overall Accountability (i.e., SIRO, CDO); Statistics; Digital; Assurance assessments after every project phase; ICO Consultations; Data Architecture

Benefits of good data governance
It’s all about reducing risk!
By incorporating IG from the start, you help your project to
•be compliant with the law – reducing the risk of regulatory fines
•get a full picture of potential risks, risk avoidance or risk mitigation
•provide cost-effective solutions by implementing only what’s needed
•significantly reduce any reputational damage stemming from potential risks or regulatory fines

Challenges
Most organisations do either too little – or too much.
Not understanding the full data flows in your organisation:
•Do you know
1)what datasets are entering your organisation,
2)via which routes, and
3)how this information is stored, processed, disposed of?
Not understanding the legal requirements that apply to your organisation:
•Do you know
1)which legislation applies?
2)how this legislation impacts your operations?
3)which parts of the legislation are obligatory, which are ‘nice to have’s?

Challenges
Holistic factors
•Capacity – do we have the resources and skills to make it happen?
•Financial restraints – do we have the money to implement?
•Long-term impact – does the implementation of this new system outweigh the effort and costs?
•Larger corporate goals – is this new digital strategy aligned with the wider corporate vision?

Key learnings
Technology is a multiplier of good or bad data practices.

Key learnings
Take Aways
Networking and collaboration are key –
•Externally – as someone probably had the same issue as you
•Internally – consciously break down silos when developing new organisational policies and operational practices and risk assessments

Thank you!
Katharina West
Contact me at:
[email protected]

Wednesday 11th September 2024 | Hilton Hotel, Glasgow, UK
#ScotSecureWest