Qualys Security Conference 2015

Las Vegas, Aria Resort, October 8-9, 2015

Join us for our 13th annual security conference that connects our customers with our engineers and leading industry experts. This year our architects will unveil the many new groundbreaking technologies they are building into the Qualys Cloud Platform and Integrated Suite of Security and Compliance solutions.

Agenda

Tuesday, Oct 6 (Training)

Vulnerability Management Training

Trainer: Nick Dlouhy

Earn 8 hours of Continuing Professional Education (CPE) credit for attending this class.
Please bring your (ISC)2 member number to class.

AM Session

9:00 – 10:00AM Basic Vulnerability Management
Overview of Vulnerability Management Lifecycle
Hands-On Lab: Account Setup

Vulnerabilities, KnowledgeBase, and Search Lists
Hands-On Lab: Search Lists
10:00 – 11:00AM Understand Your Network
Using Discovery Scans (Maps)
New Graphics Mode Map Results
Hands-On Lab: Mapping
11:00AM – 12:00PM Asset Management
Host Assets
Asset Organization and Prioritization
Manage Asset Tags
Application, Ports/Service, OS, and Certificate Inventories
Hands-On Lab: Asset Tags, Asset Groups and Asset Search
12:00 – 1:00PM Lunch

PM Session

1:00 – 2:30PM Vulnerability Scanning Engine
Authenticated Scanning
Introduction to Qualys Cloud Agent Platform
Review Results
2:30 – 4:00PM Reporting and Fine Tuning
Manage Reports using Templates and Scorecards
iDefense Threat Intelligence and 0-day Risk Analyzer
Hands-On Lab: Reporting
4:00 – 4:30PM User Management
Create Users
Organize Users into Business Units
Remediation/Trouble Ticketing
Hands-On Lab: User creation and Remediation labs
4:30 – 5:00PM Certification Exam

Policy Compliance and Advanced Vulnerability Management Training

Trainer: Phil Niegos

Earn 8 hours of Continuing Professional Education (CPE) credit for attending this class.
Please bring your (ISC)2 member number to class.

AM Session

9:00 – 9:30AM Introduction
Account and Application Setup
Hands-On Lab
9:30 – 10:00AM Policy Compliance Overview
Policy 101: A Top-Down Approach
The Qualys Control Library
The Path To Compliance
SCAP Support
10:00 – 10:30AM Compliance Scanning
The Qualys Cloud Platform
Compliance Scanning Requirements
Compliance Scanning Options
Raw Scan Report (Authentication Issues)
Hands-On Lab
10:30 – 11:00AM User Defined Controls
Windows-Based Controls
Unix-Based Controls
Hands-On Lab
11:00 – 11:30AM Controls and Policies
Create Policy From Scratch
Create Policy From Existing Host
Qualys Policy Library
Hands-On Lab
11:30AM – 12:00PM Compliance Reporting
Policy Report and Report Templates
Request Exceptions using Interactive Reports
Hands-On Lab
12:00 – 1:00PM Lunch

PM Session

1:00 – 1:30PM VM and PC Implementation Objectives
Hands-On Lab
1:30 – 2:30PM Scanning and Continuous Monitoring
Scanner Placement and Deployment
Scanner Parallelization
Secure Authenticated Scanning
Qualys Cloud Agent Platform
Hands-On Lab
2:30 – 3:30PM Asset Management
Asset Groups vs. Asset Tags
Effective Asset Tag Design
Asset Tags and Regex
Stale Host Tags
Hands-On Lab
3:30 – 4:30PM Reporting and Remediation
Compliance Scorecard Report
Vulnerability Scorecard – Setting Goals for Acceptable Risk
Measuring Business Risk in a Trend Report
Monitoring and Enforcing Patch Deadlines (i.e. SLAs)
Unknown Devices Report
Hands-On Lab
4:30 – 5:00PM Q & A

Wednesday, Oct 7 (Training)

Advanced Vulnerability Management Training

Trainer: Nick Dlouhy

Earn 8 hours of Continuing Professional Education (CPE) credit for attending this class.
Please bring your (ISC)2 member number to class.

AM Session

9:00 – 10:30AM VM and PC Implementation Objectives
Mapping with the “none” Domain
Unknown Devices Report
Continuous Monitoring
Hands-On Lab: Planning Deployment, Mapping, and Continuous Monitoring
10:30AM – 12:00PM Scanning and Continuous Monitoring
Scanner Placement and Deployment
Scanner Parallelization and Performance
Authenticated Scanning
Attribution and Delegation of Scanning Tasks
EC2 Scanning Overview
Qualys Cloud Agent Platform
12:00 – 1:00PM Lunch

PM Session

1:00PM – 2:00PM Asset Management
Asset Groups vs. Asset Tags
Automation with Asset Tags
Effective Asset Tag Design
Hands-On Lab: Advanced Scanning, Account Management, Tagging
2:00 – 2:30PM Reporting and Remediation
Host Based vs Scan Based Findings
Setting Goals for Acceptable Risk
Monitoring and Enforcing Patch Deadlines (i.e. SLAs)
Measuring Business Risk in a Trend Report
Identifying and Responding to Process Bottlenecks
Hands-On Lab: Qualys Report Metrics
2:30 – 4:30PM Qualys API Primer
Python and Curl
API v1 and v2 for Vulnerability Management
Hands-On Lab: API v1 and v2 lab
4:30 – 5:00PM Q & A

Web Application Scanning

Trainer: Phil Niegos

Earn 8 hours of Continuing Professional Education (CPE) credit for attending this class.
Please bring your (ISC)2 member number to class.

AM Session

9:00 – 10:00AM Web Application Scanning Overview
Scanning Your Web Architecture
Hands-On Lab
10:00 – 11:00AM Web Application Setup
Crawl Scope
Application Scanning Options
Selenium Scripts
Authentication
Crawl Exclusions
Malware Monitoring
Hands-On Lab
11:00AM – 12:00PM Scanning with Qualys WAS
Discovery Scan
Vulnerability Scan
Authenticated Scanning
Using Selenium for Authentication
Hands-On Lab
12:00 – 1:00PM Lunch

PM Session

1:00 – 2:00PM Reporting with Qualys WAS
Scan Report
Web Application Report
Catalog Report
Scorecard Report
Hands-On Lab
2:00 – 3:00PM Tagging and Users
Manage Tags to Organize Your Applications and Users
Setting User Scope
New Users
3:00 – 4:30PM Burp and MD Integration
Malware Monitoring
Burp Professional Integration Overview
Hands-On Lab
4:30 – 5:00PM Q & A

Thursday, Oct 8 (Conference)

7:30 – 8:30AM

Registration & Breakfast

8:30 – 8:45AM

Welcome & Opening Remarks

Amer Deeba, Vice President of Corporate Development and Strategic Alliances, Qualys

8:45 – 9:30AM

Opening Keynote

Philippe Courtot, Chairman and CEO, Qualys

Qualys Cloud Platform – 2015 Update and Roadmap

9:30 – 10:30AM

Qualys Cloud Platform

Sumedh Thakar, Chief Product Officer, Qualys

10:30 – 11:30AM

Refreshment Break in the Solutions Showcase

11:30AM – 12:30PM

Cloud Platform Showcase

Engineering Leads, Qualys

12:30 – 1:45PM

Lunch in the Solutions Showcase

1:45 – 2:30PM

Keynote: Tyler Shields

Tyler Shields, Principal Analyst, Forrester

Qualys Cloud Suite – 2015 Update and Roadmap

2:30 – 3:15PM

Vulnerability Management Roadmap & Cloud Agent Platform VM

Tim White, Director of Product Management, Cloud Platform, Qualys

3:15 – 3:45PM

Policy Compliance Roadmap & Cloud Agent Platform PC

Hariom Singh, Director of Product Management, Policy Compliance, Qualys

3:45 – 4:30PM

Refreshment Break in the Solutions Showcase

4:30 – 5:15PM

Web Application Scanning & Web Application Firewall Roadmap

Frank Catucci, Director of Web Application Security, Qualys

Steve McBride, Director of Application Security, WAF, Qualys

5:15 – 6:15PM

Break Before Dinner

6:15 – 7:15PM

Transportation to Dinner

7:30 – 10:30PM

Cocktails, Dinner & Live Entertainment

Aureole at Mandalay Bay

Friday, Oct 9 (Conference)

7:30 – 8:45AM

Registration & Breakfast

8:45 – 9:30AM

Keynote: TLS Maturity Model

Ivan Ristic, Author and Director of Application Security, Qualys

Solution Sessions

9:30 – 10:00AM

Using Splunk for Security Analytics

Gorka Sadowski, Director Global Strategic Alliances, Splunk

John Haberland, Director of Strategic Alliances and Integration Partnerships, Qualys

10:00 – 10:30AM

Actionable Threat Intelligence: The New Standard for Vulnerability Prioritization Management

David French, VP of Business Development & Sales, Kenna

Roxanne Carr, VP of Information Security, Comerica Bank

10:30 – 11:15AM

Refreshment Break in the Solutions Showcase (Ivan Ristic book handout)

11:15 – 11:45AM

Mitigations and Countermeasures for 0-day and Public Vulnerabilities Through Threat Intelligence

Jayson Jean, Director of Vulnerability Management, Verisign

Rohit Mothe, Vulnerability Research Engineer, Verisign

11:45AM – 12:15PM

Continuous Monitoring in the Real World

Pedro Abreu, Senior Vice President and Chief Strategy Officer, ForeScout

12:15 – 1:15PM

Lunch in the Solutions Showcase

Case Studies

1:15 – 2:00PM

Microsoft

Viacom

Closing Keynote

2:00 – 2:45PM

Closing Keynote & Book Signing: Martin Ford

2:45 – 3:00PM

Closing Remarks: Philippe Courtot

3:00PM

Conference Adjourns. See You Next Year!

Guest Speakers

Martin Ford

Author and Entrepreneur

Tyler Shields

Principal Analyst

Forrester

Ivan Ristic

Author and Director of Application Security

Qualys

Event Information

Pricing

Attendance at the Qualys Security Conference is complimentary. This includes access to all general sessions, breakout sessions, training, breakfast and lunch both conference days, and dinner on Thursday, October 8. Pricing does not include travel or hotel accommodations.


Travel and Accommodations

We are pleased to host our event for the third year in a row at the Aria Resort & Casino, located on the Las Vegas strip. We are offering QSC 2015 attendees a special conference rate ($177 per night*) for hotel rooms if you reserve before September 14, subject to availability. Make a reservation online or call the Aria Group Reservation Department at 866-359-7757.

Aria Resort & Casino
3730 Las Vegas Boulevard
Las Vegas, NV 89158
T: (702) 590-7757
www.arialasvegas.com
* Rate does not include 12% tax and a $25 per night resort fee

Dinner

Join Qualys for cocktails, dinner and must-see entertainment.


Cocktails and Dinner 7:30 – 10:30PM

Aureole Restaurant
at the Mandalay Bay Hotel
www.charliepalmer.com/aureole-las-vegas/

Premiere Sponsors

Splunk, Thycotic, BMC, Verisign, NopSec, ForeScout

Supporting Sponsors

LogRhythm, Compass IT Compliance, Lumeta

Session Abstracts & Speaker Bios

TLS Maturity Model: A New Way of Looking at TLS Security

Ivan Ristic
Author and Director of Application Security, Qualys

Life used to be much simpler back when we thought that encrypted communication via TLS was simply secure. Not any longer. Now it seems that every day we are bombarded with new problems bearing ridiculous names, usually acronyms. But are all those problems equally dangerous? How do you make sense of it all? We introduce the TLS Maturity Model, a fresh and practical way of looking at TLS security that lets you cut through the noise and focus on what really matters.

Unauthenticated vs. Authenticated Scanning: Doesn't Matter, You're Doing it Wrong

Jonathan Cogley
CEO, Thycotic
Nathan Wenzler
Senior Technology Evangelist, Thycotic

Overcome the hurdles to authenticated scanning by using a privileged account management tool. Find out how you and your IT operations team can protect and manage privileged credentials, while giving your scanner appliance secure, automated, and audited access to those accounts. If you are already doing authenticated scanning, you may be leaving pass-the-hash vulnerabilities behind on scanned devices. Find out how to use the Thycotic integration with Qualys to ensure you are scanning all your devices with seamless authenticated scanning, dramatically improve security by reducing pass-the-hash exposure, and automate the entire process for all the devices on your network.

Operational Governance, Regulatory Mandates, and Security Threats – Oh MY!

Mary Cauwels
Director of Solutions and Product Marketing, BMC

Competing priorities, new and more dangerous threats, limited resources, and huge penalties loom over Security and IT Operations teams every day. How can these teams work together to close the SecOps gap and create healthy, secure environments that are hardened against new vulnerabilities and able to pass audits more easily? Join Mary Cauwels, Director of Intelligent Compliance, BMC Software, to learn about best practices for Security and IT Operations.

Achieving Strategic Information Security Management with Qualys and TraceSecurity

Wes Withrow
Cybersecurity Expert, TraceSecurity

Cloud-based IT Governance, Risk and Compliance (IT GRC) solutions have been described as the “lightweight Enterprise Resource Planning (ERP) tool” of the security industry. IT GRC solutions like TraceSecurity’s TraceCSO integrate the different units of an information security program the same way that an ERP solution integrates the different business units across a company, making it all work cohesively with the right visibility. The integration of TraceCSO with Qualys gives security teams the ability to manage vulnerability scan results within TraceCSO’s centralized interface and to benefit from automated communication between areas of TraceCSO such as risk, audit and compliance management.

Mitigations and Countermeasures for 0-day and Public Vulnerabilities Through Threat Intelligence

Jayson Jean
Director of Vulnerability Management, Verisign
Rohit Mothe
Vulnerability Research Engineer, Verisign

In an ideal world, organizations would roll out every security patch in a software update bundle within 24 hours of its release.

However, the world, and especially the IT security world, isn’t ideal, and this is not a realistic expectation. A multitude of variables and factors can affect the prompt deployment of software fixes, and wrong or even delayed decisions can be a huge financial expense and compromise the overall security posture.

So what can an organization do to protect its enterprise? The answer is prioritization. To prioritize, an organization needs to understand not only the context, scope and magnitude of a threat but also the immediate steps to take to work around or remediate it. In this talk Jayson and Rohit discuss the mitigations and countermeasures that Verisign iDefense provides through its threat intelligence services to help enterprises defend against exploitation.

The Attack Path: Not All Vulnerabilities are Created Equal

Michelangelo Sidagni
CTO, NopSec

Recent high-profile security breaches have highlighted that attackers follow very specific attack paths, the same paths used by expert penetration testers in their engagements. In the eyes of an attacker, not all vulnerabilities are created equal. Regardless of CVSS score, attackers use their own prioritization algorithm to score vulnerabilities and place them in their attack paths.

In this session, we will present a real-world case and analyze the prioritization algorithm used by attackers. In addition, we will highlight the most common vulnerabilities and misconfigurations found in the attack path and offer recommendations for remedial actions based on insight from these scenarios.

Actionable Threat Intelligence: The New Standard for Vulnerability Prioritization Management

David French
VP of Business Development & Sales, Kenna
Roxanne Carr
VP of Information Security, Comerica Bank

Identifying all of your IT assets and exposing all of the vulnerabilities across your enterprise is the cornerstone of a good vulnerability management program. As you continue to scan over time, you find more and more vulnerabilities, even as you remediate. Which vulnerabilities do you prioritize first, and where do you focus your limited resources in order to effectively reduce your risk and get the greatest return on your investment? And how can you quantify and measure your true exposure to vulnerability risk?

Adding real-time threat context to your vulnerability and remediation management enables you to prioritize the most critical vulnerabilities at the right time and reduce your exposure to threats. Automating this process means you can make threat intelligence actionable and remediate with confidence.

This presentation will highlight how Comerica partnered with Qualys and Kenna to connect its vulnerability scanning program with actionable threat intelligence and employ a risk-based approach to vulnerability management. Learn how Comerica is driving down its exposure to vulnerabilities that match active Internet breaches, and tracking its remediation progress with little manual effort and without adding headcount.

Using Splunk for Security Analytics

Gorka Sadowski
Director Global Strategic Alliances, Splunk
John Haberland
Director of Strategic Alliances and Integration Partnerships, Qualys

Security analytics can give businesses critical insight into potential threats and enable faster detection by prioritizing vulnerability and event data. This session will demonstrate a new way to look at and analyze vulnerability data by combining Splunk and Qualys. A live demo will walk attendees through a Splunk app that pulls vulnerability data using Qualys APIs, and shows users how to build custom reports and dashboards to help security teams identify the most critical threats in their perimeter.

Continuous Monitoring in the Real World

Pedro Abreu
Senior Vice President and Chief Strategy Officer, ForeScout

Organizations are challenged by the pervasive nature of cyber threats and vulnerabilities to the valuable corporate information maintained on their networks. By continuously monitoring the network and the devices on it, world-class tools working together, such as Qualys and ForeScout, assess the state of vulnerabilities by executing scans whenever desired, so vulnerabilities can be addressed and remediated quickly. Real-world examples will highlight the way organizations leverage and rely on these solutions to help protect their information and company brand.

Jonathan Cogley
CEO, Thycotic

Jonathan grew up in South Africa and began his software engineering career in London where he founded Thycotic Software Ltd in 1996, moving Thycotic headquarters to the United States several years later. Thycotic is recognized as the fastest growing private company in identity and access management. Jonathan speaks at more than 40 enterprise technology events throughout the year and has appeared in notable news outlets such as The Wall Street Journal Radio, The Washington Post, CNET, Yahoo! Finance, PC Magazine and CSO. Jonathan regularly contributes to WIRED magazine’s Innovation Insights on all things infosec.

Nathan Wenzler
Senior Technology Evangelist, Thycotic

Nathan has over a decade of experience designing, implementing and managing both technical and non-technical solutions for IT and Information Security organizations. Throughout his career, Nathan has helped government agencies and Fortune 1000 companies build new information security programs from scratch, as well as improve and broaden existing programs with a focus on process, workflow, risk management, and the personnel side of a successful security effort. Currently as the Senior Technology Evangelist for Thycotic, Nathan brings his expertise on security program development and implementation in both the public and private sector to admins, auditors, managers, and security professionals.

Tyler Shields
Principal Analyst, Forrester

Tyler is a leading expert on mobile and application security. He has researched a diverse set of topics and focuses his research on both corporate business strategy and the technologies used to secure the rapidly converging mobile and application threat landscape. Before joining Forrester, Tyler was product owner and manager for mobile solutions at Veracode, where he was responsible for or contributed to global go-to-market strategy, mergers and acquisitions, technology due diligence, competitive intelligence, and product research and design.

Martin Ford
Author and Entrepreneur

Martin Ford is the founder of a Silicon Valley-based software development firm and the author of two books: The New York Times Bestselling Rise of the Robots: Technology and the Threat of a Jobless Future and The Lights in the Tunnel: Automation, Accelerating Technology and the Economy of the Future. He has over 25 years experience in the fields of computer design and software development. He holds a computer engineering degree from the University of Michigan, Ann Arbor and a graduate business degree from the University of California, Los Angeles.


He has written for publications including The New York Times, Fortune, Forbes, The Atlantic, The Washington Post, Project Syndicate, The Huffington Post and The Fiscal Times. He has also appeared on numerous radio and television shows, including NPR and CNBC. Martin is a frequent keynote speaker on the subject of accelerating progress in robotics and artificial intelligence—and what these advances mean for the economy, job market and society of the future.

Ivan Ristic
Author and Director of Application Security, Qualys

Ivan Ristic is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools and guides published on the SSL Labs website. He is the author of two books, Apache Security and ModSecurity Handbook, which he publishes via Feisty Duck, his own platform for continuous writing and publishing.


Ivan is an active participant in the security community and you'll often find him speaking at security conferences such as Black Hat, RSA, OWASP AppSec, and others. He's currently Director of Application Security Research at Qualys.

Jayson Jean
Director, Vulnerability Management & Research, Verisign

Jayson Jean is the Director in charge of the strategic direction and fulfillment of product requirements for iDefense’s Vulnerability Management solution set portfolio. Operationally, Jayson provides management oversight for both the Vulnerability Research Lab and Vulnerability Exploit Intelligence functional components. Jayson brings more than 15 years of technical experience in the software, telecommunications and security industries. Early in his career, he worked at several start-up companies as a network engineer. Prior to joining Verisign, Jayson worked for Science Applications International Corporation (SAIC), where he served as a security analyst for the US Department of Homeland Security (DHS).

Rohit Mothe
Vulnerability Research Engineer, Verisign

Rohit joined Verisign in 2013 as part of the iDefense Vulnerability and Exploit Intelligence (VEI) team. He joined the Vulnerability Research Labs (VRL) team in 2014, where his primary work includes managing the iDefense Vulnerability Contributor Program (VCP) and contributing to internal vulnerability discovery efforts. His interests are in exploit development, vulnerability discovery, and reverse engineering. He has a Master of Science in information security from The Johns Hopkins University, MD. During his Master’s program he worked as an intern at Cigital Inc., focusing on web application penetration testing and file format fuzzing.

Wes Withrow
Cybersecurity Expert, TraceSecurity

For over 15 years, Wes has worked in IT and information security. He began his career as a systems engineer at Under Armour and then joined The Johns Hopkins University Applied Physics Laboratory, where he served in enterprise IT operations management, systems engineering, and information security roles, working closely with the Department of Defense. He then leveraged his broad expertise as CIO of a consulting group that provided managed IT services to several industries. Wes represents TraceSecurity as a Cybersecurity Expert at onsite client engagements and at conferences and speaking engagements across the country, providing deep industry knowledge spanning all verticals.

Mary Cauwels
Director of Solutions and Product Marketing, BMC

As Director of Solutions and Product Marketing for BMC Datacenter Automation and Cloud, I'm dedicated to bringing IT automation to life. With over 15 years in high tech software and hardware, I’ve helped bring new products to market, watched them grow to leadership positions, and deliver value to thousands of customers in both business applications and IT. I love hearing how my customers have derived value and optimized their investments in mission critical technology. Prior to joining BMC, I held marketing leadership positions at CA Technologies, SAP, SafeNet, and Compaq Computers.

Michelangelo Sidagni
CTO, NopSec

Michelangelo Sidagni serves as Chief Technology Officer leading technical development, security research and operations for NopSec. Prior to NopSec, Michelangelo was the Director of IT Security Services at Ciphertechs and served as a lead internal security consultant at Blue Cross Blue Shield advising on HIPAA security and privacy initiatives. Michelangelo holds numerous professional certifications in information security including CISSP, CISA, and CIA and is a frequent speaker at information security events around the country. He holds a Master's of Business Administration from the University of Pavia in Italy.

Gorka Sadowski
Director Global Strategic Alliances, Splunk

Gorka Sadowski, cybersecurity expert, has dedicated his career to helping organizations improve their security posture. He spent the last 20 years defining, implementing, and positioning security solutions in the marketplace. He has worked to bring together disparate technologies and vendors in unified ecosystems. He believes cybersecurity can only be achieved via strong cooperation of complementary subject matter experts. Gorka is Director of Global Strategic Alliances for Splunk where he fosters Splunk’s role as the Nerve Center for Security Command Centers.

Pedro Abreu
Senior Vice President and Chief Strategy Officer, ForeScout

Pedro has served as senior vice president and chief strategy officer of ForeScout since March 2015, where he is focused on advancing corporate strategy that bridges product development, sales and marketing. Prior to joining ForeScout, Pedro held several senior-level strategy and operations roles with Intel Security, EMC and McKinsey. He earned an MBA from the Haas School of Business at U.C. Berkeley and a degree in Computer Science from Instituto Superior Técnico in Portugal.

