New Skills

Last year, I spoke at 26 security meetings and conferences. I learn the most when I’m in the field with my heroes. If you have a local meeting or conference that would benefit from any of these topics, let us know and I’ll do my best to show up.




WitFoo Chief Technology Officer
Charles’ dedication to maturing the craft of InfoSec is built on a diverse career path across the industry.
He started his career in InfoSec in the US Navy in 2002 serving as the Network Security Officer at the US Naval Postgraduate School. After leaving active duty, he was a contributing product reviewer for InfoWorld magazine focusing on network security products. Charles spent 7 years running Herring Consulting, a company dedicated to process orchestration, data sharing, and marketing. In 2012, Charles joined the Lancope team as a pre-sales engineer, promoted to Consulting Security Architect and later as Strategic Account Manager following the acquisition of Lancope by Cisco. In 2014, Charles partnered with veterans of the military, law enforcement and cybersecurity to research new approaches to improve the craft of cybersecurity operations. In 2016, that research resulted in the forming of WitFoo.
When not working with cybersecurity heroes, Charles enjoys SCUBA divining with his wife, Mai.

Abstract 1 – Flight Deck Information Assurance Auditing

Naval Air Training and Operating Procedures Standardization (NATOPS) is said to be “written in blood.” NATOPS was created in 1961 after nearly 50 years of the US Navy flying aircraft. The extensive system was created to stop the extreme failures that resulted in the loss of hundreds of lives and billions of dollars in loss.
Between 2015 and 2017, WitFoo researchers worked with organizations from higher education, Fortune 500, healthcare and mid-market to test NATOPS quality assurance (QA) approaches in cyber security and information security auditing.
In this session, the following experiments and findings will be discussed:
  • Defining the correct “unit of work” in security operations (borrowing from Maintenance Action Forms.)
  • “Data Evolution” of extremely technical information that can be understood by executives (and Admirals).
  • Ongoing, organic metric collection and analysis in contrast with inspections and audits
  • Separating human audits and architecture audits
  • Improving auditing using NATOPS Readiness Inspections approaches

Abstract 2 – Cruising on a Security Data Lake: Solving Big Data Challenges in SECOPS

Researchers at WitFoo in conjunction with The University of Chicago and representatives from Law
Enforcement, US Military and Fortune 500 organizations conducted more than 2000 controlled
experiments on production networks from 2016 through 2018 to establish a Big Data pipeline for use in CyberSecurity Operations that allows for the application of investigative workflows and indicators of compromise in near realtime as well as providing for retrospective analysis of the complete data stack when new insights and indicators are made available. The first section of the session will evaluate the strengths and limitations of Big Data technologies including Elasticsearch, Splunk, Hadoop, Kafka, MySQL NDB, Cassandra, NoSQL vs RDBM as well as pipeline philosophies including streaming and batch processing. The second section will outline the specific approaches that are used in the discovered pipeline.
The third section will provide a demonstration of the pipeline in use to detect emerging threats and to retrospectively find threats missed historically. Upon completion of the session, attendees will understand the philosophies, components and steps in creating an effective big
data pipeline that addresses the challenges in Cyber Security Operations.

Abstract 3 – Breaking NBAD and UEBA Detection

Network Behavior Anomaly Detection (NBAD) and User and Entity Behavior Analytics (UEBA) are
heralded as machine learning fueled messiahs for finding advanced attacks. The data collection and
processing methodologies of these approaches create a series of new exploitable vectors that can allow attackers to navigate network and systems undetected. In this session, methods for poisoning data, transforming calculations and preventing alerts will be examined. Proof of concept Python code will be demonstrated and made available. Approaches to harden against these attacks will also be discussed as well as outlining needed changes in detection standards.
Previous Speaking Engagement Videos

Abstract 4 – Metric Driven DEVOPS

Developing software that changes the world, exceeds customer expectations, provides turn-key functionality in diverse scenarios while meeting security and compliance requirements is the holy grail of Security Development Operations (SECDEVOPS). There are thousands of variables that need to be constantly addressed to find the balance that delivers sustainable and secure success. In this session, WitFoo’s chief engineers will outline an innovative approach to secure devops called Metric Driven Development. It will cover the following topics:
– Creating a metric collection infrastructure to alert on security and functionality deficiencies
– Utilizing metrics to write optimized unit and system tests
– The optimal value of code coverage, application pen-testing and static code analysis
– Integrating metrics into customer support evolutions
– The place of containerization in SECDEVOPS
– Build metric driven use cases from hypothesis to pivot
By the conclusion of the session, attendees will have the tools necessary to implement lean and effective development pipelines that deliver secure and useful code in a fraction of the time and at a fraction of the development cost.

The post 2020 Conference & Security Meeting Talks appeared first on WitFoo.