General Info

The dramatic surge in open source software supply chain attacks has sent defenders scrambling for mitigations and solutions. At the highest levels of the U.S. government, mandatory guidance is being established to secure code dependencies and close security gaps in the software used in the most critical projects.

Join us as we bring together security experts to discuss the biggest software supply chain hacks, the complex nature of the problem, best practices for mitigating security issues, and the frameworks and specifications currently available.

Agenda

March 22, 2023 11:00

Trust in Software has Eroded

The global trend of digitization and the rapid transition to remote working has created an increased reliance on an organization's software supply chain. Malicious actors are exploiting the complexities and interconnectedness of this modern supply chain ecosystem to expand their reach. To keep pace with the evolving threat landscape, a new approach to establishing security and integrity within the supply chain must be adopted to regain trust and transparency amongst software publishers and consumers. During my talk, I will outline key actions that both software publishers and consumers can take to uplift software supply chain security and protect against software tampering.

Charlie Jones
ReversingLabs, Director of Product Management

March 22, 2023 11:30

From CEO Fraud to Vendor Fraud: The Shift to Financial Supply Chain Compromise

The tactics that worked for your business five years ago likely aren't working today, and cybercrime is no different. The CEO fraud that dominated the last few years is not nearly as successful as it used to be, partly because employees understand that their CEO isn't emailing them about gift cards at 2:00 in the morning. Not to be outdone, cybercriminals have shifted their tactics, now relying more on vendor impersonation and vendor email compromise to run their scams. Join us for this webinar with Lane Billings, Group Product Marketing Manager at Abnormal Security, where she'll answer your questions about this new threat, including:

  • What are the various types of financial supply chain compromise?
  • How do threat actors use impersonation and account compromise to run invoice fraud, aging report fraud, and blind third-party attacks?
  • Why have threat actors shifted tactics, and what do your employees need to know?
  • How can you stop these evolving attacks before they reach your inboxes?

The average invoice fraud attack costs $183,000, and Abnormal has seen attacks that request upwards of $2.1 million. Attend the session to make sure you're prepared to defend against them.

Lane Billings
Abnormal Security, Group Product Marketing Manager

March 22, 2023 12:00

BREAK

Please visit our sponsors in the Exhibit Hall and explore their resources. They're standing by to answer your questions.

March 22, 2023 12:15

How to Leverage SBOMs to Reduce Software Supply Chain Risk

In today’s software supply chains, how do SBOMs help detect vulnerabilities and support vulnerability management programs? How do SBOMs bolster our response to new threats? Most importantly, how can enterprise security teams bridge the gap between AppSec and Product Security to reduce friction with developers while still shifting right to ensure products are secure prior to release? In this talk, Finite State Engineering Manager Jason Ortiz will examine why attackers love the huge attack surface presented by OT/IoT, the key challenges facing stakeholders in today’s software supply chains, and the value, visibility, and confidence that a shift-right methodology can bring to vulnerability management and your software supply chain through dynamic SBOM management.

Jason Ortiz
Finite State, Lead Engineer
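The core mechanic behind the SBOM session above is simple: inventory a product's components once, then re-check that same inventory every time a new advisory appears. The following is an added illustration, not code from Finite State or from this event; the CycloneDX document, the advisory feed, the package names and the advisory IDs in it are all constructed for the example, and the purl parser and version ordering are deliberately simplified (namespaces, qualifiers and pre-release tags are ignored; it is not full semver or PEP 440).

```python
"""Match a CycloneDX SBOM against a vulnerability feed.

Added example, not project code. SBOM, advisories, package names and
advisory IDs below are constructed for illustration only.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed CycloneDX 1.4 SBOM for a hypothetical firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.2.3",
     "purl": "pkg:generic/libexample-tls@1.2.3"},
    {"type": "library", "name": "busybox", "version": "1.35.0",
     "purl": "pkg:generic/busybox@1.35.0"},
    {"type": "library", "name": "example-json", "version": "2.0.1",
     "purl": "pkg:npm/example-json@2.0.1"}
  ]
}
"""

# Constructed advisory feed (hypothetical IDs). Each entry gives the purl
# type and name, the first affected and first fixed version, and whether
# exploitation in the wild is known (used for prioritization).
ADVISORIES = [
    {"id": "EX-2023-0001", "type": "generic", "name": "libexample-tls",
     "introduced": "1.0.0", "fixed": "1.2.4", "known_exploited": True},
    {"id": "EX-2023-0002", "type": "generic", "name": "busybox",
     "introduced": "1.30.0", "fixed": "1.34.0", "known_exploited": False},
    {"id": "EX-2023-0003", "type": "npm", "name": "example-json",
     "introduced": "2.0.0", "fixed": "2.1.0", "known_exploited": False},
]


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Return (type, name, version) from a package URL.

    Simplified: the namespace, qualifiers (?...) and subpath (#...) are
    dropped, so only type, final name segment and version are compared.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):]
    body = body.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
    path, sep, version = body.rpartition("@")
    if not sep:  # no version present
        path, version = body, ""
    ptype, _, rest = path.partition("/")
    name = rest.rsplit("/", 1)[-1]  # last segment; namespace ignored
    return ptype, name, version


def version_key(version: str) -> tuple[int, ...]:
    """Dotted-numeric ordering padded to four fields (1.2 == 1.2.0.0).

    Simplified: non-numeric suffixes such as '-rc1' are ignored.
    """
    key: list[int] = []
    for part in version.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    key += [0] * (4 - len(key))
    return tuple(key)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


@dataclass(frozen=True)
class Finding:
    advisory: str
    purl: str
    known_exploited: bool


def match_sbom(sbom_json: str, advisories: list[dict]) -> list[Finding]:
    """Return findings for every SBOM component an advisory covers,
    known-exploited issues first so they are remediated first."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    findings: list[Finding] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the component cannot be matched reliably
        ptype, name, version = parse_purl(purl)
        for adv in advisories:
            if (adv["type"], adv["name"]) != (ptype, name):
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(adv["id"], purl, adv["known_exploited"]))
    findings.sort(key=lambda f: (not f.known_exploited, f.advisory))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        flag = "KNOWN EXPLOITED" if f.known_exploited else "not known exploited"
        print(f"{f.advisory}  {f.purl}  [{flag}]")
```

Two of the three components match: busybox 1.35.0 is above the fixed version and drops out, while the known-exploited libexample-tls finding sorts ahead of the npm one. In practice the SBOM is stored once per release and this match is re-run against the live feed, which is what turns a static bill of materials into a vulnerability management input.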

March 22, 2023 12:45

Securing The Digital Supply Chain: Do You Trust Your Devices?

The global device supply chain is complex and difficult for any one team to tame. Unfortunately, the software that supports the devices in your supply chain (endpoints, servers, network devices) is riddled with device-level vulnerabilities that are rapidly being exploited by today’s cyber adversaries. Join Eclypsium Security Evangelist Paul Asadoorian as he discusses five practical steps to identify, prioritize and mitigate the vulnerabilities in the “below-the-OS” attack surface. Key learnings:

  • What should be prioritized in shoring up your digital supply chain, and what can wait
  • How to defend against modern attacks on hardware- and firmware-level vulnerabilities that traditional EDR and vulnerability management (VM) tools miss
  • Examples of real-world firmware attacks and how to mitigate the risk

Paul Asadoorian
Eclypsium, Security Evangelist

March 22, 2023 13:15

Tech Session - Compromised Enterprise-Grade Routers and Downstream Supply Chain Risks

In its 2023 threat assessment, the U.S. ODNI noted that one of the largest threats from Chinese actors derives from cyber-espionage operations that “include compromising providers of… managed services, and broadly used software, and other targets potentially rich in follow-on opportunities for intelligence collection, attack, or influence operations.”

What does that look like in the real world, and how do we abstract that concept into tangible actions? This talk will discuss two real-world examples of threat actors targeting networking equipment to facilitate supply-chain style attacks against downstream customers:

1. In the case of HiatusRAT, the threat actors passively collected email transmitted to IT services and consulting firms by sitting directly outside their network. This could have enabled them to obtain information about the security posture of their customers and potentially even credentials from the IT provider.

2. Our second case study will focus on another threat called ZuoRAT. This campaign targeted SOHO routers rather than the larger enterprise devices targeted in the HiatusRAT campaign. The capabilities of ZuoRAT could enable threat actors to gather credentials and deploy trojans.

Lastly, we will discuss possible ways to mitigate these threats moving forward.

Danny Adamitis
Lumen Technologies, Principal Security Engineer

March 22, 2023 13:50

Fireside Chat: Ivan Arce on the Supply Chain of Supply Chain Vulnerabilities

Chief Research Officer at Quarkslab Ivan Arce joins SecurityWeek editor-at-large Ryan Naraine for an in-depth discussion on newly discovered vulnerabilities in the Trusted Platform Module (TPM) 2.0 reference library specification and their supply chain ramifications, especially at major cloud computing providers.

Arce, a pioneer in the pen-test and offensive hacking industry, will shed light on complications in the multi-vendor disclosure process and best practices for securing software and computing supply chains.

Ivan Arce
Quarkslab, Chief Research Officer

March 22, 2023 14:25

An Abnormal Approach to Email Security

The open design of cloud email platforms provides new opportunities for collaboration and extensibility, but it has also opened up new channels for attackers to exploit. Only Abnormal Security leverages advanced behavioral data science to stop the full spectrum of email attacks, including phishing, impersonation, and vendor fraud, while providing direct visibility into your security posture. Watch the Abnormal demo to discover how you can:

  • Stop the socially-engineered attacks that other solutions miss.
  • Detect and disable compromised internal accounts.
  • Automate your SOC workflows and save time.
  • Discover misconfiguration risks across your cloud environment.

March 22, 2023 14:35

Software - The Hidden Threat in Your Third-Party Risk Management Program

The inescapable blast radius of recent supply chain attacks (CircleCI) demonstrates the reliance of modern enterprises on the open-source ecosystem. Software provides threat actors an enticing vector for hiding and distributing malicious artifacts to unsuspecting enterprises. ReversingLabs discusses the shortcomings of existing application security toolchains and how its Software Supply Chain Security Platform can help software consumers combat this threat.

March 22, 2023 14:55

Protecting Beyond the OS – The Hardware and Firmware Integrity Journey

Hardware and firmware integrity is often the most ignored component of Zero Trust and a trusted supply chain. Let’s understand why attackers are targeting areas outside the OS, how to ensure your IT hardware doesn’t harbor any hidden threats, and how you can integrate this into your existing controls.

March 22, 2023 15:15

Finite State Platform Demo

Do you want to see how Finite State automates product security across the software supply chain? In this 3-minute video, we'll show you how Finite State can help you manage IoT and OT risk by:
  • Identifying critical vulnerabilities in your connected products
  • Prioritizing the mitigation of what's exploitable
  • Delivering unprecedented threat context that empowers informed decision-making
See why it matters that our solution features the world’s largest device intelligence database and, as a SaaS-based solution, that it's easy to implement. See how our core features help our clients cut time to market across their connected product portfolios, enhance incident response, produce actionable SBOMs, and help them comply with enterprise security policies and multi-industry mandates.

March 22, 2023 15:20

Networking & Virtual Expo

Please visit our sponsors in the Exhibit Hall and explore their resources.

Sponsors