VASCAN 2019 has ended

Tuesday, October 8
 

7:00am EDT

Breakfast/Registration
Tuesday October 8, 2019 7:00am - 8:45am EDT
Shenandoah B & C

8:45am EDT

Welcome to VASCAN 2019
Tuesday October 8, 2019 8:45am - 9:00am EDT
Shenandoah B & C

9:00am EDT

Keynote Speaker
Speakers
Chris Goodson

National Sales Manager for US Higher Education, Amazon Web Services (AWS)
Chris Goodson is a sales leader in AWS’s Education Organization. He leads a team that works with colleges and universities across the US, assisting these institutions with a range of AWS cloud solutions – from infrastructure and data lakes to Alexa deployments and Machine Learning...


Tuesday October 8, 2019 9:00am - 10:00am EDT
Shenandoah B & C

10:00am EDT

Vendor Meet and Greet
Tuesday October 8, 2019 10:00am - 10:30am EDT
Shenandoah A

10:30am EDT

Securing AWS Accounts: Design Patterns, Control Strategies, and Best Practices
Many organizations are taking the dive into AWS for new projects and migrating existing solutions to their cloud.  This presentation will go over topics on:  simple design strategies to control/delegate permissions; ensuring and controlling AWS access by 2FA; best practice recommendations to segregate account purposes; and automation-assisted security controls, including who has access and with least privilege, through infrastructure-as-code.

Speakers
Lee Doughty

Senior Cloud Systems Engineer, Virginia Cyber Range
Lee Doughty is the Senior Cloud Systems Engineer at the Virginia Cyber Range (a commonwealth-funded initiative attached to Virginia Tech). His primary responsibilities include securing and managing the dozens of AWS Accounts used by the range, provisioning tens of thousands of student...


Tuesday October 8, 2019 10:30am - 11:30am EDT
Allegheny A - C

10:30am EDT

VASCAN DevOps Toolset Landscape
With the explosion of public cloud and private cloud adoption, the DevOps tools landscape has become increasingly saturated and nuanced. A myriad of tools (Ansible, Chef, Puppet, Terraform, CloudFormation, container orchestration, etc.) now present themselves as options for configuration management and infrastructure provisioning. In this session we will look at the use cases for automation, orchestration and intent-based IT infrastructure provisioning. We will contrast and compare the pros and cons of the most popular offerings in the industry and also discuss various security considerations and implications to environment, data, and CI/CD process security in a DevOps world.

Speakers
Tihomir Hristov

Director, Infrastructure Services, Old Dominion University
With a background in server, storage and heavy network administration, Tihomir Hristov is the lead for Networking at Old Dominion University Information Technology Services. He has spent the past year leading the Public Cloud Acceleration and DevOps/Infrastructure as Code initiatives...


Tuesday October 8, 2019 10:30am - 11:30am EDT
Appalachian A & B

10:30am EDT

Monitoring and Alerting with Prometheus
Prometheus is an open source monitoring and metrics collection tool that’s recently seen a sharp rise in popularity. At William & Mary we switched from Nagios to Prometheus in just under a week, and are able to monitor more than ever before (250k metrics every 30 seconds using a single server). In this session we’ll talk about how Prometheus monitors things on-prem and in the cloud, how it alerts, and what it took to make the switch.

Speakers
Phil Fenstermacher

Lead Linux Engineer, William & Mary


Tuesday October 8, 2019 10:30am - 11:30am EDT
Appalachian C

11:30am EDT

3rd Party Assessments
With the growing need for software, applications, and tools migrating to the cloud combined with regulatory compliance and the need to protect privacy and data, assessments can seem like a bottomless pit. How do we document, assess vendor security, and streamline this process? There are many types of audits and assessments that can be used to help facilitate these goals. This session will help in understanding how to document these assessments, understand how to read the reports, and streamline the process to be repeatable.

Outcomes: Understand the ways to document 3rd party assessments to include documenting any risks or mitigations. Learn how to read and know the difference amongst SOC reports and other provided assurances. Collaborate on ways to streamline the process and maturity models.

Speakers
Kate Rhodes

Asst. ISO for Risk and Compliance, Old Dominion University
Kate Rhodes is an Assistant Information Security Officer for Old Dominion University. She is an ODU alumni who began her career in Information Security in 2011 when joining the Army. After serving in the Army, she worked in information Security as a contractor for the Navy and NASA...

Amy Tunison Kobezak

Associate Director, Security Risk and Business Operations, Virginia Tech

Doug Streit

CISO & Executive Director IT Security and Planning, Old Dominion University
Doug has served at Old Dominion University for over 20 years, working as a systems engineer, server-systems support manager and technical director. He accepted the responsibilities of Information Security and Identity Management in 2011. Current responsibilities include strategic...


Tuesday October 8, 2019 11:30am - 12:30pm EDT
Allegheny A - C

11:30am EDT

Strong Roots, Strong Trees: Implementing CIS Control 1
A look into our journey towards implementing CIS Control 1, “Inventory and Control of Hardware Assets” in a decentralized environment.  CIS Control 1 is the foundation of a comprehensive security program.  University of Virginia is using multiple asset discovery systems and processes to attempt to build a complete inventory of systems on our network.  This will strengthen other CIS controls and security measures.  Take a walk with us and see how we are doing this, what’s working, what’s not, and future plans.

Speakers
Michael Grinnell

Deputy CISO, University of Virginia
Michael Grinnell is the Deputy CISO at University of Virginia. He has worn many different hats in his career, including security analyst, operations director, and enterprise architect. He is currently working on implementing a comprehensive information security program at UVa. Michael...


Tuesday October 8, 2019 11:30am - 12:30pm EDT
Appalachian A & B

11:30am EDT

GitOps Safely with Tests
GitOps is a technique for managing any number of things using code. Managing systems using code means we can audit changes, conduct peer reviews, and perform automated scans. We’ll talk briefly about what GitOps is and why it’s worth doing before diving in to how you can automatically test before releasing your bots and pipelines on your critical infrastructure.

Speakers
Phil Fenstermacher

Lead Linux Engineer, William & Mary


Tuesday October 8, 2019 11:30am - 12:30pm EDT
Appalachian C

12:30pm EDT

Lunch
Tuesday October 8, 2019 12:30pm - 2:00pm EDT
Shenandoah B & C

2:00pm EDT

Crypto Ransomware: Why is it a billion dollar industry?
We hear frequently in the news about local and state government agencies succumbing to ransomware attacks.  Higher education isn't immune and we may not be prepared as well as we should be.  There are many aspects to this type of attack and, unfortunately, the attackers frequently succeed.  Until ransomware becomes less profitable, it will continue to get worse.  

During this session, we will explore these questions:
  • What does an attack look like and how does it progress?
  • Why is it so profitable and how does cyber insurance factor in?
  • Why are some organizations so vulnerable to it?
  • What can we do to stop this epidemic?


Speakers
Philip Kobezak

Associate Director, University Information Security Initiatives, Virginia Tech
As the Associate Director of University Information Security Initiatives, Philip is responsible for leading security initiatives that have a broad impact. He has 20 years of experience in higher education IT with 13 years specifically in information security. He maintains six GIAC...


Tuesday October 8, 2019 2:00pm - 3:00pm EDT
Allegheny A - C

2:00pm EDT

Shifting Left with App Sec
Vulnerable web applications are one of the primary contributors to compromises within an organization, as a compromised public web application can provide attackers with a foothold into the organization’s environment. From traditional web application vulnerabilities to the use of insecure libraries, it is getting more and more difficult to defend critical web applications against cyberattacks. Compounded with the shift to DevOps methodology and the use of Continuous Integration and Continuous Delivery models, the way application security is managed must adapt to the speed and agility of modern software development shops. This talk will focus on VCU’s vision and approach in designing and implementing an application security model over the past 3 years to help build security into application delivery pipelines.

Speakers
Dan Han

Chief Information Security Officer, Virginia Commonwealth University
Dan is the Chief Information Security Officer for the Virginia Commonwealth University. He has over 17 years of experience working in various roles in IT and focused on information security management in the higher education and healthcare sector for the past 13 years. Dan specializes...


Tuesday October 8, 2019 2:00pm - 3:00pm EDT
Appalachian A & B

2:00pm EDT

Next Generation Approach to Security
Complexity is the primary challenge to effective and efficient security today, as evidenced by the endless series of incidents, where mis-configuration and misalignment of security controls are invariably at the heart of devastating breaches. The future of security is evolving in a more complex world, in which growing constellations of security widgets are combined to protect increasingly distributed and dynamic cloud native applications, against ever more sophisticated adversaries. As we move forward, embracing more comprehensive “end to end” application platforms, we have the opportunity to greatly simplify and enhance the effectiveness of all aspects of security.
 
A platform that reaches from development and testing, thru deployment and orchestration, to governance and analytics can create a single aligning version of the truth, about “what is being protected”, “how it should behave” and “what are the plausible options, if it doesn’t”. 
 
In this session we will consider how we can leverage long orphaned development, orchestration and governance context, in production to transformatively improve the effectiveness and efficiency of security policy management across the security technical portfolio. We will consider specific examples from each contextual dimension (e.g. development, platform orchestration, governance/classification), to concretely demonstrate how such improvements can be realized in operation. Finally we will highlight how “end to end” platforms are increasingly enabling this kind of capability as an intrinsic aspect of more holistic application focused management.
 

Speakers
Dennis R. Moreau, PhD

Senior Engineering Architect, Cyber Security, VMware
Dennis Moreau is a cyber security architect in the Office of the CTO at VMware. His current efforts focus on designing transformatively simpler, more effective, and more efficient protection in premise, edge and cloud hosting scenarios. He has worked in collaboration with OASIS...


Tuesday October 8, 2019 2:00pm - 3:00pm EDT
Appalachian C

3:00pm EDT

Vendor Meet and Greet
Tuesday October 8, 2019 3:00pm - 3:30pm EDT
Shenandoah A

3:30pm EDT

ODU AWS Journey and Lessons Learned
ODU Network and Security Teams share their experiences, gotchas, and lessons learned during the initial buildout of an AWS Design and Architecture using a mix of native AWS tools and traditional enterprise solutions. Driven by the use case of business continuity, but also trying to open the door of a future public cloud service expansion, we cover some tradeoffs and decisions made during the first phase of our migration. We will leave some time for general questions and an open design discussion.

Speakers
Tihomir Hristov

Director, Infrastructure Services, Old Dominion University
With a background in server, storage and heavy network administration, Tihomir Hristov is the lead for Networking at Old Dominion University Information Technology Services. He has spent the past year leading the Public Cloud Acceleration and DevOps/Infrastructure as Code initiatives...

Mark DeDomenic

Assistant Information Security Officer for Security Operations, Old Dominion University
Mark is the lead for the Security Operations team and serves as one of three Assistant Information Security Officers at Old Dominion University. He graduated from ODU with a B.S. in Computer Science in 2007 and has been working in information technology at the University...


Tuesday October 8, 2019 3:30pm - 4:30pm EDT
Allegheny A - C

3:30pm EDT

Strengthening your Organization's Cyber Security Posture with the CIS Controls and Open Source Tools
The assessment of critical controls and improvement plans can be considered a way of enhancing the security posture through implementation and monitoring of technical controls. This presentation will address the process of implementing and monitoring some of the CIS Controls using a mix of Open source and Commercial Tools in conjunction with continuous monitoring of security controls driven by the SIEM and providing valuable Threat Intelligence.

The presentation will focus on the following topics:
  • CIS Controls
  • Incident Case Management
  • SIEM Analytics
  • Data Enrichment
  • Malware Analysis
  • Automation and Orchestration
  • Threat Intelligence

Speakers
Daniel Terceros

Senior Information Security Analyst, Georgetown University
Daniel Terceros is a Senior Security Analyst at Georgetown University with a focus on Incident Response and Threat Detection. He holds a M.S. in Telecommunication and Security Forensics along with several professional designations including the Security+, Certified Ethical Hacker...


Tuesday October 8, 2019 3:30pm - 4:30pm EDT
Appalachian A & B

5:00pm EDT

Reception & Founders Award Presentation
Tuesday October 8, 2019 5:00pm - 6:00pm EDT
TBA
 
Wednesday, October 9
 

7:00am EDT

Breakfast
Wednesday October 9, 2019 7:00am - 8:30am EDT
Shenandoah B & C

8:30am EDT

GDPR and Privacy Shifts in the US
The presentation will cover the impact of GDPR on privacy in the EU as it relates to the violation and levying of fines against corporations.  The discussion will also include the shift in the mindset towards privacy in the US and how many states are changing their laws to adjust.  There will be an analysis of how this will impact the perspective of data privacy as a right of citizens in the US and various states.

Speakers
Shana Sumpter

Director of Information Security, University of Richmond
Shana Bumpas has been an information technology professional for over twenty years working in both public and private sectors. The last ten years have been focused in cybersecurity. After serving in the US Navy as an aviation electronics technician, she started a career in information...


Wednesday October 9, 2019 8:30am - 9:30am EDT
Appalachian A & B

8:30am EDT

Information Security from the CIO Perspective
CIOs will provide their insights on the status, challenges, options and futures around information security operations in higher education. In addition to hearing their perspectives, the presenters will respond to questions from those attending.

Speakers
Dale Hulvey

Assistant Vice President for Information Technology, James Madison University
Dale Hulvey serves as the CIO and Assistant Vice President for Information Technology at James Madison University. He provides overall leadership, vision and management of the IT organization consisting of four departments, Computing Support, Information Systems, Technical Services...

Rusty Waterfield

Associate Vice President for University Services & Chief Information Officer, Old Dominion University
Rusty Waterfield is the Associate Vice President for University Services and CIO of Old Dominion University (ODU). As CIO, he leads the Information Technology Services (ITS) organization which is responsible for developing innovative and scalable solutions and responsive support that...


Wednesday October 9, 2019 8:30am - 9:30am EDT
Appalachian C

8:30am EDT

Growing Security in the Amazon Cloud



General outline:
  • AWS Foundations
  • AWS Security Essentials
  • AWS Well-Architected Framework and Tool
  • Monitoring and Logging in AWS
  • Multi-Account Governance with AWS Control Tower and AWS Landing Zone
  • Security and Compliance Monitoring with AWS Native Services

Speakers
Chris Casto

Solutions Architect, Amazon Web Services (AWS), Worldwide Public Sector (WWPS) Education
Chris Casto started his career in the public sector, supporting K12 students, teachers, and administrators at the WV Department of Education as developer, sysadmin, DBA, and ultimately Executive Director. In his role as Solutions Architect at AWS, he uses his experience to help Higher...

Jianjun Xu, Ph.D.

Amazon Web Services
Dr. Jianjun Xu was an Astrophysicist and a Sr. software executive before he joined Amazon Web Services (AWS) as a Sr. Solutions Architect. He specializes in software development, Big Data, AI/ML, scientific and high performance computing (HPC). Jianjun enjoys interacting with researchers...


Wednesday October 9, 2019 8:30am - 4:45pm EDT
Allegheny A - C

9:30am EDT

Vendor Meet and Greet
Wednesday October 9, 2019 9:30am - 10:00am EDT
Shenandoah A

10:00am EDT

VASCAN Community Shared Vendor Assessments
The move to cloud-enabled applications has changed the face of departmental technology spending as a host of applications and services have become available for departments to purchase. This expansion of applications across our schools, which are often offered by young companies leveraging hosted data centers, has presented challenges to traditional risk management. This session will present work being done by several VASCAN participating schools – VCU, JMU, VT, W&M, VMI, UVA, and ODU. A model for sharing results of 3rd party vendor assessments has a hope to streamline assessments and risk decisions. Come hear about the work being done and join the discussion on a shared assessment model that can help all of our schools to focus our efforts on the highest risks, and scale our limited resources to this growing area of support.

Speakers
Doug Streit

CISO & Executive Director IT Security and Planning, Old Dominion University
Doug has served at Old Dominion University for over 20 years, working as a systems engineer, server-systems support manager and technical director. He accepted the responsibilities of Information Security and Identity Management in 2011. Current responsibilities include strategic...

Dan Han

Chief Information Security Officer, Virginia Commonwealth University
Dan is the Chief Information Security Officer for the Virginia Commonwealth University. He has over 17 years of experience working in various roles in IT and focused on information security management in the higher education and healthcare sector for the past 13 years. Dan specializes...

Darlene Quackenbush

Information Security SIG, James Madison University
Darlene leads JMU’s information security program in the areas of security planning, risk and contingency management, and incident response. She also facilitates information technology policy development, strategic planning, and audit processes for JMU's Information Technology department...

Amy Tunison Kobezak

Associate Director, Security Risk and Business Operations, Virginia Tech

Pete Kellogg

Director of Infrastructure Services, College of William & Mary
Pete is a graduate of Rider University in Lawrenceville, New Jersey, where he earned a Bachelor's degree in English Literature. He went on to receive an MBA from the Mason School of Business at the College of William and Mary in 1997. Pete holds professional certifications from the...

Flex Vaughn

Information Security Officer, Virginia Military Institute


Wednesday October 9, 2019 10:00am - 11:00am EDT
Appalachian A & B

10:00am EDT

Leveraging CUI to Shape University IT
Part one: We’ll present on the technical implementation of our CUI environment and how we satisfied the control requirements of a NIST 800-171 environment.  

Part Two: We’ll discuss how George Mason University architected our CUI and ITAR controlled environment with the goal of moving to a NIST 800-53 moderate based university policy. We’ll discuss how our implementation of our CUI compliant environment is being used to shape next generation central IT for security and services.

Speakers
Curtis McNay

Director of IT Security, George Mason University
Curtis is the Director of IT Security and the acting Chief Information Security Officer at George Mason University. He has over 30 years of experience working in the hospitality industry and in higher education in various IT roles, including system and network administration, managing...

Ali Golkar

IT Security Analyst, George Mason University
Ali is an IT Security analyst at GMU. He has been with the GMU IT Security office for almost 3 years, originally joining the team as an intern. He is primarily responsible for leading risk assessment projects, threat and vulnerability analysis, as well as monitoring Mason's CUI environment...

Joe Braud

Chief Information Security Officer, ePlus, Inc.


Wednesday October 9, 2019 10:00am - 12:00pm EDT
Appalachian C

11:00am EDT

Positive IT Security Risk Scoring
The Virginia Tech IT Security Laboratory is developing an experimental risk scoring system.  The goal of this system is to give risk scores to IT assets and help system managers and administrators improve scores over time.  

An alternate goal of this system is to improve relations between security teams and operational teams.  All too often, security teams submit vulnerability reports or assessments to IT Managers that may not positively encourage their teams to take action.  We hope that risk scores will be more encouraging and seen in a positive light.  Operational teams will be able to see their scores and work to improve them over time and constantly obtain slightly better scores (and security).  They will also be able to have friendly competitions with other areas across campus to see who can achieve the best score!

Speakers
Randy Marchany

Information Security Officer, Virginia Tech

Brad Tilley

Sr. Security Architect, Virginia Tech
Brad has more than 20 years of experience in systems programming, IT management and IT security. Before returning to Virginia Tech, Brad was the Information Security Officer at Radford University where he successfully led the university's information security program for a number of years...

Nick Gomez

Student Researcher, Virginia Tech
Nick is a student researcher in the IT Security Laboratory. He is an ECE major at Virginia Tech with a Cyber Security minor. Nick plans to graduate in May 2020.


Wednesday October 9, 2019 11:00am - 12:00pm EDT
Appalachian A & B

12:00pm EDT

Lunch
Wednesday October 9, 2019 12:00pm - 1:30pm EDT
Shenandoah B & C

1:30pm EDT

Security Operations from a GRC Practitioner's Perspective
Historically, Security Operations (SecOps) has been seen as threat management activities driven by control requirements in an organization’s GRC framework. It’s rare that SecOps is used to drive the shape of GRC in an organization. This talk will provide the view of someone who’s done both SecOps and GRC and will discuss how SecOps can be leveraged to drive GRC frameworks, controls, and decisions.

Speakers
Joshua Cole

Chief Technology Officer, Assura, Inc.
Josh was one of those kids who was staring at a computer monitor rather than having a social life. He fell in love with computers the first time he laid hands on an Apple II+ in 1983. His first computer was a Timex Sinclair 1000 with 2K(!) of RAM and a blazing fast 3.25 MHz processor...


Wednesday October 9, 2019 1:30pm - 2:30pm EDT
Appalachian A & B

1:30pm EDT

Using Terraform to Securely Build, Deploy, and Detect Drift in your Cloud Environments
Terraform has gained a lot of attention due to its ability to define "infrastructure as code." While it simplifies and enables version controlling of our infrastructure, how should we integrate these tools into build pipelines? How do we do it in a least-privileged manner (reducing blast radius if something happened)? How can we automatically detect when our infrastructure has drifted from our configuration, either intentionally or maliciously? And how can we share best practices more easily across our organizations? In this workshop, we will learn (in a hands-on manner) best practices for each of these in a simple project environment utilizing AWS. While Terraform experience is recommended, it is not required. All are welcome to attend!

Speakers
Michael Irwin

Application Architect, Virginia Tech
Michael Irwin is an Application Architect at Virginia Tech who is striving to modernize how software is developed and run on campus by driving the adoption of Docker-based workloads, CI/CD pipelines, the public cloud, single-page applications, and more. He is a recognized Docker Captain...


Wednesday October 9, 2019 1:30pm - 3:30pm EDT
Appalachian C

2:30pm EDT

After the Storm: Lessons Learned From a 3 Year Security Enhancement Program
After experiencing a major security incident in 2015, the University of Virginia rebuilt core infrastructure and embarked on a 3 year, 36 projects and initiatives, program to improve information security. Learn from our successes and challenges in implementing multiple concurrent security products and changes in a decentralized university environment. Policies, MFA, server and endpoint security, log correlation, phishing simulations, user awareness training, and network protections: there's something for everyone!

Speakers
Michael Grinnell

Deputy CISO, University of Virginia
Michael Grinnell is the Deputy CISO at University of Virginia. He has worn many different hats in his career, including security analyst, operations director, and enterprise architect. He is currently working on implementing a comprehensive information security program at UVa. Michael...


Wednesday October 9, 2019 2:30pm - 3:30pm EDT
Appalachian A & B

3:30pm EDT

Afternoon Break
Wednesday October 9, 2019 3:30pm - 3:45pm EDT
Shenandoah A

3:45pm EDT

Cyber Security Risk Assessment Findings
The presentation will detail a year’s worth of findings from cyber security risk assessments performed by the GO Virginia cyber security program students. While undergoing assessments for businesses and municipalities around the Shenandoah Valley, a large number of similar gaps were discovered across many organizations. The purpose of the presentation is to make IT professionals aware of common shortfalls with cyber security maturity. In addition, the genesis and methodology of the study will be shared so that participants may learn from the findings, and may also contribute stories of their own.

The session will also discuss the cyber security job program provided by the GO Virginia grant. In less than a year, twenty-four students have completed class work, earned their CompTIA Security+ certification, and have received job training. Seven of those students now have better jobs or positions, while six more have brand new jobs that the program brought to Waynesboro, Virginia. We are currently working with a US Congressional Representative on adapting the foundation of our program for use with the proposed bi-partisan Cyber Ready Workforce Act.

Speakers
Dan OBrien

GO Virginia Cyber Security Program Manager and Instructor, Blue Ridge Community College
Dan OBrien is the current GO Virginia Cyber Security Program Manager and Instructor at Blue Ridge Community College. With over 20 years of experience in the computer networking and cyber security industry, Dan’s background includes work with the US Departments of Treasury and Justice...


Wednesday October 9, 2019 3:45pm - 4:45pm EDT
Appalachian A & B