VASCAN 2019

With the explosion of public cloud and private cloud adoption, the DevOps tools landscape has become increasing saturated and nuanced. A myriad of tools (Ansible, Chef, Puppet, Terraform, CloudFormation, container orchestration, etc.) now present themselves as options for configuration management and infrastructure provisioning. In this session we will look at the use cases for automation, orchestration and intent-based IT infrastructure provisioning. We will contrast and compare the pros and cons of the most popular offerings in the industry and also discuss various security considerations and implications to environment, data, and CI/CD process security in a DevOps world.

A look into our journey towards implementing CIS Control 1, “Inventory and Control of Hardware Assets” in a decentralized environment.  CIS Control 1 is the foundation of a comprehensive security program.  University of Virginia is using multiple asset discovery systems and processes to attempt to build a complete inventory of systems on our network.  This will strengthen other CIS controls and security measures.  Take a walk with us and see how we are doing this, what’s working, what’s not, and future plans.

Vulnerable web applications are one of the primary contributors to compromises within an organization, as a compromised public web application can provide attackers with a foothold into the organization’s environment. From traditional web application vulnerabilities to the use of insecure libraries, it is getting more and more difficult to defend critical web applications against cyberattacks. Compounded with the shift to DevOps methodology and the use of Continuous Integration and Continuous Delivery models, the way application security is managed must adapt to the speed and agility of modern software development shops. This talk will focus on VCU’s vision and approach in designing and implementing an application security model over the past 3 years to help build security into application delivery pipelines.

The assessment of critical controls and improvement plans can be considered a way of enhancing the security posture through implementation and monitoring of technical controls. This presentation will address the process of implementing and monitoring some of the CIS Controls using a mix of Open source and Commercial Tools in conjuction with continuous monitoring of security controls driven by the SIEM  and providing valuable Threat Intelligence.

The presentation will focus on the following topics:

• CIS Controls
• Incident Case Management
• SIEM Analytics
• Data Enrichment
• Malware Analysis
• Automation and Orchestration
• Threat Intelligence

The presentation will cover the impact of GDPR on privacy in the EU as it relates to the violation and levying of fines against corporations.  The discussion will also include the shift in the mindset towards privacy in the US and how many states are changing their laws to adjust.  There will be an analysis of how this will impact the perspective of data privacy as a right of citizens in the US and various states.

The move to cloud-enabled applications has changed the face of departmental technology spending as a host of applications and services have become available for departments to purchase. This expansion of applications across our schools, which are often offered by young companies leveraging hosted data centers, have presented challenges to traditional risk management. This session will present work being done by several VASCAN participating schools – VCU, JMU, VT, W&M, VMI, UVA, and ODU. A model for sharing results of 3rd party vendor assessments has a hope to streamline assessments and risk decisions. Come hear about the work being done and join the discussion on a shared assessment model that can help all of our schools to focus our efforts on the highest risks, and scale our limited resources to this growing area of support.

The Virginia Tech IT Security Laboratory is developing an experimental risk scoring system.  The goal of this system is to give risk scores to IT assets and help system managers and administrators improve scores over time.  

An alternate goal of this system is to improve relations between security teams and operational teams.  All too often, security teams submit vulnerability reports or assessments to IT Managers that may not positively encourage their teams to take action.  We hope that risk scores will be more encouraging and seen in a positive light.  Operational teams will be able to see their scores and work to improve them over time and constantly obtain slightly better scores (and security).  They will also be able to have friendly competitions with other areas across campus to see who can achieve the best score!

Historically, Security Operations (SecOps) has been seen as threat management activities driven by control requirements in an organization’s GRC framework. It’s rare that SecOps is used to drive the shape of GRC in an organization. This talk will provide the view of someone who’s done both SecOps and GRC and will discuss how SecOps can be leveraged to drive GRC frameworks, controls, and decisions.

After experiencing a major security incident in 2015, the University of Virginia rebuilt core infrastructure and embarked on a 3 year, 36 projects and initiatives, program to improve information security. Learn from our successes and challenges in implementing multiple concurrent security products and changes in a decentralized university environment. Policies, MFA, server and endpoint security, log correlation, phishing simulations, user awareness training, and network protections: there's something for everyone!

The presentation will detail a year’s worth of findings from cyber security risk assessments performed by the GO Virginia cyber security program students. While undergoing assessments for businesses and municipalities around the Shenandoah Valley, a large number of similar gaps were discovered across many organizations. The purpose of the presentation is to make IT professionals aware of common shortfalls with cyber security maturity. In addition, the genesis and methodology of the study will be shared so that participants may learn from the findings, and may also may contribute stories of their own.

The session will also discuss the cyber security job program provided by the GO Virginia grant. In less than a year, twenty-four students have completed class work, earned their CompTIA Security+ certification, and have received job training. Seven of those students now have better jobs or positions, while six more have brand news jobs that the program brought to Waynesboro, Virginia. We are currently working with a US Congressional Representative on adapting the foundation of our program for use with the proposed bi-partisan Cyber Ready Workforce Act.