In today's threat landscape, it's not unusual for attackers to circumvent traditional machine learning based detections' by constantly scanning their malware samples against security products and modifying them until they are no longer being detected. But more recently, we've seen a rise in attackers attempting to compromise these machine learning models directly by poisoning incoming telemetry and trying to fool the classifier into believing that a given set of malware samples are actually benign. Just deploying a set of malware classifiers to protect users in not enough. We need to constantly monitor the performance of deployed models and have sensors in place to alert against anomalous incoming traffic.

In this talk, we discuss several strategies to make machine learning models more robust to such attacks. We'll discuss research that shows how singular models are susceptible to tampering, and some techniques, like stacked ensemble models, can be used to make them more resilient. We also talk about the importance of diversity in base ML models and technical details on how they can be optimized to handle different threat scenarios. Lastly, we'll describe suspected tampering activity we've witnessed using protection telemetry from over half a billion computers, and whether our mitigations worked.

Overall, the presentation describes guidelines on creating reliable, scalable and robust production level machine learning models and systems in an active adversarial, noisy, temporally biased (concept shift) security domain. It focuses on identifying various vectors of attack in the data collection, model training, deployment process for malware classification and then proposes mitigations across the ML attack surface.

This session will cover:

• Pros and cons of deploying client vs. cloud-based ML models for malware detection
• Real world case studies on past adversarial attacks that we’ve observed
• Journey of using stacked ensembles from a concept to a mature system running in production and protecting over half a billion customers from first seen malware attacks
• Different techniques for black box model interpretability and ways to avoid unnecessary biases
• How stacked ensembles compare against simulated adversarial ML attack techniques and some real-world case studies on their benefits

For over a decade PowerShell has empowered administrators, DevOps practitioners and automation enthusiasts to accomplish significant tasks with relative ease. However, malicious threat actors have also harnessed PowerShell’s capabilities by writing extensive offensive tools and frameworks in PowerShell.

The PowerShell team has countered these malicious trends with adding numerous defensive enhancements to PowerShell including extremely deep logging visibility (like ScriptBlock, Module and Transcription logging) as well as blocking capabilities and interfaces like the AntiMalware Scan Interface (AMSI).

This talk draws from over four years of Incident Response experience to lay out a technical buffet of in-the-wild malicious PowerShell payloads and techniques. In addition to diving deep into the mechanics of each malicious example, this presentation will highlight forensic artifacts, detection approaches and the deep visibility that the latest versions of PowerShell provides security practitioners to defend their organizations against the latest attacks that utilize PowerShell.

So if you are new to security or just want to learn about how attackers have used PowerShell in their attacks, then this talk is for you. If you want to see what obfuscated and multi-stage, evasive PowerShell-based attacks look like under the microscope of PowerShell deep inspection capabilities, this talk is for you. And if you want to see why these security advancements to PowerShell are causing many attackers to shift their tradecraft development away from PowerShell, this talk is for you.

Enjoy an open mic discussion, over lunch, with security leaders at Fortune 1. During this session, Walmart's CISO and deputy CISO will discuss their opinions and ideas about the next generation of IT security. 

There are powerful malicious document generation techniques that are effective at bypassing anti-virus detection. A technique which we call “VBA stomping” refers to destroying the VBA source code in a Microsoft Office document, leaving only a compiled version of the macro code known as p-code in the document file. Maldoc detection based only on the VBA source code fails in this scenario. Reverse engineering these documents presents significant challenges as well. Come find out what is new with VBA Stomping since our presentation on the topic last year. 

In this session, Jason O'Dell, director of incident response and hunt at Walmart, will explain what the world’s largest retailer has learned about purple teaming at scale and how it can be used to improve the overall security posture of an organization.

This session will cover:

• How red and blue teams can improve collaboration forming a true purple approach.
• Specifics on how to implement periodic purple teaming campaigns in your organization.
• How an effective purple team helps make both your red and blue teams more effective.

This session will introduce you to Walmart’s Bug Bounty adventure – take the journey with us as we talk pain points and what areas we focused on maturing.

MITRE ATT&CK™ has become widely adopted in the community as a way to frame adversary behaviors and improve defenses. But how can you use it for your team with what you have, where you are? Katie Nickels will break down the ATT&CK knowledge base so you understand how you can put it into action. She will explain the philosophy and approach behind ATT&CK, then dive into how you can use it, whether you’re a one-person shop or an advanced security operations center. Katie will cover how you can use ATT&CK for detection, threat intelligence, assessments, and red teaming, with a focus on actionable takeaways to help your team move toward a threat-informed defense.

Your Handshakes Are Leaking 

Adam Gold, Senior Technical Expert, Dynamic Defense Engineer at Walmart

User Agents are for the birds! Learn one easy to implement way to detect SSL MITM, curl, wget, and other unfavorable traffic interacting with your Command and Control server.

Finding All the Things

Dori Clark, Application Penetration Tester at Walmart

An overview of discovery strategies and process.

Information Overload: Vulnerability Management in a World with Too Much Data

Jesse Tadlock, Director, Information Security at Walmart 

Today we have more information on security flaws than any human can process. This talk will focus on practical ways to translate data into action. What are the key principles to drive action? How do security professionals use the abundance of data to prioritize and resolve issues?