Sp4rkCon 2019
Featuring insightful technical talks from industry-leading information security pros. At Sp4rkCon, you'll discover emerging trends, offense and defense strategies and the latest tools to secure data. Oh, and did we mention it’s free?

Third-annual Sp4rkCon

Saturday, May 4, 2019 at the David Glass Technology Center in Bentonville, AR

Sp4rkCon is a free, one-day conference jam-packed with insightful technical talks from industry-leading information security professionals. At Sp4rkCon 2019, you’ll discover emerging trends, offense and defense strategies and the latest tools to secure data. Guest speakers include Daniel Bohannon, Principal Applied Security Researcher at FireEye; Katie Nickels, ATT&CK Threat Intelligence Lead at The MITRE Corporation; and Jugal Parikh, Senior Data Scientist at Microsoft. This year will also feature noteworthy talks from Walmart covering advanced malware techniques, sandbox evasion and decision automation for risk analysis, plus much more! Follow @Sp4rkCon on Twitter for the latest news and conference information and let us know how excited you are about #Sp4rkCon2019.

Schedule

8:00 a.m. Event Check-In

Attendees will be asked to provide registration confirmation number and a photo ID. A light breakfast, coffee and refreshments will be served during check-in. 

9:00 a.m. Opening Remarks

Tim MalcomVetter, Director, Red Teams at Walmart

9:10 a.m. Hardening Machine Learning Defenses Against Adversarial Attacks

Jugal Parikh, Senior Data Scientist at Microsoft

In today's threat landscape, it's not unusual for attackers to circumvent traditional machine learning based detections by constantly scanning their malware samples against security products and modifying them until they are no longer being detected. But more recently, we've seen a rise in attackers attempting to compromise these machine learning models directly by poisoning incoming telemetry and trying to fool the classifier into believing that a given set of malware samples are actually benign. Just deploying a set of malware classifiers to protect users is not enough. We need to constantly monitor the performance of deployed models and have sensors in place to alert against anomalous incoming traffic.

In this talk, we discuss several strategies to make machine learning models more robust to such attacks. We'll discuss research that shows how singular models are susceptible to tampering, and how some techniques, like stacked ensemble models, can be used to make them more resilient. We also talk about the importance of diversity in base ML models and technical details on how they can be optimized to handle different threat scenarios. Lastly, we'll describe suspected tampering activity we've witnessed using protection telemetry from over half a billion computers, and whether our mitigations worked.

Overall, the presentation describes guidelines on creating reliable, scalable and robust production-level machine learning models and systems in an actively adversarial, noisy, temporally biased (concept shift) security domain. It focuses on identifying various vectors of attack in the data collection, model training and deployment processes for malware classification, and then proposes mitigations across the ML attack surface.

This session will cover:

  • Pros and cons of deploying client vs. cloud-based ML models for malware detection
  • Real world case studies on past adversarial attacks that we’ve observed
  • Journey of using stacked ensembles from a concept to a mature system running in production and protecting over half a billion customers from first seen malware attacks
  • Different techniques for black box model interpretability and ways to avoid unnecessary biases
  • How stacked ensembles compare against simulated adversarial ML attack techniques and some real-world case studies on their benefits

10:10 a.m. PesterSec: Using Pester and ScriptAnalyzer for Detecting Obfuscated PowerShell

Daniel Bohannon, Principal Applied Security Researcher at FireEye

Attackers obfuscate PowerShell to evade rigid detections. With recent improvements in obfuscation detection, savvy attackers have started to obfuscate less and more selectively to avoid detection. Come learn how PesterSec leverages Pester and ScriptAnalyzer to detect minimally-obfuscated PowerShell.

Description:

Over the years as attackers have increasingly used PowerShell as an important piece of their offensive toolkit, the PowerShell Team has countered by building deep inspection capabilities into PowerShell that are not found in any other scripting language. However, as defenders began using this new visibility and significantly improving their detection of malicious PowerShell usage, attackers adapted their techniques.

As attackers turned to the heavy usage of specific obfuscation techniques, like those found in Invoke-Obfuscation and Invoke-CradleCrafter, to target certain aspects of PowerShell’s ScriptBlock logging, defenders once again had to match this offensive shift with their own shift in detection methodology.

Defenders have since turned to various data science approaches, like those built into Revoke-Obfuscation, to more robustly detect heavy PowerShell obfuscation. However, countering offensive projects like PSAmsi have enabled attackers to apply selective obfuscation in minimal quantities to evade specific A/V signatures while falling under the “obfuscation threshold” of newer data science approaches.

Come learn how PesterSec combines the power of ScriptAnalyzer and Pester to perform context-specific detections of minimally-obfuscated PowerShell commands and scripts. These platforms also highlight the ease of access to PowerShell’s Abstract Syntax Tree (AST) for any PowerShell practitioner.

11:00 a.m. Break for Lunch

Step away from your seat to grab some delicious eats catered by Taziki's Mediterranean Café and check out the Sp4rkCon expo booths. 

11:45 a.m. Fireside Chat

Jerry Geisler, Senior Vice President and Chief Information Security Officer at Walmart

Adam Ely, Vice President and Deputy Chief Information Security Officer at Walmart

Moderated by Regina Grayer, Senior Technical Project Manager at Walmart

Enjoy an open mic discussion, over lunch, with security leaders at Fortune 1. During this session, Walmart's CISO and deputy CISO will discuss their opinions and ideas about the next generation of IT security. 

12:20 p.m. Advanced Malware VBA Stomping – What’s New in 2019

Carrie Roberts, Dynamic Defense Engineer at Walmart 

Kirk Sayre, Dynamic Defense Engineer at Walmart

There are powerful malicious document generation techniques that are effective at bypassing anti-virus detection. A technique which we call “VBA stomping” refers to destroying the VBA source code in a Microsoft Office document, leaving only a compiled version of the macro code known as p-code in the document file. Maldoc detection based only on the VBA source code fails in this scenario. Reverse engineering these documents presents significant challenges as well. Come find out what is new with VBA Stomping since our presentation on the topic last year. 

12:55 p.m. Purple Team at Scale

Jason O'Dell, Senior Director of Incident Management, Walmart

In this session, Jason O'Dell, director of incident response and hunt at Walmart, will explain what the world’s largest retailer has learned about purple teaming at scale and how it can be used to improve the overall security posture of an organization.

This session will cover:

  • How red and blue teams can improve collaboration forming a true purple approach.
  • Specifics on how to implement periodic purple teaming campaigns in your organization.
  • How an effective purple team helps make both your red and blue teams more effective.

1:30 p.m. Bug Bounty: Growing Pains - Road to Maturity

Susan Graves, Cybersecurity Risk Expert at Walmart

Terrye Molz, CISSP Cybersecurity Risk Lead at Walmart

Stanko Jankovic, Staff Information Security Engineer at Walmart

This session will introduce you to Walmart’s Bug Bounty adventure – take the journey with us as we talk pain points and what areas we focused on maturing.

2:05 p.m. Putting MITRE ATT&CK™ into Action with What You Have, Where You Are

Katie Nickels, ATT&CK Threat Intelligence Lead at The MITRE Corporation 

MITRE ATT&CK™ has become widely adopted in the community as a way to frame adversary behaviors and improve defenses. But how can you use it for your team with what you have, where you are? Katie Nickels will break down the ATT&CK knowledge base so you understand how you can put it into action. She will explain the philosophy and approach behind ATT&CK, then dive into how you can use it, whether you’re a one-person shop or an advanced security operations center. Katie will cover how you can use ATT&CK for detection, threat intelligence, assessments, and red teaming, with a focus on actionable takeaways to help your team move toward a threat-informed defense.

3:05 p.m. Lightning Talks

Your Handshakes Are Leaking 

Adam Gold, Senior Technical Expert, Dynamic Defense Engineer at Walmart

User Agents are for the birds! Learn one easy-to-implement way to detect SSL MITM, curl, wget, and other unfavorable traffic interacting with your Command and Control server.

 

Finding All the Things

Dori Clark, Application Penetration Tester at Walmart

An overview of discovery strategies and process.

 

Information Overload: Vulnerability Management in a World with Too Much Data

Jesse Tadlock, Director, Information Security at Walmart 

Today we have more information on security flaws than any human can process. This talk will focus on practical ways to translate data into action. What are the key principles to drive action? How do security professionals use the abundance of data to prioritize and resolve issues? 

4:10 p.m. Hacker Jeopardy

Ben Miller, Enterprise Security Testing at Walmart

6:00 p.m. After Party

After Sp4rkCon 2019 wraps up at the David Glass Technology Center, head on over to Bike Rack Brewery to unwind with a night of music, food and fun. Bring your Sp4rkCon event badge to enjoy some yummy bites on us!

Bike Rack Brewery 

801 SE 8th St #61, Bentonville, AR 72712

6 p.m. to whenever ;)

 
