LIVE From IBM Think 2018: Security and Resiliency Campus

March 18-22, 2018 was “showtime” for IBM Think 2018 in Las Vegas! This conference offered attendees a brand new event format — filled with rich educational and networking opportunities (plus all of the food and fun you expect at a world class conference).

We assembled the community of best-in-class experts to help tackle cybersecurity problems, from overcoming the skills shortage to applying advanced analytics and AI to security data to develop better, more actionable insights on potential threats. Read the article to learn what happened in and around the IBM Security and Resiliency Campus during the week, and watch replays of our keynote and core curriculum sessions.


2:00 p.m. | Thursday
That’s a Wrap!

Thanks for following along this week as IBM Security & Resiliency took Las Vegas by storm. It wasn’t all work and no fun — #IBMRocks featured three great concerts: Barenaked Ladies, Train and The Chainsmokers. Some of our staff also won big (about $6) at the Sigma Derby Horse Race, which is an IBM Security tradition when we are in Vegas. I’ll miss those little ponies next year when we roll into San Francisco for Think 2019.

IBM Think 2019 banner.


1:30 p.m. | Thursday
How to Knock the SOCks off Attackers

Etay Maor, IBM Executive Security Advisor, shows some of tricks that hackers use to steal our personal information. Watch the replay (skip ahead in the video to the 6:45 timestamp) to learn from real life examples – because to fight the hackers, you have to think like one!


11:00 a.m. | Thursday
The Disruption Dome

In our business, we often refer to the moment of a cyberattack as the “boom” moment. It’s when you realize something is wrong, and your day just took a turn in a very unexpected direction. We brought this experience to life this week in our Campus Disruption Dome.

Imagine you are a Security Director at a hospital who discovers your patient records are on the dark web…or perhaps you’re the CISO who has just been informed that confidential customer client data is in the hands of your competitors…or maybe you’re the CIO of an airline who discovers malware has infected your terminals and passengers are stranded. What do you do next? Watch the replay of the keynote to hear more about how to handle that moment of “boom”.


9:15 a.m. | Thursday
Security Operations Centers and the Evolution of Security Analytics

Our last day in the Campus started with a session from Paul Dwyer. He explained that as the security operations center (SOC) model matures, staffing is evolving to focus more on planning and building and less on basic operations. Having the right staffing model and tooling is essential to automate some of the work in the SOC to improve efficiency. For example, automation can help the level 1 analyst reduce error rates and augment decision making on how to handle alerts. Dwyer indicated that many of these automation services will reside in the cloud.

Mature SOCs have the capabilities to move beyond traditional threat management to become the point of coordination for managing a range of business risks. Organizations can use the tools and talents of a SOC to extend to cyber fraud, insider threats and other areas to evolve into a risk analytics center.


8:30 a.m. | Thursday
Hacked in Two Minutes

One of the new experiences in the IBM X-Force Cyber Range is capture the flag, which tests technical aptitude and crisis management. Participants are tasked to execute network-level attacks, cryptography and steganography challenges, network forensics and reverse engineering. With some help from the developers of this experience, Richard Moore, John Clarke and Anthony Johnson (from X-Force Threat Intelligence), I was able find a vulnerable machine, launch an attack and cause havoc ranging from installing malware to data theft and corporate espionage — in less than two minutes!


4:15 p.m. | Wednesday
It’s Time to Shift Security to the Left

Application developers adopt DevOps processes to shorten time to market. However, many apps that are released to production contain security defects. Anatoly Bodner and Eitan Worcel explained that 25 percent of security defects still make it to the production releases, mostly due to a lack of skills to implement and remediate security controls properly. It’s estimated that over 40 percent of attacks that resulted in data breaches targeted applications last year.

Given that it’s 100 times cheaper to fix security defects before an app is released, they suggested that shifting security to the left will have significant benefits. This cultural and process shift is referred to SecDevOps, which prescribes that each role in the development process must have the skills and tooling they need to fulfill their role. It also builds accountability into the development process, so decisions are not driven by convenience but by outcomes.


3:30 p.m. | Wednesday
The Need for Collaborative Cyberdefense

An estimated 80 percent of cyberattacks are driven by collaborative cybercriminal groups. In light of this staggering statistic, collaboration among the good guys is required at the threat intelligence and capability level, according to Paul Griswold and Rich Tellijohann in their talk today on collaborative defense.

Paul described the IBM X-Force Exchange as the “Google for security,” allowing users to search for keywords and interact with more than 400,000 members and 800+ terabytes of threat intelligence. One retail organization replaced multiple tools, reduced investigation time and streamlined collaboration across the security team by adopting this threat research platform.

Rich talked about technology collaboration and the IBM Security App Exchange, where users can share and download more than 140 apps based on IBM Security technologies. He featured a new app from DomainTools that integrates threat information in bulk into IBM QRadar.

Paul Lindsey from Cigna Information Protection, Global Threat Management also talked about how he maintains a threat sharing network that includes a trusted series of partners and values relationships that are reciprocal in nature. His team also works to create seamless experiences for their security analysts by taking advantage of the apps that help their environment work better together.


2:00 p.m. | Wednesday
Establish Digital Trust with a Frictionless User Experience

As companies invest in business transformation, ensuring that customers, employees and business partners have a frictionless user experience is central. But how can a business know who you are, especially when there are so many ways to prove identity?  While we may tolerate this in the physical world, it’s not acceptable in the digital world where switching costs are low, since they add friction and subtract from the digital experience.

Establishing digital trust is an ongoing process, not a one-time event, according to Jason Keenaghan. The more you learn — and the more information that can be corroborated — the more trust you establish. But you must do it in a way that does not impact the user experience. An ideal strategy is to pick one project to start with and make sure that you are taking a multilayered approach to risk assessment. Relying on just a single context domain, such as a device ID or even behavioral biometrics, is not enough to provide a high level of trust. You must go beyond that and capture the full view of the user.


11:15 a.m. | Wednesday
Automate and Enforce Continuous Security Compliance

A sea change is occurring in how companies view compliance from “because I said to” to an essential requirement that is pervasive across operations, according to Cindy Compert, chief technology officer (CTO) of data security and privacy at IBM Security. Consumers vote with their feet, and she noted that 25 percent of people say they will change providers after a heath care breach. If they don’t trust you, they won’t work for you, buy from you or partner with you.

Compliance is a starting position but must evolve to ongoing cyber risk management that is aligned to the business. Organizations must move from “check-the-box” compliance to taking accountability for results and being stewards for data security, as discussed yesterday by IBM CEO Ginny Rometty on CNBC. A new IBM study from the Institute of Business Value reported that 50 percent of executives believe that GDPR is an opportunity to transform security, privacy and data management. Cindy advised attendees to prepare to integrate with cloud, practice worst-case scenarios and think about how to embed trust into the fabric of your business.


11:15 a.m. | Wednesday
Why Endpoint Management Is Critical to Security Strategy

Recent attacks such as WannaCry have exposed risks at the endpoint level, Petya/Not Petya at the operating system and application level, and Meltdown/Spectre at the hardware level.

Operating system patch hygiene is table stakes, but it’s not a strategy, according to Tom Mulvehill, IBM Security offering manager. He explained the five key elements to an endpoint security strategy:

By building an integrated endpoint management strategy, Tom shared how US Foods reduced patching time by 80 percent and saved $500 million in unused software licenses.


10:30 a.m. | Wednesday
Cloud Security State of the Union

Mary O’Brien, IBM Vice President of Development, opened this session by sharing an anecdote in which a CISO recently told her that they started a two-year “lift and shift” project to move from 0 to 95 percent of their workloads to the cloud. Security is a concern but not a barrier, since the benefits of the cloud to modernize their business is so great.

Sridhar Muppidi, chief technology officer (CTO) of IBM Security, explained that the journey to cloud can typically be categorized into three scenarios:

  • Migrate existing workloads to the cloud;
  • Develop new applications for the cloud; and
  • Extend on premise workloads a hybrid cloud.

Regardless of the path of the journey, the presenters explained that your security posture will change. Security teams need to integrate their workloads with the cloud provider’s logs to maintain visibility and meet compliance requirements.

However, in all scenarios, security and compliance remains a shared responsibility between the organization and the cloud provider. David Cass, IBM Vice President of cloud and software-as-a-service (SaaS), reminded the audience that you can’t outsource accountability.


9:00 a.m. | Wednesday
Is Your Data Security Strategy Proactive or Reactive?

As organizations see an explosion of data — including moving to the cloud — security teams are feeling pressure from line of business, audit and security teams. Data is becoming more difficult to secure because it’s dynamic, distributed and in demand. Security controls should be applied to secure information where it resides.

David Mahdi from Gartner Research explained that protecting your data is essential for success in the digital world. When designing data security governance programs, he recommended starting with a proactive approach that includes line-of-business needs (80 percent of IT professionals don’t do this today) rather than starting with point products for specific projects.


6:00 p.m. | Tuesday
Mixing With Bruce Schneier

The day wrapped with remarks from Bruce Schneier on how to achieve cyber resilience in a world of security attacks. The session concluded with a reception, complete with Margareta Verde refreshments designed personally by Bruce.


5:15 p.m. | Tuesday
Power in Progress

A panel of transformational speakers challenged everyone to stand up and be the voice of change to open doors for equity and keep them open to enable the best talent to thrive. A thoughtful discussion continued about how to break the mold and rethink what is possible — because to develop ethical and unbiased technology, everyone must participate in its creation. This is especially important in cybersecurity, which is an area with a significant shortage of skills, although leaders are hopeful about growing the presence of women.


4:45 p.m. | Tuesday
Lessons Learned From IBM’s Cyber Range

The IBM Cyber Range team engaged the audience in a short “real-life” scenario that challenged members to respond to allegations that their company’s data has been found on the Dark Web. Three teams — security/IT, communications/PR and HR/legal — had to determine their next three moves after receiving a phone call from a reporter. Participants had to think on their feet and chaos ensued.

Over 1,400 organizations visited the IBM Cyber Range in 2017 to test their level of readiness. Bob Stasio explained that the first step an analyst needs to take in this situation is to validate and verify the data, often by identifying the compromised credentials and looking for patterns of unusual behavior. Next, the response team must be quickly assembled, and most participants fail miserably in this step because they cannot identify and contact the right people. Finally, a “break-the-glass” crisis response plan needs to be activated. Guidance from Executive Director Christopher Crummey is to “practice like you fight, and fight like you practice.” Allison Ritter explained how the learning activities are designed around gamification to deliver a hands-on and fun experience.


2:45 p.m. | Tuesday
Meet IBM X-Force Red

Some of our X-Force Red superstars showed me demos of their latest services offerings on display in the campus. I started out in the Password “Cracken” experience with David Bryan and Dustin Heywood. I created a long password with letters, numbers and symbols and felt confident it was secure. Well, it only took them 148 seconds to analyze and break it! Their password cracking system is used with organizations as part of comprehensive reviews of cybersecurity readiness. Coincidentally, Cracken was featured on the Today Show with Megyn Kelly this morning.

Charles Henderson and his team members Krissy Safi and Cris Thomas also showed me the IBM X-Force Red Portal, a subscription-based service that streamlines testing programs for organizations. Through an easy-to-use web portal, testing workflow, history and budgets can be easily maintained and retrieved when necessary. The X-Force Red team has the capability to test virtually any type of target and technology and has global coverage.


2:15 p.m. | Tuesday
The Need for Silent Security

According to the recent “Future of Identity Study,” security is beginning to outweigh convenience for many people — however, there are generational differences. Younger people are moving beyond passwords but adopting biometrics at a faster rate than other demographic groups.

The message to developers is to design for a frictionless user experience so that security is so silent, you don’t even know it’s there.


1:00 p.m. | Tuesday
Are You Ready for the “Boom” Moment?

The IBM Security & Resiliency keynote opened with a video that described a “boom” moment — said less politely, it’s when the “sh*t hits the fan.” It’s the time when you experience a cyber incident — maybe it’s ransomware, stolen credentials or even a failed audit. Left of boom, where most security professionals are comfortable, is the space of prevention and detection. Right of boom is a decidedly less comfortable space: Every second matters and you often need to engage outside of the IT and security team — often legal, human resources, public relations and even the board of directors. In fact, a recent Ponemon Study revealed that more than 75 percent of organizations do not have a response plan in place.

Ted Julian, Wendi Whitmore and Mike Errity described how to build a plan that includes the right workflow to orchestrate your way through the boom and the type of partnerships that can help you in your time of need. These partnerships include a technical response team that can quickly analyze the situation, handle crisis communication and work with law enforcement. Also required are experts that can quickly recover of all of the technology and assets to restore business operations.

Watch IBM Security General Manager Marc van Zadelhoff’s Keynote Address


12:00 p.m. | Tuesday
AI and Machine Learning Are Our Best Weapons Against Cyberthreats

Live from “The Cube” at Think, Mary O’Brien described how we’ve reached the perfect storm in cybersecurity. With more than 1.2 million unfilled jobs predicted, coupled with 50 billion connected Internet of Things (IoT) devices, the opportunity for criminals to attack is increasing and the number of professionals to stop them is not. We are entering the era of man assisted by machine, and infusing AI and machine learning into security is our new practice to fight cybercrime.

The Cube


10:45 a.m. | Tuesday
Introducing SecOps.Next

This session opened with a simple question: “What if you were a doctor that had to perform life-or-death surgery blindfolded on dozens of patients while a superbug took over the operating room?” Everyone agrees we would never allow our health to be jeopardized in such a manner. However, that nightmare scenario is starting to occur in security operations centers (SOCs). As web traffic encryption becomes more pervasive, workloads move to the cloud and the number of Internet of Things (IoT) devices to secure explodes, it’s getting more and more difficult for overworked security analysts to see what’s really happening in the environments that they’re tasked with protecting.

IBM Security Vice Presidents Jim Brennan and Koos Lodewijkx described a vision for the SOC of tomorrow that they call SecOps.Next. This platform will be capable of dealing not only with these challenges, but also with those that we have not yet even considered. Read more about how you can see across all devices and clouds, tear down internal silos between IT and security, automate to get your team focused on what matters most, and ensure all are rowing in the same direction to get ahead of threats.


9:00 a.m. | Tuesday
IBM CEO Ginni Rometty’s Think 2018 Address

IBM Chairman, President and CEO Ginni Rometty opened the conference by declaring that this is an exponential moment when business and technology align to give you the ability to outlearn everyone else in your industry.

Rometty remarked that the exponential growth of data provides one of the greatest opportunities and has the potential to be the greatest issue of our time. She challenged us all to think about the security of that data, how our professions will evolve (such as new collar jobs) and making inclusion (especially for women) a reality for everyone.


6:00 p.m. | Monday
Now Open: The Security & Resiliency Campus

The campus format is all new this year, designed to make it easier for everyone to network, learn and recharge. The Security & Resiliency Campus has been described as “an amusement park for cyber geeks,” and tonight’s opening reception did not disappoint. After introductory remarks, more than 20 demo stations came to life, all staffed by experts in light blue shirts ready to assist visitors.

During the week, our campus is the place for most of the security curriculum. Our agenda is organized into 12 topic areas, and each includes a 40-minute Core Curriculum session (which will be available for viewing live and on demand) and a related series of 20-minute Think Tank discussions. For a summary of the 12 topic areas,  you’ll find the Security & Resiliency Roadmap a helpful companion to the Think Mobile App. With over 160 sessions, hands-on labs and interactive experiences to choose from, there is something for everyone.


4:45 p.m. | Monday
“We are Just Getting Started”

In today’s keynote for IBM Security Business Partners, IBM Security General Manager Marc van Zadelhoff reminisced that it’s been just 6 short years since the IBM Security business unit was established. And with the help of our channel partners, we are just getting started in taking the $90B market for security solutions by storm. IBM Security Strategy Vice President Kevin Skapinetz explained the three-point plan for growth:

  • Help clients build an immune system to integrate the silos of point security products in use today;
  • Make security a team sport, especially with partnerships like this year’s Beacon Award winner Sogeti;
  • Use advances in in AI, cloud and the ecosystem as “force multipliers” to advance the speed of innovation.


4:00 p.m. | Monday
Security Safeguards Required for Transition to the Digital Economy

More than 70 percent of organizations believe that digital transformation is essential to their business though it comes with increased risk of data breaches and cyberattacks, according to a new study from the Ponemon Institute. Larry Ponemon presented findings from the new study “Bridging the Digital Transformation Divide: Leaders Must Balance Risk & Growth.” Securing cloud environments, data critical to operations, IoT devices and high value assets were noted as being critical elements of a successful digital transformation.


2:30 p.m. | Monday
Experience the IBM X-Force Command Center

Do you have the skills to join the hacking team “Daemon Crew”? The X-Force Command Center team is challenging you to test your skills to see if you are “leet” enough to join their operation.  Allison Ritter, IBM Security Threat Gamification Engineer, will lead you through a timed challenge – since in order to fight the hackers, you need to think like a hacker! You can also take a virtual reality tour of the X-Force Command Center.  Stop by the experience in Think Academy (Mandalay Bay South, Level 2, Shoreline).


1:00 p.m. | Monday
Shopping in the Security & Resiliency Campus

I managed to get a sneak peek at some of the fun items available for visitors to Security & Resiliency Campus. If your work bag is a disorganized mess of cords, stop by and pick up a roll-and-go cord keeper. My personal favorite is the pop socket – especially since my number of cracked phone screen claims has exceeded my insurance coverage.

We kick things off tonight in the Campus with a party at 5:30 p.m. — with refreshments, live music and experts on hand to answer your security questions.


12:15 p.m. | Monday
Getting to Know Watson for Cyber Security

Most organizations can’t scale to handle the level of threats coming into today’s security operations centers (SOCs), according to IBM Offering Manager Chris Hankins. He explained that security analysts are only able to keep up with 8 percent of the information they need to do their jobs, and 43 percent of security professionals ignore a significant number of alerts.

IBM QRadar Advisor with Watson uses artificial intelligence (AI) to unlock a new partnership between security analysts and their systems and technology. Through a series of examples and an interactive discussion with the audience, Hankins illustrated how Watson helps Tier 1, 2 and 3 analysts work with more speed and efficiency.


11:30 a.m. | Monday
Are You Ready for GDPR?

Cindy Compert, IBM chief technology officer (CTO) for data security and privacy, drew huge crowds this morning for her talk on the General Data Protection Regulation (GDPR). She shared a practical road map based on client experiences to help attendees assess which controls to implement and how to measure progress. She also explained the five steps in the IBM Framework for GDPR: assess, design, transform, operate and conform. If you missed her talk, you can find Cindy’s blogs and webinars in our ongoing series, “Getting Ready for GDPR.”


10:30 a.m. | Monday
You Ask, Experts Answer at the IBM Security Learning Academy

The team from the IBM Security Learning Academy is broadcasting live all week with a packed schedule of Open Mic, Tech Talk and Ask the Expert sessions. Check out the schedule and, if you’d like, submit a question in advance.

The team’s lab is open daily in Think Academy — Mandalay Bay South, Level 2 (Shoreline). In addition, you can access more than 1,500 courses and 150 hand-on labs online at SecurityLearningAcademy.com. Stay informed of all of the Security Learning Academy’s programs by following @AskIBMSecurity on Twitter.


6:30 a.m. | Monday
Good Morning Thinkers!

Need to shake off the jet lag or recover from a late night fighting cybercrime? This year’s Think Wellness Program offers morning and evening activities that include walking, running, yoga and kickboxing. Expert talks are scheduled throughout the week about nutrition, lifestyle and health. Find out more information in the mobile app, available for iOS and Android.


3:00 p.m. | Sunday
The IBM Security Community: Share. Solve. Do More.

Today, our clients and partners gathered to swap stories about the daily adventures of working in cybersecurity.

In his keynote address, IBM Security General Manager Marc van Zadelhoff announced a new online community for clients to network, build relationships, share product feedback and engage with subject matter experts. He noted that we live in a world where cyberattacks happen at the endpoint, application and hardware layers. Solving this problem requires the “good guys” to continue to work together by sharing capabilities, sharing threat intelligence and sharing ideas.

The agenda also included user group meetings, which were facilitated by members and IBM product experts. It was like a big family reunion!

If you would like to learn more about the IBM Security Community, stop by the Security & Resiliency Campus this week or browse the online community.


10:00 a.m. | Sunday
Welcome to Think. Let’s Get Social!

The Mandalay Bay is coming alive this morning as Thinkers arrive from all over the world. This week, you can follow IBM Security & Resiliency through:

If you are with us in Las Vegas, I recommend the IBM Events mobile app to organize your schedule (download in the App Store for iOS and Android). When you need to charge your electronics (and yourself), we have power stations and snacks in the Security & Resiliency Campus. Let us know what inspires you to think by tagging @IBMSecurity in your social posts.

Relive Think! Watch the Think 2018 Security & Resiliency Sessions on-demand

Contributor'photo

Stephanie Stack

Digital Strategy, IBM Security

Stephanie is the Program Director for Security Intelligence, where she leads strategy and operations for the...