Chris Nickerson

Getting Value from Testing, Not Just a Report
CEO, Lares

Abstract: For ages, the industry has tried time and time again to improve its ability to defend by battening down the hatches. We have relied on playing vulnerability “whack-a-mole” and realized that even the most secured and patched system can be used in a full-scale attack. As a response, we have attempted to create better sparring partners to attack the environments and bring light to ways to sink the ship. While that approach has had limited success, it still does not scale to the rapid deployment and expansion of today’s enterprise. Combined with the growing shortage of testing talent, this method will have to change in order to break through the barrier of testing debt. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable processes. It is extremely rare that a vulnerability causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters.

In this talk we will discuss the aging strategies of Enterprise Testing and the evolution of value. We will discuss how to test as well as how to scope for maximum value. No more scan based reports. No more waiting to finish the engagement before improvement begins. No more secrets. It is time we change the strategy to work as a team and end the engagement more secure than we started, EVERY TIME.

Chris Nickerson, CEO of Lares, has spent the last 19 years of his career leading, inspiring, and sometimes irritating, the security industry. With Lares co-founder Eric M. Smith, he created the unique methodology used at Lares to assess, implement, and manage information security realistically and effectively. Collaborating with a group of other InfoSec researchers, he founded the Penetration Testing Execution Standard (PTES), and is working with the Red Team Alliance Training Collective to create a certification for Red Team Testing. He is one of the founders of the Security BSides conferences, and he has been a keynote, speaker, and/or trainer at more than fifty InfoSec conferences worldwide, including DEFCON, CyberWeek, and BlackHat. He is a member and certification holder with ISACA, sits on the board of CREST, and holds CISSP, CISA, BS7799, and NSA IAM certifications. His book, Red Team Testing, is upcoming from Elsevier/Syngress. And despite all that, he is perhaps best known for his appearance on the TV show Tiger Team on TruTV, and his TED Talk, Hackers are all about curiosity, and security is just a feeling.