
We strive to present the most relevant, timely, and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.

Monday, August 20

8:30-8:45 am

Welcome, Overview & Summit Roadmap

• Benjamin Wright (@benjaminwright), Esq., Senior Instructor & Summit Co-Chair, SANS Institute

• Eric Zimmerman, (@EricRZimmerman), Senior Director, Kroll; Certified Instructor, SANS Institute

8:45-9:30 am

Keynote

Response to High Profile Incidents

Often a company needs to minimize and control any immediate public commenting on a data breach or security incident. But what if news of the incident hits the media outlets nearly immediately, requiring you to quickly develop public statements while simultaneously trying to figure out exactly what happened? Do you “spin” the story to protect the impacted organization, or do you say, “no comment” and leave everybody guessing, or do you do something else? This opening talk will look at a few recent high profile incidents and how the impacted organizations responded when their incident became a lead news story.

• Marc Sachs, CSO, Coventry Computer

9:30-10:15 am

Don't Panic! Tales from the Front Lines

In a time of crisis, the last thing you should do is overreact. To determine if there was an actual breach, you need a plan, clear thinkers, and decisive advisors.

• Mary N. Chaney, Esq., CISSP

10:15-10:35 am

Networking Break

10:35-11:35 am

Presentations

Investigation and Notification of Data Breaches

Laws including the new General Data Protection Regulation (GDPR) require organizations to give notice of data breaches. This session will consider how those laws are interpreted and enforced in practice. It will consider procedures for authorities to discover details about how an organization investigated and evaluated a suspected breach and then decided whether notice was required. It will consider methods for maintaining confidentiality of investigations. The discussion will include the possibility for class actions, collective actions or other private lawsuits to enforce law related to data breaches. We’ll examine the topic from three perspectives, with attorneys from continental Europe, the UK, and the US.

• Alexander Blumrosen, KAB Avocats Associés

• Richard Hall, CyberLaw UK

• Melinda L. McLellan (@MELINDAMCLELLAN), Partner, BakerHostetler

• James A. Sherer (@JAMESSHERER), Partner, BakerHostetler


11:35 am – 12:05 pm

Panel Discussion

Investigation and Notification of Data Breaches

After hearing each of the three perspectives on the topic, Ben Wright will lead an interactive panel discussion.

Moderator: Benjamin Wright (@benjaminwright), Esq., Senior Instructor & Summit Co-Chair, SANS Institute

Panelists:

• Alexander Blumrosen, KAB Avocats Associés

• Richard Hall, CyberLaw UK

• Melinda L. McLellan (@MELINDAMCLELLAN), Partner, BakerHostetler

• James A. Sherer (@JAMESSHERER), Partner, BakerHostetler

12:05-1:15 pm

Lunch

1:15-2:00 pm

How Management Absorbs Information During a Cyber Event

The Analyst: Here we go again. Another cyber event and the suits are interrupting the investigation and asking what IOC stands for again.

The Leader: Here we go again. Another cyber event and the techies are speaking Greek when I need information.

Sound familiar? Of course it does; this isn’t a unique scenario. Cyber events are fast-paced, high-stress scenarios where information is constantly evolving. Suddenly the security team is in the limelight and being asked to provide technical information in business terms. Meanwhile, leadership is being pressured to provide answers to the Board, the customers, and the media. How can these two groups work together in this scenario to get leadership the necessary information without derailing the investigation? Topics will include:

• Understanding perspectives from each side

• What each side should be asking for

• What each side should be prepared to provide

• How to prepare before an actual cyber event

Sara Hall, Chief Operating Officer, National Health Information Sharing and Analysis Center (NH-ISAC)

2:00-3:00 pm

Talk

Incident Response: From Basics to Best Practices

• Lucie Hayward, Managing Consultant - Investigations & Disputes, Kroll

• Mike Quinn, Associate Managing Director, Kroll

3:00-5:30 pm

Workshop

Data Breach Advanced Exercise

When many smart people are in the same room, everyone can learn from everyone else. Leaders will walk the assembled Summit participants through a realistic, challenging case scenario for enterprise management that faces a cyber crisis. The scenario will raise a thicket of technical, practical, legal, and public communications issues. As these issues come up, the floor will be open for questions, discussion and debate. Participants will evaluate the options available to management and learn by living through a simulated experience with peers and experts.

5:30-6:30 pm

Networking Reception

Tuesday, August 21

9:00-9:45 am

Keynote

• Jim Routh, CISO, Aetna

9:45-10:30 am

Beauty & The Breaches: One Organization’s Journey Towards a Culture of Confidentiality

For Henry Ford Health System, privacy and cybersecurity has been a journey of continuous quality improvement and team collaboration. Multiple incidents and evolving response plans ultimately netted beautiful results, as Henry Ford's Privacy and Security team expanded its scope over the course of 7 years. Join Meredith Harper for this engaging session that will review the beauty that can come out of each breach. Harper will share her perspective as a Chief Information Privacy and Security Officer, providing a window into how breaches have led to dramatic process improvement, and how people, process, and technology were put in place to continuously develop a culture of confidentiality at Henry Ford Health System.

• Meredith Harper, Chief Information Privacy & Security Officer, Ford Healthcare System

10:30-10:50 am

Networking Break & Vendor Expo

10:50-11:45 am

Getting Data Breach Right: Lessons Learned from Fighting in the Cyber Trenches

The call comes in from the FBI. A customer. Your IT Director. You have a problem. Your data, your customers’ data, is exposed. For sale. Locked down. Two servers are impacted. No wait, it’s forty-two… You’ve been breached. For years now, this story has been repeating itself in retail store chains, health care systems, fast food restaurants and other verticals. And in response, enterprise has upped its game, investing billions of dollars to improve cyber defense towards becoming increasingly cyber resilient. But even the best laid plans – the best IPS, the best end-point protection, the best employee anti-phishing training and awareness campaigns – aren’t fool-proof. That’s why it is so important to be prepared to get a data breach ‘right’ if and when it happens to your organization. In this impactful session, Ansbach will discuss the lessons they’ve learned over the years towards getting data breaches right as one of the top breach ‘first responders’ in the U.S. and globally. Through a discussion of real-world examples, of fighting in the data breach trenches, John will surface keys to a successful response while also highlighting some not-so-obvious not-to-do’s and de-railers to avoid. He’ll also discuss the evolution of breach response and the ways in which companies are revising and innovating their approach to executing an effective response to cyber crisis. This session is designed to be a focused discussion surrounding actionable insights and practical ideas for those tasked with managing and mitigating data breach within their organizations. If you are trying to up your game and prepare for cyber crisis, you won’t want to miss it.

• John Ansbach, Vice President - Engagement Management, Stroz Friedberg, an Aon Company

11:45 am-12:30 pm

Crossing Borders: Managing a Security Incident Across Multiple Collaborating Organizations

How often does a security incident or breach response cover four different organizations? It can and does happen in a university environment, where multiple stakeholders are involved in sensitive research. When it does happen, there are not just local security and privacy officials to coordinate but also the urgent question of who is in charge of the response. This presentation will provide the story of a real incident, the bumps, twists and turns, and, after the smoke cleared, the lessons learned, from both risk management and regulatory compliance perspectives. Take away key guidance on how to address this risk through relationships between information security professionals in these various collaborating organizations.

• Thomas Siu, CISO, Case Western Reserve University

12:30-1:30 pm

Lunch

1:30-2:05 pm

Global DFIR in a Fractured World: Challenges in Managing International Incidents

Despite decades of efforts to foster frictionless global trade and finance, the truly vital currency of our global economy – data – seems harder to move across borders than ever. While data protection and privacy laws have always varied from country to country, Edward Snowden’s revelations about data collection and mining by government intelligence agencies along with rising alarm around how global technology juggernauts like Facebook and Google are using (or abusing) personal data have given us a more fractured set of rules to follow as DFIR practitioners. Failure to recognize and heed applicable laws and restrictions when planning and carrying out an incident response protocol can put you in the cross-hairs of a local regulator that may not take kindly to you moving data across borders – even if your purpose is purely benign. The kinds of issues that can catch even seasoned first-responders off guard include export controls that can apply to certain forensic tools and technology, and challenges getting specialized equipment and personnel into or out of certain countries (hint: Pelican cases can attract unwelcome attention at the airport). In other situations, even when you try to do everything “by the book” and work in cooperation with local law enforcement, unexpected problems can arise (and in some cases, guns can even be drawn).

This talk will use specific examples and rely on the speaker’s experience with cross-border IR and forensics to illuminate pitfalls and try to provide some best-practices guidance on how to respond with necessary urgency and confidence while still staying on the right side of the law.

• R. Jason Straight, Sr. VP, Cyber Risk Solutions, UnitedLex Corp.

2:05-2:40 pm

Title and abstract to come

• Bruce Cowper, Senior Program Manager, Trustworthy Computing at Microsoft

2:40-3:25 pm

Actionable Insights from the 2018 Verizon DBIR

This presentation will demystify the Data Breach Investigations Report (DBIR), highlight the key takeaways for all major verticals, review the commonalities and patterns of breaches, and discuss some of the more controversial findings from the report.

• Ismail Cattaneo, Associate Director, Cyber Security Incident Response Team (CSIRT), KPMG LLP

3:25-3:45 pm

Networking Break & Vendor Expo

3:45-4:30 pm

Learning and Improving From Human-Based Breaches

Events and reports such as the 2018 Verizon DBIR continue to identify people as one of the primary drivers of breaches. From auto-complete in email to targeted phishing attacks, people are at the root of why breaches happen. However, instead of continuing to blame people, we need to learn from these incidents and ask ourselves whether security is really to blame. Are the processes we demand too difficult to follow? Have we trained people in a simple-to-understand approach? We will dive into human behavior, what you can learn from your breaches, and how to improve your resilience by focusing on people.

• Lance Spitzner, Director, SANS Security Awareness

4:30-5:00 pm

Summary Remarks

• Eric Zimmerman, (@EricRZimmerman), Senior Director, Kroll; Certified Instructor, SANS Institute

Speaker Biographies

John Ansbach, Vice President - Engagement Management, Stroz Friedberg, an Aon Company

John Ansbach serves as a Vice President of Engagement Management in Stroz Friedberg’s Dallas office. In support of his clients, which include Fortune 500 companies, law firms, federal, state and local entities and foundations, John provides proactive cybersecurity risk mitigation services. He also supports his clients in responding to information security incidents, directing and managing digital forensic investigations, and in handling electronic discovery matters overseeing data collection and processing projects. John is a 21-year litigator turned in-house lawyer. He has more than 10 years of litigation experience and another 10 years of experience serving as a Chief Legal Officer and General Counsel to companies with national and international footprints. Immediately prior to joining Stroz, John served as General Counsel for a global technology systems integrator that supported commercial enterprises with cybersecurity, cloud, unified communication and networking, storage and compute solutions. In that capacity, John was responsible for all the legal affairs of the company, as well as the company’s information security; international operations and compliance; and, internal audit functions. He developed and implemented the company’s first formal internal information security program, developing a team and implementing technical and non-technical safeguards, processes and controls to help keep the company, its employees and customers secure. John is a Certified Information Privacy Professional for the U.S. private sector (CIPP/US). He is also a cum laude graduate of Texas A&M University where he earned a Bachelor’s of Science degree in Economics. He earned his law degree from The University of Texas School of Law in Austin.

Ismail Cattaneo, Associate Director, Cyber Security Incident Response Team (CSIRT), KPMG LLP

Ismail has over 15 years of experience in the IT Security space as an engineer, analyst and leader. He holds GSEC, GMON and CISSP certifications and constantly seeks to engage audiences.

Mary N. Chaney, Esq., CISSP

Mary N. Chaney, Esq., CISSP, has over 20 years of progressive experience within the fields of Law, Information Security, Privacy and Risk Management. She graduated from Xavier University in Cincinnati, Ohio with her B.S.B.A in Information Systems and received her J.D. degree from Thurgood Marshall School of Law. Ms. Chaney spent several years practicing law in Washington, DC focusing primarily on anti-trust and intellectual property rights infringement cases. She then transitioned to serve her country by becoming a Special Agent for the Federal Bureau of Investigation (FBI) where she investigated cybercrime and served as their Information Systems Security Officer. Ms. Chaney obtained her Certified Information Systems Security Professional (CISSP) certification in 2008. In her corporate career, she has held senior level information security roles with Comcast, Johnson & Johnson and GE Capital. Ms. Chaney also held a post as an adjunct professor with the University of Cincinnati where she assisted with the establishment of their Cybersecurity Certificate program.

Currently, Ms. Chaney practices cyber security law for her own firm, The Law Offices of Mary N. Chaney, P.L.L.C. where she specializes in helping the CIO, CISO and General Counsel understand each other to legally protect the enterprise from cyber security risk.

Sara Hall, Chief Operating Officer, National Health Information Sharing and Analysis Center (NH-ISAC)

Sara Hall has spent her career in the Cybersecurity field and is now the Chief Operating Officer for the National Health ISAC (NH-ISAC), a non-profit working for the cyber protection of healthcare as part of the Nation’s critical infrastructure. In this role, she drives operations and cybersecurity solutions that improve security for the healthcare sector. Sara also serves on the Strategic Advisory Board of the International Consortium of Minority Cybersecurity Professionals (ICMCP), a non-profit working to bring more minorities and women into the field of cybersecurity.

Prior to her current role, Sara served as the Chief Information Security Officer (CISO) for health intelligence biotech company, Human Longevity, Inc., and before that as CISO for the U.S. Department of Health and Human Services (HHS). Prior to coming on as the COO of the NH-ISAC, Sara served on the Board of Directors of the NH-ISAC.

In all of her roles, response to cyber events has been a common refrain. The gaps between cyber response and leadership response are a challenge for every organization and Sara has lessons learned and successful approaches to offer.

Meredith R. Harper, MHSA, CHC, CHPC, HCISPP, ITIL, Chief Information Privacy & Security Officer, Ford Healthcare System

Meredith joined Henry Ford Health System in 2003 as their first Chief Privacy Officer. Over her 24-year career, she has emerged as a strategic leader who is not just interested in processes, goals and objectives but most of all she is passionate about her greatest assets…her human capital. Her success has been attributed to her ability to manage large-scale complex projects that cross-functional areas within integrated delivery systems and health plans while advancing the skill sets of her team members.

As the industry has evolved, so have her areas of responsibility and in 2012 her role was expanded to include leadership responsibilities for Information & Network Security, Privacy & Security Risk Management as well as Identity & Access Management. As Chief Information Privacy & Security Officer, she has responsibility for the protection of Henry Ford’s provider, insurance, retail and research businesses. Her sensitivity to the operational needs of these various businesses helps her guide the objectives of her team to ensure that the operations are successfully married with the technology or regulatory requirements.

Meredith is an active member of the Health Care Compliance Association and the International Association of Privacy Professionals where she has demonstrated her commitment to compliance by holding dual certifications in healthcare compliance and privacy. She is also certified as a HealthCare Information Security & Privacy Practitioner through the International Information System Security Certification Consortium, Inc. and a Certified Information Security Manager through the Information Systems Audit and Control Association.

Meredith is a member of HIMSS, CHIME, Inforum, the PHI Protection Network, the Michigan Council of Women in Technology, Information Technology Senior Management Forum, Association for Executives in Healthcare Information Security, America’s Health Insurance Plans, InfraGard, the Information Systems Audit and Control Association and Walsh College IT/Cybersecurity Advisory Board. She serves as a Governing Body Co-Chair for the Detroit CISO Executive Summit and a member of the Health Information Technology Commission for the State of Michigan. She is the immediate past Chair of the Michigan Healthcare Cybersecurity Council and the immediate past President of the Medical ID Fraud Alliance.

Meredith is passionate about empowering women and minorities to embark upon careers in technology especially in information security where those populations are not very well represented. She serves on several advisory boards in support of that passion and she has a unique perspective she enjoys sharing with others. She has also served her community for almost 27 years through her Diamond Life membership in Delta Sigma Theta Sorority, Inc.

Meredith is a proud alumna of the University of Detroit Mercy where she received her Master’s in Health Services Administration and her Bachelor of Science in Computer Information Systems. She is an avid supporter of her alma mater’s mission and serves on the advisory boards for the Center for Cyber Security & Intelligence Studies and the Health Information Management program. She is currently enrolled at Loyola Chicago School of Law where she is pursuing her Master’s of Jurisprudence in Health Law.

Melinda L. McLellan (@MELINDAMCLELLAN), Partner, BakerHostetler

Melinda McLellan works with clients to navigate complex privacy, cybersecurity and data management issues in a rapidly evolving regulatory environment. She counsels companies of all sizes across multiple industry sectors, helping them identify, evaluate and manage the myriad compliance obligations associated with corporate privacy and information security practices. Melinda regularly advises on the creation, development and implementation of global privacy and security policies, standards, procedures and guidelines, as well as company codes of conduct and employee privacy training programs. Attentive to her clients' business needs, Melinda's proactive approach favors pragmatic, forward-thinking compliance strategies that emphasize prevention and mitigation of privacy and data security risks. Melinda counsels clients on regulatory compliance strategies and best practices for private-sector use of cloud computing solutions, biometric authentication, facial recognition technology, geolocation tracking systems, mobile applications, behavioral marketing tools, social media platforms, data analytics services and other emerging technologies. She also develops and implements EU General Data Protection Regulation (GDPR) compliance programs for numerous US and international organizations, including GDPR applicability analysis, data mapping, data transfer mechanisms, consent mechanisms, “right to be forgotten,” data security assessments, breach response programs, selection of Data Protection Officers, and employee training.

Marc Sachs, CSO, Coventry Computer

Marcus (Marc) Sachs is the Chief Security Officer of Coventry Computer, a startup in stealth mode, where he is responsible for overall corporate security policy and strategy. He is a retired US Army officer, was a White House appointee in the George W. Bush administration, and prior to joining Coventry was the Senior Vice President and Chief Security Officer at the North American Electric Reliability Corporation. Prior to NERC he was Verizon’s Vice President for National Security Policy. Marc directed the SANS Internet Storm Center in 2003-2010 and has co-authored several books on information security. He holds degrees in Civil Engineering, Computer Science, and Technology Commercialization. He is a licensed Professional Engineer in the Commonwealth of Virginia.

Thomas Siu, CISO, Case Western Reserve University

Tom directs the CWRU Information Security Office, with responsibility for information security program, security operations, identity management, and IT policy. Tom specializes in risk management practice, security strategy, emergency operations (including BCP and DR), and FISMA security adaptations in a research-intensive educational environment. Current CWRU activities include deployment of multifactor authentication, IT strategic planning, and deployment of a Security Fusion Center. Tom also is active in addressing US policy with regard to information security and higher education. He is part of the leadership team of the Northeast Ohio Cyber Consortium (NEOCC), a cross-channel security threat sharing organization. He serves as Co-Chair of the Technologies, Operations and Practices (TOP) Working Group for EDUCAUSE, and is a graduate of the MOR Advanced Leadership Program. Tom is a past officer of the Executive Council for Northeast Ohio InfraGard. He holds a SANS GSEC Gold Certification (badge: www.youracclaim.com/badges/8b1e5d13-a1d9-4c2c-80db-ab522c014c80), serves on the GIAC Advisory Board, and is a participant in REN-ISAC.

Jason Straight (@UnitedLex), Chief Privacy Officer/SVP - Cyber Risk Solutions, UnitedLex

Jason Straight has been managing information security risks, data breach incidents, data privacy obligations, and complex e-discovery challenges for over a decade. He frequently writes and speaks about topics relating to data privacy, cybersecurity, data breach response and forensics. Previously, he led the cybersecurity practice of a leading global investigations and cybersecurity company.

James A. Sherer (@JAMESSHERER), Partner, BakerHostetler

James is a Partner in BakerHostetler’s New York office, where he chairs the Information Governance practice team and serves as a member of the E-Discovery and Management and Privacy and Data Protection groups. His work focuses on litigation; discovery management processes; enterprise risk management; records and information governance; data privacy, security, and bank secrecy; technology integration issues; artificial intelligence; and related merger and acquisition diligence. Prior to joining BakerHostetler, James worked as in-house litigator with a Fortune 500 company. James holds an MBA, his CIPP/US, CIPP/E, CIPM, and FIP data privacy professional credentials, the CIP and IGP information governance designations, and the CEDS eDiscovery specialist credential. James is a fellow of the American Bar Foundation and a member of The Sedona Conference® Working Groups One, Six, and Eleven. He is also a member of the New York State Bar Association EDiscovery Committee as well as the New York eDiscovery Counsel Roundtable. James is admitted to practice in New York, Washington DC, and Michigan.

Eric Zimmerman, (@EricRZimmerman), Senior Director, Kroll; Certified Instructor, SANS Institute

When Eric Zimmerman was a Special Agent with the FBI, one of his responsibilities was managing on-scene triage. He identified several gaps in an existing process and started creating solutions to address them. What began as building and expanding a few live response tools took Eric down a path that eventually led to him writing more than 50 programs that are now used by nearly 8,800 law enforcement officers in over 80 countries. Much of Eric's work involved designing and building software related to investigations of sexual abuse of children. In a single year, Eric's programs led to the rescue of hundreds of these children.

As a result, in May 2012, Eric was given a National Center for Missing and Exploited Children's Award, which honors outstanding law enforcement professionals who have performed above and beyond the call of duty. Eric was also presented with the U.S. Attorney's Award for Excellence in Law Enforcement in 2013. Today, Eric serves as a Senior Director at Kroll in the company's cybersecurity and investigations practice. At SANS, he teaches the FOR508: Advanced Digital Forensics, Incident Response and Threat Hunting course, and is a two-time winner of the SANS DFIR NetWars Tournament (2014, 2015). Eric is also the award-winning author of X-Ways Forensics Practitioner's Guide, and has created many world-class, open-source forensic tools. Eric is a sought-after instructor and speaker who brings expertise in the cyber realm, complex law enforcement investigations, computer forensics, expert witness testimony, computer systems design, and application architecture to his work and classroom.