In-Person Event

Red Hat Defense in Depth

November 13, 2018
Herndon, VA
Hyatt Regency Dulles

 

SECURING THE MODERN ENTERPRISE USING OPEN SOURCE

Join Defense in Depth 2018, where cybersecurity professionals can learn and network alongside Red Hat and Intel security experts, partners, and industry peers. No one can solve IT security issues alone. Solving problems together as a community is the future of technology.

 

WHAT TO EXPECT

Defense in Depth is an annual event that brings together industry experts with depth of knowledge of the latest upstream and enterprise security developments. Participants will be able to choose their own adventure, mixing interactive talks and hands-on labs throughout the day.

 

WHO SHOULD ATTEND

Defense in Depth was created specifically for security practitioners familiar with open source software.

 

AGENDA

8:00 a.m. - 9:00 a.m. Registration Check In and Breakfast
9:00 a.m. - 9:30 a.m. Welcome and Keynote
9:45 a.m. - 3:00 p.m. Talk Tracks and Labs

Registration for this event is closed.

 

9:00 a.m. - 9:30 a.m. Welcome Keynote: The Importance of Platform Security: What Intel and Red Hat are Doing to Help You Secure Your Systems and Infrastructure
Steve Orrin, Federal CTO, Intel
Shawn Wells, Chief Security Strategist, Public Sector, Red Hat

Attend one of the following tech talks:

9:45 a.m. - 10:45 a.m. Next Generation Tools for Container Technology and Security
11:00 a.m. - 11:45 a.m. Secure Tactical Edge Computing

Or reserve your seat for one of the following labs if not attending a tech talk above:

9:45 a.m. - 11:45 a.m.
A laptop is required if attending a lab.
11:45 a.m. - 1:00 p.m. Lunch
1:15 p.m. - 2:00 p.m. Choose from one of the following tech talks:

  • Red Hat Enterprise Linux Security Roadmap
  • Deploying SELinux Successfully in Production Environments
  • Securing Kubernetes Clusters
  • Meltdowns, Ghosts, and Shadows - The New Normal
  • Automated Security & Compliance for Hybrid Environments

2:15 p.m. - 3:00 p.m. Choose from one of the following tech talks:

  • Next Generation Tools for Container Technology and Security
  • Defensive Security with Ansible
  • Secure Tactical Edge Computing
  • OpenStack Platform Security Strategy and Roadmap Update
  • Aligning Common Criteria, US Government Configuration Guides, and Security Automation

    Date: Tuesday, November 13, 2018

    Time: 8:00 a.m. – 3:00 p.m. EST

    Location:
    Hyatt Regency Dulles
    2300 Dulles Corner Blvd
    Herndon, VA 20171

    If you have any questions, please send us an email.

    Morning Keynote: The Importance of Platform Security: What Intel and Red Hat are Doing to Help You Secure Your Systems and Infrastructure

    9:00 a.m. - 9:30 a.m. - Luray D, E, F

    Steve Orrin, Federal CTO, Intel
    Shawn Wells, Chief Security Strategist, U.S. Public Sector, Red Hat

    With the ever increasing rate of threats and breaches, the need to focus on system level security has become clear. Starting with a solid foundation of hardware rooted security capabilities that are enabled and extended into the firmware, virtualization, OS, application and service layers is necessary to protect data throughout its lifecycle. Intel and Red Hat will highlight key building block technologies available today that can be leveraged and scaled to secure platforms and achieve compliance enhanced security postures.

    Next Generation Tools for Container Technology and Security

    9:45 a.m. - 10:45 a.m. - Chesapeake and
    2:15 p.m. - 3:00 p.m. - Cirrus C, D

    Dan Walsh, Consulting Software Engineer, Red Hat

    This talk will introduce new ways of running OCI Compliant containers from container registries like docker.io, quay.io, and artifactory.

    Understand why, by breaking up the monolithic container daemon into a series of smaller runtime tools, we can greatly increase the security of using different types of containers.

    Hear what OpenShift/Kubernetes needs to run a container.

    During this session the following topics will be introduced:

    • CRI-O, a new container runtime dedicated to OpenShift/Kubernetes.
    • Buildah, a new way of building OCI container images.
    • Podman, a new way of testing, managing and working with containers from the CLI.
    • Skopeo, a mechanism for managing/moving container images between container registries and between different types of container storage.

    Each section will also explain security benefits from using the new tools.

    Secure Tactical Edge Computing

    11:00 a.m. - 11:45 a.m. - Chesapeake and
    2:15 p.m. - 3:00 p.m. - Luray C

    Donny Davis, US Army Solution Architect

    As edge computing begins to roll out on your network, the one question that needs to be in the forefront is how to secure the capability.

    Secure tactical edge computing is an emerging market, and Red Hat has answers. Come learn how to secure your edge computing devices with Red Hat OpenStack.

    Red Hat Enterprise Linux Security Roadmap

    1:15 p.m. - 2:00 p.m. - Cirrus C, D

    Mark Thacker, Principal Product Technology Manager, Red Hat

    Security has never been a more important topic. Red Hat has been a leader in open source security for decades, incorporating open standards and supporting security technologies throughout all of our products.

    In this session, we’ll discuss the future of Red Hat security, including how new technologies can help you respond to security requirements in DevSecOps, compliance, virtualization, hybrid cloud deployments, privacy, containers and management. We will also discuss hardware root of trust technologies, the latest security vulnerability responses and the changing security compliance landscape.

    By the end of this session, you’ll understand Red Hat’s future security plans, how they may affect you, and how you can help us shape the future of security.

    Deploying SELinux Successfully in Production Environments

    1:15 p.m. - 2:00 p.m. - Potomac

    Alex Jacocks, Sr. Solutions Architect, Red Hat
    Lukas Vrabec, Software Engineer, Red Hat

    The following talk contains an overview of Security-Enhanced Linux technology, which is part of Red Hat Enterprise Linux. I'll introduce the concept of Reactive and Proactive security and when and how Proactive security can help to mitigate damage after successful exploitation of systems. After that, these principles will be described using a demo with real examples of exploits. Then we'll look at SELinux security policy, how it works and what SELinux rules look like. Container security using SELinux will also be explained and described, using real examples.

    Securing Kubernetes Clusters

    1:15 p.m. - 2:00 p.m. - Chesapeake

    John Osborne, Solutions Architect, Red Hat

    From federal agencies to unicorns, running Kubernetes clusters has become the de-facto way to optimize IT workloads on-premise and in public cloud. Yet securing these workloads can be challenging as there are many attack surfaces that need to be protected. This talk will discuss the multi-layered approach that Red Hat believes is paramount to securing a Kubernetes cluster and what it actually means to be secure-by-default. This talk will also cover recommended best practices and introduce emerging container isolation technologies such as gVisor and Kata Containers.

    Automated Security & Compliance for Hybrid Environments

    1:15 p.m. - 2:00 p.m. - Luray B

    Lucy Kerner, Security Evangelist and Strategist, Red Hat

    Maintaining visibility, control, and security, and ensuring governance and compliance remains paramount, but it becomes more difficult and time consuming in a hybrid infrastructure consisting of physical, virtual, cloud, and container environments. In this session, you’ll learn how a combination of Red Hat's Management Portfolio and OpenSCAP can help you with these challenges in your hybrid infrastructure by automating security and compliance. Specifically, in your hybrid infrastructure, you’ll learn how to easily provision a security-compliant host, how to quickly detect and remediate security and compliance issues, how to ensure governance and control in an automated way, how to do proactive security and automated risk management, how to perform audit scans and remediations on your systems, and how to automate security to ensure compliance against regulatory or custom profiles.

    Meltdowns, Ghosts, and Shadows - The New Normal

    1:15 p.m. - 2:00 p.m. - Luray C

    CRob, Product Security Assurance Lead, Red Hat

    Join Red Hat Product Security as we talk about the last year in computer vulnerabilities that was highlighted by a string of microprocessor flaws that captured the world's attention. We will talk about the series of issues that started off with Spectre & Meltdown, which were unveiled to the public on January 3rd, 2018, and continued on through the subsequent issues that culminated in the August 14, 2018 release of L1TF/Foreshadow.

    Attendees will come away with a better technical understanding of the speculative execution CPU vulnerabilities, an understanding of how Red Hat and the computer industry have reacted and continue to react to these flaws, and an understanding of the risks and trade-offs of the mitigations.

    Defensive Security with Ansible

    2:15 p.m. - 3:00 p.m. - Chesapeake

    Lucy Kerner, Security Evangelist and Strategist, Red Hat

    Ansible is a leading automation tool for the system administrator, but how can you use it as a way of managing enterprise security postures? As defensive technologies improve their ability to identify unusual processes and binaries on their endpoints, attackers also adjust their techniques, becoming more creative in order to stay under the radar. In this session, you will learn why Ansible is a great tool for defensive security, see examples of how to use Ansible for defensive security, review examples of Ansible security integrations across the Red Hat Portfolio, and review real Red Hat customer examples of Ansible security automation implementations.

    Aligning Common Criteria, US Government Configuration Guides, and Security Automation

    2:15 p.m. - 3:00 p.m. - Potomac

    Shawn Wells, Chief Security Strategist, U.S. Public Sector, Red Hat
    Bob Clemons, NSA Information Assurance

    Do the DISA STIGs or DoD Configuration Annexes reflect authoritative guidance? Are DoD STIGs deprecated? How does this align with Common Criteria? Where can authoritative baselines be found, such as RHEL7 STIG Ansible Playbooks? Who makes them? Who signs off on them? Will they be supported by Red Hat?

    DoD Configuration Annexes were finalized by NIAP, NSA, DoD, and DISA earlier this year. Come hear directly from NSA and Red Hat on how product evaluations and DoD configuration guides have been aligned, where to find content, and what the current workflow looks like.

    OpenStack Platform Security Strategy and Roadmap Update

    2:15 p.m. - 3:00 p.m. - Luray B

    Keith Basil, Senior Principal Product Manager, Red Hat

    Join us for a discussion and update on Red Hat's OpenStack Platform security strategy and roadmap. This session will cover a review of our compliance-driven approach to security, the latest in encryption and key management within OpenStack and a glimpse of public sector artifacts aimed to accelerate obtaining FedRAMP authorization for OpenStack Platform.

    Attendees will be up to speed on OpenStack's security direction and have an awareness of upstream efforts behind the Compliance as Code movement.

    Ansible: Automation and Security as Code Lab

    9:45 a.m. - 11:45 a.m. - Luray B

    Alex Jacocks, Senior Solutions Architect, Red Hat

    Build playbooks to build in security, empower junior staff and offload senior staff, and automate your most tedious tasks!

    What you will learn:

    • Running ad-hoc commands
    • Writing a playbook
    • Install and configure Ansible Tower
    • Templates and Security.

    Overview

    Today is meant for anyone who has any exposure to Ansible, whether you have used it or not. We are going to start with a short overview (yes, slideware) and then we’ll get into the lab as soon as possible. That is where we will spend most of our time.

    Your Responsibilities

    • Have a discussion. This will be boring if it’s just us up here talking for over 4 hours.
    • Participate. We are going to cut you loose with Ansible here in just a little while.
    • Have questions. Have opinions.

    Hopefully you have your laptop with you. If not, please find a shoulder-surfing buddy. See? Not only can we dig into Ansible but you can make a new friend!

    Securing Your Software Supply Chain with DevSecOps

    9:45 a.m. - 11:45 a.m. - Luray C

    Manny Evangelista, Solutions Architect, Red Hat
    Mike Surbey, Solutions Architect, Red Hat

    What you will learn:

    • A tiny bit of Jenkins
    • Automating the development process
    • Trusted Software Supply Chain

    Agenda

    • Introductions and Agenda
    • Familiarization with the Environment
    • Setting the Context

    Overview

    In this workshop, you'll be building a Secure Software Factory for a Java-based website, leveraging several containerized tools such as Gogs, Nexus, Jenkins, Sonarqube, and Che hosted on the OpenShift Container Platform.

    Container Security Workshop Lab

    9:45 a.m. - 11:45 a.m. - Luray A

    Matthew Miller, Senior Solution Architect, Red Hat

    Learn how to scan, secure and leverage properties in the Linux kernel like seccomp, namespaces, and cgroups to secure your docker containers.

    What you will learn:

    • Cockpit
    • CGroups
    • Namespaces
    • Seccomp
    • SELinux

    Overview

    Today is meant for anyone who has any exposure to Containers, whether you have used them or not. We are going to start with a short overview (yes, slideware) and then we’ll get into the lab as soon as possible. That is where we will spend most of our time.

    Red Hat Enterprise Linux Security Technologies Lab

    9:45 a.m. - 11:45 a.m. - Cirrus C, D

    Lucy Kerner, Security Evangelist and Strategist, Red Hat
    Lukas Vrabec, Software Engineer Security Technologies, Red Hat

    In this lab, you'll learn about the built-in security technologies in Red Hat Enterprise Linux.

    Specifically, you will use OpenSCAP to scan and remediate against vulnerabilities and configuration security baselines. You will then block possible attacks from vulnerabilities using Security-Enhanced Linux (SELinux) and use Network Bound Disk Encryption to securely decrypt your encrypted boot volumes unattended. You will also use USBGuard to implement basic whitelisting and blacklisting to define which USB devices are and are not authorized and how a USB device may interact with your system. You will also learn how to deploy opportunistic IPsec to encrypt all host to host communication within an enterprise network. Throughout your investigation of the security issues in your systems, you will utilize the improved audit logs and learn how to use the Audit Intrusion Detection Environment (AIDE). You will also learn how to create a single sign-on environment for all your Linux servers using Red Hat Identity Management and learn about GNU Privacy Guard (GPG), which can be used to identify yourself and encrypt your communications. You will also have a chance to learn how to use firewalld to dynamically manage firewall rules. Finally, you will make multiple configuration changes to your systems across different versions of Red Hat Enterprise Linux running in your environment, in an automated fashion using Red Hat Ansible Automation, using the Systems Roles feature.

    OpenShift Security Lab

    9:45 a.m. - 11:45 a.m. - Layton

    Brad Sollar, Solutions Architect, Red Hat
    Jonathan Van Meter, Solutions Architect, Red Hat

    Learn about secrets and how to secure your microservices and containers by using and extending Linux scanning features, SCC, Seccomp and the security API.

    What you will learn:

    • SELinux
    • OpenShift deployment
    • SCC
    • Seccomp
    • Security API

    Overview

    Today is meant for anyone who has any exposure to Containers, whether you have used them or not. We are going to start with a short overview (yes, slideware) and then we’ll get into the lab as soon as possible. That is where we will spend most of our time.

    Donny Davis started his career in the US Army as a 25S (Satellite Communications Operator/Maintainer) in 2002. He went to Basic Combat Training at Fort Jackson, SC and Advanced Individual Training in Fort Gordon, GA. He spent 13 years in the US Army, with tours to Iraq and Afghanistan. He got out of the Army as a Staff Sergeant in 2015, and came to work for Red Hat as a Solutions Architect supporting the US Army Team. Donny currently holds two certifications from Red Hat, RHCVA and RHCE.




    Manny Evangelista is a Solution Architect for Red Hat’s Public Sector Organization. He works with Federal, State, and Local agencies along with Red Hat’s Partners and Communities in promoting open source software for enterprise environments. For the last 13 years, he has used his passion for technology in fulfilling the mission of several Federal agencies. And now with Red Hat, he continues to do so the open source way.

     




    Lucy Kerner is currently the Security Global Technical Evangelist and Strategist at Red Hat and helps drive thought leadership and the global go-to-market strategy for security across the entire Red Hat portfolio. Lucy creates and delivers security related technical content to the field, customers, and partners and has spoken at numerous internal and external events and is a 2018, 2017, and 2016 Red Hat Summit Top Presenter. Prior to her current role, she was a Senior Cloud Solutions Architect for the North America Public Sector team at Red Hat. Lucy has over 15 years of professional experience as both a software and hardware development engineer and a pre-sales solutions architect. Prior to joining Red Hat, she worked at IBM as both a Mainframe microprocessor design engineer and a pre-sales solutions architect for IBM x86 servers. She has also interned at Apple, Cadence, Lockheed Martin, and MITRE, where she worked on both software and hardware development. Lucy graduated from Carnegie Mellon University with an M.S. and B.S. in Electrical and Computer Engineering and a minor in Spanish.




    Steve Orrin is an experienced CTO and Product/Solution Architect. Concentration on Security and Security related topics & technologies as well as E-business challenges. Have founded 2 ISV Start-ups and brought them through productization and customer delivery. Have taken a development stage security company through acquisition. Regular speaker on Security, Privacy, and Web Services topics.

    Specialties: Internet Security, PKI, Cloud Security and Trusted Clouds, Virtualization Security, Malware and Botnet Detection, Cryptography, Web Services/SOA/Web 2.0, XML Threats, Steganography, Legacy Applications, Mainframe Architecture, The Internet/Technology Start up Process, Secure Development Process and Best Practices




    Christopher Robinson (aka CRob) is the Lead for the Red Hat Product Security Assurance Team. With 20 years of Enterprise-class engineering, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.

    CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program.




    John Osborne is a Principal OpenShift Architect dedicated to Red Hat Public Sector customers. He has been largely focused on the role of Kubernetes in government IT modernization for over 3 years. Before his arrival at Red Hat, he worked at a start-up and then spent 7 years with the U.S. Navy developing high-performance applications and deploying them to several mission-critical areas across the globe. He is also co-author of OpenShift In Action.

     




    Mark Thacker has over 25 years in the IT industry with a concentration on enterprise computing with an emphasis on security solutions. He has authored deployment guides on multi-level labeled security, firewalls, network separation, role-based access control, encryption and identity management.

     

     




    Lukas Vrabec is a Software engineer at Red Hat and is part of Security Controls team working on SELinux projects focusing especially on security policies.

     

     

     




    Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Consulting Engineer at Red Hat. He joined Red Hat in August 2001. Dan has led the Red Hat Container Engineering team since August 2013, but has been working on container technology for several years. Dan has made many contributions to the docker project. Dan has also developed a lot of the software on Project Atomic. He has led the SELinux project, concentrating on the application space and policy development. Dan helped develop sVirt, Secure Virtualization, as well as the SELinux Sandbox, an early desktop container tool, back in RHEL6. Previously, Dan worked at Netect/Bindview on Vulnerability Assessment Products and at Digital Equipment Corporation working on the Athena Project and AltaVista Firewall/Tunnel (VPN) Products. Dan has a BA in Mathematics from the College of the Holy Cross and an MS in Computer Science from Worcester Polytechnic Institute.
    Twitter: rhatdan
    Blog: danwalsh.livejournal.com
    Email: dwalsh@redhat.com




    Shawn Wells, Chief Security Strategist, U.S. Public Sector, is focused on creating strategic approaches, frameworks and technologies to elevate the competitive superiority of the U.S. Government’s Information Assurance capabilities.

    This work often takes on the most difficult, controversial, and frequently classified, capability development collaborations between Red Hat and the U.S. Government. Utilizing rapid innovation that open source development enables, combined with an engineering rigor process, Shawn is responsible for producing mission-critical quality technology for offensive and defensive purposes. Specifically, Shawn focuses on “Radical Innovations,” defined as technologies new to existence, and “Next Generation,” which pushed existing capabilities into completely different operating windows.

    Prior to this role Shawn was the Director of Innovation Programs. Chartered with helping the Defense and Intelligence Community build innovation climates, Shawn engaged these communities in internal venturing and intrapreneurship to create and incubate new ideas and drive enabling technologies. Shawn built a portfolio of innovation programs, defined as emerging ideas and mission capabilities, and drove them into open source development projects for transition into formal government-industry partnerships.

    Previous roles include serving as Technical Director for U.S. Intelligence Programs, where he oversaw Red Hat’s classified technical initiatives with agencies such as the NSA, CIA, and NRO; Global System z Practice Lead, building a global sales, strategy, and marketing organization for Mainframe computing; and formerly an NSA civilian, Shawn was the architect of the Al-Qaeda Senior Leadership SIGINT Database (AQSLDB), which ingested, exploited, and analyzed High Power Cell Phone collections in support of capture or kill missions.

    Government programs frequently encounter extreme loss aversion and threat rigidity responses. Often attributed to organizational complexities, there is poor understanding of where new capability opportunities originate, poor selection patterns for innovation portfolios, and frequently inflexible processes for execution biased to incremental projects. There’s no way to run small, cheap, radical experiments. Shawn frequently leads the “how and why” conversation behind Red Hat’s open innovation and collaboration models, sharing success stories from across public sector.