IAM, MFA, & Password Security Solutions Forum 2022

  • Friday, 20 May 2022 10:30AM EDT (20 May 2022 14:30 UTC)
  • Speakers: Chris Dale, J Wolfgang Goerlich, Joseph Carson, Robert Pogorzelski, Nabeel Saeed

Is multi-factor authentication a silver bullet that stops phishing for credentials? How easy is it to get hold of employee credentials without phishing at all? Zero trust: are we there yet? We happily authenticate with biometrics on our phones, so what is the hold-up on workstations? Is the password finally dead?

Organizations are increasingly feeling the pressure of threats, and attackers are knocking on the door wanting in. IT operations teams often have to do more with less, and users may resist security controls that are overly rigid and restrictive. On top of it all, we may have to navigate internal politics when looking for a safe way forward. There are many questions to ask ourselves, and many of them remain unanswered.

Join the SANS Solutions Forum Interactive Slack Workspace for this event (and all SANS Forums)! Connect once and you're set for all events in 2022!





Friday, May 20, 2022 | 10:30 AM - 1:30 PM EDT

All session times are listed in Eastern Daylight Time (EDT).



10:30 AM

Welcome & Opening Remarks
Chris Dale, SANS Instructor & Subject Matter Expert

10:45 AM

Street Cred: Increasing Trust in Authentication

Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both counts. Users feel the pain of adhering to complex password policies. Adversaries simply copy, break, or brute-force their way in. Why, then, have we spent decades with passwords as the primary factor for authentication? The industry needs to trust passwordless authentication. Adversaries, and then criminals, have circumvented our authentication controls for decades. From the very first theft of cleartext passwords to the very latest bypass of a second factor, time and again improvements in defenses are met with improved attacks. What holds us back from getting rid of passwords? Trust. In this session, we will propose a framework of technical controls to ensure that only trusted sessions authenticate, regardless of faults or failures in any one factor. We will share a path forward for increasing trust in passwordless authentication.

J Wolfgang Goerlich, Advisory CISO, Cisco Secure

11:20 AM

PAM Back to Basics

With so many high-profile breaches accomplished by compromising the passwords of privileged accounts, PAM is a top priority for organizations of all sizes (Gartner has put it at the top of the security list for two years running). Join Thycotic's Chief Security Scientist Joseph Carson as he takes you on a brief journey through the PAM lifecycle to get you quickly up to speed, and to understand the PAM matrix of all the different types of privileged accounts that exist across your IT domains, often referred to as your privileged account attack surface.

Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea

11:55 AM


12:10 PM

The Psychology of P@ssw0rds

The truth is: passwords are very likely to stay with us till the end of time, for the very same reason one may still find Windows XP machines running critical DOS applications: legacy systems. Systems whose maintenance is bravely passed from one generation to the next, along with the secrets stored in plain-text files in long-forgotten directories usually called "Desktop" or "My Documents". Not to mention the hundreds of thousands of network devices, custom services and related protocols, security cameras and control systems, none of which will accept any other authentication mechanism.

So what can be done? In order to strengthen our organizations' defenses, it is crucial to understand how passwords are created, what the most common tricks for bypassing policies are, and how mechanisms for weak-credential discovery can be improved. Is there any relationship between the native language used in a password and its complexity? Does having the left hand as the dominant one affect the combinations being used? How much harm can a single file consisting of one hundred lines actually do? During this session we will discuss the results of an ongoing, years-long journey of building the smallest and most effective password dictionary.

Robert Pogorzelski, Penetration Tester, River Security
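The abstract above describes two sides of the same coin: the mangling tricks users apply to squeeze a weak base word past a complexity policy, and the weak-credential discovery that undoes those tricks. The script below is an added illustration, not code from the talk or from River Security: it expands a base word with common mangling rules (capitalization, leetspeak, a year, a trailing digit or symbol) the way a compact attacker dictionary would, and, in the other direction, normalizes a submitted password back to its base word to flag it even though it satisfies a typical "8 characters, 3 of 4 character classes" policy. The base-word list, the leet map and the sample passwords are constructed for the example and are not the speaker's dictionary.

```python
import re
from typing import Optional, Set

# Constructed base list: a few words a small attacker dictionary would carry.
# The real "100-line" dictionary discussed in the talk is not reproduced here.
BASE_WORDS = {"password", "welcome", "summer", "company", "admin", "qwerty"}

# Leet substitutions, attacker direction (word -> mangled) and auditor
# direction (mangled -> word). Both maps are assumptions for the example.
LEET_OUT = str.maketrans({"a": "@", "o": "0"})
LEET_IN = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                         "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_typical_policy(pw: str) -> bool:
    """A common policy: at least 8 chars and 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(1 for c in classes if re.search(c, pw)) >= 3


def mangle(word: str, years=("2021", "2022"),
           suffixes=("", "!", "1", "123")) -> Set[str]:
    """Attacker side: expand one base word with the usual policy-bypass tricks.

    One word becomes dozens of candidates, which is why a tiny dictionary
    plus rules covers so many real passwords.
    """
    forms = {word, word.capitalize(), word.upper()}
    forms |= {f.translate(LEET_OUT) for f in list(forms)}   # "Password" -> "P@ssw0rd"
    out: Set[str] = set()
    for form in forms:
        for year in ("",) + tuple(years):
            for suffix in suffixes:
                out.add(form + year + suffix)
    return out


def normalize_candidates(pw: str) -> Set[str]:
    """Auditor side: peel the mangling off a password to recover base words.

    Returns every plausible base form so that both "admin1" (trailing digit)
    and "adm1n" (leet 'i') resolve to "admin".
    """
    lower = pw.lower()
    cands = {lower}
    cands.add(re.sub(r"[^a-z]+$", "", lower))              # drop "2022!", "123", "!"
    cands |= {c.translate(LEET_IN) for c in list(cands)}   # "p@ssw0rd" -> "password"
    cands |= {re.sub(r"[^a-z]+$", "", c) for c in list(cands)}
    cands |= {re.sub(r"^[^a-z]+", "", c) for c in list(cands)}  # leading "!" or "1"
    return {c for c in cands if c}


def weak_base_word(pw: str) -> Optional[str]:
    """Return the base word a policy-compliant password is built on, or None."""
    for cand in normalize_candidates(pw):
        if cand in BASE_WORDS:
            return cand
    return None


def audit(pw: str) -> dict:
    """Combine both checks: a password can pass policy and still be weak."""
    return {"policy_ok": meets_typical_policy(pw), "base_word": weak_base_word(pw)}


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("P@ssw0rd!", "Summer2022!", "C0mp@ny123", "xK9#mLq2vR"):
        print(sample, audit(sample))
    print("candidates generated from one base word:", len(mangle("password")))
```

Every sample except the random one passes the policy check, and the first three resolve to a base word, which is the practical point: a complexity policy measures character classes, while an attacker's dictionary measures how far a password is from a handful of known words.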

12:45 PM

Best Practices for Using Customer Identity Solutions to Stand Up Against Security Attacks

Customer Identity solutions are cornerstones of protecting our connected world, ensuring that only authorized users - employees, contractors, partners, and customers - can access the resources they need. Security attacks are on the rise, and we analyze how and why these identity attacks are able to penetrate. Today we will share the best practices for threat mitigation that we see on our platform.

Nabeel Saeed, Senior Product Manager, Okta

1:20 PM

Chris Dale, SANS Instructor & Subject Matter Expert