Challenges in Control Validation
2022-08-13, 15:00–16:00 (US/Pacific), Main Stage (In-person)

Testing security controls is hard. Really hard. Every incident responder has lived with victims who are sure existing security controls should have prevented or detected the intrusion. While some organizations don’t do any security control validation, those that do understand the challenges. While red team operations allow for point-in-time validation, how are organizations dealing with control validations during product updates or configuration changes? By and large the answer is “they aren’t.” On this panel, we’ll discuss why control validation is difficult. Then we’ll discuss recommendations for scaling control validation operations in practically any organization.


Sample panel questions may include:
How is control validation different from red teaming?
Isn’t control validation just purple teaming? (it’s not)
How do you recommend my organization starts its first control validation exercise?
What’s your #1 recommendation for maturing a control validation program?
What are methods for scaling control validation programs?
How much validation is too much? When is the cost no longer justified?

Jake Williams is the Executive Director of Cyber Threat Intelligence at SCYTHE. Williams is an IANS Faculty Member and also works as a SANS Analyst. He is a prolific speaker on topics in information security and has trained thousands of people on incident response, red team operations, reverse engineering, cyber threat intelligence, and other information security topics. Jake is the two-time winner of the DC3 Digital Forensics Challenge, a recipient of the DoD Exceptional Civilian Service Award, and is one of only a handful of people to ever be certified as Master Network Exploitation Operator by the US Government.

Kristen is a Cyber Threat Intelligence Analyst at SCYTHE. Prior to joining the herd she worked for the United States Department of the Army in various roles ranging from network and system administration to vulnerability management and cyber compliance. She has a penchant for solving technical puzzles, leaping from perfectly good airplanes (or cliffs), and finding the best local hole-in-the-wall restaurants. If you want to talk about foreign travel, sports nutrition, or why Episodes 4-6 are the only Star Wars movies that matter, she's your girl!