
I want to introduce today's keynote speaker, speaking on "What's New, or Not, in 2020: Are We Making Progress on the Intractable Security Problems We Have?": Larkin Ryder. She's the interim CSO at Slack. Here you go. Oh, all right, let's move off the big picture of my face. Oh, okay.
Yeah, all right, I'm gonna go ahead and start in the interest of time, because the first few slides are mildly amusing, but really I can just stand here and talk and that'll be great. So I am excited to be here talking about the next big thing, but I'm going to talk about the last 10 years of big things instead in my presentation, so we're all grounded in our history, something I know I need to take more time to do. Speaking of my history: yes, I am currently the acting chief security officer at Slack, and nobody's more surprised about that than I am. Right, so how did that happen? Well, I have to blame in part these two, well, these two gentlemen right here. In 2004 my manager decided to flee back to France for an extended vacation at the end of the year while we were completing our Sarbanes-Oxley audit, and there was just one thing left to do, and that was to secure the databases with the financial statements in them, the financial records. No problem, right? That's the core of what you do for SOX. And of course I had zero experience at that time, either in security or databases, so I was the perfect person to take on this task in a very small company. I didn't mess that up too badly, it turns out, so they let me take a crack at messing with a network as part of PCI DSS. Great, wonderful. You can feel free to take my slides wherever you want to if you need to move them, and if I have to work without my speaker notes, it's whatever, I'll just make something up, that's fine, that's what I was gonna do anyway. So that went okay, and that led me on to working in the enterprise security team at Twitter, and then working at Slack as the director of risk and compliance, and then director of product security. And apparently the natural progression from doing all that is to be the acting chief security officer. Great.
Okay, let's get back to where we were. All right, and then here we are at BSides booth, celebrating our tenth anniversary. I'm so excited to be here, because this is actually my favorite conference that I go to. Of all the security conferences that I have been to so far, I haven't found one that I like more than BSides. It's local, I don't have to travel, it's the right size, and I get to see a bunch of people who I look forward to seeing every time. I can't walk down the hall without collecting like ten hugs. All right, so what have we done in the last ten years to bring us here? What have we accomplished? Well, I want to have that conversation, but first I'm going to treat you all to a little story. So my husband and I, a little while ago, were looking at combining some investment accounts, right? So we had to get on the phone with the agent who had the separate accounts. They were all in one company but separate accounts, and we wanted to bring them together. The agent is like, okay, let me ask you some identity information. So the agent is collecting your name, your birthday, your social security number, et cetera, and then: "Miss Ryder, I have one last security question for you. Can you please tell me, what is the name of the street you grew up on?" Okay. I, you know, typey typey, look it up. All right: capital D, percent, open, question mark, smiley face, and lowercase p, uppercase, number one, you know, whatever. I had a long string and I read it off, and that was the answer to that question. And then: "Thank you, Miss Ryder, that's correct. Mister Ryder, can I ask you, please tell me the name of your first pet?" And my husband, his eyes get a little wide, and then his shoulders just start shaking with laughter, and he says, "Rover." And that is what it's like in my house. All right, so talking about the events of the last ten years that shaped our
perception, I'm gonna talk a little bit about some fun malware, some great data breaches, and some awesome vulnerabilities. Starting right away with malware. Remember, when I thought about malware when I first started out in my security career, my perception was that it ruins somebody's day. You know, that's too bad that happened to that other person over there on their one computer, and nobody else is impacted, and that's annoying, but I didn't really think of it as anything that was particularly earth-shattering, world-changing, important. All right, well, let's jump into 2010, okay, because that's when Stuxnet really became something that we were allowed to become aware of, and this is a really interesting story. So we're maybe talking about 20 million dollars in centrifuges that were damaged by Stuxnet, but really the implications defy math here, right? This is, for those of you who don't know, the malware that was introduced to the uranium enrichment facility in Natanz, so this had the purpose of disrupting the Iranian ability to enrich uranium. It was a program that was started by the US government, and it's fascinating how it progressed. If you haven't read Kim Zetter's Countdown to Zero Day book, I really recommend it; it's an amazing read. I can't wait to see who's in the movie. All right, and then WannaCry, of course, landed many years later. This was one of the most dominant pieces of ransomware: four billion dollars were impacted across 150 countries. And then NotPetya was really fun. Not really ransomware; this ostensibly was the Russian government trying to destabilize Ukraine. I think something like around 70 percent of the infections were in that one geographic location, right? So this again, like Stuxnet, was very targeted. I think the introduction point was some document that was widely used for filing taxes in the Ukraine or something. So of course, with all malware, it wasn't just contained to the Ukraine. I bet some of these other US companies, global companies that were impacted, maybe they had to file taxes in the Ukraine and they were impacted as well. All right, so talking about data breaches, here's a list of data breaches.
It's a small list compared to the actual number of daily breaches; this list really focuses on some of the larger breaches. They would look larger if Yahoo didn't look so big. Sorry about that, Yahoo; it's just how things are when you have three billion as your winning number. But Yahoo is one of my favorite breaches as well, because there are great records that I've seen, I've seen great presentations about the Yahoo breach, and understanding that this is a case where we got from identification all the way through prosecution to conviction for the people who are responsible. Like, yeah, I hope that's something that we can do more of if we work harder on our attribution capabilities. In this case names, email addresses, telephone numbers, birthdays, passwords and security questions were all impacted. So Adult Friend Finder, it's possibly a different motivation, this one and Ashley Madison. Maybe, you know, those are motivated by people who are making a moral judgment on the users of these sites, but again you have some very private data that's being impacted here as well. In this case plaintext or weakly hashed passwords were included. Okay, Target takes me all the way back to my PCI DSS roots, right? So looking at this particular compromise of these point-of-sale systems, it was one of those cases where the hackers had to go in and fix bugs in the point-of-sale systems that they were attempting to corrupt, because they had a plan, right? They had, you know, a couple of weeks before Black Friday to get their malware in there, get it stable, get it working through the holiday season, to get the payment card and debit card information that they wanted out of that environment. So they made sure that malware was good. They had to, of course, have access to the server that was cryptographically signing all the downloads to the point-of-sale systems, so, you know, yay for network segmentation. And then they had to have an exfil path, and this is where famously a vendor was involved in the breach as well. We can
talk about that in a bit. All right, so vulnerabilities earning names. There are so many here; you're not going to see your favorite, there are just too many favorite vulnerabilities. But Heartbleed was the one that really stuck in my consciousness as one of the first ones: a memory leak in the OpenSSL implementation of the TLS heartbeat extension. This meant that anything that you were actually trying to encrypt on open networks was potentially available to someone who had access to that data stream. So very scary, because, you know, again, payment card data, passwords, private medical history information, anything could be exposed through this. Next up were Meltdown and Spectre, very interesting because they were at the hardware architecture level, and of course if you're working in a processing environment where you have a shared hardware stack, then you're worried about processes being able to read the data of each other. And then EternalBlue. Okay, EternalBlue was actually the vulnerability that was behind WannaCry and NotPetya. This was a mishandled SMB protocol packet that allowed malicious code execution, and this one was interesting because this was known for a long time by the NSA and they chose not to disclose it so that they could capitalize on it. It was then eventually disclosed by the Shadow Brokers. All right, so how have we been changed by these events? Well, I certainly
just developed an increasing interest in information security as a result of being aware of all these things. But certainly we have to think about how that perception has changed, you know, think about how those events have changed perception more globally. So this is a study that was done by the World Economic Forum, and it's a global risk perception survey, and you'll notice that number five and number eight on this list are cyber attacks. So this is the list of things that they think will increase and be impactful in the next decade. I think part of that perception has to be defined by the media. So one thing I've noticed as I read the paper every day, and I do, and that's the sidewalk in front of my house where the paper actually in physical form gets delivered every day, and these are three articles that I found related to information security that were in the paper in one day. So I think that heightened awareness is something that we're all experiencing, and the media is bringing it into everybody's consciousness. But a lot of other things besides awareness changed in the last decade. Things materially changed in the way we get our job done, and I want to talk about some of the trends that I think are reshaping our working lives. Certainly we have to talk about the cloud, certainly we have to
talk about privacy regulation, and the ubiquity of mobile devices, that I see literally right now pointing at me from around this audience. So talking first about cloud. When I first started in computer science, my first job out of college was testing network equipment for Hewlett Packard. So I quickly learned that I did not wear nice clothes for that job, because what you were going to be doing is, there were these little mini desks all around the perimeter, and then in the center of the building is the data center, where you go in there and you actually are installing these network devices and you're pulling up the floor tiles and you're running the cables, because that's how networks were built. They were actually built in those days. That is not what we're doing right now, right? We have switched completely to virtualized environments, and software-defined networking is what we use every day. And of course the most important device in that environment was the firewall that we were using to protect it, but now our perimeter is really identity: security of some combination of your human users and the passwords they use, and hopefully two-factor, and probably their devices as our trust anchor, and their email as our trust anchor, for making sure all that is working the way you want it to work as a security professional. And then finally that perimeter, because now it's nice and virtualized, is evolving at an incredible rate. You can sign up for a new service faster than I can run that cable under that floor, for sure. Now one of the things that really helps that, and I work at Slack, which is definitely part of this problem, I realize that, which is why I put this slide up here with someone else's company, is that we have both free and paid tiers that are available to your users. So your users are, you know, having a great time, going and finding whatever it is they need and then clicking the accept button on those terms of service and then uploading your
company's private data there. Whether they're really authorized to agree to those terms of service on behalf of your company, that might be something that you want to remind them about. And of course then you have all of that data ending up in the private cloud, right, in the cloud. So you're probably, as a security professional, thinking, oh, what can I do to make sure I'm tracking all the data that's ending up in that. You're probably thinking about more cloud services that you're gonna buy to help you track that data that's ending up in the cloud, or, you know, maybe you actually have a controlled networking environment and a CASB and you want to go old-school with that. But again, what you're doing is you're bringing more vendors into the equation, and this puts more on, you know, vendor risk management. Vendor security review was definitely something that I thought about in 2010, but now it's just like, I need more people for that. We need a better solution as a community for how we establish trust with all the vendors that we rely on, and that is important, because every vendor that is on this screen here was material in a breach, a significant breach, probably one of the ones on the list. Fazio was the mechanical service that controlled the HVAC system that was the exfil vector for the Target point-of-sale malware. All right, and of course Spectre and Meltdown, which we already talked about, right? But we're all hosting data on these shared services, so our hosting environment, it was also a cloud environment, it's also a virtualized environment. So, you know, basically every one of my customers was like, I need to talk to the CISO now, when Spectre and Meltdown became a thing, because they wanted to know that their private data in my AWS environment was being protected from Spectre and Meltdown. All right, so one of the good things that I think has happened, because you can't just spend all our time talking about the bad things that have happened, is
privacy. The privacy regulation that has come forward in the last 10 years has been certainly significant. We have two things that are of importance, mostly: in the EU we have GDPR, and then here in California we have CCPA. So that's the General Data Protection Regulation and the California Consumer Privacy Act. Both of those give some protections in these areas, right? It makes sure that you as a user have permission, or are granting permission, both for the processing and in some cases the selling of your data. You can have your data removed, the right to be forgotten as it's commonly known. You have visibility to the data that's being stored about you. You have a requirement for breach notices. You have some data portability, so you don't get locked in to one particular vendor because they have so much of your data; you have the right to remove that information. And then there are monetary penalties, and my favorite one, the right to private action. That means, for example, under CCPA that you as the consumer have a right if you have non-encrypted, non-redacted personal information and it is subject to unauthorized access, exfiltration, or disclosure as a result of the business failing to maintain security procedures and practices that are appropriate. So this is saying that we as cloud service providers, as holders of consumer data, have to make sure that we're doing right by the consumer with respect to security, or they have the right to come after us, appropriately. The one thing I don't like about all the privacy regulation is that it does take resources away from everything else I'm trying to do for security, because I have to rush over to whatever that regulation is, I have to, you know, walk through that checklist of security requirements and make sure that I'm doing all of them, and they are vague. They're not prescriptive, they're very broad. I have to actually talk to lawyers about how to interpret them and whether they really map to my system of controls or not, or, you know, do I have a gap, and what is everyone else doing, and has there been litigation that's decided what good looks like about, you know, what you do with IP addresses, for example. I would love it if there were a more prescriptive standard that everyone could agree to, everyone could align on, and, you know, just go do ISO 27001 and everybody's good, something like that. All right, okay, so now let's talk about bring your own device. The mobile devices are ubiquitous, and I love mobile devices. They're great, they're easy to use, the apps are just downright almost fun even if they're work-based. You know, it's easy token-based access for getting whatever you want. There are notifications coming to my device all the time; everybody
loves me, isn't that great? And from my perspective, easy 2FA, right? This is a way for me to put a second factor of authentication in front of my entire, you know, identity-protected perimeter that will actually be usable for my users, so I'm happy about that. And there are biometrics there, which I have mixed feelings about. Biometrics are potentially complex from a privacy point of view, but for users who need it, if they need a biometric to authorize themselves and keep that second factor easy enough to use, I'll take it. But there's the problem of loss, right? We've had this problem for a while, but it's really more so with the expectation of mobility among our employees, right? So they have their mobile devices and they expect to be able to use them for the work that they do. They're putting data on those devices, they're putting the tokens on those devices that are potentially at risk. This has increased the use of laptops, in my opinion; I think the two go hand in hand. People just expect to be moving around more, and that can create problems for the company. Now one is, of course, loss. It's extremely embarrassing when, you know, laptops and devices get lost and that exposes the information there, certainly for the company. I did a meaningless study where I collected five years of data to see, you know, what happens to laptops, and what's the behavior there. Yeah, cars and bars, pretty much. If you're losing a laptop or personal device, it's either gonna be because you left it in your car or you took it to a bar, and, you know, I know everybody does those things, just letting you know. And then there's the complexity of the fact that you're putting your company's data on your personal device, whether you're using a personal laptop or a personal phone. How many people here right now today are carrying two phones for this very reason? Okay, yeah, that's about what I thought, right? I mean, maybe five to ten percent of the people here are doing that, because they've been through this before, and the rest of you haven't been through this yet, so you're not doing it. But once you have, you will, because if your company ever needs to take your device from you and get a complete image of it for discovery purposes, you are not going to feel very comfortable about having that ever happen to you a second time. And then malware is increasingly becoming something that we have to worry about in the mobile device ecosystem. HummingBad was installed on 10 million devices. I won't go into detail here, but that is an Android
system malware, I think going back to 2016, and there are as many as 24,000 malicious apps that are being blocked every day. So how many are actually being installed? It's an incredible volume, and something that I think we don't have a great handle on. All right, I am going to give you another story here. Hang on, I got to remember it, because I'm not actually working from speaker notes up here, in case you couldn't tell. This was the one where... which one was this, Arkady, do you remember? Damn it. Oh, oh yeah, I remember. So my husband called his credit union. He needed to close out his account. So the agent picks up the phone, and my husband's like, yeah, I want to close my account. "Yes, there is a charge for that. It's $1.95 to close your account, and I'll need a credit card from you." And my husband's like, what, you're gonna charge me to close my account? That's ridiculous. "And sir, if you want your account closed, you have to pay the $1.95 fee, but I'm ready to take your credit card number at any time." My husband's like, no, I'm not gonna pay you for that, and the agent hangs up on him, at which point my husband notices that he has misdialed the number for his credit union, and whoever he was talking to was actually not an agent of that company, just some guy who was collecting credit card numbers, and, I don't know, probably more than $1.95 at a time. All right, so I don't make predictions about things. If I were to make predictions, I'd probably make these three: that we're going to see a lot more Internet of Things participation in virus distribution and botnets. When I was getting ready for this presentation and looking around at things, one of the things that kept coming up was machine learning, because machine learning is all the rage. I can't wait to see the battle between the machine learning systems that are going to introduce the malware and the machine learning systems that are going to remove the malware. I know who I'm rooting for, but we'll see. And then the vulnerability of SCADA infrastructure. I think there was a recent Senate bill that was passed that was going to suggest that maybe more of our critical control systems should be analog and not digital. All right, so these are the things that have been changing. But how have these changes in the last 10 years, you know, impacted the struggles that we have with information security? Well, I think we talked a little bit about how the cloud is changing things, but I think there are some things that continue, and I want to focus now on kind of the
constants, the work that continues. And I think user behavior continues to matter deeply, and I'm going to talk a little bit about detection. I kind of have a bee in my bonnet on detection right now; I always have one on user behavior. All right, so this is what I call the checklist of the impossible. This is the list of things that people tell users that they always have to do, and I call this the checklist of the impossible because, while it is still important for security, it is also anathema to most of the work that our users are doing right there in the cloud all the time. The cloud runs on links. Those links are going to show up, and, you know, attachments as downloads from those services. All of these are things that I know most of the people I work with have to interact with every single day. So telling them, oh, you know how you do your work? Don't do it that way. That seems like an impossible ask to me. Staying patched is something I'd like us to solve. I'd like us to figure out how we can make sure things just update seamlessly and automatically and without too much user interruption, maybe minimize what level is needed, if that's possible. I realized that there are still 1 million machines vulnerable to EternalBlue, so this must be a hard problem for people, right? They must really need our support to figure out how to solve it. All right, and I know phishing is still the top threat action, so I know people are still clicking on links and entering their credentials, but again we have to figure out how to make sure that that's something they can do safely. This is the second half of that checklist, and this is slightly less impossible, right? So we can probably avoid USBs, USB drives. Probably VPN is barely available for us. I don't know, I don't back up my data, it's all just in the cloud, right? And it's important to note that a USB was the entry point for Stuxnet, right? So for those of you who don't know, if you're trying to get software into a secret facility in Iran, you don't have a lot of network entry points, so it is still an interesting and valid vector for attack. But whatever you're trying to do, you probably have a cloud service that will let you do these things. You don't have to use USBs to move big files around anymore. But if I could simplify it for the user, if I could make it easier for them, if I could say, look, these are really the only things that you have to... you know, if I had to give a new user onboarding in five minutes, this would be the checklist that I would use. If you
see something, say something. Probably the only time I was ever directly involved in a company that was experiencing an active attacker that was on their network and attempting to exfiltrate data, it came to light because one database engineer noticed one query on one server that was running too long. Unoptimized queries, you know, on our database tier, that shouldn't be happening. "Hey Joe, look, there's this unoptimized query." "Huh, Bill, that's odd, let's go tell security." And that is how that attack came to light for the security team that day. It could have gone so much differently for that company. I think this is one of the most important things we can tell our users. All right, use what I gave you. Please don't go up and sign up for the free tier. Customer data is off-limits; that's kind of obvious. And if you don't understand why I'm adding friction for you, tell me that you don't understand, because I would love to explain it to you, I really would. My experience is 99.99% of the people that you work with, they just want to do the right thing, and they don't understand why they have to choose between right thing A and right thing B, and you're there to help them rationalize that. All right, and this is the final thing that I have that I am concerned about: detection. How much more time do I have left, by the way? I have 20
minutes? Oh, awesome, okay. I can really grind this axe while I'm here. So let me go back actually to this slide. So I was in a room recently with a team of other CISOs, and we were talking about metrics, and we were talking about how hard it is to define metrics for our industry. How do we meaningfully explain the great job we're doing as CISOs in building a security program and protecting the sensitive data that is in our care? And it's hard to find a metric that represents your progress towards preventing something from happening, which is what you're really trying to do as a CSO. And one of the things that we know is important is our ability to detect when the bad thing happens. And so we were talking about red team and attacks and, you know, the time to detect, and how quickly we can do that, and is that a valid simulation or are we kidding ourselves? And kind of the consensus in the room settled down to: yeah, we're gonna get owned, and we're not going to know it, and then we're gonna get fired, and then all the CISOs are gonna stand up and shift right one company and sit down again. Like, yeah, that's probably what's gonna happen, but man, that's... right? Like, why aren't we gonna know? Why can't we tell? We get so much data. We know that the most attacked industry is going to be health care, it's gonna be organized crime, it's going to be a financial motivation. We have a lot of information that we should be relying on about what the threats are to the environment that we're working on, and we should use that data to understand who is coming after us and how they are coming after us. So here's what it's worth, right? We even know how much we need to spend, because we can take this data on what it's worth to the attacker and we can figure out how many people they're gonna need, what equipment they're gonna buy, how much they're gonna pay for those zero days so that they can get something of value to them. So we know exactly how much they're spending on what they're gonna buy. We know a little bit about what what they're gonna buy is going to look like and what it's going to cost them. We can use that data to figure out what we should be spending in defense, based on the information that we have. I know health care isn't spending that money, because you can see how challenged they are just to provide the services that they're trying to provide in this country in order to really do right by their patients. But, you know, last time I went to a new health care
provider, they had to look at my driver's license, and I think they took a copy of it when they copied my insurance card, because that insurance card is just a flimsy piece of paper that anyone could make a copy of, and they could say, hey, I'm Larkin Ryder, I need a new kidney, by the way. And, you know, it's trivially easy unless they can secure my identity with another piece of collateral, so I understand why they took it. And what I'm hoping is they took that piece of paper and they put it in a file and they locked it in a drawer and they didn't, like, you know, upload it to a system, but I don't know for sure, right? So, you know, we see how much the health care industry gets ransomed, and that worries me, because I was talking with a friend and he was saying, yeah, my concern is that the ransomware that we hear about at hospitals is just the visible example of how the healthcare industry is under attack, but they're really so owned in every other way that they're working, and they have zero detection, so they just don't know it. Because detection, to be clear, I know it's a hard problem. Like, I know it is not easy to figure out your detection story, but if I'd land no other message in this presentation, and this is why I put this one at the end, it is that we are the people who have to be responsible for changing that mindset and that attitude. We have to change that attitude in ourselves and with the people that we work for. How will you know if you're owned? What are the indicators that you have? And maybe you're like, Larkin, I got nothing. I'm starting from zero. Maybe I'm the first engineer at this company that's thinking about security, and I haven't got a dollar to my budget's name or a clue of how I'm going to move forward. Well, I would say start somewhere, right? Just pick one thing. You've got to
start somewhere. Pick one thing that you think is important and understand that one thing in detail. Get those logs, get new logs if you need them, study what normal looks like, and then build rules on what abnormal looks like when it occurs. Red team, rinse, repeat. So I worked for a while for Bob Lord at Twitter, and I read a blog post he wrote one time. It was really interesting. It was based on the idea that if you need to build a new security team and you don't have a budget for it, one of the things you could do is just find enough money to hire some red team. Bring in that red team, don't do anything to secure the systems, don't put any preventive measures in place, just go in with the red team and test them and test them and test them, and just keep showing people how you're owning them over and over and over again until the people who actually own the systems and care about the data and understand what the risk of the disclosure is, they'll either hire their own security team or give you one. I think that's an interesting perspective. I think there are good things and bad things about that approach, and things that do and don't work in the business that I'm currently in, but it's interesting, and frankly I've always wanted to try it. So if any of you are in that position, and you're the first security engineer and you're wondering how you're gonna get through securing all of this infrastructure you have, let me know if you're interested in trying that. I'd be interested to know how that works out for you. All right, so in closing, how do we keep on when we have so much on our plate, when we have so many things? You know, I put this presentation together and I'm like, oh man, this is depressing. Like, there is too much here to think about. How do we keep from going crazy with this, you know, infinite bag of risks that we all feel like we have to manage? Well, I have some ideas for you, three really simple things.
First of all, please recognize your burden. I know I have to spend a lot of time not thinking about that burden as the person who is ultimately responsible at Slack, but every now and then please stop and recognize what you're doing and how it's important and how you feel about that, and make sure that you're not, not thinking about it too hard. And then bound your efforts. This is a strategy that I've had to use and I've had to ask my team to use. You have an infinite backlog of risk that you're trying to manage. Don't try to boil that ocean, don't try to deal with it all at once. Prioritize ruthlessly and work on the first thing and let everything else wait till the next sprint. You can't do it all at once; you'll go crazy. And then finally, lean on your community. This is why we're here. So we have our community with us, so we get to spend a couple hours in one week talking to the people who really understand what we're doing, what we're struggling with and how hard it can be, and maybe even get some tips for making it a little bit better. Thank you so much.

All right, do I get to answer some questions now? Thank you so much. Thank you, I appreciate it, I appreciate it. Have a great day, everyone. [Applause]
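An added example, not part of the talk, of the detection approach the speaker describes near the end (get the logs, study what normal looks like, then write a rule for what abnormal looks like), applied to the kind of signal in her story about the database engineer who noticed one query running too long. The log format, server names and all values are constructed for the example; the baseline uses median and median absolute deviation so that a few outliers in the training window do not stretch what counts as normal.

```python
"""Baseline-then-alert detection over constructed database query logs."""
import re
import statistics
from collections import defaultdict

# Constructed log format: timestamp, server, user, duration_ms, rows returned.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) server=(?P<server>\S+) user=(?P<user>\S+) "
    r"duration_ms=(?P<duration>\d+) rows=(?P<rows>\d+)$"
)

# Constructed training window: what "normal" looked like on two servers.
TRAINING = [
    "2020-02-01T10:00:01Z server=db1 user=app duration_ms=20 rows=5",
    "2020-02-01T10:00:02Z server=db1 user=app duration_ms=25 rows=10",
    "2020-02-01T10:00:03Z server=db1 user=app duration_ms=30 rows=12",
    "2020-02-01T10:00:04Z server=db1 user=app duration_ms=35 rows=8",
    "2020-02-01T10:00:05Z server=db1 user=app duration_ms=40 rows=20",
    "2020-02-01T10:00:06Z server=db1 user=app duration_ms=45 rows=15",
    "2020-02-01T10:00:07Z server=db1 user=app duration_ms=50 rows=30",
    "2020-02-01T10:00:08Z server=db1 user=app duration_ms=55 rows=25",
    "2020-02-01T10:00:09Z server=db1 user=app duration_ms=60 rows=40",
    "2020-02-01T10:01:01Z server=db2 user=report duration_ms=100 rows=100",
    "2020-02-01T10:01:02Z server=db2 user=report duration_ms=110 rows=100",
    "2020-02-01T10:01:03Z server=db2 user=report duration_ms=120 rows=110",
    "2020-02-01T10:01:04Z server=db2 user=report duration_ms=130 rows=120",
    "2020-02-01T10:01:05Z server=db2 user=report duration_ms=140 rows=90",
]

# Constructed recent window: one normal query per server, one query that runs
# far too long and returns far too many rows, one query on a server with no
# history, and one malformed line to show that parsing tolerates noise.
RECENT = [
    "2020-02-02T03:10:01Z server=db1 user=app duration_ms=45 rows=12",
    "2020-02-02T03:10:02Z server=db1 user=app duration_ms=900 rows=50000",
    "2020-02-02T03:10:03Z server=db2 user=report duration_ms=160 rows=140",
    "this line is garbage and should be skipped",
    "2020-02-02T03:10:04Z server=db9 user=app duration_ms=30 rows=5",
]


def parse(lines):
    """Parse log lines into dicts, skipping lines that do not match the format."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": m["ts"], "server": m["server"], "user": m["user"],
            "duration": int(m["duration"]), "rows": int(m["rows"]),
        })
    return events


def build_baseline(events):
    """Per-server baseline: (median, MAD) of query duration and of rows returned."""
    by_server = defaultdict(lambda: {"duration": [], "rows": []})
    for e in events:
        by_server[e["server"]]["duration"].append(e["duration"])
        by_server[e["server"]]["rows"].append(e["rows"])
    baseline = {}
    for server, cols in by_server.items():
        baseline[server] = {}
        for name, values in cols.items():
            med = statistics.median(values)
            # A MAD of zero would make any deviation an alert; floor it at 1.
            mad = statistics.median(abs(v - med) for v in values) or 1.0
            baseline[server][name] = (med, mad)
    return baseline


def detect(events, baseline, k=5.0):
    """Flag events whose duration or row count exceeds median + k*MAD for their
    server. A server with no baseline at all is flagged too: activity on a host
    you have never seen in the logs is itself worth a look."""
    alerts = []
    for e in events:
        b = baseline.get(e["server"])
        if b is None:
            alerts.append((e, "no baseline for server"))
            continue
        reasons = []
        for name in ("duration", "rows"):
            med, mad = b[name]
            limit = med + k * mad
            if e[name] > limit:
                reasons.append(f"{name}={e[name]} > {limit:.0f}")
        if reasons:
            alerts.append((e, "; ".join(reasons)))
    return alerts


def run_example():
    """Learn the baseline from TRAINING, then check RECENT against it."""
    baseline = build_baseline(parse(TRAINING))
    return detect(parse(RECENT), baseline)


if __name__ == "__main__":
    for event, why in run_example():
        print(f"ALERT {event['ts']} {event['server']} user={event['user']}: {why}")
```

The second RECENT line is the "one query on one server running too long" from the story; the rule catches it on both duration and row count, while the slightly slow report query on db2 stays under its own server's threshold.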