
this is awesome it's so great to be able to chat with folks um you know kenan is is incredible and uh looking forward to hearing more about your thoughts thanks and i'm super looking forward to hearing your thoughts too i mean um on the tech side you're pretty impressive pretty impressive i'm not gonna lie so ian r asks bonus high school yeah 2006. so ian's a whippersnapper i graduated in 95 um from bonus high school this is my dad found this at a uh at a goodwill or something like that and got it to me a couple years ago spent time in in bonus broke some bones in the uh in the wrestling uh got a couple
concussions and rugby so it was a good time anytime you break a bone that's all always a good time yeah the i broke my collarbone and those are really annoying because you can't put a cast on them and so there was a butterfly thing holding my arms back for like a month and it was just it was not a good time i i feel you i actually broke my arm in september i just took the cast off last week and it it was really cool because i got a 3d printed cast oh yeah which was amazing and you can remove it which was probably a terrible idea because i kept taking it off to do
things and then i'd be like ah but a cast is just so annoying i mean you can't do anything good with it my typing was useless i had to learn how to do um you know speech to text for everyone oh really the the uh did you have to deal with like like much weakening of the muscles and stuff oh yeah absolutely surprisingly um so the break was the radius right at the wrist and then part of the wrist broke so you know just being able to like move my fingers is is a new thing really wow well maybe you learn uh dvorak on one hand and cordy on the other yeah totally yeah uh cool so brody's asking um
love to hear the thoughts on the future of azure defender for iot and azure defender in general some thoughts you know one of the things that i think is really interesting is um and actually before we go on maybe if we could introduce ourselves a little bit so that folks have ideas of what what is um kind of game for questions uh can india start yeah sure um keenan skelly i'm a ceo of a company called shifted and we do gamified uh cyber security awareness it's super cool uh my background is a little bit varied and my pathway to cyber security was a bit strange i think maybe probably like most people i started life out diffusing bombs in
the united states army and i moved on to run the comprehensive review program at dhs doing vulnerability assessments on critical infrastructure and then i fell into the evil world of the private sector and startups which i absolutely loved and i became kind of um the go-to person when it comes to cyber security uh ranges training ranges uh you know doing the the red team the blue team the white cell all of the fun stuff in the background and really helping people learn cyber security with some really great fun tools like gamification like artificial intelligence uh etc so that's my short my short run cool and um i'm lee holmes i'm um i work at microsoft i'm an
azure security architect uh inside of azure security and um i spent a i live in in seattle washington i spent a bunch of my time uh as a developer on the powershell team and i wrote the powershell cookbook and the pocket reference and things like that and in the last while i've been as i mentioned doing security architecture for azure security and so you know as we have uh different teams and different products working on different things that's where we work on um you know helping make sure that they're secure through through processes and systems and kind of design reviews and and things like that so i'm always trying to keep ahead of the attackers and do as much as we can
for the defenders as possible um okay so brody's question um thoughts on azure defender for iot and azure defender in general um so i think you know one of the things that i'm really just starting to see in the last you know probably five years is you know if you went to any security conference uh before five years ago 98 of the presentations they were still on on-premises things and we started to see some transition of folks you know being less just generally afraid of the cloud when i think about the cloud you know when you when you think about it as a as an actual thing that you're going to go do you can feel a lot of fear about it
um one of the things that's you know we've been doing as you know as professionals we've been doing our taxes online forever we've been banking online forever and and i think thinking about the cloud as different than just you know working online is is a is a kind of a dangerous way to think about it and one of the things that what i do love about working in azure and and being a big part of how we can secure the cloud is that i get a chance from a first row uh to get a chance to see the amount of security engineering that goes into our cloud infrastructure the design of the the software being deployed to
the cloud and the applications that we're writing and so i know and you know i've experienced other companies and get a chance to see their security maturity and and always how strained everybody is for resources this is one of those things we talk about the cloud where we're able to apply you know microsoft and azure as a multi-billion dollar business the the fraction of the money that we spend on securing azure and securing microsoft is just so much further than folks would be able to to spend on their own otherwise and so i'm really really optimistic about the the increase in security that people can get by moving to the cloud now a bunch of this does come from when
you start to host your infrastructure in azure or aws a big part of that is becoming aware of a lot of the stuff is just handled for you you don't have to worry about you know the servers hosting uh these applications getting compromised that is a very legitimate worry when you're hosting things on premises when they're being hosted in azure you don't have to worry about those being compromised you don't have to worry about your data centers going down you don't have to worry about the operators going in and being bribed to you know steal hard drives and things like that so immediately your base level of security raises when you do start to host things online
then there are still some things when it comes to the way that you interact with your subscriptions with your services with your web apps and things like that and all of these do have an amazing data stream within azure so azure monitor is a great place to to look at i'll touch on that a little bit in in the in the talk later on today now when you start to talk through azure defender um for iot is you know specifically for iot device but for you know azure defender all up you know previously known as azure security center this is a place where we have a whole team that is aware of here are the big risks when you're
hosting things in the cloud and they can do things like um the security score as part of that to help you figure out hey i'm not even aware that there is a lockdown that i can do here but instead start to alert you for these things and they can become your focuses for additionally improving your security so i'm a really big fan of being able to operationalize some of the the security best practices and and azure defender uh is a great way to go about that
skelly who's organizing oh yeah i'm on here as the besides calgary organizers oh okay well that's cool i didn't realize oh you're using the account yes oh i see i'm like so you also in addition to keynoting organize the whole thing definitely not i had uh i had no hand in that whatsoever but um yeah we had some i.t issues of course yeah yeah that's awesome so i really um and i'm gonna jump into what you were talking about in terms of you know microsoft and securing the cloud uh in a past position i had the great opportunity of working with uh some of the folks at microsoft to create um sort of trainings on how to use all
of those features right how to actually get into your account and set everything up whether it's from the sentinel side or from the azure side and i have to say that uh the feedback that we got from the users and being able to do that setup and uh really do it with ease and not have to spend too much time diving into it it's really impressive so kudos the gamification stuff that that you've been working on um what are your thoughts around like gamification of uh application security or kind of infrastructure security absolutely i think um when we start talking about how to get people more um intrinsically comfortable with these kinds of things and these
kind of topics gamification is just 100 um well i say this because i love gamification but 100 is the best way to go people learn by doing things you know you can put a book in front of them a million times and they can read the book and they can do a couple of the exercises but when you put them into a gaming environment where they are task oriented or you know sort of role oriented and they're earning points and they're earning badges more importantly when they're competing against each other and these kind of elements just drive that immersion factor and it's uh it's really kind of exciting what are the the focuses of the gamification that you
focus on is did you mention it was security awareness or so my in my former position it was specifically to train red teams blue team socks so more on the technical side now with shifted uh what i'm doing is definitely security awareness and more probably traditional gaming you know something that has really bothered me and i've struggled with over the last couple of years is we tend to try to solution a human being out of the problem when it comes to security awareness and human firewall and things of that nature we tend to assume that human beings are dumb and they're never going to figure it out they're always going to click on the links
but i don't believe that that's true and we don't really think that that's true either when you get people involved in a way that they enjoy and that they you know actually start to understand then human beings become the best firewall that we could ever really have but we have to get them to the point where they enjoy it so what we're focusing on now is a super fun game where you can be a hacker and you have to protect your stuff and you get cool guide toys and um i had we did a poc not too long ago actually with microsoft and one of my favorite comments from this poc was i finally understand
what a botnet is and it just took that that piece that gamification that immersion um and kind of learning through that nice so we got a question here um someone was asking what words of encouragement or guidance can you give to those just starting in the career um especially given the depth and breadth is so large do you want to start yeah absolutely the biggest piece of encouragement or advice that i can give is be hungry for learning be hungry for education get your hands on every piece of material you can because the field as everybody here knows it changes rapidly techniques change rapidly a technology changes rapidly and what folks are doing in terms of you know
attack vectors and uh threat actors what they're doing changes constantly so whether you're just beginning or whether you're a long time person you really need to jump uh you know jump in head first and really get your hands on everything you can my second piece to that is that is super overwhelming that is literally jumping into the middle of the ocean and trying to figure out you know what you should read what you shouldn't read one of the biggest things you're going to have to figure out in that is what you like and what you don't like so start with the 101s start with the basics for every topic that you think is kind of in your realm
of reality and start there and if it's not you know giving you a warm fuzzy okay next don't go two miles deep in in technical knowledge and figure out that that's really not your jam yeah yeah i i concur with that i think there are you know i come at this from a perspective of you know application security and operational security um the one thing that's just incredible about the security industry is how open things are for sharing and you know the fact everybody here is is here voluntarily just because they're they're looking to learn some more uh there are a couple basic things that i think are important to pay attention to so for
example being aware uh i'm pretty deeply aware of the like the olaf's top 10 for things so knowing what cross-site scripting is and sql injection those are some of the table stakes the one thing i will say is that you know folks that have that i've seen that have come to microsoft with a masters of cyber security today most people that are in the security industry came from non-traditional backgrounds they followed their interests they followed the things that that kind of tweaked their brain the best um and once you like i went to u of t there was zero security in in my program for software engineering um now pretty much you know most universities and schools have some
degree of security at least but realizing that you can come in by following your own interests and and and still be successful um a great resource that i think is helpful to understand some of the great uh the breadth from the industry is leslie carhart uh has her tis phone uh blog and she's got a getting into cyber security mega threat or something like that and i just really love that it does go and talk about some of the major areas um and then as an approach it's what i do personally is as a thing interests me dig into it you can become an expert in the latest malware outbreak an expert in all of malware ever and as you poke
around in the things that interest you you become just more and more well-rounded maybe at some point you just really gel into crypto or you know uh fishing or things like that and you're gonna start to specialize and and become more effective there i see a um a question here about risks on i.t to client communication tech support asking people to click a link and etc so kind of dovetailing on another idea here you know gartner just put out their latest security awareness report and it's kind of talking about how phishing has been the focus of everything because it's such a big problem and it goes back to the clicking on the links right what's going to
happen when you click on the link but the the way that people have been approaching it for the last several years doesn't really allow them to understand the ramifications of clicking on that link in a way that is personal to them okay so you can you can slap people on the wrist and say don't click any links ever because you never know what it might be but that's just not reality right that's not what um users what human beings do so i think you really have to get at the heart of how human beings act from a social perspective from a psychological perspective and that's where uh doing more of the positive reinforcement is really important but i think the
bigger piece of that is that phishing is not the only problem and you can't tell somebody or spend so much time on one particular topic in cyber security without letting them know everything else and all of the reasons that they go together i tend to believe that human beings are generally much smarter than we give them credit for when you start talking about concepts like a botnet or malware or ransomware and really giving enough high-level information that they understand the damages that it does that they understand what their role in activating or not activating it is that they become much more aware of what's going on so i think it's kind of it's kind of a
shift mentally of how we're doing this and how we're getting people to understand what security actually means and really you know i say this all the time now get the human beings back in the game right we spent so long pushing them off and saying we know you're never going to do it right but we can't do that anymore yeah and i think also the like when you can get people and you know the kind of awareness training that you do i think we're never going to get it to a point of every mail says hey log in onto you know the corporate portal and then navigate through this and this and this and then go here you know i think
there's enough complicated websites out there that you know clicking on a link is usually going to be required at some point um making sure that that users are aware of the kind of risks that can happen um it's a really big thing and being aware of you know clicking on a link and being asked for a password there's a couple things after clicking the link that i think become really uh really important and one thing that i've been uh surprised by um so over the past years microsoft has really been uh rolling out using uh 2fa for everything um to the point that you know when you're when you're logged on you you know you log on to your
machine with your password but then from then on every website that you visit that requires you know authentication in the microsoft domain that's all using you know windows hello and 2fa and all that kind of stuff and um you know some people might argue like that's great you're microsoft you can do those kind of things and it's that's a hard pull but we've we've done it and the one thing that's been shocking to me is how effective that has been at the mental aspect of phishing because in the past you wouldn't know if you had half of your sites sometimes asking for your corporate credentials and sometimes not then you might just be more like oh that's just the
site is broken i'm going to enter them we're far enough now that when a site asks for it i've seen this so many times in a screen share with somebody or whatever where they click on a thing and it asks for the credentials and they go hold on that never happens i'm never asked to enter my credential at work and once you're at that point and as you can start to reduce the number of credentials that are being asked for phishing just flops because whenever it does happen then everybody is much much more cautious about it and so um you know i think we're going to start to see less around punishing people for clicking on the links and more around
what what can they do to protect themselves afterwards so lee i see a good one here for both of us but i'm gonna kick it to you first uh the two of you are certainly developed security professionals and have an admirable career director trajectories these size appear these sides appears to have a great mix of novice and experienced security folks what mistakes have you made in your security career and what advice would you provide that would be helpful to both the new and the gray-haired well uh neither of us have gray hair
uh this is good okay so i'll do both uh advice for the the new person and advice for the grizzled um so advice for new people who are interested in security um the advice i would give is to to do the deep dive um you know it's really really common for folks that are new to the industry to uh you know read all the blogs and check all the twitters hear about the newest attacks and and talk about them and and treat that as their kind of center of expertise is like oh did you hear about the latest attack of whatever or hey did you hear that this cve just recently compromised this thing one of the things that i think really
separates people uh early in the career from like really junior in their career to the folks becoming more advanced in their career is to be able to read through let's say an article or or take a look at an exploit and form your own opinions um a great example and i'll defend linux here was what there was a a bug recently in linux with the pseudo command where if you said like pseudo negative one badness would happen and you would get you'd get root um that was widely kind of lambasted of hey linux is so bad at security that this and this this happens and the same thing happens people will point that same gun at microsoft
uh more frequently at microsoft for sure um when you dug into that what you realize is that this was an incredibly esoteric configuration that you had to have a you know very very specific things in this config and then only in that situation would it actually pop and so by digging deep into that then you get the chance to form your own opinion of risk and because if you're just taking your opinion of risk from what others are saying then you're going to be always running after like spectre and meltdown and you know heartbleed and all that kind of stuff and you'll be ignoring the things that are important risks to your organization um and when i think about advice for
the the grizzled folks um and when i think about grizzled folks advice there i think about the ones that are grizzled and they're still effective um and it really harkens back to what you say is like keeping your ear to the ground keeping your eyes open um there are folks who you know i've engaged with that previously were amazing at security and then they started to distance themselves from reality uh or they're just listening less to the real stuff and they start to think about security by proxy and they won't be able to uh if you're if you're asking about something when it comes to to risk they can't go down that path of understanding the depth
and you know at that point it's really easy to get misled by the media or somebody who's got an opinion and is trying to persuade you otherwise and so yeah it you know for your whole career it is painful to dig into the deep things but by being able to do that it helps you both early career and late career canon what about you oh i'd have the same one for both um and it's super super important and for a lot of reasons especially with the gray-haired folks exactly what you just said and my response is community you know find your people find your security people you know read the blogs join the groups go to the
b-sides meetings um you know get on discord and hop on a couple of security servers and you know find people who are thought leaders in the space and hear what they have to stay here what they have to say and communicate with those people the great thing about the infosec in general and i love this is that pretty much everybody is approachable right you can send an email to somebody or a text or a discord message or a twitter message and say hey i found this thing and i was really confused by it and you seem to really know what you're talking about you know can we talk and nine times out of ten they're gonna say
yeah sure because that's cool and they want to help so i think that you know not relying entirely on the community is important kind of like lee said you know you have to find your own space in it but i think that having the community and being able to interact with it is absolutely crucial to figuring out what you're going to do how you're going to do it and it's also absolutely crucial for those those older folks to figure out you know what new stuff is coming in what kind of new technologies are out there so they don't start to distance themselves from that security reality so i'm gonna i'm gonna hit back on community every time
yeah absolutely i think the number when i think about twitter for example right like it's it's one of these things where um that's pretty much the watering hole for information security and um the one thing you know i i've learned as i've grown when i first started getting into twitter it was like oh this person's like infosec famous and like follow them and then eventually you're like you know what they're a jerk uh i'm gonna ignore what they say maybe they did something cool a couple of years ago but they're a jerk um and then there's other people who are like i just really enjoy engaging with them they have good ideas do cool things and they have
four followers so you know it's absolutely not a follower count thing anyone who puts stock in the number of followers they have is just primarily putting stock in how many bots that they have so but yeah the ability to interact with folks that you respect with is super awesome have you had any uh keenan have you had any uh cool um engagements on twitter or community that kind of surprised you oh my gosh absolutely one of my my one of my heroes in my life um ann johnson from cyberpunk roma microsoft actually uh i i happened to be in an event with her and i i responded to something on twitter and she responded back and i was like
oh my god my hero just responded back to me and we've been able to you know continue that communication and have moments where i ask questions about business about cyber security business and about security in general and it's great to have somebody like that just be willing to you know talk to you openly about those kinds of things on twitter yeah how about you um you know there's a couple folks one that i i like is um um i started chatting with somebody and we both realized that um that we liked random hobbies uh and we liked being doing stuff with our hands and stuff like that and um so we were getting ready to
uh go to derby con one year and we're like hey let's do a hobby swap because people don't recognize how much time goes into hobbies you know my wife has to deal with this for knitting where someone's like oh would you mind knitting my family hats and it's just like you're asking for 500 hours of work here so our idea with this hobby swap is we both respect the amount of work that goes into a hobby and you never want to like pay a friend for their hobby because i just no money is worth time when you're in the info infosec industry but we can swap hobby stuff and so um we ended up i ended up um
doing some uh like some rock carving he had a um his house he calls it stonehaven so i chiseled this like stonehaven thing uh in a nice font for him and he ended up he does woodwork and so he made my wife a shawl pin uh like kind of a wooden loop with a stick that goes through it to keep a shawl in the right place and you know you can just you know you can bond over security and you can bond over random hobbies too so that's i have to throw in a gaming reference here i cannot tell you how many infosec people are my friends on xbox like we are just it's a whole other
community of things and like committing to friends over gaming is like next level just do it yeah yeah although there was a question before um so uh keenan what's your own process to stay relevant in the field oh goodness um kind of the same thing we've been talking about this whole time right is never stop learning never get to the point where that you think that you know everything because you don't hands down you don't there was a there was a time when um you know i won some award for artificial intelligence or whatever and i i look back at that now and i'm like gosh i haven't even picked up anything that touches ai in years
so i was like okay i better go do that because somebody's gonna ask me a question about that eventually and would be like well you know i don't know what's happened in the last couple of years so it's 100 stay in it keep learning if you if you started down the path and you love it then keep learning about it don't don't let it go past you one thing we do at work um on my team is we have a series that we've set up just a regular meeting series it's two hours every tuesday and um that is safe space for us to concentrate on learning new things and you know when you're anytime you're
doing security you're like i just i really wish i knew more about buffer overflows or uh machine learning security or things like that and that stuff can feel like it adds up and i don't think it's right for people to only be able to upskill themselves like on their own time in their home time and whatever else and so on our team we have this thing where uh we uh well when we were together we would do this together like it was a conference room that i booked and you would all uh you sit there and learn about whatever you want to learn about the ground rules are that like outlook is closed and the
web is closed unless it's related to what you're trying to learn about and um you know if somebody's like i'm just too busy i'm gonna be on email the whole time then they just don't come and by doing this together as a team we recognize that we're never going to stop learning and that we can that we can learn together and and we end up getting positive reinforcement there where everybody is learning together and we have a little chat at the end about what were you working on and and what was interesting to you um i did the um so under the wire uh some of the under under the wire ctfs a while back i
thought that was a lot of fun uh mess around with you know breaking pythons hashcode algorithm for a while that was fun like uh just always be learning for sure i want to tag onto that because you brought up something that reminded me of the whole con concept right you know uh before coved for us it was all about going to a place and hanging out with everybody and learning together and the social kind of aspect of it but i feel like what we've done to respond to that is amazing there are so many cons there are there pancake cons and there are corn cons and there are grim and there are all of these other
things that you can get into and really learn and get into ctfs and do things with some of the best people in the field and newbies too you know people at all levels so i think this this opportunity has really expanded for us to be able to learn from so many more people than we did with our original con concept yeah and also seeing how things have uh adapted you know uh when kovit first started there was kind of a feeling like cons were going to become just live youtubes and uh this is where it's amazing to be able to have a situation like this where you know folks that are participating are absolutely participating
and it's not just you know watching something that's pre-recorded but but the people are there right so um i've been really enjoying seeing how that works um i think we're still like as a as a industry trying to find our our legs on how to make sure that this is that they're engaging um you know i think it's easier when you're in a virtual conference to like have the window to the side as you're on email or whatever and you know it's kind of doing yourself a disservice if you're not paying attention you'll think you are and then you realize that you don't remember any facts from the whole thing so it's a skill like anything else
okay we've had a couple more come up here um the industry i'll shoot this over to lee the industry is constantly changing and there's always new cool things to dive into how do you both keep a separation of work from personal time and prevent them to bleeding into each other that's a good one yeah um well my secret is to make sure my wife is is interested in computer security so i can talk about it whenever i want um no i i think what i what i my personal approach is that there is just so much that's interesting um that when you realize that you're never going to learn at all at this point you just realize it's all
about you know picking and choosing um you know i i feel like i do a pretty good job on making sure that my my my work i'm effective at work and at home i'm i'm present with my family um you know for sure you know read stuff happening on twitter and and be interested in stuff but you know being able to separate those where you know that like you're never gonna learn everything that's that's interesting and at some point you know families are interesting too and and being around your friends is interesting too uh being around your gamer friends is interesting too um and you know for me it's doubly so because i'm just like
a fanatical hobbyist like i mentioned before i just love doing hobbies and you know it you run into the same thing like you can never learn as much as you want about blacksmithing and welding and woodwork and stuff and so yeah just saying you know what this is good for today and you know pick up what interests you the next day too what about you this is so hard for me this is so hard because i'm single and i'm the ceo of a company and it's just me and my dog so i am a workaholic i have no problem sitting down at like seven o'clock at night and then working all the way to two o'clock in
the morning and then like going to sleep for an hour and then coming back and working the whole time and then when covid happened i was like oh my gosh i'm gonna become the most ginormous person in the world because i also love to bake okay i really have to start organizing my time better so i think like half of the country when covid hit i bought a peloton and i force myself to do a certain amount of time a day and i force myself to walk away from my desk at least a certain number of times a day and i force myself to go play call of
duty at least sometime during the day because for you it's so important it's huge it's huge for you know we talked a lot about burnout you know throughout the last couple of days and it's huge for that you can't similar to what you said you can't do everything you can't learn it all you can't fix all the problems today they're still gonna be there tomorrow so i also you know reach back into my military background and think to myself you know is anybody gonna die if i don't do this today and the answer is almost always no and i'm like okay then i don't need to be sitting here doing this
yeah sometimes for you that was nope yes they will die if i don't do this today all right so oh sorry go ahead oh no go ahead oh the baking thing you mentioned is like perfect because like we can feel like we can read all the books we can feel that we buy we can feel like we can be as updated as we want on security but baking is a perfect one because like you know you can't eat all the cookies and eat all the cake and all the pie and like where you know when you're working from home you can't even like slap it off to you know your co-workers like hey look
at them coming in with a couple dozen cookies so this was actually a real problem for me when i started making cakes and i really love to make mirror glaze cakes like really complicated cakes and i started doing it only when i was stressed out from work and i was making so many cakes i had like a cake every week and i'm trying to give them away and here please take this and here's this holiday cake and then i realized that i was doing it because i was stressed out from work and i had to i'd like you know analyze that and say i can't turn my hobby into stress relief because then it's
kind of taking away from the fact that it's a calming hobby for me it's a calming thing to do relaxing rather than a response to i spent you know 24 hours at my computer and like do something so i would say definitely be careful with your hobbies that they don't become you know overshadowed by stress or by burnout yeah it's kind of like it sounds like you turn into somebody with a squash patch but make but out of it was coming fondant and cakes and all that absolutely so a question from brett do you think that for a lot of non-technical people they generally feel that risk is abstracted from them so they're i guess
they're not actually impacted by it that other people are doing it on their behalf so how do you think non-technical people we can help them change behaviorally i 100% think that end users are totally abstracted from security and there's two reasons for that one of them is that the way that we've been teaching about security is not personalized it's not humanized at all it's all talking about the network of this and there's nothing personal about it but there's also a conflicting problem and that is that cyber security breaches the loss of their data the loss of their information most people are getting to the point where they're overloaded with that and they're like you know why does it matter
anymore why do i care so we have to really drill into that personalized piece that humanistic piece that drives people to say wait a minute this is important and that's something we've been really striving to do with our product at shifted is you know make sure that when you're taking information from somebody when you're trying to get their data that it's personal data it's their driver's license it's their credit card number it's this it's this and then helping them to understand how that leads to other issues within the network and quite frankly since covid with everybody working from home it's more important than ever that they feel the personal impact of what it is that's happening
because they are the ones that are now transmitting all of this information from home while their kids are on their xbox or on twitch and they're oh my gosh i have this great story i was on a security and iot panel at the beginning of like march sort of april time frame and everybody was talking about securing all of these devices at home and one of the panelists actually was on and he had his everything going on in the background and there was a tv in the background and his kid was you know playing and he entered the wi-fi password while he was giving his talk and i'm like wait what
these are the kinds of things that people need to be thinking about and we're just not we're not getting that information to them in a way that's real or personal enough for them to care so i absolutely think that that's true what are your thoughts around like i feel like there's maybe almost two aspects to the question so one are end users at their workstations who are becoming a risk to the company maybe by being phished and whatever and then there's another aspect which is just regular folks on their phones and then there's a perspective of personal security like their bank accounts and things like that what are your thoughts about how we
help people understand the risk when it's their personal lives i think it's absolutely critical that and this is going to make a lot of people angry but i think it's absolutely critical that everything is personal all of that is personal because if you think about it from a work perspective if you click on a link or you do this it could be your job on the line it could be your company that gets attacked and all of your data and then the company gets sued and then you know the company goes under or they don't go under and there are personal effects to everything that happens in cyber security whether it's the personal effects that will be felt by you
if you do something in your work environment and you click on ransomware and you work in a hospital and suddenly you know you're locked down and patients can't get care or if it's the effects that will happen to you financially or you know for your home or for your safety or for the photos that you have on your phone that are now all over the internet i think it has to be personal because it is all of these things are personal i wonder if we're gonna see ever a form of ransomware that goes against people right now it's really common against companies but you know ransoming people on their you know what's on their private photos and stuff
that's scary but i don't see it as a place that these people won't go absolutely and i think you know and this was a big part of the iot push the more that we see all of these devices being connected in your refrigerator and your robot vacuum and all of the computers that you have set up if you're in information security there's a lot more risk being added to that and if somebody you know comes in and locks down your entire network and all of your things stop working that's a personal issue that's a problem and i think we will see more of that in the future and it's interesting too because i feel
like ransomware as we kind of know it started personally like you would hear about people saying like they'd be getting their computers hacked and then people would go on to the facebook and you know let people know and kind of do the release there unless the ransom was paid but i feel like maybe it's just the media and reporting but i feel like that's tailed off compared to the focus on corporate ransomware and yeah because they're being paid more often actually you know that's an excellent point and i think that you know threat actors and cyber criminals typically go for the path of least resistance right that's why phishing is so popular
right now because so many end users don't understand you know ransomware they don't understand botnets they don't understand these other things they're vulnerable to that kind of attack which you know goes back to teach everybody everything i want to teach the world yeah so we're just about out of time what would be what's the question that you were hoping somebody asked and you want a chance to answer anyways i gotta think about that for a second if you have one go so i can think about it okay let's see here so i'll ask myself a question what is the thing that i can do as somebody in a company to improve
the security of our applications and infrastructure so this is what i primarily do at microsoft and one of the things that i found has been helpful has been security is often considered as a block where like you gotta ask and go through security and then they block your release or they do this whatever we've been shifting to an approach of just reaching out to teams as soon as possible i have a regular series of meetings that we run that we call them like security architecture discussions and they're happening all the time and teams that are like hey we're thinking about doing this can we have a chat early and when you
can get to folks early and show that you care about them and participate in their solution and work with them i've just seen a lot of success to that that's a good one i'm gonna fall back on one of my super favorites and that is the culture question you know i've worked with a lot of teams whether it's SOCs or red teams or you know the whole gamut and what i hear from pretty much everybody is our culture doesn't really allow us to do this or doesn't really allow us to get training it doesn't really allow us to go to these events and what i say to all of those people is
that you are the culture you are your company culture tell everybody talk to everybody ask everybody you know don't be afraid to discuss the fact that your culture isn't conducive for most of the people on your team and here's why and here's what we would like to do to fix that you know being able to reach out to your leadership to your executive team and say the culture here is not working for us from a security perspective or any other perspective really and here's why and here's what we'd like to do about it just taking those little steps the ground movement is huge because if nobody talks about the culture and nobody says the culture sucks here then the culture
is just going to keep sucking so everybody needs to remember that you are the culture so fix it yeah be the change you wish to see in the world change absolutely well that's awesome that is our time those are great closing thoughts thank you everybody for joining this was a lot of fun and thank you keenan nice job i'm super curious to hear about the rock carving thing so i'm gonna have to ask you about that later awesome see you later folks alright thanks guys