
Really happy to have Ira here. Ira Winkler is the CSO for Skyline Technology Systems and the author of You Can Stop Stupid, which I think is actually a really important message. So, Ira: he's a CISSP and, like I said, CSO for Skyline and the author of the aforementioned book. He's considered one of the world's most influential security professionals and has been named a modern-day James Bond. So yeah, he's got some tricks for us, some spy devices or anything like that. The secret is there are no tricks, okay. I'm sure we'll learn more about that. So anyway, I'm going to skip a lot of this here and just say really happy to have you here, looking forward to your presentation, and thanks for hanging around this long. We'll try to get everybody back in here.

Yeah, thanks. Hi, can everybody hear me? Yeah? Okay, good. Anyway, hi there. Let's see, do people mind if I curse? No? If you mind if I curse, raise your hand. Actually, nobody would. Oh, thank you. Okay. So if I come out here, is this okay? Can you guys still hear me in the street? Never mind. Okay.

So anyway, I was at a presentation a while ago, and if you know me, I make sure I get there just in time for lunch or so. So what happened was I got to an event right before the lunch buffet. I get on the lunch buffet, and there were some people giving away these little stickers, and the stickers basically said "don't click on [ __ ]", except it was sh-asterisk-t, but basically "don't click on [ __ ]". And what happened was there was this admin-type guy in front of me and he's like, "Oh, I need a whole bunch of these. I got a whole bunch of people who keep clicking on [ __ ]." I'm like, "Wow, you must give people a lot of [ __ ] to click on." "What do you mean?" "Well, how are they clicking on [ __ ] if you're not giving it to them? Are they using their own computers or their own accounts? Then you have another problem." He's like, "No." "Well, basically, stop giving them [ __ ] to click on and they won't click on it." And he was like, "No, no." And I go, "By the way, if you're giving them all the [ __ ] to click on and you know they're going to click on it, why aren't you stopping it after, because you know they're going to click?" He's like, "Well, what do you ex..." And so anyway, he was just kind of mumbling and stumbling his way through there, but hopefully you get the point of where I'm going with that.

On a side note, another thing I really hate, by the way, is the whole concept of the human firewall. That one just sounds so stupid to begin with. It's unimaginable how many people think real firewalls are what you're going to rely upon, what you're going to depend your security program on. No? Then why would you want a human one, which is by definition going to be even less reliable? People don't think of that. And then I hear people say, "Oh, we should make the user the last line of defense," and to me, if that's your security program, you should be fired. Because think of it this way: even if you can make the perfect human being, what happens if the user's malicious? If you make the user your last line of defense and they are malicious, even assuming they can somehow be perfect, you again have a failed security program. But anyway, keep that in mind as I start going through this presentation, because that's kind of the tone. And let's see if I work this. Okay, I did.

So let's start talking about the whole concept here, and I like to go over case studies. How many people remember the Twitter hack that happened a whole 13 months ago? I mean, I'm surprised. Usually people forget about this and I have to trigger their memory. Remember when this was going to be a wake-up call? I mean, there are so many wake-up calls we get, we keep hitting the snooze button. But anyway, what happened in the case of Twitter: some criminal mastermind (I got to use my Dr. Evil quotes, "criminal mastermind") basically went ahead and somehow figured out, through whatever devious ways, how to trick Twitter system administrators into giving up their credentials, and then they were able to go ahead and essentially change passwords on accounts with tens of millions if not hundreds of millions of followers. Sorry, I don't keep track of these things, but, you know, like 100 million followers. And then of course this was national news, it was news all over the world, things like that. The criminal masterminds basically went ahead and used this to steal like a hundred thousand dollars in bitcoin. I mean, this would have been a really, really cool hack. I don't mean cool as in good and legal; I mean cool as in, you know, that was a clever one. But what they did was they wasted the hack. You could tell these people were morons while everybody was calling them a criminal mastermind.

But anyway, how did Twitter handle this? Twitter had an engineer basically get online on Twitter, of course. Well, I think they issued a statement on their website, but anyway, they said, "Well, we're looking into this and we're going to really improve our security awareness program." And I'm like, if that's what you're going to do, you are so screwed. But anyway, think about this: this criminal mastermind ended up being a 17-year-old kid in his basement. He was the proverbial 400-pound kid in the basement. At this point they said they used lots of social engineering, sophisticated ways. All they did was go on LinkedIn, find out who worked at Twitter, and once they knew who worked at Twitter, they just started contacting them through various ways. And then they did use a quote-unquote man-in-the-middle attack, kind of, to essentially compromise the multi-factor authentication. That was a little bit clever, if you want to call it that. But then what happened was they conducted, in the man in the middle, the vishing attack. So, big deal. And then what happened was a thousand people inside Twitter could access the administrator tool which allowed the password change. So when you say you're going to go ahead and start looking at password changes, and you're going to say, "Oh well, we're going to look at that and make sure these people know not to be tricked," I'm sitting there like, why does 20% of Twitter have admin privileges to change accounts with massive followers?

And what happened was, and I don't know how many people remember this, but two years before that there was a German contractor, and the German contractor left Twitter and he said, "Screw it, somebody else should have done this by now anyway," and he deleted Donald Trump's account on his way out the door. Now Twitter was put on notice that people could go ahead and start changing accounts, and it seems like they might have gone ahead and put extra protection on Donald Trump's account, but they didn't think about putting extra protection on other accounts. That's really where the problem is, not that the users were tricked through sophisticated social engineering.

Anyway, how many people remember the Cloudflare network going down? Not as many, but this affected, give or take, about a third of the content delivery networks around the world. And what happened in this case was Cloudflare went down. When Cloudflare goes down, you kind of know it. And then, instead of having just an engineer do this like Twitter did, the CEO of Cloudflare went on Twitter and basically said, "The problem is some engineer misconfigured a routing table with a one-line error, and we're going ahead and trying to make sure this doesn't happen again." And somebody replied back to the CEO on Twitter and said, "Oh, I'd hate to be that engineer." And, much to the Cloudflare CEO's credit, because the guy can be a jerk, but in this case Matt Prince, the CEO of Cloudflare, gave an answer that was beautiful. His answer was, "It's not the engineer's fault." He literally called it a failure of leadership that one person making a one-line error could take down their whole network. That was really true leadership at that point, and it would have been so refreshing to hear from Twitter.

Now, I like to look at other sciences, and I try to take lessons from other sciences that people for some reason don't know exist, like, for example, safety science. Safety science is an immense industry. If people go and hurt themselves in factories, millions of dollars could be lost. So for example, if a factory is shut down because somebody is killed or hurt on a production line, that costs an organization money. They have hard numbers as to what it costs for an injury. They know, for example, how much their insurance rates are going to go up, and so on. But anyway, even in the field of safety science, where they had to look into injuries, old-school safety science, as it's called today (because back then they just called it safety science; now it's old-school safety science), they were like, "Why was that person stupid enough to get themselves killed?" And then they tried to look at it from that perspective. In other words, they looked at the proximity of the attack and said, "Why was this person so stupid to get themselves killed? It's the proximity's fault." That's what we're doing in cyber security. If a user clicks on a phishing message, we say, "Oh well, gee, that user should have just been more aware. Oh, if the awareness was just funnier, that would have never happened," and all those sorts of stuff. But again, people who are ironically trying to say "Oh, never blame the user" are blaming the user, because if you say awareness is the solution, that means the user was not aware, so therefore it was the user's fault, by your definition.

But anyway, that's old-school safety science, and the way people are approaching awareness today is the equivalent of old-school security awareness. Well, I guess frankly not many people have adopted new school, so technically it's just safety awareness or security awareness. So anyway, that's kind of the equivalent of saying, well, if a canary dies in a coal mine, we just need healthier canaries. Let's give the canaries gas masks, because this way they won't die if they're exposed to poisonous gas. Remember, a canary in a coal mine is supposed to die. Well, let me actually say it the other way: you don't want a canary dying of old age right in the middle of a coal mine. But if the canary dies, that's an indication that there is a problem with the coal mine. Let's get everybody out of there. It's not a problem with the miners. The canary in the coal mine is just there because they have a lower threshold for dying of poisonous gas. Your users are your canaries. We don't need healthier users. We need systems, we need coal mines, or computer networks, that are healthier, that don't put your users in danger, for lack of a better way of phrasing it.

So let's talk about operational problems. And let me again, I like analogies. If you can't figure this out, let's say a bus driver is driving a bus and the wheel falls off the bus. Do you blame the bus driver? To a certain extent you might, because part of the bus driver's job theoretically is, before they take out the bus, kind of making sure the wheel is on tight, or everything looks good. But generally, if a bus is not properly maintained, it's not the fault of the bus driver who just happens to be driving the bus on the day the wheel falls off. Then likewise, look at the medical profession. In the medical profession, what happens in hospitals and other large medical facilities is, obviously people die in hospitals on a regular basis, that's just the nature of having a hospital, but for all the deaths that happen, they get together, and I don't want to call it, there's some word for it, it's not a tribunal, but it's essentially kind of the same thing, where they essentially have the doctor who treated the patient get up and say, "Well, I treated the patient, this is why they died." They especially do this for surgeries and things like that, and the doctor walks through the surgery and says this, and then all the other doctors start drilling the doctor and say, "Well gee, why'd you make that decision or this decision?" And when people in safety science started studying medical deaths, what they realized was, at some point in time when a doctor did something, that doctor at that time, in almost all cases, made the right decision. The problem was that the doctor was essentially led to make that decision a hundred or more decisions before, because what happened is they essentially followed a decision path, and they went down one way to another way to another way to another way, and every decision theoretically was logically the right decision. And when they started looking at, well, how did we get here, not why did the doctor make that error at that time, but why did we get here, they started realizing that a lot of decisions happened incorrectly or were just made with wrong information a hundred decisions prior. So they had to go ahead and start drilling back on why these errors happened in the first place, and it wasn't because it happened in the moment. It was pretty much like going on the wrong highway to get somewhere. So that was why those things happen. Now we're going to keep taking those lessons to what we're doing.

So anyway, new-school safety science basically said, you know what, if a user hurts themselves, the user is just a part of the system. The user, or not the employee, the worker, sorry, I keep getting cyber security and safety confused. But anyway, so if you're in the process, basically, if we adapt it to cyber security, the user is essentially just a part of the system. I know we love to give platitudes about the users: the users are our reason for being, the users are this, the users are that. The reality, though, is the user just happens to be the person on the keyboard in front of where a decision has to be made, and that decision could cause error, but they are just one piece of the entire system, and that's critical to understand. So anyway, any safety incident in new-school safety science is a failure of the entire system. If somebody kills themselves on a factory floor, or I should say gets killed on the factory floor, not kills themselves on the factory floor, if they get killed, that's a problem with the whole manufacturing process. Even if a user is pretty much grossly negligent, that is still a failure of the whole system in the eyes of new-school safety science, because the system itself had to provide the user the capability to kill themselves, even if it's by being grossly negligent. And that's something we have to start adopting. But more important, again, the user is just the proximity of the error, and we have to start considering that if a user clicks on a ransomware message and explodes the network, that user just happened to be the proximity of where the ransomware was activated, not the actual cause of how it got there. And the user doesn't go around, frankly, and encrypt every bit on your network. The user just clicks a button. Your operating systems encrypt everything, not the user. And that's a critical distinction to remember. But again, the user is still just a symptom of the problem.

So most people don't know, there's no reason why you would, but I'm certified as a master scuba diver trainer, and the first time I ever heard the expression "you can't (c-a-n-t) stop stupid" was in my scuba instructor training. In the scuba instructor training, the course director came out, and the course director, he just goes on a rant for a while, he's like, "You know, you can't stop stupid. These people, no matter what you tell them, there will always be someone. Maybe it's not in every class; it'll be at least one in every three classes. Someone will always do something stupid, and you always have to be on the lookout." And I'm sitting there thinking, our whole scuba instruction training is about stopping stupid. When you start looking at what we are training people to do, we're not training people to do highly advanced things. Scuba diving is actually relatively straightforward and easy. I could show you a lot of people who scuba dive that make it look like, if they can learn, anybody can learn. It literally is that easy if you just don't freak yourself out. But what happens in the whole scuba industry is, when we take somebody out into the water, we don't just take them out into the water. First we make them take classroom training or online training, 100 hours, and really that training is just: here are lots of ways to kill yourself, and here's how not to do it. And then they finally take a test, and after they show the test, a smart school will say, "Well, I'm going to retest them when they get here, just in case they had somebody else take the test for them." We're going to retest them. Okay, they pass. Now we're going to take them to a pool. We're going to show them equipment. We're going to first test the equipment ourselves, then we're going to have them test the equipment, before we let them use the equipment. Then we're going to put them in the pool, and basically when you put them in the pool, you don't care if they know how to swim. Scuba gear makes it so you don't have to know how to swim. We just care that they don't freak out in the water. That's pretty much it. Then once they get in, we make sure they put it on right. Then they go in shallow water, then we slowly take them down to deep water. They don't freak out, they pass everything, then we take them to real water, and there's a limit to how many people we can take. And also a smart instructor will go ahead, and I don't know how well you can see it there, but there's another person in the background, which is why I use the picture, because a smart instructor will bring a dive master or assistant instructor to watch, because, as you can tell, the instructor there is probably the one on the bottom right side, and that guy can't watch everybody. So a smart instructor will bring somebody else. But still, everything's insured: the students are insured, we're insured, the facility's insured. We know the hospitals, we know the barometric chambers, everything's already set. And anyway, that's how you don't kill yourself. And statistically, scuba diving is safer than bowling, which is actually a true statistic, at least at one point in time.

So where does the blame fall when we're actually talking about user errors? Generally, when you look at safety science, safety science kind of figures out, you know what, ninety percent of injuries are the result of the environment, ten percent are the result of some sort of user action where everything else is okay. And what I mean by the environment: for example, when people injure themselves in a factory, there was one case where things would fall on users, people would walk by and something would fall down. That's one case. Then there were other cases. When I do awareness programs for organizations, I always talk to the safety science people, and one time I was walking with the safety science person through a warehouse, and the guy was showing me, "You see these yellow lines here on the floor? These yellow lines are new, because we had a whole bunch of accidents where people were getting hit by forklifts that were driving around the warehouse. So we did all these studies, and inevitably we just spent a few hundred dollars, painted the lines down the floor, and pretty much just about all of the injuries went away, because forklifts stay to one side, people stay on the other, and the only injuries we now have left are people on their iPhones wandering into the forklifts, or forklift drivers on their iPhones driving into people." So that gives you an idea where things go. And likewise, when a user does something that we say "stupid user" about, by default ninety percent of the time it's something the environment created for the user in one way or another.

How many people, just for example, and I will admit this, how many people ever clicked on an email message thinking you were hitting the delete or the report button, but it turns out that the cursor was lagging and it happened to be over a different button instead? I know I've done that a few times. That wasn't my intent. That was not the action I thought I was taking. Just the system video was lagging, and that's why it happened. That's the environment. But what is that other 10%? Some of the 10% could be carelessness, blatant ignorance, and things like that. It could be a lack of training, it could be ignorance, but don't underestimate malice. Again, according to the Verizon Data Breach Report, 28% of data breaches result from user malice. That's not a trivial number. It's probably not the real number, because the data breach report is just talking about major incidents, but still, a large number of incidents result from malice, and awareness is not going to stop that. If you are a security professional and you're addressing the user problem, you have to consider malice as part of the overall issue. But anyway, still, awareness might fit into certain portions of this, but still, it's only 10% of the overall problem.

Another science I like to look at is counter-terrorism. In counter-terrorism, the fundamental concept that people have kind of settled on is the concept of "boom", and boom is essentially the terrorist event. And then they keep talking about, and even in cyber security there's lots of people who keep saying, let's move left. How many people heard "let's move left"? How many people actually know what that is? I mean, they just assume everybody knows military technology and all this stuff, and we don't. But anyway, moving left essentially means that you are supposed to go ahead and try to stop the event before it happens. Then right of boom in terrorism is how do you respond to a terrorist attack. So for example, in the grand scheme, and I'll move to the next slide, breaking it down a little bit more: if you're talking terrorism and real counterterrorism, boom is the attack itself. Then you have some people who are focused on prevention. Those are people, for example, like special forces people, intelligence analysts, who are trying to track the terrorists down and stop the terrorists where they are, maybe conducting psyops and other things. They have a completely separate group of people, and that separate group of people is there and they are responsible for things like hardening buildings, figuring out how to protect airports, figuring out how to protect planes. They don't necessarily care who the bad people are; they just care that they are a potential target. Where do I put barriers in, where do I put other things in? And that's the other people doing protection. Then at the point of boom you have different types of things, like hardened cockpit doors, blast-resistant cargo holds, and things like that, to try to stop the attack, as examples. Then right of boom are how do you respond, recover, and resilience. In other words, how do you keep things functioning? So for example, in response, you have to first off make sure, do we have enough hospital space in an area? We have to know how to train first responders to respond intelligently. Unfortunately, terrorists are [ __ ], and just like they did in Afghanistan recently, they have secondary explosions. So if there's an explosion in an area, obviously first responders want to get in there and help people, but we can't have that without trying to consider proactively, what if there's a secondary attack? And then also, what if the first attack happens to be radioactive, biological, or chemical weapons? That all has to be built into your right-of-boom response plans. Then there's recovery: how do we get things up and running? And then even when that's like, okay, how do we get things back, then there's also resilience. It's like, okay, even if an event happens, how do we keep everything running no matter what? And one of the great things, I don't want to say, this sounds bad when I say one of the great things about September 11th, but the one thing September 11th proved was New York was an awesome city with awesome capability. The World Trade Center was a major transportation hub in and out of New York City. The World Trade Center had some of the world's financial systems embedded in it. Yet everything was able to get up and running really quickly, because everything was built fairly resilient. So that was at least a good demonstration of a process.

One concept I want to really introduce people to is the concept of user-initiated loss, and this is the concept that a user doesn't cause harm. A user basically possibly initiates a sequence of events that can result in harm, if the system allows harm to exist. I also call it user-initiated because it might mean, yes, maybe it's a lack of awareness, but it might be malice, it might be carelessness. I don't know if you've ever seen this, but how many people ever worked in an environment where you have parents who have to run out of the office at a given time, because if they don't pick up their child on time, they're fined ten dollars a minute for every minute they're late to pick them up at child care? You have people running around, and it's like, "You left your desk open." It's like, "I'm going to leave my desk open, or I was going to be fined a hundred dollars by child care. Which do you think I'm going to do?" You have to consider this. There's a concept called the compliance budget, and somebody wrote about this, I forgot their name, I should give them credit, but the concept of the compliance budget is people generally want to do the right thing; however, there are competing issues that lead them to do the right or wrong thing. So for example, if you're running late for a meeting with your boss and you know you should lock up your computer, you have two requirements: be on time for my boss, or lock up my computer. Which one is more pressing? You've got to consider these things when you start doing this. But anyway, user-initiated loss is the concept that a user does not create loss; the user just takes an action that might or might not result in loss, if you don't create harm. But anyway, that's kind of the principle, and keep that in mind as I start going through things.

So as I start going through things: left of boom, how do we stop the user from being in the position where they can initiate a loss? In other words, do we take decision capability away from them? So if we're talking about, for example, help desk people or call center operators, they don't need everybody's information about everything. You just have to make sure they only have the right information to do the right things. This stops a lot of attacks. We don't want to empower users to do more than they can, because frankly it can get confusing, but it also allows them to cause more harm, both intentionally and unintentionally, and we want to make sure that doesn't happen. Anyway, simultaneously, you just want to stop the attack from reaching the user. You want to create a culture. I tell the story sometimes: when I worked at NSA, there was one time I was a 24/7 intelligence watch officer inside a very classified part of the National Signals Intelligence Operations Center, and I was working 24/7, and we were working tracking certain types of military units, and when we saw something we had to get out a plot, or plug in some numbers, which drew, so I can't tell you what it is, but anyway, it drew maps on a plotter. And what happened was, it had a mechanical arm, so I had to basically take off my badge. One day, it was like three o'clock in the morning, took off my badge, got the report out, ran to the restroom, forgot to put my badge on, ran into a guard in the hallway. The guard's like, "Where's your badge?" I'm like, "Right, I guess it's in my office." He's like, "We're going to your office." I go, "You're not allowed anywhere near my office." He goes, "I'll wait outside the door." So he's outside the door, I walk in, I'm looking around the plotter, I can't find my badge, looking under it, and my co-worker is like, "Did you forget something, Ira?" I'm like, "Where's my [ __ ] badge?" And he's like, "You mean the badge that should be around your neck?" I'm like, "Give me my [ __ ] badge." He's like, "Why don't you look harder?" And then the guard's like... Do you think I ever forgot that badge again? No. The culture was reinforcing awareness. People love to say, "Oh, that's shaming, that's horrible." No, it's the most effective awareness lesson I ever had. That, and when I was in the Marines, I remember my platoon sergeant walked in the first day we got our M16s. Platoon sergeant walks in, I didn't even see him, all I heard in the corner of the room was, "You lose your weapons, you will do jail," and he walked out. And I'm like, what the hell was that? And it's like, that was the most effective security awareness lesson I ever had. I'm thinking, what's doing jail? But anyway, there was one guy in our platoon who broke his leg, where it was like bone sticking out, and he's like, "Give me my rifle," and the sergeant instructor was like, "Shut the [ __ ] up and get in that thing," and the guy would not leave his weapon behind. That was how effective that was. But anyway, that's left of boom.

So next is governance, and this is what a lot of people miss: governance is not just a bunch of documents that should sit on a shelf somewhere. Governance should tell you, if you do governance right, how every specific job should be performed properly. It should say, okay, here's why we're doing it, that's policy, but it should also say, step by step, here's how to do things right. And I'm going to come back to that later, but anyway, that's critical. Moving on, now we're at the point of boom. What does the user do? Do they initiate the loss? They're presented with the opportunity. What do they do? This is where awareness should come in at some point. But then let's talk about awareness a little bit. Are we creating Elmer Fudds? And what I mean by that is, Elmer Fudd, if you don't know who Elmer Fudd is, I hate you, please leave now, but Elmer Fudd was always on the lookout for the wascally rabbit, and no matter what happened, if Bugs Bunny put on a dress, Elmer Fudd could not recognize him. What are we doing with awareness training? We're teaching people to be afraid of the hacker. The hacker's going to social engineer somebody, and you have people who are sitting there, it's like, "Oh, I got an email. Is this really the CEO? Is that the hacker they warned me about?" That's not the right question they should be asking. The user should be asking, how do I do my job if somebody is requesting that I send out, for example, well, we're approaching tax season soon, if an HR analyst gets an email message supposedly from the CEO, the user should not be sitting there thinking, is this really the CEO or is this the hacker I heard about? They should be sitting there thinking, okay, this is asking for PII to be released to an outside party. Huh, what do I do? Well, the process for releasing PII out to an outside party is: I can't do it. I have to forward all requests to my manager, and my manager then has to forward the request to the head of HR, who has to get general counsel approval. So I'm not going to respond to this, because that's not my job, no matter who's asking. Because if you're looking at awareness training and you're expecting your user to... essentially, think of it this way: your users are out there against organized criminals. They're out there against sociopaths who have no moral capability whatsoever. It's not a fair fight. I'm not saying don't give awareness, but you have to give awareness for how to do your job right, not what to be afraid of, because otherwise you're just training people who can't recognize Bugs Bunny in a dress.

So anyway, right of boom: the loss has been initiated. How does your system handle this? Are there additional protections? Are they predicting it? I have this slide here to kind of walk through the whole concept. Can I go? I think I'm late. Am I okay? I'm fine. Okay, I got permission to do whatever. Okay, and the laser pointer works. I'm happy. So anyway, here's your user. In order for, for example, a phishing message to work, stop and think about what has to happen. The user's here, but for the phishing message to get to the user, you have a malicious actor, who may or may not pull from social media. They then access a botnet somewhere on the internet. That message has to go through a perimeter device. The perimeter device then evaluates the message and then has to send it to the mail server. The mail server should be looking over that message a lot. The mail server then forwards it to an email client. The email client can then say, okay, put it in an inbox or spam box. Now we have the user experience. So now that the user experience is there, the user then looks at the message, and as we have the message here, how is the user going to make it? You can have the concept of nudges, like triggering people, for example banners that say this message comes from outside the company, or so on. Then you have awareness, but awareness again should be driven by policies, procedures, guidelines. Also it should impact social media; they shouldn't post too much there. But then let's say the user somehow takes an action you don't want them to. The system should say warning, it's like, "Hey, do you really want to download an executable? That's a bad idea." Then the user says, "Yes I do, because this looks like fun." Then the system should say, "Wait a second, I don't want to do that," because then the system, depending on the type of incident you're talking about... A phishing message, from my experience, has three usual concerns: compromising credentials, sensitive materials, or malware. In the case of malware, what should happen is the system should say, "Wait a second, you don't have permission to do that." The user experience should stop the user from theoretically doing it, but even if the user does do that, there should be anti-malware which stops ransomware. But if we move to sensitive materials, let's say it's the CEO saying send out PII to somebody else, what should happen is, even assuming the user is not warned about that, you should have things like data leak prevention and other sorts of things on the perimeter that stop the message from going out, and also data leak prevention can be on the endpoints themselves to stop it. And then also the potential for compromised credentials, such as "click on this link, give us your user ID and
password to log in things like that and again web content filters and different dlps should be able to stop that as well but is does the user have really a lot to do with uh clicking on a phishing message and ruining the network again if a user can click on a phishing message and ruin your network your network sucks you've got to get that through your head but anyway so i came up with this concept human security engineering which is why the title is what it is but basically it goes through the concept of all the layers that i showed because i just gave one example for phishing i have other examples for you know for
example usb drives militia you know web unsafe web browsing a whole bunch of other stuff but generally when you stop and think about it governance should be on the outside then in order to reach the user you can have your technical infrastructure in other words your endpoints there like for example dmarc as an example should be able to stop a lot of you know malicious web traffic from going in you have the endpoint technology user experience there's also for example things like on the technology infrastructure ssl and tls inspection you know i gave the example of somebody just clicking on a phishing message with a malicious attachment lately for example you have a lot of
smarter criminals are going ahead and embedding malware inside links that look like they're coming from safe systems such as dropbox or gm or google drive links and stuff like that and in order to stop that you need ssl and tls inspection and so on and then again nudges awareness then the users so the attacks go in through well basically one of my friends said it should be a bow tie because the attacks go in like this then once the user makes a decision then they should basically go out like that so again it has to go in through several layers and out through several layers and this is really what it looks like i'm not making this up i'm
just putting the concept down on a paper like this so anyway i'm kind of out of time anyway but the most important takeaway is you don't want healthier canaries you basically want a healthier mind so that the canaries aren't going to die you know at least not at least the only thing they die from is old age so gotta consider that and um anyway my book is awesome buy my book it's like 4.8 stars on amazon.com so it's awesome you don't need me to tell you that and i'm done thanks
Did you want me to take questions, or am I... does anybody have a question? Yeah, oh, Sean, did I say it right? Yes.
What?
Let me try to see if I could paraphrase your question for what it is, and maybe you can tell me if I have it right or wrong. But did you get to the gist of it and you just...
Okay, so when I look at the continuum of this, and so if you were... okay, so to paraphrase this question: when you're developing, designing networks or applications and so on, where is the bulk of the problem and where to address it? Is that kind of it? Okay, so to answer that question, I would say generally the further out you go, the more efficient things tend to be. So for example, when I look at secure email gateways, you know, I get aggravated by Cofense's advertising, because Cofense advertising is pretty much bad-mouthing Proofpoint, because one message will get through a Proofpoint secure email gateway and Cofense will point it out. Now the problem is that there are tens of thousands of email messages... a hostile message that a secure email gateway gets, maybe it lets through like a percentage of a percent, like point zero zero one percent or something. You're getting a lot at the perimeter, because they're really good at stopping that sort of stuff. So the perimeter is really good. Then you get to the spam filters. When I look at my spam that still made it through the secure gateways and everything, spam filters, I hate the false positives, but pretty much, I'd say pretty close to 100 percent are actually spam, but still, that has still filtered out tens of thousands of them before it got to my inbox. Now it's in my inbox, and now I have to start looking at the user experience. The user experience, if we're talking about anti-malware and stuff, anti-malware again, that stops a lot of different attacks. The user, and I'm not downplaying users, and people think I think awareness is a waste of money. Awareness is not a waste of money. Awareness is, like everything else, a risk reduction tool. And the thing is, the problem is when you talk human firewall and everything, you're promising perfection. The only people who promise perfection are fools, liars, or actually a combination of both, and you should never promise perfection. Because in order for a user to click on an email, all the technology before it has to fail, and if that email causes damage, all the technology after the user has to fail. So everything has to fail for a user to cause damage. But you can't promise concepts like the human firewall, because you're implying perfection, and you should never do that. But to your point though, when you look at that security awareness, looking at the Verizon Data Breach Report as a source, no matter what, four percent of phishing messages will get clicked on. That's the statistic. So that means users have a 96 percent success rate. On the other hand, technology, if you architect it right, can have a 99.9 percent success rate, and the further out you can do it, the more effective it is. And where is the 70? The 70 should be at the perimeter, if you can get there. So, and then, sorry, much like Jennifer's thing, if you can implement the zero trust environment in the right way, like, I like, you know, Z trust has their overall environment that filters everything out, that's like a good way of solving it. But if you're going to implement things in piecemeal, try to look as far away from the user with a technology implementation, and that's your best. Sorry, I beat that to death, didn't I? Okay, any other things, or you just want the prizes? I just want the prizes too, even though I gave away the book. So thanks. [Applause]
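The "everything has to fail for a user to cause damage" argument from the answer above, worked through as an added example (this is not code from the talk or its speaker). It models the bow-tie pipeline as a chain of independent controls, each with a bypass probability, so the residual rate is the product of the bypasses. The 0.001% gateway pass-through, the 4% click rate the speaker attributes to the Verizon DBIR, and the 99.9% figure for well-architected technology are the numbers quoted in the talk; the spam-filter and banner bypass rates, the layer names and the independence assumption are constructed for illustration.

```python
"""Defense-in-depth arithmetic for the layered phishing pipeline.

Added example, not from the talk. Every layer is treated as an independent
control that lets a fraction `bypass` of hostile messages (or user actions)
through. Damage requires every layer to fail, so the residual rate is the
product of the bypass probabilities.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Layer:
    name: str
    bypass: float  # probability a hostile message/action gets past this layer


# Constructed pipeline. Figures marked "talk" are the ones the speaker quotes;
# the others are placeholders chosen for illustration, not measurements.
PIPELINE: List[Layer] = [
    Layer("secure email gateway", 0.00001),  # talk: 0.001% gets through
    Layer("spam filter", 0.05),              # constructed
    Layer("external-sender banner", 0.5),    # constructed nudge
    Layer("user decision", 0.04),            # talk: 4% click rate (DBIR)
    Layer("endpoint controls", 0.001),       # talk: 99.9% technology success
]


def residual_rate(layers: List[Layer]) -> float:
    """Probability that one hostile message ends in damage (independence assumed)."""
    rate = 1.0
    for layer in layers:
        if not 0.0 <= layer.bypass <= 1.0:
            raise ValueError(f"{layer.name}: bypass must be in [0, 1]")
        rate *= layer.bypass
    return rate


def expected_incidents(layers: List[Layer], hostile_messages: int) -> float:
    """Expected damaging incidents for a given volume of hostile messages."""
    return hostile_messages * residual_rate(layers)


def without(layers: List[Layer], name: str) -> List[Layer]:
    """The same pipeline with one layer removed (e.g. no post-user controls)."""
    return [layer for layer in layers if layer.name != name]


def improvement_factor(layers: List[Layer], name: str, new_bypass: float) -> float:
    """How many times fewer incidents result if one layer's bypass becomes new_bypass."""
    before = residual_rate(layers)
    after = residual_rate(
        [Layer(l.name, new_bypass) if l.name == name else l for l in layers]
    )
    return float("inf") if after == 0 else before / after


if __name__ == "__main__":
    volume = 10_000_000  # constructed: hostile messages per year
    print(f"residual rate: {residual_rate(PIPELINE):.3e}")
    print(f"expected incidents at {volume:,} messages: "
          f"{expected_incidents(PIPELINE, volume):.4f}")
    print("no endpoint controls: "
          f"{expected_incidents(without(PIPELINE, 'endpoint controls'), volume):.4f}")
    print("halve the click rate (4% -> 2%): "
          f"{improvement_factor(PIPELINE, 'user decision', 0.02):.1f}x fewer incidents")
```

Run as a script it prints the residual rate and a few what-ifs. Two things the arithmetic makes visible: dropping the post-user layer (the "if a user can click and ruin your network, your network sucks" case) multiplies incidents by a thousand in this model, while halving the click rate through awareness only halves them. Because the product is symmetric, a given relative improvement counts the same wherever in the chain it is made; the speaker's argument is that large relative improvements are cheaper to obtain at the perimeter than in human behaviour.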