
Esteban Gutierrez - Security as Nurturance - BSides Portland 2018

BSides PDX · 2018 · 29:21 · Published 2019-02
About this talk
Esteban Gutierrez (@apebit). The infosec industry is plagued with language borrowed from the military culture. We see this in many products and tools sold by security vendors, the processes we use to do security work, and the ideas and theories used to advance and grow the discipline. I describe this as working under a metaphor: "Information Security is Warfare." Unfortunately, we see infosec programs fail people and organizations time and time again. Systems are either not built or configured safely or don't get patched, code develops vulnerabilities, people get phished, credentials get compromised, and people lose time, money, and sanity from having to deal with the fallout. I see this as the result of working under the influence of the warfare metaphor, which causes people to see things in ways that are adversarial, zero-sum, and controlling. This talk describes how a new metaphor, "Security is Nurturance," when used as a goal for a security team, flips the traditional paradigms of the security industry and influences new outcomes. When we use this metaphor to inform our approach to how we do security, security goals become less focused on locking access down, building DMZs and firewalls, or rotating passwords (and other adversarial methods) and more focused on processes to help grow the business and empower employees with knowledge and accountability. I will talk about a few solutions developed by security teams that exemplify the metaphor, how this metaphor aligns with values focused on enabling people to do what is valuable to them, and a call for change in the information security industry. Esteban has been warily working in Information Security since before the .com bust of 2000. It shows.
Transcript [en]

...and hop in and introduce him, Mr. Esteban. I think that I first met Esteban at the very first BSides Portland, which, you know, he's one of the several who got this ball rolling to the, you know, Sisyphean boulder that it is rolling down the hill right now. And when he submitted this presentation it was obviously great, so we accepted it, but he asked for, in the speaker notes, like, special requests, he asked for therapy puppies to hand out to the audience. So I have a bag of therapy puppies that I'm gonna put up here and he can give out to you if he decides that you need a therapy puppy. They are not live puppies, they were never live puppies, but they're little soft puppies on little blankets, and if you press here... So thank you for presenting, do what you think needs to happen with these therapy dogs and take care of them.

This microphone setup is awkward. Hello, my name is Esteban Gutierrez. I'm the director of information security at a company called New Relic, that's a local software application performance analytics, digital analytics company, and I really like working there. I've given this talk a couple times before. And can you all hear me okay? No? All right, I'm going to do this... It means I can't really move very much, so, yeah, that's better.

Let me start over. So my name is Esteban Gutierrez, I'm the director of information security at New Relic. We love this conference, we think it makes life better for everybody. My talk is about security as nurturance. I've been with New Relic for about two and a half, almost three years, and I work as part of a pretty great team of people. We've got product security, infrastructure and operations security, building a program, not entirely from scratch, but building a program that takes a lot of learnings from how things have not gone well in other companies. I kind of feel like sometimes the people that come to work at New Relic are getting over PTSD from working at other companies, and they spend like a good month and a half, or sometimes a year, going, what is this place, why is everyone so nice, what do you mean I don't have to work after five? And it's sort of one of the first companies I've worked at that takes the human part of work very seriously, because we recognize that it's not possible to get your best work unless you're living your best life, which doesn't involve, you know, peeing into a cup at 4:00 in the morning as you're trying to reboot a bunch of servers or something like that because you can't get away from your monitor.

Before New Relic I was at Intel for 10 years and was the cloud security person there for a while, did some IT security work there as part of the risk management program, learned a lot of stuff there. And before that I ran a security operations center for the US Army Corps of Engineers based here in Portland. That was a very, very interesting time. I was there for a good number of years, probably about 15, with a quick stint doing start-up stuff during the dot-com bubble days. I worked for a company called Webvan. How many of you have heard of Webvan? I've got some swag later on, maybe. So, definitely not the expired stock certificates that are worth like 0.003 cents or something like that. But there was the biggest dot-com failure. It was an incredible experience there, we built a lot of stuff out really fast. It was the first company that was really, really focused on doing online food grocery deliveries, and it was started by John Borders of Borders Books and Music, so a lot of people thought it was a pretty good bet, but it kind of died under the weight of real estate, and I turned off the lights there, basically.

So I got my start doing linguistics in college. I was just thinking about the keynote this morning and how wonderful that talk was, and how a lot of the people that I know have come up in the ranks not through traditional means, and I'm a big, big proponent of that stuff, and I think she really helped to clarify some things that I really believe strongly about. I've generally referred to it as aptitude, like this desire, the desire to get knowledge, the desire to figure stuff out, not leave stuff alone because, you know, it's a challenge, it's a puzzle. But I really, really like the way that she couched a lot of those concepts and specific items around what those things are and the examples that she gave. If you didn't catch the keynote, I'm pretty sure there'll be a recording of it.

So my talk is about how metaphors we use in security culture, specifically how a change in these metaphors that we as security practitioners commonly use to frame our approach to information security, can result in changes in what we can accomplish. And this talk is definitely based on my 20-whatever years of doing information security. I think we've been doing things really poorly. There's a lot of things that happen well, but there's a lot of stuff that doesn't happen very well at all, and mostly we end up just making people feel shitty. I think we need to change all that, and this change needs to happen in the security industry and perhaps in the tech culture in general, and I think we're starting to see some of those changes occur. We need to change how we connect to our work, to the organizations we work for, and to the people we're trying to help, and change the way we use our knowledge, values, skills and tools to address the risks and dangers that keep people from being both safe and successful in their work, in their business, in their lives, and changes that sustain a culture that helps people do the things that are important to them instead of having a culture that penalizes and shames them into compliance.

In my experience, infosec really isn't seen as an enabler, and it's not very connected to the business or to what people are doing, the way they're trying to work, the things they're working on. Security teams are often described as obstacles, hard to work with, adversarial, dogmatic. They work in a culture that's often cold, secretive and paranoid, a culture that I think is unsustainable. I think there's a lot of us working to bring the importance of connection to our industry, as some of the talks that we've already heard today pointed out, and doing a better job of addressing the challenges that are relevant to enabling our own success and the success of the companies we work for, and hopefully to sustain a culture that truly protects people safely and lets them do the things that are important to them.

Many security departments practice a culture that could be described using the metaphor "information security as warfare." I posit that that's actually a big reason why things are going so poorly and why security teams are often seen negatively, and people run away or say things like, oh gosh, I hope I never see you, when they walk past our area during their first day in the office. And I also think that's one of the reasons why the industry is so self-defeating: teams are seen as adversarial, rigid. And so I offer a different metaphor, "information security is nurturance," which I believe leads to more successful outcomes and to doing things in ways that are probably even more comprehensive and can take advantage of more of what people have to offer and what people can do.

Before we get to nurturance, let's talk about metaphors. Why do I believe metaphors are so important? Before I came into my career in information security I studied cognitive linguistics here at Reed College, and some of that work involved how language, its structure and use, influences our conceptualization of the world. Some of you may have heard of or read a book by George Lakoff and Mark Johnson called Metaphors We Live By. It's a fantastic read, it's pretty quick, and it's got some age behind it now, I think in the '80s, and George Lakoff has since gone on to do a bunch of writing based on this work in political discourse. He's written extensively over the last 25 years about metaphors and the influence they have on everyday life. This book explores how everyday language is filled with conceptual metaphors that we often don't even notice we're using. We can't avoid using metaphorical ideas in both our language and thinking; it is a deeply ingrained part of how we communicate. Conceptual metaphors help our understanding and experience of one idea or domain in terms of another, so we not only borrow words from one domain and apply them to the other, we often bring the attitudes and the ideals, both positive and negative, along with them. Metaphors frame how we think, communicate, learn, discover and understand ourselves and each other. So the metaphors we use, consciously and subconsciously or unconsciously, drive culture and the practices arising from that culture. In short, metaphors influence culture and culture defines practice.

So let's take a well-used metaphor like "time is money." We often say things like, don't waste my time, or I've invested a lot of time in this project, we spent a lot of time fixing security bugs, so why do I want to do more? We tend to value saving money, so we tend to be pretty stingy with our time, and that has an impact on how we behave with respect to ideas like downtime and rest, self-care versus work, like work-life balance, quality time. I have a hard time feeling good about downtime, and it's something I've been striving to fix in myself. Many of us find it hard not to do work from home even when we encourage people not to do so, and we end up in a culture that prioritizes productivity and profit over self-care and rest.

And so now, back to information security. The goal of information security, as you all know, is to protect an organization's systems, software and data, but most of all to protect the business and the people involved with it and the goals of the business. I think that's an important point that's often lost on people. Doing the work of information security is obviously really challenging. I mean, there's a lot of people here who want to learn how to do it better, and business wants to move fast and technology constantly evolves and changes, so it's not enough to just learn one aspect of security and call it good, you actually have to be learning things all the time. The scale and speed of development leaves little time to check every configuration, file access list, default password and bit of insecure code. Software, code, hardware age and gain technical debt, which I know probably a lot of you have similar experience to me, like technical debt is one of the worst security issues that's out there that's hard to solve, and some of this debt requires a lot of toil, like security patching and reboots. And there's a lot of examples of how companies fail to meet their goals to secure and protect the company, just every day in the news there's more incidents, more breaches, malware infections, more deployments of Windows, and breaches are routinely reported in the news. In my role now as a director I'm spending a lot more time talking to, like, other companies' general counsels and that kind of stuff, and it's incredible, it's incredible the questions that come from people when they suspect something is wrong. And I think that's the thing, like there's always something wrong.

And so while infosec teams try to educate, review, scan and monitor and do all the work of risk management from the trenches every day, as we watch, defenses are breached, credentials are stolen, data is leaked and businesses are compromised. And while there are other metaphors that can be used to describe information security, such as hygiene or health care or firefighting (there's actually an interesting paper by NIST done about ten years ago that I found after putting this talk together that goes over different metaphors that are used in security), specifically the paradigm represented by "information security as warfare" seems to dominate the industry. And when we frame information security by borrowing the words of warfare, the attitudes and ideas that come with them create and perpetuate practices that make it even more challenging to meet our goals. If information security is warfare, we're not winning, and I would argue that it's not something you can win, it's not about winning. We see this metaphor's influence in the language of our practices: we talk about demilitarized zones, bastion servers, we practice defense in depth, we collect and monitor intelligence streams, we do intrusion monitoring, protect against DoS attacks, we worry about spyware and can we detect that command and control channel that's controlling the botnet that's, you know, doing who knows what to our finance systems. We worried about advanced persistent threats (I was trying to hold myself back from making a joke about advanced APT threats). We work on threat models and attack simulations, we secure the perimeter, we do red teaming and we explore kill chains. Even casual reporting on information security uses terms like "cyber war" in their headlines to fluff stuff up, and many security vendors use the fear of losing the war as a reason to give them lots of money.

A culture of warfare is one of secrecy, adversaries, and it drives the need for urgent action against enemies. Adversarial thinking leads to treating everyone as a potential enemy locked in a conflict that needs to be won, and that's a kind of zero-sum thinking that leads to security becoming a means to an end. It perpetuates the idea that security is not something that everyone needs to practice but something that's left to cyber warriors, cyber ninjas that can deploy expensive security tools and come out on top. All of this became apparent to me one day when I heard a fellow security professional exclaiming, if only we didn't have to deal with stupid users we wouldn't have to put in so many controls. I've also heard things like, if only people didn't click on links we would be safe. If we're setting ourselves up to fight against basic human curiosity, we're picking the losing side right from the start. If we're focused entirely on blocking, intercepting and negating behavior that is critical to so much of the work that people do today, we situate ourselves as an obstacle and not as a resource. And it's fair to say that clicking on links is critical to much of the work that people do online today. Not to mention how many quotes I've seen from Sun Tzu's Art of War at hacker conferences, where we often see dudes dressed in camos and tactical vests and other aspects of everyday carry. But this isn't the world that I want to live in, and I don't think we're going to make a difference if we continue to think this way, and I'm thankful to say that I think a lot of us are thinking this way as well, we're trying to change stuff.

I would rather take care of people and the things they care about. Using a different metaphor, we change the rules for how we do our work by framing things with a focus on what's important, the activities people value, like the things people do to build a successful company or grow an organization or build a business. And this is why I think the metaphor "information security is nurturance" is important. It also describes how New Relic security approaches its work, and it's largely the reason why I came to work there. I'm a father of a 14-year-old girl. This is my daughter Ella, she just got her braces off, she's pretty happy about that. I want to protect her, right? What father doesn't want to? But I don't think the best way to do this is to make war with the rest of the world, to sit on a porch with a shotgun. I would rather help her learn the skills, knowledge and confidence to grow in the safest way possible, and as any parent can tell you, this requires a lot of letting go of the need to win battles. To meet those goals I need to be connected with my daughter, spend time with her, so that I can leverage my experience and knowledge to provide her guidance, and I can speak to her interest in the things that she wants to do and what she values, with the long-term goal of empowering her to build healthy patterns of both independence and interdependence. Hopefully she'll develop fluency in being responsible and practicing accountability, both for herself and for others, as she grows.

So what is nurturance, and how do we practice it in information security? A standard definition of nurturance is attention to nourishment, protection and guidance to maturity. A nurturance culture is a culture of connection, communication, mutual support, care. It's an active demonstration of being aware of what people want to do and accomplish, be that my daughter, or an engineering team that's trying to do some deployments, or a customer. Now what does it look like for us at New Relic as a culture and as a practice? What things do we do to build this out, what does it look like? There's three themes that I'm going to focus on in talking about this stuff. We do this by focusing on what's really important, not on the controls we're deploying or, you know, our KPIs or any of that kind of stuff. We focus on the things that people want to do. When people come to join the New Relic security team, the first thing I tell them is, your first job is relationship management. So the focus isn't necessarily on the data itself or the systems or the controls we use to secure them, but the goals that people in an organization find valuable, and so we provide nurturance through our interactions and demonstrate active support of what the teams are trying to do. So it's a quality in the way in which information security can engage with others and respond to the needs of the business.

So we do this through communication, connection and accountability, which in turn allows us to inform and empower and build trust. So we inform through communication. We communicate things like context, metrics, dashboards and any data that's relevant to allowing folks to understand what information security risks are affecting them and their projects. We do the work to understand what the teams are doing and what's important to them, because we want to provide useful information, relevant information and data to those teams, to help show them the context of what might endanger them. So we have a Slack bot that automatically tells people about security vulnerabilities and teams, so it'll just automatically do that for us, so we leverage a lot of automation for that. Our security folks often walk over to teams to sit down and talk with them, to see, hey, what's up with that team, what are they doing, but also to talk to them about any sort of issues that are ongoing or maybe in the pipe coming down the line, or to help them plan out security features or upgrades in their products or the services or the deployments.

Recently we also do a lot of transparency. So we tend to hold, not as many demos as I'd like, but we do demos for our teams. We tend to talk very openly about vulnerabilities that we find. We don't secret them, we don't treat them as need-to-know. We actually try to demonstrate how they work, and we try to encourage teams to exploit them themselves, because we find that the more knowledge we give folks, the more understanding they have. When we do attack simulations or pen tests, or when we have deep pen tests that are done by third parties, we take the results and obviously we address those issues, but then we turn around and we do a pretty lengthy demonstration or talk on those results. So we don't hide stuff, which is really important to us. So we connect, we communicate with things like context, information, data, through dashboards as well, and this helps us really learn what they do so that we can understand what they do. Let's see, what else was I gonna mention? I think so... This is an example of some of the dashboards we see. Hopefully I did something to obfuscate things, but there's some names I didn't, oh well.

So we explain things like, when do our security scans run? We actually have dashboards that are open to everybody saying, hey, you think something is attacking your stuff, you want to make sure it's not one of our scanners, go to this dashboard, take a look at it and it'll tell you when they're running, how often. And then we do a lot of explanation, like here's all the IPs that are doing it, and we're pretty open about that stuff because we want people to know about that stuff, because we want them to know when something is scanning them that isn't us, and they can tell us. So we do a lot of metrics gathering and presenting those metrics to the people who are probably the ones who are going to understand the dangers to their stuff more than we are. So by communicating and informing, we empower and we build that connection.

Just as we make it a priority to share what we see through presentations, Insights dashboards (which is our own product that we use in-house), blog posts and other channels, we make it a point to connect with those teams and to build that connection even more deeply. We host hackathons and we encourage people to get together with our teams and actually do kind of an informal pen test against things that they think might be worth pen testing in the company. We hold unconfs where we try to get people to give presentations, the people who are not on the security team, to give presentations. We had a pretty successful one recently at the Kennedy School, and it was awesome to hear the people not on the security team talk about all sorts of really great security topics that are interesting to them or about the stuff that they're working on, and we find that encouraging that kind of work and encouraging that kind of connection strengthens this culture.

Our security teams also spend time to explain why we're asking them to do things rather than dictating what people should do, so we focus on those desired outcomes and goals. We do stuff like host this BSides, we also host and support things like RSA, other conferences, or work that's going on in the community that is aligned with these goals that we have. My experience with traditional security teams, like those I've been on in the past (mm-hmm, apologies to people I used to work with at Intel), is to hoard data and secret away the information they collect. You know, we have security operations center rooms that are filled with people in a dark little room with a bunch of monitors clicking, like, ignore, ignore, ignore, and they only show up when they perceive that something has gone wrong.

So we communicate, we connect, and then we use that connection to empower, and through that knowledge and through that work it allows people to practice accountability. And so through this culture of transparency and the work we do with people, we're able to focus on the tangible and real technical risk to our business and getting people to understand that stuff, and making it possible for folks who want to be secure, who want to know, they want to do the right thing, they just don't really know what it is. They know about the dangers to their servers and their services, but they need us to translate the technical issues into a relevant set of data that they can use to make decisions about what's actually happening, as opposed to relying on a security team to make those decisions for them. And that I think helps our security obligations to our customers and to each other, and it allows people to hold accountability with themselves and with other teams as well, and it allows us to better practice holding people to our SLAs, the results of our security reviews and the requirements we give them.

Yeah, so I think we're running out of time, so I've got to move fast. So I'll show some more examples of stuff that we do. We've got this project in-house called Security Karma that takes the output of a vulnerability scan and puts it into team-focused dashboards that allow us to prioritize what we think the risk is to them, and it allows them to prioritize their work as they move forward to patch, right, as they go through their sprints, and it allows them to do a better job of understanding what security work they do and what the priority for that work is. So, the evidence that this culture works: I'm still collecting the data, our security team is pretty young, but I think one of the things that speaks strongly is how strong the culture is at New Relic for security. We have, like I mentioned earlier, that on a first day in the office people will walk by and say, oh, I hope I never have to talk to you. Usually those folks come back a couple weeks later and say, I love talking to you, and we have people come by our desk area all the time about whatever issues or questions or projects they're working on, and it's great. People seek us out, they don't run away from the security team, which is fantastic.

So nurturance is a full life cycle process that continues and doesn't necessarily end with a win. And I just want to repeat: the things that we do are communicate, connect and help people practice accountability, and with that accountability it builds that trust. So it's important to me, I want the industry to change, I want it to align with the kind of world I want to live in. This is the thing I want for my daughter, who sadly at 14 shows no interest in going into infosec, but is really good at Fortnite. I think setting an intention with our language and metaphors is necessary, and I want people to feel like security is not an obstacle, or that security practice is this trench warfare, but something that is deeply a part of the fabric of doing what we do to make great software products, services and whatnot. So my call to you is this: talk to me about this stuff, talk to each other about this stuff, communicate with each other, connect with your teams, go figure out what's important to them, give them the data that they actually might be able to use. And yeah, others are thinking about this, so I'm gonna wrap up because I'm being told to go away. Some other things: we're checking out Stethoscope, which is based on osquery, which is a user-focused security project. Etsy's practices are really good at that, where they do user-focused design as well. Kelly Shortridge has a great blog post called "Security as Product" that has some parallel ideas. And thank you very much, I appreciate your time. [Applause]
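The "Security Karma" idea from the talk, scan output turned into team-focused, prioritized dashboards with the remediation SLA as the yardstick, as an added example in Python. This is not New Relic's code; the asset-to-team inventory, the SLA table, the scanner lines and the "today" date are all constructed for the example.

```python
"""Team-focused vulnerability prioritization (added example, not New Relic's
Security Karma).  Findings arrive as newline-delimited JSON from a scanner;
each host is mapped to its owning team, scored by severity and by how far
past its SLA it is, and grouped into one sorted dashboard per team."""
import json
from collections import defaultdict
from datetime import date, timedelta

# Constructed asset inventory: which team owns which host.
INVENTORY = {
    "web-01": "storefront",
    "web-02": "storefront",
    "db-01": "data-platform",
    "ci-01": "build-infra",
}

# Constructed remediation SLAs (days from first detection) and weights.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 100, "high": 40, "medium": 10, "low": 2}

# Constructed scanner output, one JSON finding per line.
SCAN_OUTPUT = """\
{"host": "web-01", "plugin": "outdated-tls", "severity": "high", "first_seen": "2018-09-01"}
{"host": "web-01", "plugin": "default-creds", "severity": "critical", "first_seen": "2018-10-10"}
{"host": "db-01", "plugin": "missing-patch", "severity": "high", "first_seen": "2018-08-01"}
{"host": "ci-01", "plugin": "weak-cipher", "severity": "low", "first_seen": "2018-10-01"}
{"host": "web-02", "plugin": "outdated-tls", "severity": "high", "first_seen": "2018-09-01"}
{"host": "unknown-9", "plugin": "missing-patch", "severity": "medium", "first_seen": "2018-10-01"}
"""


def parse_findings(text):
    """Parse newline-delimited JSON findings; blank or malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["first_seen"] = date.fromisoformat(rec["first_seen"])
        findings.append(rec)
    return findings


def score(finding, today):
    """Severity weight, scaled up the further a finding is past its SLA."""
    sev = finding["severity"]
    age = (today - finding["first_seen"]).days
    overdue_days = max(0, age - SLA_DAYS[sev])
    return SEVERITY_WEIGHT[sev] * (1 + overdue_days / SLA_DAYS[sev])


def team_dashboards(findings, today):
    """Group findings by owning team, highest score first.  Hosts missing from
    the inventory land in 'unowned' so ownership gaps are visible, not lost."""
    boards = defaultdict(list)
    for f in findings:
        due = f["first_seen"] + timedelta(days=SLA_DAYS[f["severity"]])
        boards[INVENTORY.get(f["host"], "unowned")].append({
            "host": f["host"], "plugin": f["plugin"], "severity": f["severity"],
            "due": due.isoformat(), "overdue": today > due,
            "score": round(score(f, today), 1),
        })
    for rows in boards.values():
        rows.sort(key=lambda r: r["score"], reverse=True)
    return dict(boards)


def team_summary(boards):
    """One line per team for the top-level view: total score and overdue count."""
    return {team: {"score": round(sum(r["score"] for r in rows), 1),
                   "overdue": sum(r["overdue"] for r in rows)}
            for team, rows in boards.items()}


def run_demo(today_iso="2018-10-27"):
    """Build the dashboards for the constructed scan as of a constructed date."""
    return team_dashboards(parse_findings(SCAN_OUTPUT), date.fromisoformat(today_iso))


if __name__ == "__main__":
    boards = run_demo()
    for team, rows in sorted(boards.items()):
        print(team)
        for r in rows:
            print("  ", r)
    print(team_summary(boards))
```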
