
Cleveland BSides 2011, Talk 3: Mick Douglas

BSides Cleveland | 56:50 | 5 views | Published 2016-10 | Watch on YouTube

Dave is getting the stream back up. Don't fail us now, Dave, we're halfway through, don't let it die yet. All right, our next speaker is Mick Douglas and he's gonna be doing "Blue Team is Sexy: Refocusing on Defense," and let me give you a quick little bio of Mick here. Mick is a white hat hacker who hates the term white hat. He's a member of the PaulDotCom security podcasts. While he joins in pen tests, his passion is network and system defense, which we'll be talking about today. With that, Mick Douglas.

Hey everyone. So since this is a smaller group, if you don't mind I'd like to make this presentation just be a little more interactive, so if you have any questions, you see anything you want to challenge me on, you think I'm full of it, let me know, okay? This is a small crowd, let's have fun with it. All right, so my talk is "Blue Team is Sexy: Refocusing on Defense." Now I arrived a little bit late due to traffic and being a little sleepy from going to the AIDE conference yesterday, and yeah, a-alright, much love to Marshall U. So I get here just a couple minutes before right now and I'm told you need to have a stick figure in your presentation. I was like, oh really, stick figure? And they're like, yeah. So boom, quota met, no more stick figures, that's that.

All right, so now here's the problem. Right before I really get into the talk I just want a show of hands: how many people here are red teamers, do red team, do attack, pentesting? Okay, so we got a good, good, good, some folks. How many people here are blue team, you do defense? All right. How many people are like managers, do management, that sort of stuff? All right. How many people haven't raised their hand and are just kind of hanging around? All right, cool. Well for you guys that are hanging around, I fully expect, you know, plenty of shenanigans and having me being called out on some stuff.

But some things that I've noticed and we've been talking about on the PaulDotCom podcast lately is that things are a little weird in the information security industry right now, and in some cases things are actually going quite badly. One of the things that I contend, and this is just my opinion, is that the blue team, the people who are doing the defense, aren't getting enough love, and we're going to go over why they're not getting that and some things that you can do as a blue team member, or things you can do as a red team member, or things you can do as management, to help give the blue team some love.

One thing that you need to remember is that information security is kind of like a stool or a tripod. There's going to be multiple people, and I'm going to talk about this in a little bit in the slides, but you're going to have the red team and the blue team and management, and all three of them working together will give you a holistic information security program. If you don't have those three pieces working in concert, bad things are going to start happening, and I see some of the wry smiles and some people kind of nodding and you're like, yeah, I know, I'm feeling that pain. Well, hopefully we can talk about some of the root causes for that and give you some ways to fix them.

So now, blue team is just the unsung hero. When you're doing your blue team and you're doing your job well, what happens? Nothing. That's right, that's what you want. Does that cause a problem though? Sure. If good is not being heard from, it's easy to ignore. The other problem is that blue team just isn't flashy. It doesn't have the razzle-dazzle. That gets to my next point: red team gets all the attention. You know, when was the last time that there was a hacker con where somebody said, check out this firewall config, look how awesome it is? Yeah, you're laughing, right, because it just doesn't happen, and that's a problem. Red team does have some flash, they do have razzle-dazzle. It's neat, I do red team, I love doing red team work, but you know we can't leave the other half of the entire industry in the dust for that. That's just insane.

So the problem is this: blue team being ignored, red team getting all the attention, causes a feedback loop, okay? Some of the things that I've been seeing, and again I'm going to talk about this in a couple slides: red team is getting a little more funding, a little more resources than blue team is. You're seeing cases of where blue team people, who might be rock stars at blue team, have a very shallow career arc. After they go so far they have to go red team in order to advance their career. Now I'm not saying there's anything wrong with that. If you want to go red team, more power to you, come see me after this, come talk to the Security Justice guys, we will be more than happy to teach you and give you the tips and tricks to be successful in red. But the problem is, what about that firewall admin? What about that log analyst? What about those people that love what they're doing and are getting satisfaction out of their job, but they're just stuck? That sucks. We're going to talk about ways to grow your career.

Now it's my opinion, just my

opinion, that the attention has swung a little too far to the red team. There's nothing wrong with red team; there's good red team people, there's bad red team people, but what I'm just talking about is in aggregate a little too much attention is on the red. Now I don't want you blue teamers or management people to say, okay, attention away from the red team. No, we need to keep the attention at red where we're at, because it's good, and just give more attention and love to blue. So there's some tech reasons why the blue team is not getting the attention that they should, in my opinion. This part will be a little controversial and will rub some nerves the wrong way. The part where it's really going to rub nerves the wrong way, though, is when I talk about it from the management perspective. There are some things that fundamentally have to change if you're going to have a successful career as a blue teamer. Notice that I'm putting all the work and effort on blue team. Nobody is going to come in and rescue you and cuddle you and say, you know what, blue team, we love you. You're going to have to earn this love. Blue team is sexy, but you've got to go out and earn it. Nobody's gonna sweep in and love you and everything's going to be all better. I wish I had magic bullets. I don't have any, but what I am hoping is to give you a few bullets that could maybe be magical with your work.

Okay, so foot-in-mouth forecast: there's a very good chance that I'm going to say something that'll tick somebody off or make me look a fool, because, hi, my name is Mick Douglas. If you haven't heard the podcast or you haven't listened to my blogs or whatever, it's just what I do. Now, I don't know if you caught that, but when I was holding up the hands about red team, blue team, I actually did have my hands up in both cases. I do blue team work, I do red team work, so if this talk at all sounds a bit critical at times, that's why; it's just the nature of the job that I do. I do have designs on making management, so because of these designs on management it's been causing me to rethink how I as a security practitioner should be approaching the suits. A lot of the times that I have people, you know, when we're like, once the bar opens we'll be half lit and, you know, swapping war stories, and inevitably in very short order somebody starts talking about, oh man, did you see, you know, remember the time that we were having the DHCP server problem and we just told management we need blind and they just wouldn't do it? There's a damn good reason why management didn't do it. You know, when we come to management and say, hey, there's a security problem, they're not going to want to hear that. You know why? Because it's very, very rare you're in a situation where security makes money. You're a cost. Where does that put you in the priority chain? Really low. In a little bit we're going to talk about how to speak to managers so that you can at least bump yourself up and maybe get to the top of the non-revenue-producing list of things to do.

All right, now if I offend you at any point in this presentation, I'm sorry, let me know. This is a small enough crowd that you can just call me out on it, feel free to do so, but just think of this particular presentation as an exercise in cow tipping, sacred cow tipping. Now I mentioned the stool, the three-legged stool or the tripod, the three different groups that interact: blue team, red team, management. We're going to go into those a little bit right now.

So red team. Red team is actually easier than blue team. I'm not saying that it's like dead simple, I'm not saying, you know, run db_autopwn or whatever tool 'tis your, and those tools, by the way, are fine. It's just that that shouldn't be your only trick in your, you know, bag of tricks. But what I do want to say is that being red in general is easier than being blue, and the reason why is a thing called attacker's advantage. If you haven't heard the term attacker's advantage you might want to make a mental note, write it down, because this particular phrase is something that will buy you a lot of traction when you're dealing with management and especially senior leadership at your organizations. Think of it this way. Medieval times, you got a king. The king needs to be protected for the good of the kingdom, so what do they do? They build a castle. They got the high keep tower, they got the arrow slits, the murder holes, the moat, the drawbridge, all these things to keep the king safe. So that sucks; it's going to be real expensive to field an army and attack that castle. So what do the attackers do, what does the red team do? Real easy, you go the spy route. You have a court jester who's coming in juggling balls, you know, and the king's like, oh, you're so merry, thank you, court jester, and then at the key moment the court jester just reaches into his sleeve, throwing dagger, king is dead, and guess what? That whole castle, the moat, everything was for naught.

That's exactly where we're at with pen testing these days. You've got your firewall, you've got your, you know, network segmentation, all these things, and all I have to do is convince you to open up this PDF, pretty please, or I could use Kennedy's nice tool and say, hey, here's an email, open it up. So like if I were going to, you know, attack Dave Kennedy, all I'd have to do is say, hey Dave, for a lifetime supply of Arnold Palmers just click this link. Yeah, you know, it's actually probably worth it. Cost-benefit analysis, yeah, hold on a second, let me fire up SET. But you

see what I'm saying? I mean, does that make sense? It's easier to do red team. You only need one way in, just one. Blue team, and the reason I find blue team to be so rewarding and challenging, and, you know, you see me smiling when I'm talking about this, you have to defend every damn thing. That is hard, that is cool, that is worthy work. I like that. Now getting back to what I was talking about a bit ago with red team drawing all the attention: it's seen as where the rock stars go. If you're really good at information security you've got to go red team as your career advances, you just have to, and you know what, that's cool. If you want to do that, God bless, have fun. I really enjoy doing red team work, I hope to continue to do red team work, it is rewarding. But what if you're a blue team guy and you just love doing your blue team stuff? I have been in positions at other companies where blue team people have been just rockin' it, doing a great job, but because they're blue team and they've been at their position for a certain length of time and hit a technical maturation point, they say, okay, well, you know, your career development arc here as the firewall admin is over and now you get to be the network scan monkey, and in all but three cases that I've seen that happen it's just disastrous for that person because they didn't want to move. If you want the gig, by all means go for it, but make sure that you have some sort of career arc. We'll talk about that.

Now, red teaming is new. Yesterday I mentioned, yesterday I was at AIDE, which is a conference at Marshall University, and many of the talks were about just how awful, how almost, well, fraudulent isn't too strong a word actually, just how bad some red team people are. There's a lot of reasons for that, but one of the things that I would posit is that red teaming is new. It's a newer thing, so we don't have as many controls in place to understand what a good pen test entails or not, and so as a result a lot of people are making what is actually obscene levels of money for doing really crappy work. Now that's not everyone, but there are people out there who do that. There's plenty who do a great job, but it's odd that market corrections haven't been brought to bear as fast as you would maybe think that they would have in that situation.

Now blue team. Actually, hold on a second, let me show you something. I did a Google image search for "red team" and I get "I have a rocket launcher, your argument is invalid," and I was like, cool, I'm going to use that for my presentation. And then I did a Google image search for "blue team" and I got... bad. Okay, seriously folks, that in and of itself tells you how big of a problem we have in our head space in terms of what it is to be red team, to be blue team. Okay, blue team unfortunately has a career arc that usually depends on your organization, but in the main it's usually a shallower arc. I hate to tell you this though, blue teamers, as a red team guy, as an auditor who, you know, comes in and tests your networks: you're not using your tools as effectively as you can. Now the good news is a lot of folks don't know some of the tricks and, you know, pointers I'm going to give you, so it's not that you're being negligent in your job, it's just that you're not using the tools to their fullest extent. So by using the tools you have to their fullest extent, you're going to be able to have, using the same or maybe even less budget, a higher impact for your organization, and at that point management's just going to be eating up what you say because you're saving money or doing more with the same. By the way, if you're in management and you ever say "doing more with less," I need to talk with you after the talk; that's just awful.

And finally, blue team does need to improve on communication with management. When you as a blue teamer ask or put in your budget request and you say this is really important and, you know, blah blah blah, and you say, well, you know, my management is just stupid, they don't get it, you know, whine whine whine whine whine: it takes two to tango, okay? If you've been asking for the same things over and over again and you're not getting them, maybe there's something wrong with the organization, maybe it's not you, but you do have to do a little bit of analysis, you know, a little soul-searching, and see what you can do to make it better.

Now management also has a stake in this. I know a lot of you are like more of the hacker mindset and so you kind of have this "suits" kind of attitude, because, you know, quite frankly, I used to, and so I understand and appreciate it, but understand that management has the opportunity or crisis du jour, so they're very interrupt-driven, much more so than we are. That has some very interesting ramifications for your job, namely the people who are flashy, red team, are going to get the limited

attention that they have, so maybe you need to do something to make yourself a little flashier, maybe make a dashboard so that they can see when things are doing well, I don't know. Also, quite frankly, I have seen management needlessly constrict the blue team, where they hobble them, and the reason why is things like firewalls, things like application-aware firewalls, things like network access control are a little more mature than some of the red team procedures and policies that have been in place lately, and so they understand these things and will, you know, put these restrictions on them, but they don't do the same for red team, which is a little one-sided, and, you know, they're too loose with the red as the result. And then also understand that there is a lack of tech skills, but I put a question mark there because I would posit to you that if you are a manager and you're a doggone good manager, you really don't need to be that much of a propeller head. You don't need to be a geek. All you need to be able to do is understand how to deal with constraints, deliverables, that sort of stuff. You as the technologists are just the enabler for business.

Okay, so not using tools, or using the tools we have but not in the best way. So what I'm talking about here when I'm saying hacking the tools, what I mean is hacking them in the good old MIT fashion, you know, making them do new and interesting things, or maybe enabling things that were there all along but we just never had reason to enable them. So we're going to talk about all of these things: your firewall, antivirus, logs, patching, automation and user education. Each of these things, though, you're probably looking at going, hmm, this guy's just going to be preaching and talking about the same old same old. Well, I hate to tell you, but I'm going to be talking about this using the same old same old but in new ways, okay? Remember we talked about layered defense, and if you look at this, this would be a nice layered defense to have in your environment, but the thing is I've seen a lot of cases of where people have layered defense but it doesn't actually contribute to a holistic system. It's just, I've got a firewall, I've got this device, I've got that device, and working across all of them is very problematic, and we'll talk about that a little bit here.

So now, hacking your network. You need, if you're a blue teamer, to start thinking like a red teamer. What are some things that you can do to frustrate them? One of my favorite things when I'm doing an assessment, at the places where they'll be providing network access maps and drawings and that sort of, you know, Visio diagrams and all that happy stuff, is they'll say, well, here is "the" firewall, and when I hear that I think: hard crunchy outer shell, soft gooey middle, because that's really what they've got. If you're in a situation where you've got "the" firewall, you're in trouble, so you need to make sure that you have multiple firewalls all over the place, and there's plenty of interesting things that you can do with these multiple firewalls. Show of hands here, how many people are doing egress filtering at your firewalls? Okay, so that's actually a good amount. Okay, so for those of you who didn't raise your hand, well, I'll just open this up to everyone. All right, what service uses TCP and UDP 53? DNS, okay,

cool, cool. Do you, as an end user at your workstation, do you need to talk DNS locally? Excellent, that's right, I need to talk with my corporate DNS server. Do I ever need to talk with the DNS servers out on the wild Internet? What? Okay, so there are alternate DNS services, that's true, be mindful of who you go to, but as an end user, like just a typical end user, you really don't need to do that. One of, and I'm just betraying one of my favorite tricks here, when I'm doing red team work, it's very rare, I should say, for me to have an environment where they're filtering DNS outbound. So if I get a shell on a machine, or I need to get a file off that system, I can just encapsulate that in DNS traffic and it's just off to the races. Red teamers, am I right? I mean, that's a very easy way to go out. Is that detectable at your network detection, egress filters? It could be if you have them tuned right, but chances are you're just going to say, oh, DNS traffic, it's all good. So be thinking egress filters. True, in the scenario that I outlined there's already malware in the system, but how frustrating is it for somebody to have a bot, or have something, and not be able to control it? Very. So it's a good tool to have.

Have application-aware firewalls. I see plenty of places where they have firewalls in place and they're, you know, doing okay, but they don't have the application component enabled. Many load balancers have this functionality and people don't use them. There's plenty of reasons to do this. The overhead from a performance standpoint is not that bad, but the payoff is actually really, really good, and your out-of-pocket expenses in many cases are going to just be zero because you're just enabling existing functionality that you've paid for.

MAC address lockdowns. So do we have any network administrators in here? Yeah, okay, a couple. Yeah, I see you going like, oh, you so-and-so. You know what, I've been there, done my time as a network administrator. MAC address lockdown, for those of you who don't know, is where you configure the switch port, or like on the switch, to only accept the physical address of the machine that it's connecting to, and it's tedious to do that, and it becomes very problematic if you're like in an environment where, say, the end user workstations are going to be swapping out very often. But the thing that's cool about MAC address lockdowns is if you have like a conference room and you have MAC address lockdown set up and a pen tester comes in and they go "dink" and plug into your conference Ethernet jack, they're not going to get on there, or they're going to have to do some major shenanigans in order to get in there, so it's a very cool thing. All the switches that I know of that are commercially available support this out of the chute. You need to look into MAC address lockdowns, if not for your desktop environments, what about your server rooms? How often do you swap out the server machines? Not very. Huge return on investment.

Source routing. I used to be a router administrator. I understand that, you know, large environments have to in some cases allow source routing, which is basically where in your packet you tell it which hops it's going to take rather than letting the routers along the way determine the path. I would recommend that you go to your network teams or your management and see if you can turn off source routing inside your network. Don't fall on your sword for that one, though; there might be some weird legacy reasons that you have to support it. What you should, though, get ready to fall on your sword for is accepting source routing inbound. There's no reason you should ever, ever, ever do that. I don't want to get into the technical reasons why just due to time constraints; see me if you have questions about that.

Baseline. Baseline your network, know what normal looks like. There's plenty of tools out there if you don't have traffic analyzers, tools like ntop, Argus, there's NetFlow, you know, if you're using that, there's plenty of commercial tools out there, but you need to know what weird looks like, and bear in mind that weird might not just mean a huge influx of traffic. It could be that, you know, a finance system is talking with a database that it never talked to before. Just one single query, one single database SQL query, might be a really big problem depending on what's going on. So have a look for anomalous traffic, but understand that you're not only looking for just the huge spikes but the little odd things as well.

Antivirus. I love playing with antivirus. It's easy, or relatively easy, using tools like Shikata Ga Nai to take known working malware, repackage it, and make it so that it works and will execute against existing... it basically allows you to bypass the signature detection of existing antivirus products. And so people say, well, antivirus is dead because signature-based detection, you know, is no good. I wouldn't go that far. It does still have, you know, a certain use, right? It's just that you can't rely on it as your only source. Make sure that you have your antivirus locked down. So I'll protect the guilty here, but an excellent moment of antivirus fail was a call center that I was testing, and they had antivirus on each machine because according to some regs they had to have antivirus, and they would get the check box: yes, you have antivirus. The problem was that it was not centralized reporting. It was individual workstations of, I think it was about 1500 call center employees, and they had multiple antivirus administrators who would just go around playing with the AV on each individual machine. And the thing that was awesome as a pen tester on this side was when I was launching malware against my one target, there was one person I really needed to get into their machine, I kept on tripping, you know, all these things, because I just wasn't getting lucky, bottom line. So the AV was tripping out and said, wow, this is bad, this is bad. Well, there was tons of logs and tons of errors. If they'd used centralized reporting, it would have just, boom, I would have shot up like a, you know, signal flare and they would have known what was going on.

Make your own custom malware signatures. Now this is a cool thing. You know, I was denigrating that call center a moment ago; I'm going to kind of prop them up. One of the things that they did that was kind of cool is, to prevent people from installing applications like LimeWire or, you know, BitTorrent tools, they actually made custom signatures, custom DAT files, that included the applications that they didn't want running. You can do that. Almost all antivirus products out there allow you to make your own signature file for particular applications. That's kind of cool if you don't have a tool that allows centralized configuration and application management in your network, but you do have anti-virus, and most people have anti-virus. This is a cool, you know, way to kind of get around that and still hit that objective.

Also whitelisting. Hot diggity damn, do I love whitelisting. Show of hands though, how many people are doing whitelisting? Okay, see a couple, not many, not many. Talk with your antivirus vendor, ask them what whitelisting features they have. You might already have whitelisting functionality and are not using it. Whitelisting has been in the past a pain to enable, but some of the vendors now have a good thing where it's called learn mode. You set it into learning mode, let it run for two weeks, maybe a month, and then you go back and you review what applications were running, and then you can see, okay, well, these are cool applications, this will be the blessed list of applications. What that means is, a bad guy then, I don't care how crafty I get with tools like Shikata Ga Nai or other repackers, when that particular executable goes to run and it's not on that application whitelist, not going to happen. Now there are no guarantees; there are some things you can do against whitelisting applications, but the toehold, the surface area for an attacker, becomes infinitely smaller. It's a very, very powerful way to protect your systems.

Logs. I can't stress this enough: logging is amazing. It's also the biggest pain to do as a security professional, and finding the right log entry isn't like finding a needle in a haystack, that's too easy; it's like finding one specific needle in a pile of needles. It's really tough. The signal-to-noise ratio in many cases is horrific. Also, one of the things that you want to think about

is, if you've got, you know, you can use tools like syslog and Snare and other things to aggregate your logs. So if you have a central logging collection, and a lot of companies have requirements to do this so they have these already, start thinking about having alerting enabled so that if something weird happens you get an email or the pager goes off. You know, I hate saying it, but, you know, sometimes having the pager go off is a good thing. Also be thinking about the skill level of the people who are tending your logs solution. A lot of places they put the rookie on that. They say, well, new guy, you're going to cut your teeth, son, I want you to look at and just watch this tail run, it's tail -f, and you're gonna watch it till your eyes bleed, have fun, I'm out. And the reason that you're doing that is because that person who's being mean had to do that; they had to sit there and watch the tail -f until their eyes bled. The thing that I don't like about that is this is the heartbeat of your company. If this is the network, if these are the systems you're protecting, doesn't it make sense to have your ninjas looking at this? Do you now understand why I think it's a bad thing that we're starting to push blue team into red? If you have someone who's a log ninja, let them be a log ninja. There is plenty of work in statistical analysis, OLAP data cubes, there are plenty of things to do. You can make your career just on logs.

Patching. When I teach for SANS, a lot of times there's, you know, here's what you need to do for remediation: it's patch, patch, patch, you know, like every other slide, patch. Well, here's this exploit, and what do you do? Patch. Here's this exploit, patch. And people start laughing and they're like, oh, well, is patching, you know, the end-all be-all? No. But for an interesting exercise, those of you who are, you know, familiar with Metasploit or Core Impact, open it up, look at your exploits that are available to you and count how many are solved by patching. It's not all, it's not perfect, but you're dropping off at least two-thirds of the attacks just by doing something you should already be doing: patch. Now most places are really good about patching the operating system. Where things get a little hairy, though, are the applications. What happens when you have, say, developers who, you know, need a piece of software that's just not in the corporate build? What do you guys do? They need that software, so they get it, but it's a one-off. Do you patch that one-off software? Not many places do. It's tedious, it's very hard, it's time consuming. I don't have a real good answer on patching the applications other than to say if it's on your network you have to be willing to give it support.

Also network devices. Show of hands here, who's done router administration? I have. You have, okay. So show of hands, how many people have done a patch on a router device and had the patch blow the thing up? Yeah, it's almost a one-to-one ratio. Patching network devices is one of the most painful and nerve-wracking and just nerve-rattling experiences you're ever going to have. You know, the other thing that, like, to add insult to injury, say a patch goes flawlessly, you know what you have to do? You have to take down big chunks of the network. You are not a popular person if you're doing network device patching. It needs to be done, though, because if I can get into your router, at that point it's just like I've got a beautiful steak and a nice baked potato and a nice cold beer, because I'm just going to sit down and eat your network. It's great. So make sure that your network devices are getting patched. Of the ones that are up there I think that that's the most painful one to patch because it's risky, not going to lie. You know, if you're a very large network and you've got, like, say, you know, the 6500 series

cisco routers those that's not pocket change it can be very challenging to go to management and say hey I need a another device that costs more than most sports cars to sit idle for you know most of the year except the couple times a month we're going to run this one thing and it's going to take about 30 minutes they're gonna just look at you like ya know so you know be aware that it's risky but you got it you're going to have to articulate the trade space for them automation this is something that I get on my high horse about start small and think big you might be thinking yourself well I know there's so

many things that I could automate, but it's so hard, it's, you know, oh, scripting, I just, there's too much, where do I begin? Guess what, folks: you eat the elephant one bite at a time. That's it. So start small, think big. Just think of this: is there one thing, one thing in a given week that just, like, makes your teeth curl? You know, you're just like, oh, I gotta do the TPS report again. Oh. When you have that teeth-curling kind of feeling, automate it, because you know what? It makes it all go away. Now, I'm not going to lie, it takes more effort usually to make the automation, it does, but the neat thing is, from once you get that script going until, you know, the heat death of the universe, that thing is gone. It's solved. Now you might be saying, well, how do I know when to automate something? A good rule of thumb that I got from an excellent book called The Practice of Systems Administration is if you've done something twice, you're almost guaranteed that there's going to be a third, fourth, fifth, sixth. It's just gonna happen over and over again.

Now, I have heard this from time to time: I'm scared about losing my job if I automate everything away. And I am living, breathing proof that that can happen. I have lost two, not one but two, jobs as a result of automating myself out of existence. I will tell you this, though: that was the shortest time I have ever been unemployed. In fact, in one case, you know, I'm gonna take liberties with the guy, but he's like, Mick, sit on down. Yes, sir. And he says, well, I got some good news and I got some bad news. Oh, well, good news? Good news is you're fired, I'm gonna save a lot of money. And I was like, what's the bad news? He's like, well, you're gonna go work for the competition. What? Well, you see, I was at the country club having my martini, well, on the green, and I mentioned about how this one punk, this admin, automated himself out of existence, and I happened to let your name drop, okay, and so you're going to go work for R & Co. Oh, cool, yeah, those guys are good. Yeah, you're actually going to be getting paid more and all this other stuff. Sweet. In both times, actually, where I got out, I actually wound up making more money, and it's really weird, it's kind of counterintuitive. But I will say this: when you're in an interview and you can look that person in the eye and say, you know, cuz it's a standard question, you know, why are you looking for a job, you know, why aren't you working, you look them in the eye and you say, I automated myself out of my job. I did my job so well that the company now can do what they need to do without me, it's all automated. They're gonna be, like, dry humping your leg at that point. I mean, it's just ridiculous. So remember, you are greater than the robot army, okay? You are. But what's really cool is you can make your robot army go out and do it.

Another thing about automation, here's something to ponder and think about. About a year and a half ago, the Department of Defense, with a little bit of help from SANS, did a survey to see how many public and private sector security positions were available and to see how many security practitioners are available for the United States. There is a lack of security people who are qualified. How much are we lacking? Take a guess. Come on. Seventy-five percent? It's actually worse than that: we only have one tenth of the people that we need. And when I first saw that, you know, I was like, yeah, come on, yeah, wacky, you. But then I was in a position where I'm starting to sit for interviews and see people that are interviewing, and I got to tell you, that does seem about right. So automation is a great force multiplier to have for your organization.

User education. I'm not going to beat this one to death too much,

but I will say this: it's not totally, it's not time lost. True, most of the people that go to your education, it's just going to go in one ear, out the other. They don't care about security. You know, news flash, we security people are wired differently than everyone else. But here's what's cool: I can't count the number of times I've been doing an incident response or some sort of, like, you know, analysis on just an ugly event that I'm dealing with, and, you know, I've just kind of hit a wall. You know, I've got the packets, I got the stuff, but I'm missing some pieces in the chronology, and then someone emails me and says, hey, by the by, yesterday I got this email with this attachment and I didn't open it up because it looked kind of creepy. Thank you. You know why? Because that email didn't just go to that one person, it went to the whole group or select people. So what you're looking for from your user education is you're looking for spies, basically. So do it. Know that a lot of the people aren't going to care, you know, that's just the cost of doing business, but if you can get one or two people from each user education event that you have, you're going to have a network of your own, a human IDS network. That is amazing. Cultivate it.

Reporting to management. Don't sound like this guy. Don't be a, I sit by the window and I can see the squirrels, and they're married. Yeah, you don't want to be this guy. And you might be saying, well, you know, gosh, I'm suave. Well, I'll tell on myself. For instance, I thought that I was all slick and cool because I was trying to present to management, and I said, hey, management, if you buy that Jacket Ron 5,000 security appliance, we're going to put it in and our return on investment is going to be awesome. I might as well have gone in there with a big clown afro and a red puffy nose. The reason why is I used the phrase return on investment. From a business standpoint, return is money that you make after spending money. Do you know of any security product, process, procedure or policy that makes you money? Just crickets, quiet. Yeah, that's right, you're an expense. What I should have said is that it would be revenue protection, you know, put the positive spin on there. You know, you need to speak their speak. There's plenty of great books out there; one that I'm working through right now is The Personal MBA. It's an amazing resource, and it's actually reshaped how I think of interacting with business, and oddly enough, as a technique, many of the things that management needs to hear are actually kind of anti-intuitive from what we think of as needing to hear. It's very fascinating.

So now, management. I did see a couple hands in management, so I want to harp on this slide for a little bit. Make sure that your blue team rock stars have a future. Make sure that they have a way to continue to get fulfillment, continue to explore, continue to play with doing the job that they love. One of the things that, you know, you can do is, maybe you can't grow them any further, maybe they're, you know, a tier 3 and that's as high as you have at your organization. Well, what you can do is maybe say, look, you know, I get that you're tier 3, I can't give you more money, but what I can give you is I'll give you one afternoon every other week to just hack around with the network and just play and come up with new and interesting ways to do what you do better. Giving them time to play is actually a very rewarding thing. One of the things that Google has that's so compelling is that twenty percent time. That's an unseemly amount of time to give people to just hack around and play. That said, man, as a geek, I gotta tell you, that is just an amazing benefit to have. Does that cost? Yes, it's an opportunity cost. You're losing, you know,

productive time from that person. Maybe they're not going to be coming up with something that's amazing and powerful, but, you know, a perfect case of where they rolled the dice. So how it went was, Atlassian Software, they're an Australian company, I learned about them from the Java Posse, which is a really cool podcast. It's much tamer than Security Justice or PaulDotCom, which is more the pity, but anyway. They implemented, just once a quarter, they would have what they called a fun day, where for 24 hours the engineers were allowed to work with whoever they wanted to on whatever they wanted to. 24 hours. They squashed so many bugs in their software, it was ridiculous. They started making that mandatory, the event, where I think it's now almost monthly there. But it's amazing how you can motivate people with not just dollar signs, not just titles. Also be able to understand who your rock stars are. Seat time does not equal skills. You know, you might have someone who's come into the organization and has only been there for a year, but they just really get the stuff, understand it, they think like, you know, a blue teamer ought to, and you've got some other guy who's been there for 40 years and just really doesn't get it. So understand that, you know, you need to set up a meritocracy if you can.

Also, blue teamers, one bit of advice I can give you is if you're not happy with your job, and please understand that I don't mean like you're, you know, clicking your heels or something into work, you know, whistling Zip-a-Dee-Doo-Dah, if you are, you might need to have your meds adjusted, but, you know, I'm just saying that if you're not happy with your job, remember it takes two to tango. You need to come up with what your career goal is, and if practical, chat with your manager about it. Chances are your manager will at least try to help you be happy.

Policies. Boy, you know, this is something that a lot of people hate. Policies, it's dry, it's not fun, and you know what? You're dead wrong, because you know why? Policies are you hacking the company. Policies are amazing, because there's been plenty of times where I've been at multiple, and this is something I try to do at every single company. I've had cases of where I'm like, well, you can't do XYZ, and they say, oh, then, you know, why? You know, and I don't have policy to back it up. What's really cool is if I write the policy or assist in the writing of the policy, I actually have that piece of paper, and I can say, hey, you know, just so you know, you can't have that particular bit of software, you can't do XYZ, and they're like, oh, stupid security guy. And I go, no, no, no, it's not me, stupid security guy, it's this policy. Hate the policy. I'm just here to tell you. As a matter of fact, I'm just here to tell you because, look, see here on this section of the policy, it says that you can get terminated for doing this, so this is actually like me being a really nice guy. You still have your job. And they're like, thank you so much, security guy. So policies are huge. One thing that, just real quick, make sure that it's based off of a framework. Using frameworks actually makes policy creation easier and helps you when you're having to do business with other companies. Make sure that information security has a seat at the table. It's great to actually put in what you want in the policy, and then later on, it might not be an immediate payoff, but when that day comes, man, is that cool.

Auditing. I love auditing. I love doing assessments, and you know why? Because if you do your policies, this is where, you know, your policy is the teeth, auditing is the jaw that grinds the teeth down. Auditing is not a four-letter word. It's an amazing process because it is the agent of change. If you talk about the teams or the groups in your organization who have political juice, the clout: internal audit, baby.

Everybody's scared of them. If you have these guys on your side, again, you get to be the, well, you know, it's not me, I'm just the security guy, it's that auditor, he is just so mean, but here, you know, let me help you understand why we need to do what we need to do. Here's a pro tip, though. When you work with your auditor, either an internal audit team or an external audit team, you can, depending on how sly you want to be, yeah, depending on how sly you want to be, you can actually be very subtle and say, oh, so, financial services audit, huh? And you're like, so you're going to be, like, testing financial systems and seeing how secure they are? Yep. Does that mean you would maybe be checking the Active Directory to see how long the password expiration is set? Yeah, why? Oh, just wondering. Let's leave those little seeds. Now, be careful on how you do that, you can wind up causing a little problems. As a certain hip-hop star is fond of saying, snitches get stitches. So be careful on how you do that.

Now, some takeaways. Attacker's advantage: all we need is one weak link in the chain. And this, I should have upped the contrast here a little bit, but that's a nice thick chain, padlock, zip tie holding that together. Weak. All right. Blue team deserves love. Really, internet? That's what you got for, you know, the blue team? Earn that love. Understand that you've got to earn it. Nobody's going to come in, sweet pea, and, you know, treat you right. You have to show your value to the organization. Maximize the tools. Make sure that you can show that they're getting good value out of what they're paying for. Up your skills. Listen to podcasts, you know, watch videos, hey, BSides, folks. There's plenty of ways that you can increase your skill set. You can't go it alone. Remember the tripod, remember the stool. You've got management, you got red team. You can't just do it by yourself. So give Blue a chance. Make sure that they have a career. Make sure that policies are around that give them the teeth that they need, and make sure that auditing is the one who's enforcing those policies. Blue team should not be the long arm of the law. That's a fight they shouldn't be in.

So, questions? Oh, okay, so I've been told that all questions will be handled in the hallway chat. So bottom line is, I don't want you to be like this guy who just walks away all confused. If you've got some questions, comments, whatever, let me know, and feel free, if you can't meet up in the hallway or if you're on the BSides streaming, folks, feel free to hit me at my email address or on Twitter. So thank you very much for your time.

Thanks, Mick, great talk. All right, why don't we get everybody out of here for lunch. If you have questions for Mick, go see him out in the hallway here or come on up, and we'll be back at one o'clock to do the afternoon sessions. One o'clock.