
2016 - Gavin Millard - Breaking out of the Infosec echo chamber

BSides Manchester, 53:35, published 2016-09
About this talk
In our little infosec world, it’s all too easy to fall into the trap of talking technical to the wrong people, shouting about a critical bug but being ignored. We ridicule the use of a logo to communicate vulnerabilities, mock the word “cyber” and confuse the masses with technical jargon, but become frustrated when nobody will listen. With pen test reports going unopened, the laundry list of misconfigurations ignored, and patches going stale on the backlog, we have to up our game when it comes to communication.
Transcript (en)

[Intro unclear.] I'm Gavin Millard, a technical director at Tenable, who [unclear] Nessus [unclear]. As Javvad said, what I'm going to talk about today... I should have been talking about stunt hacking, and that would have filled the hall, apparently, but I'm not; I'm going to talk about the business of security. So I've been in the industry for 18 years now, I think. I used to have to persuade companies to actually put firewalls in, which is a bizarre concept nowadays. You know, I'd be talking to them about IDS and they'd be like, "well, no, no, no, you know, we've not even got a firewall yet." It's like, holy [ __ ], you're kidding me.

So I've been at Tenable for a few years now, and my previous job was at a vendor as well, and a lot of the work that I do is really communicating with the C level, so the CISO, the CIO, working with them on how to build a good security program, how to communicate that security program to the business. Now one of the annoyances that I have is vendors. As Javvad said, vendors create what they think executives want to see. If I go to any major product nowadays, they have their "this is the CISO report that you should be showing in front of the board." [ __ ].

Right, any vendor that tells you that they can create an executive dashboard is lying to you, okay? The main reporting tool that any CISO uses is what? Sorry? PowerPoint. PowerPoint, every damn time, or Excel as well. And so I've been working on that quite a lot; it's all about, you know, how we communicate with the business, how we break out and actually talk in a different way to people that are outside of our industry. So, yeah, why is this important? Well, yeah, infosec is now in the news a lot. You know, we've got big breaches, we've got these bugs that are hitting the news. Yes, I go on, like, ITV News at 10:00 talking about an OpenSSL vulnerability. Crazy, right? Yeah, bong, you know, some infosec dude's going to talk about an OpenSSL vulnerability; yeah, bong, you know, and then some terrorist did some [ __ ]. So it's quite weird, you know. We have breaches; they're obviously very large and very unfortunate. The more unfortunate thing is, quite often, when the CEO of the business stands in front of the cameras and makes a total fool of herself or himself. Yeah, we see a lot of stunt hacking, as demonstrated by the fact that track 2 is full; stunt hacking is, you know, like this really popular thing. We have people that really care about their privacy now.

Yeah, so many years ago when I talked about infosec to people, they were like, "I have no idea what that is." You know, I talked about, you know, cybersecurity; now people really know about this stuff, they're really thinking about it, they really care about what's happening to their data. And then we have things like, you know, IoT and ransomware, which people are really concerned about. You know, be it a light bulb or whatever they're hacking in track 2 right now, a light bulb or, you know, a kettle; people really care about this stuff now because, you know, it's their consumer stuff. You know, you read about people finding out they're pregnant because of their Fitbit, that type of stuff, right? Obviously not me. And then, oh yeah, we hear about ransomware all the time now. I'm getting really bored of hearing about ransomware in the news. Ransomware to me just tells me that you are not good at security. Damn straight, right? It basically just means you've not patched your stuff. Okay, let's move on.

So I think the really main starting point for all this, you know, this interest in information security, came along April 7th, 2014. Everyone knows this logo, right? My mum knows this logo. No word of a lie, when Heartbleed hit... I used to have a text message on my slides; I took it out, my mum wasn't very happy, and you should never annoy your mum. I had my mum send me a text message on April 7th that said, "Gavin, I'm worried about this Heartbleed thing, we don't know if Dad and I are going to be affected by this, I've looked at your Twitters, I can't tell." Right? Now I know that I'm on Twitter solely to educate my mum and dad on security. But, you know, everyone was really concerned about it. Suddenly, you know, like, you had CEOs asking about an OpenSSL 1.0.1b vulnerability; it's crazy when you think about it, right? And unfortunately, when Heartbleed hit, really, we had two different camps of people.

Okay, we had the people that really knew their stuff. In fact, I was at a Tenable user group and I had a guy from a very large bank speaking there that morning, a guy called Amir [surname unclear]; awesome guy, right, and he's got a brilliant name, I love saying his name, it's really pretty cool. And I said to him, "mate, I can't believe you're here, I thought you'd be dealing with Heartbleed." He was like, "no, no, it's fine, I know exactly where all my vulnerable systems are, I know exactly what the remediation plans are, I've tasked my team, they're going to address it, I estimate it's going to be patched in two days." Awesome. That's the answer people should have given. Yeah, good old Amir [surname unclear]. Unfortunately, that isn't the answer that many people got when they were asked the question "are we secure?" When they were asked that question... and this is, you know, the question that we'll scoff at, like, "hahaha, how can you be secure? You know, 100% secure? You stupid idiot for asking me that question." The business doesn't want that answer; they want a different one. Unfortunately, as security, we've always answered that question with either hope and a handshake, as in, "yeah, yeah, we've got this, it's cool, don't you worry your pretty little head about this security stuff, we've got it all," or "you won't understand what we're talking about, so I'm not even going to tell you." Basically, hope and a handshake, right? "We've got this security thing, don't worry about it." Okay, these are not the answers the business is looking for, right? When you're asked that question, "are we secure?", giving them a fluffy answer is not the answer they're looking for.

So I'll give you an example. My wife works in marketing; sorry, yeah, marketing, but my wife works in marketing. I get to do my slides; she's rubbish at PowerPoint. And if the business says to her, "if we give you a million dollars, how many leads are you going to generate, how much business are you going to generate?", she will have that stuff locked down cold. She'll say, "for a million dollars the, you know, the cost of acquisition is XYZ, the cost per lead is this, the pull-through is this, the conversion rate is this; I'll generate 30 million dollars' worth of business." Okay, that is the answer that the business is looking for when they ask questions, not "don't worry about it, we've got this." So, rather interestingly, we're supposed to be good at this stuff, right? We're supposed to be telling people the things that they want to hear in ways that they want to hear. We're supposed to be good at social engineering, right? We're supposed to be able to mimic people and be able to hide in plain sight, but we suck at it when it comes to business, right? We appear to be terrible at it. Come on, so I'm just insulting social engineers. Um, so yeah, we seem to [unclear] when it comes to communicating with the business. When we ask the questions, we don't mimic the business, okay? We stay in our little echo chamber: "you know, don't worry, you're not going to understand this stuff." Okay, so, a little pop quiz to start us off. What does this stand for?

Okay, right, what's really interesting is a few of you got it wrong. I'm not going to say who. But we use these words all the time, right, and we do it in a way that people outside of our echo chamber don't really know. We do it in articles, we do it in everything we write about. I'm really, really careful whenever I write a quote for the media that I don't use buzzwords. I'm sure if you've ever read any of my comments you think, "you dumbass, you're supposed to say SOCKS5 proxy here." I know it's a SOCKS5 proxy; no one else does, though, right? So I don't use those words. What's this?

Yeah, right. The reason I put "open source intelligence" up here is because when people first started talking to me about this I didn't know what it was. I was like, "oh, you're just talking about the stuff you do before trying to break into something," right? But you use a buzzword and we don't get it. Okay, what's this?

Anyone? Look, look, right, so this is really interesting, all right: not one person knows what this is. No, stop guessing, you're not going to get it, you're never going to get it, right? So, yeah, we talk about AXFR, yeah, or all these different buzzwords. We're not the only people to have buzzwords, all right? That's a marketing one: customer acquisition cost, okay, and this is a really important one for marketing, right? So marketing always talk about CAC, because, right, what's the customer acquisition cost, right? Yeah, is it going to cost us five minutes to get a new customer through the door, five thousand dollars, whatever, and they think about it in this way. By the way, they never talk about CAC outside of marketing; this is why you've never heard of it. I've heard of it because I married a marketing person, okay? They know how to communicate outside of their echo chamber; a lot of us don't. What's this one? Good man, good man, you can have some chocolate. So this one is a business one, okay? People care about this stuff: basically, how much money am I making? Okay. So when it comes to security, I'm going to quote Richard Branson. Some people think he's a bit of a [ __ ]; in reality he's a billionaire, so he's done something right, okay? "Complexity is your enemy. Any fool can make something complicated. It's hard to keep things simple."

Basically, one of the things that we do in IT security is we try to be the smartest person in the room, okay? I'm sure none of you are like this, but trust me, after speaking with IT security people for 15 years, I'm used to the pissing contest, right? I walk in a room, I'm used to the pissing contest, okay? Now I have ways of dealing with the pissing contest; in fact, I'll let you know, right? So I have a little secret: if I walk into a meeting and I have a pissing contest with a prospect, with a customer, whatever, I win every time, okay? I win every time. How do I? I drop CVE numbers like crazy, right? It works every single time. CVE-2014-5119, okay, that was the Hacking Team Flash vulnerability, okay? So we're looking it up; it'll be right, okay. Drop CVE numbers when you're in a pissing contest; you will win, I guarantee it. Okay, but anyway, that is not the point. The point is that, you know, we try and be the smartest person in the room. We all have egos; people like Javvad, for example, have big egos, right? We all have egos; big ego for a small person. We all have egos, and we all try to be the smartest person. In reality... oh yeah, thank you, yeah, get the red card. In reality, the smartest person in the room is the person that simplifies it down so everybody understands it.

I was in a presentation at a very large telecom quite a few years ago, start of my vendor career, and I walked in there; there's lots of techies in there, there's a couple of business guys, right, and we were talking about file integrity; it was with Tripwire. And so I knew everything about file integrity, right, hash clashes, all this type of stuff. I'm sitting there talking to these techies and they were firing questions at me, right, and I was, like, knocking them back. It was an awesome meeting, you know, the kind of thing where you're like, "damn straight, I'm good," right? Yeah, it was that type of meeting, right? And I walk out of the meeting and the VP that I was with, he said, "how do you think that meeting went?" I was like, "ah, man, you know, I knocked it out of the park, it was awesome." He was like, "that was terrible." Okay, this is going to be painful; this is my new boss that I met only a month ago. "Why do I suck?" And he said, "who were you talking to in that room?" It's like, "everyone." "No, you were talking to the techies. They were asking you really cool questions. The one person that really cared about this stuff, the business guy, walked out halfway because you were talking about stuff he didn't understand." Okay, that is a bad outcome, okay? And it's all about simplifying the messaging that we use to be able to communicate with that person, because in reality that person is the person that's going to sign the check to enable you to buy more security stuff, okay?

So the first thing we have to think about, if we have to communicate effectively outside of our echo chamber, is: how do I actually measure security? Okay, so if I can't measure something, I can't communicate it, I can't report it, so we have to do that. This is a good slide, right? Javvad, he liked this one. Thanks, yeah, look at that. By the way, that's Wingdings, I think; in the background it says "all making slides makes Gavin a dull boy" or something, I can't remember now. But anyway, so for me, metrics are the Rosetta Stone of business communication, okay? Marketing talk to sales in metrics, sales talk to finance in metrics, finance talks to the business, to the C-suite, in metrics. Security need to do the same thing, right? Social engineering: mimic the people you're talking to, okay? Instead of talking about DLP, you know, or cross-site scripting, all that type of stuff: metrics. That is the only way we should be communicating with the business, because it's something that's quantifiable that they can understand. We'll talk about that more, okay. So there's loads of good places to get metrics.

So the Cybersecurity Framework is a NIST 800-53... oh, it's a really good framework, okay? But embedded within the Cybersecurity Framework there's loads of metrics that you can use. Steal them, by the way. If you've not looked at the Cybersecurity Framework, it is coming. According to Gartner (obviously NIST paid them to say this; I'm sorry, I didn't say that, really), yeah, so by 2020 more than 50% of organizations will basically be using this framework and metrics, okay? So if you don't know about this stuff now, go and research it, because it's going to land on your table in the next year or so, okay? Obviously we have SANS as well, okay? Embedded within every control of SANS (we all know SANS, right? Yes, Gavin, good, aye, SANS) SANS gives you effectiveness metrics for each of the Top 20 controls, okay? Some of them are [ __ ], by the way. For example, one of the things that they say you should do for malware is count how many pieces of malware you've seen. Don't do that; that's a really bad metric. But there are some really good ones as well; we'll talk about that towards the end, but there are some really good ones, all right? If you ask an analyst (people like Javvad, who used to be at 451), or if you ask, like, Forrester, as an example, and you say "what metrics should I use?", they always say, "our metrics are all different for every different company, yeah, they're, you know, it depends on, you know, who you're talking to." [ __ ], right? There are some really good foundational metrics that you can use; I'll give you an example of some towards the end, okay?

The next thing we have to ask ourselves, to be able to communicate and to be able to talk outside the echo chamber, is how to actually align what I'm doing with the business, okay? So when I used to break into stuff, before I found tweed and wearing suits and having to stand up in front of people, when I couldn't communicate with anybody, you know, when I lived in a broom cupboard, I used to find stuff wrong with the company that I was working for, and other companies as well, and I'd say, "this is really bad, you really need to sort this out," and I would get ignored. I'm sure we've all experienced this, right? You find something really bad and nobody does anything about it. Happens all the time, okay? It's because we're not aligning what we're doing with the business, okay? One of my really good friends is the CEO of a massive financial infrastructure institution, sorry, and I was talking to him a few years ago now and we were chatting away; I was talking about security risk and I was like, "yeah, we're trying to, you know, change our messaging to include security risk," and he just looked at me and he says, "there's no such thing as security risk; there is only business risk." I was like, oh wow, you are so right. If you're mitigating technology risk, if you're mitigating technical issues that aren't aligned to the business, you're doing the wrong thing, okay? Don't patch something you don't care about.

Let me give you an example. Who knows what this is? This, by the way, is another one of my favourites that I drop in meetings; I'm giving you my secrets. MS14-068. And, huh? No, it's a microphone. Oh, you're pretty sharp, but you're not... being wrong. So it was the vulnerability in Kerberos, right? So there were some really big vulnerabilities last... in 2014 from Microsoft [unclear]: MS14-062, -064 and -068; they're really bad ones. One of them was the SChannel vulnerability, you know; there's some really bad ones. MS14-068 was kind of like the worst, right? Basically it gave anybody the ability to have a credential, any credential, and elevate their privileges to be domain admin, okay? Really bad, right? In fact, when Kaspersky got hacked, this was the privilege escalation vulnerability that they used to be able to get root, yeah, right? They, you know, they talked about APT and all this stuff; actually, Kaspersky did a really good job of disclosing how the hack happened. You know, I think that they were very, very good about it. Embedded, though, in their report it talks about the different vulnerabilities that were used; this one was used to elevate privileges. They got hacked in January; this was released in November; they hadn't patched their servers, okay? Now, so it's a really bad vulnerability, right? When this came out I went to see one of my favourite retail customers, not far from my office, and walked in; he's a brilliant guy, you know, really, really smart security director, and I often go and have little chats with him. And I said, "what are you going to do about MS14-068?" And he said, "nothing." That's really interesting; tell me why.

Because, you know, I trust him; he's not just ignoring stuff, he's being smart about it. I said, "why aren't you patching it?" He's like, "Gavin, it's the end of November. If I cause downtime in our infrastructure, I will not have a job next year. So the risk of patching is higher than the risk of somebody using this to get into our infrastructure." Compensating controls, etc., etc., but in reality, you know, he couldn't patch till January, February, okay? That is aligning security risk with the business risk. The business risk was significantly higher patching the vulnerability than it was to not patch. What? Great question. [Unclear], yeah, because... no, no, no, because I'm talking about measuring; you will get there. [Unclear], Javvad, yeah, I'm giving you crap. So, no, metrics are all about being able to have the visibility of this; it's really important. Making the decision on what to do about it sometimes isn't metric-driven, right? So if you look at this vulnerability from a CVSS scoring perspective, this was a 10, right? This is a really bad one, yeah; it's remotely exploitable, you know, you don't have to be on the same network, blah blah blah, right? It's a really, really bad one, but he had the foresight and the visibility of his infrastructure to know that patching this could cause him problems; therefore he's not going to patch, okay?

Now obviously, if they got hacked he would have been fired, but it was a good thing to do, okay? Now, my favourite bit, though, and this is really what, you know, the main focus is: how do I then communicate this information to the business? Okay. So, stuff: how not to do it, right? I work at Tenable, yeah; we created Nessus with Renaud, right; Renaud Deraison created it back in 1997; he was 17, by the way, makes me feel really like I've not accomplished anything. And, you know, he created a brilliant... all right, we've all seen Nessus reports: big-ass long report, okay? I've seen organizations have these in their inbox as something that they should action: "here, operations, deal with this for me, no problem, don't worry." No one noticed, so these reports go unopened and unactioned, right? Don't do this. When it comes to reporting, putting a 300-page security report in someone's inbox is pointless. Nobody's going to read it, nobody's going to do anything about it: pointless, right? You know, for me, I always talk about "tell me the five things that need to be fixed, not the 5 million things I shouldn't," okay? So don't give a 300-page report, even though we're one of the companies that creates massive reports, okay?

So we're told that what we should do to be communicating with the business is to have happy face, sad face. I've seen no other vendors talk about this. Massively insulting. Some of the smartest people I know are CEOs of businesses; some of the smartest guys and girls I know are CEOs of big companies, right? You meet them; they are really impressive people; they know their [ __ ]. In fact, I was talking to the CEO of a massive vendor, security vendor, and we were having a bit of a laugh about, you know, how rubbish antivirus is, and I said, "ah, antivirus, you know, it's terrible, we shouldn't create something because it's, you know, the same as everyone else's antivirus," and he said to me, "Gavin, 99% of organizations have antivirus; it's a good thing because we'll make lots of money," right? You know, they see things in a different way, but, you know, he's right, yeah. They think about money, but they're not stupid, okay? So putting a happy face, sad face in front of them is the quickest way to (a) lose your credibility and (b) get fired. Do not listen to anyone that tells you happy face, sad face, okay? As I said, what we need to be doing is communicating in a way that CEOs understand.

Now I've been quite lucky to be senior in organizations, right, and I get the executive report packs; I get the, you know, the monthly metrics of the organization. You know, I see it from marketing, from finance, from sales, from all the different business units, okay? All of it is metrics. Now Brad, our VP of IT, he does the same thing, right? He knows that the only way that he'll fit into this is communicating metrics as well. So let's give an example, right? Let's say that marketing give you some really good metrics on all the different parts of the sales process, and then your piece of the metric pack is either a happy face, sad face or a 300-page report, okay? Happy face, sad face, exactly, okay. So this is how I do security reporting now. One of the things that I'm quite fortunate to be able to do is talk to a lot of CISOs, right, and I get to know them. I often say, "show me your dashboards, show me your report, show me what you communicate to the business." They generally suck, okay? In fact, our mutual friend, that's a twin of myself, he showed me his report pack; it was actually really quite good, because he got a marketing guy to help him with all the graphics. Most of them suck, though. Now, I challenged a CISO a few months ago and I said to him, "show me your dashboard." He says, "show me yours. If you were going to go in front of the board and talk to them, how would you communicate security?" I was like, it's a really good point; I always ask people, I never show. So I created this, right? Took me probably about an hour to do that, okay? I'm pretty good at PowerPoint, by the way, but yeah, it took me about an hour to do this, okay?

So let's look at this for a second, right? By the way, the... so I've got top-line metrics, the top things at the top, and then operational metrics, okay? So, top-line metrics: by the way, top-line metrics will change for organizations. So, yeah, I often ask businesses, "what's your top-line metric that you use for security, to measure security?" And it could be the amount of money lost to fraudulent activity; that's BNP Paribas's main metric. Great one; difficult to measure, but it's a great one. You know, you talk to, you know, an online retailer: it's the amount of downtime caused by a security event, or the amount of accounts compromised, or whatever. You know, the top-line metric is the top-line metric that suits your business. So for me, I had to be a little bit more generic: security incidents, how many security incidents occurred that led to data loss. By the way, when you measure security incidents, measure data loss, okay? I don't care if you got malware; all right, you're going to get malware, okay? I don't care if somebody sniffed... oh, sorry, if somebody port scanned your network; you're going to get port scanned, right? Doesn't matter; it's an irrelevance. What really matters is the amount of data lost, okay? Then I also want to measure security activity, so how much downtime is security actually causing within the infrastructure, because that really matters, right? We need to know that security are doing stuff, but we also need to know that they're impacting the business in some way. So I can make an infrastructure really damn secure, right; you won't be able to do anything on it, but I can make it really secure. I can patch everything really quickly, but it's going to cause downtime, okay? So we need to have that balance in there to be able to report on it.

And then the operational metrics. I like to use these operational metrics, okay? There's lots and lots of different operational metrics; you can actually kind of exchange them in and out, but for me these are some of the really good ones. So talk to me about compliance, right: how much of my infrastructure is complying with our best practices, you know, be it PCI, be it CIS configuration assessment, be it whatever; it doesn't matter, but let's measure that, okay? Then let's measure visibility: how much of my infrastructure am I actually checking for weaknesses? This is a really important metric, because when you're standing in front of the board and you say, "we only have five vulnerabilities," and they say, "yeah, that's great; how much of the infrastructure have you checked, though?" "Er, I don't know." Your credibility's shot, okay? You need to measure how well you're doing on this type of stuff. Then remediation: how much of the infrastructure has had the biggest vulnerabilities patched in a timely fashion, okay? So, percent of internet-facing assets receiving patches to critical bugs in less than seven days; that's a really good metric, by the way; that's a SANS metric; all these are SANS metrics. And then prevention: percent of systems with up-to-date antivirus, or DLP, or whatever control, your percentage of systems that are protected by the firewall, whatever you want, okay? But I put AV on there because, well, people keep using it still. So for me, these are really good cyber hygiene metrics, all right? If you measure this stuff, if you walk into a meeting with anyone in, you know, a senior level and you put this stuff in front of them and say, "hey, this is what I'm doing in security, this is how we drive improvements," you are going to have a very different conversation with them, okay? "I noticed that our visibility is low; what can we do about that?" You're giving them something that they can actually have a conversation about. We're not talking about your cross-site scripting vulnerabilities, SQL injection vulnerabilities, all these things that they don't understand; we're talking about metrics that they do understand, that they can quantify.

So this is the next level down, right? This is the type of thing that we need to be communicating, okay? So, by the way, percentage is a really good way of hiding bad stuff, right? Yeah, so, "oh yeah, 50% of our systems have been patched." "Well, you know, our infrastructure is huge, you know, it's 10,000 systems," so probably, you know, five thousand of them are not being patched, or so. It's a really good way of hiding stuff, so you take it to the next level and you actually break it down. Now, I love to break things down by people, by ownership, okay? So let's say Javvad and I work together in a company, and, yeah, he works for the UK office, I work for the American office, and we have these metrics, right, that we measure the effectiveness of security with, okay? This month I kicked Javvad's ass on visibility and patching, okay? What's he going to do next? He's going to work his little tush off to try and beat me next month. But it drives behaviour, okay? If you can quantify it, if you can measure it, if you can then assign ownership to it, it drives behaviour, okay? So if we have the right metrics in place, we can improve overall security easily by assigning ownership.

Let me give you an example, right? So I used to work for Tripwire, another vendor, and I did an off-book project. Basically, I used my corporate credit card to hire a developer to create a new product for them. Yes, a little bit bad, but I wanted to achieve something. So I was bored; I knew a business intelligence developer; I threw a few thousand dollars at him and he came in and worked with me to create some dashboards using Roambi. I don't know if you've ever seen it; it's like an awesome visualization tool on an iPad. And I said to him, "you know, I want these metrics put into this platform." So he came in, he did it, okay, and I gave him some sample data, and then I added, for compliance, for each of the areas, I added ownership. So Jim the CEO I put down as owning the corporate network; Alex the sales guy, anything that has customer information on; Kevin the professional services and support guy, like the estate [unclear]. But I added ownership to these things. I then sent an iPad over to America to the CEO and said, "open this up, click this, play with this dashboard, let me know what you think. By the way, can I have five thousand dollars?" And so the first thing that they said... it was the sales guy, the VP of Sales; the first thing he said was, "the thing I don't like about this dashboard, Gavin, is the fact that I'm at 60% and Jim's at 80%." It's made-up, fake data, right? But that's the way people think. Yeah, they're really competitive; a lot of people are competitive. So, you know, adding ownership and assigning names is a great way of driving behaviour. So what's the most important thing on this slide?
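The metric pack described above, worked through as an added example that is not part of the talk or of any Tenable or Tripwire product: it takes a constructed asset inventory and incident list, computes the talk's visibility, compliance, prevention and remediation figures plus the two top-line numbers, shows each percentage next to its raw counts (the point about percentages hiding scale), and breaks the same figures down by owner. All asset names, owners, dates and incidents are made up; the seven-day patch window is the SANS figure quoted in the talk.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PATCH_SLA_DAYS = 7  # "critical bugs on internet-facing assets patched in under seven days"

@dataclass
class Asset:
    name: str
    owner: str                  # the person whose name goes on the dashboard
    internet_facing: bool
    scanned: bool               # did our assessment actually cover it? (visibility)
    compliant: bool             # passes the chosen configuration baseline (e.g. CIS)
    av_up_to_date: bool         # prevention control present and current
    critical_published: Optional[date] = None  # when its worst critical vuln was published
    critical_patched: Optional[date] = None    # when it was fixed on this asset, if at all

@dataclass
class Incident:
    description: str
    data_lost: bool
    downtime_minutes: int
    caused_by_security: bool    # e.g. an outage caused by our own patch window

def ratio(num: int, den: int) -> dict:
    """Report the count beside the percentage so a percentage cannot hide scale."""
    return {"count": num, "of": den, "pct": round(100 * num / den, 1) if den else None}

def remediation(assets: List[Asset], today: date) -> dict:
    """Share of internet-facing assets whose critical vuln was patched within the SLA.
    An unpatched vuln still inside its window is 'pending', not yet a failure, so it is
    reported separately instead of being silently counted as good or bad."""
    timely = overdue = pending = 0
    for a in assets:
        if not (a.internet_facing and a.critical_published):
            continue  # no critical vuln recorded, or not exposed: outside this metric
        if a.critical_patched is not None:
            if (a.critical_patched - a.critical_published).days <= PATCH_SLA_DAYS:
                timely += 1
            else:
                overdue += 1
        elif (today - a.critical_published).days <= PATCH_SLA_DAYS:
            pending += 1
        else:
            overdue += 1
    result = ratio(timely, timely + overdue)
    result["pending"] = pending
    return result

def hygiene(assets: List[Asset], today: date) -> dict:
    """The four operational metrics for one slice of the estate."""
    scanned = [a for a in assets if a.scanned]
    return {
        # visibility is over everything we own; compliance and prevention only over what
        # we actually scanned, because an unscanned asset's state is unknown, not "bad"
        "visibility": ratio(len(scanned), len(assets)),
        "compliance": ratio(sum(a.compliant for a in scanned), len(scanned)),
        "prevention": ratio(sum(a.av_up_to_date for a in scanned), len(scanned)),
        "remediation": remediation(assets, today),
    }

def by_owner(assets: List[Asset], today: date) -> Dict[str, dict]:
    """Same metrics, one row per owner, so every number has a name against it."""
    return {o: hygiene([a for a in assets if a.owner == o], today)
            for o in sorted({a.owner for a in assets})}

def top_line(incidents: List[Incident]) -> dict:
    """Top-line metrics: incidents that actually lost data, and downtime security caused."""
    return {
        "incidents_with_data_loss": ratio(sum(i.data_lost for i in incidents), len(incidents)),
        "security_caused_downtime_minutes": sum(
            i.downtime_minutes for i in incidents if i.caused_by_security),
    }

# Constructed sample data: two owners, eight assets, four incidents. Not real systems.
TODAY = date(2016, 9, 30)
SEP1, SEP27 = date(2016, 9, 1), date(2016, 9, 27)
ASSETS = [
    Asset("web-01", "Gavin", True, True, True, True, SEP1, date(2016, 9, 5)),   # patched in 4 days
    Asset("web-02", "Gavin", True, True, True, True, SEP1, date(2016, 9, 20)),  # 19 days: late
    Asset("db-01", "Gavin", False, True, False, True),
    Asset("laptop-17", "Gavin", False, False, False, False),                  # never scanned
    Asset("shop-01", "Javvad", True, True, True, False, SEP1, None),           # 29 days, unpatched
    Asset("shop-02", "Javvad", True, True, False, True, SEP27, None),          # 3 days, still pending
    Asset("mail-01", "Javvad", True, False, False, False),                    # never scanned
    Asset("kiosk-03", "Javvad", False, False, False, False),
]
INCIDENTS = [
    Incident("phishing mail opened, nothing left the estate", False, 0, False),
    Incident("unencrypted laptop lost with customer data", True, 0, False),
    Incident("web-02 patch window overran", False, 90, True),
    Incident("external port scan", False, 0, False),
]

if __name__ == "__main__":
    print("top line:", top_line(INCIDENTS))
    print("whole estate:", hygiene(ASSETS, TODAY))
    for owner, metrics in by_owner(ASSETS, TODAY).items():
        print(owner, metrics)
```

Run as-is it prints the whole-estate pack and then one row per owner; the estate-wide remediation figure (1 of 3 timely) looks very different from Gavin's 1 of 2 and Javvad's 0 of 1, which is exactly why the talk wants the breakdown next to the total.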

action clothes you like my trend lines good trend line yeah yeah so the trend line is good right it's good it's good but action points we need management sponsorship to ensure all operational teams have granted access okay if you want to see this improve if we don't want to have a sad face next month when I walk in I need you guys to support the work and help me have access okay okay Gavin no problem at all we'll go we'll help you with that that's what the business wants right tell them what the problem is ask for help set the tone at the top Drive behavior okay by the way if you suck at PowerPoint there's ways of cheating okay

Many people don't have PowerPoint skills. By the way, I've seen lots of vendors prepare lots of presentations, and people suck at PowerPoint, they're often a car crash. And, you know, if you do suck at PowerPoint there are ways of cheating. So I worked on a whole project called infographic security, pretty funny, right? But infographic security, it was all about using infographic tools to be able to create these reports. So this is Infogram, and this took me, with the data on a Google spreadsheet, Google Sheets, five minutes. I did it a couple of days ago, okay, just to get this screenshot, it took me literally five minutes. Here's my metrics, okay, here's the Excel spreadsheet that I always use, just dropped into Infogram, boom, there we go. Okay, so as you mature in your roles, or as you are now, communicating in a way that resonates with the business is a really important thing. Visualization: notice my slides as an example, they're really simple, slick. That's how you need to communicate, okay, not bullet points, right? If you're copying and pasting into a PowerPoint slide you're doing it wrong, okay? I have a rule that my fonts should never be less than 30 points on a PowerPoint slide, alright? So if you suck at PowerPoint, use Infogram, it's like ten dollars a month or something, okay?

Yeah, if you've got a CISO that's creating these metric packs for reporting, drop them into a tool like this, suddenly people care, right? You think about it, a lot of you, most of you use Twitter, the stuff that gets tweeted the most is visual things, yeah. If I post an infographic or a picture or something like that, man, I get loads of tweets. Like my biggest tweets, I'm a Korean, but I spent five minutes creating, you know, the Homer Simpson with the zero, you know, how many days since an accident, and I said how many days since an SSL vulnerability, and it had zero on there, cos obviously there was, like, a couple of years ago, that got retweeted like 500 times. Yeah, say something insightful, everyone ignores you, right? So, you know, people are visual, use tools like this to be able to communicate in a way that really resonates with them. Now, why is this really important? Okay, Warren Buffett, he knows his stuff, he's another billionaire, I've now quoted like two billionaires, I have no idea why, but they know what they're doing in business, okay. And Warren Buffett: I don't invest in things I don't understand. This is very true in business, okay. People invest in stuff that they feel that they can touch, that they can understand, that they can quantify, that they know. And so by us being techies and talking about cross-site scripting, people don't invest in fixing it because they don't understand it, okay. So being able to talk in this way really helps us, you know, being able to communicate in a way that resonates with the business really helps us, because if you don't get investment, security fails. If you don't get money you can't do stuff, you can't do important stuff, and so it's really important that we do think about this stuff. I know it's kinda like a little bit marketing-y, right, you know, it's a bit like, oh man, I've got that guy from Tenable, he's talking about making my slides a bit flashy. When I'm talking in front of people this [ __ ] matters, right, trust me. I sit in front of people talking about millions of dollars' worth of investment, my slides are slick as hell when I'm doing that, okay, because people are visual, they understand this stuff, and if I don't have that money I can't do good things. It's the same whenever you're going to the business to ask for money, to ask for budget, yeah. Imagine, let's say, yeah, Javvad and I are working together again here, we decide to work together again, the first time was a mistake, but this time is going to be different, and he goes up and he says, I need a new firewall. Why do you need a new firewall? Because it protects the network, it's going to stop people from being able to come into my network. Okay, yeah, fine, thank you Javvad for that insightful comment. And then I come in and I say, you know, we need X, Y, Z, because at the moment this is how effective we are at security; by the way, if you have this investment, this is how effective we're now going to be, and actually be able to demonstrate that in a clear, concise way, maybe even by an infographic if I'm feeling a little bit frisky that morning, maybe just by some slides. They'll invest in me, okay. Basically, to sum it all up: communicate like a C-level.

Okay, it's really difficult, right, you know, trust me, I used to be a huge introvert, right. My favorite thing to wear was an Oracle t-shirt, okay, I thought I was the mutt's nuts walking around with red Oracle on a white t-shirt, yeah, and I had long, long hair, give me a minute, I had long hair, yeah. And yeah, I was a massive techie, right, huge techie, you know, used to break into stuff, yeah, it's all cool, but, you know, I didn't communicate with the business at all, okay. I took a step back, yeah, when, after that massive horrible meeting where, you know, the VP of my company told me that I sucked, I took a step back and said, how could I be doing this better? This was the answer, okay. With that, if you have any questions or whatever, follow me on Twitter. If you don't, I don't, you do. Thank you, yeah, you clicked on it, yeah, you're looking for Javvad, yeah, it's J4vv4d, I know it's difficult, but, you know, yeah, I know, yeah, yeah, it does look leet, I know. Yeah, so yeah, ping me an email, I'm going to be around to about two o'clock as well outside, come and ask me any questions, but before we wrap up, does anyone have any questions they want to ask in front of all these other people? Yes. Tenable, thank you.

Thank you for that question, that was awesome. No, it's, so in reality it doesn't matter what tools they are, as long as you can surface this information easily. You know, I always say that an expensive firewall configured badly is just as good as a cheap firewall configured well, okay. So it doesn't matter to me what tools you use. Now, in reality what you're doing is you're getting, like, the key piece of information out of these tools and then you're just using Excel to manipulate the data. You know, so obviously, me working for Tenable, I've been banging on about this for a very long time, and yeah, we do surface this stuff really easily, right,

and, you know, yeah, we've got what we call an ARC, Assurance Report Card, marketing: Assurance Report Card, which does surface this information really easily, but lots of vendors are moving towards having metrics within their products, okay. Now you have to be really careful though, because some vendors think that some metrics are good; they're wrong, right. So as an example, AV vendors think that counting how many pieces of malware they've caught is a good metric. It's a terrible metric, okay. Let's say you caught 50,000 pieces of malware last month, yeah, right, well done, okay, you've caught 48,000 this month. What does that mean? Nothing, right? I said nothing. So from an operational perspective, yes, I agree, from, like, a security guy perspective that's a perfectly valid thing to do, right, yeah. Of the 50,000 pieces of malware that come in, what was the main vector of attack? By the way, it'll be Flash. And what was the main vector of attack? Right, uninstall Flash, you know. But it was, I've done well not to rag on Flash today, Adobe are probably very happy. So yeah, I agree with you, it's a really good metric, right, you know, which vector has been leveraged the most to be able to infect our systems, and how big is that infection, that is a good metric, right, you know. It's been like

vulnerabilities, don't count how many vulnerabilities, I don't care if you have five million vulnerabilities, it seems irrelevant, but tell me the distinct different vulnerabilities, vulnerability types, you know, web app for example, how many web app vulnerabilities, how many coding errors, how many configuration issues. Those sub-things are quite good metrics, but actually just reporting on the amount of malware caught is really bad, okay, because if you're at 50 thousand last month, you're at forty eight thousand this month, have you just missed two thousand? Have you got the same amount of assets on the network? You know, is it because there's less malware, there's not, there's less malware? All right, so what does that mean? Have I made an improvement? It's an immeasurable thing, it's pointless, okay. So, you know, be careful when you're looking at which products to use and what metrics you can get out of those products, because R&D create stuff that they think will work in the real world, often they don't, okay. So for me, go to SANS, SANS have the best ones, I think, right, go to SANS. By the way, that metric of measuring malware is one of the ones; I told you that some of them suck. But, you know, go to SANS, have a look at each effectiveness metric and pull out the ones for each control that you want, okay, and then use your usual products that you have to try and surface that data, okay, yeah.

This is true, yeah, people do use that, right. So yeah, I did a research paper with Vanson Bourne, basically, if you ever read in the press, you know, 58% of people said this, this, this, it's quite often Vanson Bourne that have done that. And so I asked them to do some research for me and one of the questions was, what metrics do you use to measure security? That was the top metric, okay.

Yeah, yeah, yeah, it is, it's an unfortunate reality, right. So, you know, for me, like, how many ransomware attacks have we had is actually probably a better metric now, because, you know, that is something that is really quantifiable and it identifies that you've got poor cyber hygiene that needs to be improved. Yeah, I always have metric conversations with CISOs that I've talked to, and I went and talked to a massive infrastructure, part of their critical national infrastructure, and I said, what metrics do you use? He said, before I tell you I'm gonna tell you what metrics I inherited. I was like, okay, cool, go on then, go ahead. And he said that metric, measuring the amount of malware, and he said we also used to measure the amount of events seen in our SIEM, right, which is, by the way, another really bad metric, don't do that, okay. So he went and reported to the CEO, literally to the CEO of this multibillion-dollar company, what a huge company, I can't say, it is a very large company, and he went and reported to the board and he put it in front of them and said, you know, these are the metrics for this month, and they went, ah, hang on a minute, hang on a minute, the amount of events has gone down from last month, why? He was like, I have no idea. Yeah, it's a really dumb metric, but he had to, while he was trying to bring his new metrics in, he had to actually fill his SIEM with junk to make sure that he's always going bottom left to top right, okay. Quite interestingly, he also told me that on his report for the pieces of malware he got pulled up on it, because two months ago he had exactly the same number caught by Symantec, okay, about forty eight thousand three hundred and ninety two one month, fourteen, you know, it's the same the next month, and the CEO of this multi-billion dollar company went, that's impossible, what's happened? And he got a roasting for it. Yeah, I hate this metric anyway, and you, I'm getting crap for it. So yeah, be careful what you surface. If that works for you, keep on going, I mean, yeah, if that's one of your top line metrics, that's awesome, you know, put it up in the top corner.

Yeah, FYI, good, yeah, thank you, great feedback, yes.

Yeah, and that's, that's a whole subject for another talk, right. I think that's a really painful thing, you know, I personally think that we are moving towards minimal shippable security, right, where there is no bells and whistles, we can't afford to do that anymore, it's, like, literally minimal shippable security, okay. There are many, many big security vendors that don't realize they're gonna die in the next five years, because people will not be spending, you know, five hundred thousand dollars on a firewall, okay, that's pointless, you know, that's just, just put a filter in there, it doesn't matter, you could use iptables, ipchains, whatever, right, I've shown my age, but, you know, let's just put a filter on. So, you know, for me, measuring the value of security is really, really difficult, especially in something that's an organization that's just shipping products, right. In reality, oh my goodness, I've got the red card, right, in reality, you look at, like, IoT is a really good example of where security fails: you've got cheap, quick, secure, you can have two of them, people always go cheap and quick and always ignore secure. And so it's a tough thing and we'll have to wait for another day, because I've been told that I have to finish, right. Thank you very much. [Applause]