
Host: Welcome Mr. Ben Johnson, who's going to be giving the keynote for BSides Augusta 2019. Just a little bit about Ben's background: he's the chief technology officer and the co-founder of Obsidian Security, and prior to founding Obsidian he was the co-founder of Carbon Black. So ladies and gentlemen, please join me in giving a warm welcome to Mr. Ben Johnson.

Ben Johnson: Well, thanks, thanks for giving me some of your time. Thanks to the BSides organizers for inviting me to come out; I live in Southern California, so a little bit of a hop here. Thanks to the university for hosting this, and all the other sponsors. Let's just dive in, right? If you can hold your questions, I usually go fast, so there's plenty of time for questions at the end. And I randomly noticed there's like a weird character in some of the slides, so I don't know what that is, but it's there.

I'll just give you a little background on myself. It's always weird talking about yourself, but I think it helps give you perspective on why I'm talking about the things I'm talking about. Much like maybe a lot of you, I got my start in the intelligence community, NSA around 2000, was doing some fun stuff, as many of you might be doing now or, you know, have done, and then went to a defense contractor supporting [inaudible], CIA and SOCOM. Best time of my life; I would have done it for free, and they paid us to do it, so that was great. And then I started doing some private sector work, started doing some incident response. My co-founder of Carbon Black, Mike Viscuso, and I and some others were doing some incident response, and it was forensics. We were like, why are you imaging hard drives to investigate malware? This seems archaic. So we came up with the idea of recording everything, created an endpoint agent, created a company called Carbon Black that grew to, now, probably twelve hundred people; VMware just announced they were gonna buy them. And in 2017 I said, you know, I want to do something different. I love early-stage, I love building, I love entrepreneurship, I want to start something new. So I moved out to California, started Obsidian. We focus more on SaaS security, cloud security, that kind of thing, and we're about 50 people. I love sitting on boards or interacting with other entrepreneurs, so a lot of what you will find in my slides, I think, has to do with building and sort of aggression and how you can move forward quickly. And I missed the mission. I missed the mission, so I work with DOJ and stuff with FISA courts; as you can imagine, they have nothing interesting going on right now, so, you know, it's pretty wild. But I work as basically an interpreter of the tech for
the judges, right? Cool.

All right, well, why are we here? Luckily it's a Saturday, maybe unluckily, I don't know, but it's a Saturday, so you should probably have fewer fires going on. You know, I don't see a lot of laptops open, that's awesome. You can take notes or do whatever, but the point is we're here to learn. And so really my goal is just to have you reflect, have you think about some stuff, and then hopefully you remember. And I see children, so I need to be careful about swearing and things like that. But I'm gonna throw a lot at you, and it's going to be some very high-level, maybe some a little bit more in the weeds, and hopefully everyone walks away with something. But the goal is really just to get you to think. You get all the great technical tracks the rest of the day, so that's where you dive deep; I'm more "hey, think about this, how can we do better" kind of stuff.

So it's an expanding universe, expanding enterprise. You have all this stuff, we keep growing our surface area, and yet look at everything we're doing, we should be perfectly secure. Not really. Look at all the stuff on there that doesn't actually, maybe, make you more secure, because we spend so much time on all sorts of stuff as defenders, and that's okay, but can we trim down some of this stuff, can we focus on what really matters? And when you think about defender challenges, there's a huge skills gap. Now we can debate, and I see lots of debates online about, is this real, or what's the cause, maybe HR doesn't know how to hire; it doesn't matter. I travel all over the place; there's not enough people, not enough people doing the right work, not enough skills. We need to fill the skills gap. It's great that there's the next generation of defenders here, and if you're under 18, please go into cyber, and if you don't work in cyber now, please go into cyber.

There's this thing, deployment decay, that I've preached about a lot; actually a fine gentleman named Casey Smith was the first one that mentioned the term, and it immediately stuck with me, because we set up our tech stacks, we set up our technology, and rather than get better over time, it gets worse. Now, new technologies, ideas like machine learning and things like that, have promise where they might become better each day, but in reality most of your tech stack is worse today than it was yesterday from a defensive perspective. The adversaries are changing, your environment's changing, your rules need to change. We just said there's not enough people, so you're not doing enough care and feeding to tune your rules, tune your detection, tune your other, you know, mechanisms. And then attackers have success, so just like any market, it breeds competition. If someone's sitting in Eastern Europe or other parts of the world and they can make so much more money on the cybercrime side than legitimately, what do you think they're gonna be tempted to do? And then finally there's just an explosion of data, right? I know when we spin up Amazon instances and things like that, we're thinking about terabytes, not gigabytes, and soon it's tens of terabytes and things like that, and you flip a switch, that whole thing might be public. So there's a lot. And I came up with this term a couple years ago, I'm not saying I necessarily came up with it for the very first time, but I
said, you know, there's this lack of cyber self-esteem, like this lack of "can we do it?" We need this Sesame Street Big Bird telling us, like, yes, we can actually make a difference. So maybe that's the role I'm taking today, is Big Bird. But this lack of cyber self-esteem; now, I'm happy to say this year it feels like we're starting to turn the tide a little bit, people starting to be optimistic, like yes, we can make a difference, but in general there's a lot of "oh man, it's really hard to stop the bad guy," a lot of burnout, that kind of thing. So there's a lot going on. I don't want to talk about the bleak nature of things, but give me a few more minutes on that.

And then you start thinking about cloud. Now, this isn't a cloud-specific talk, but cloud's here, it's new, or newer, yet who protects cloud? Amazon protects security of the cloud; you're responsible for security in the cloud. People forget that, or people don't understand that, so all this new stuff that we're adding is still our problem. And clouds talk to clouds. If you weren't aware of this, you probably are, but if you weren't aware of this, it's so easy to add integrations and upload files, move data, that kind of thing. So we have this very dynamic universe, very dynamic enterprise that we're trying to defend; we don't have enough people, the bad guys are doing well. It's tough, I get it. And just to throw some quotes in here, you know, I've heard like "IT is leaving us in the dust, going 0 to 100," right, or "we have no idea about these new SaaS accounts," or, I just heard the other day actually, a new high, which is "we have 1,000 AWS accounts." 1,000 at one company; how do you defend that? And if you're not doing a lot with cloud, or you're not doing a lot with IR, the IR companies are doing a lot with cloud. They're responding a lot to things like Office 365, G Suite, GitHub; those are getting popped.

Anyways, talk about the bad guys for a second. What would a talk be without some threatscape-type slides? Breaches are accelerating. In fact, you can see the latest data I have on here is 2017, because the point is not really the years, it's the fact that there's more and more of it going on. But I said, you know what, let's throw in a slide for this year: all sorts of headlines. Don't need to pick on companies, but you see it, you're sick of it, you probably don't even get an emotional rise anymore when you see millions of records, because you're like, yeah, another one. So we're not getting better. I hope we can get better, but we're not there yet.

And so who are these adversaries? And I don't know why that first picture didn't load, so maybe that's technical difficulty number two. You got cyber criminals; they want to monetize, whether stealing information or breaking into your AWS accounts, spinning up instances to do crypto mining, you know, mine Bitcoin and other cryptocurrencies. There's different ways they're making money, but they're out there, they're trying to make money. You get the hacktivists; they're trying to make a point. They might not agree with your political stance, might not agree with a product you make, they're just trying to show off, whatever it is, they're out there too and we have to deal with it. And then you get the nation-states, who are trying to steal your intellectual property or look up
information on their own citizens, or look up information on our government officials. And then you have the insiders; you have someone at your company that maybe wants to do the wrong thing. But really the main reason I put this slide here is because the first three all want to become the fourth one, the insider. If I'm a nation-state attacker, I want to get access to your environment as if I'm an employee, especially privileged accounts. So they want to get access on the inside. So if you are not thinking "how do I defend against insider attacks," you're missing out. And yes, there's the emotional side, like, oh, Joe or Mary or whomever would never do anything. Yeah, but what could their credentials do? What could your own credentials do? Are you trying to do least privilege? Anyways, we have a lot of adversaries we have to think about.

We also just have the human factor, and there's some challenges here. Defenders, we tend to defend infrastructure, but the attackers attack humans. These two things are not aligned. We're thinking about IP addresses, how do I defend this subnet, how do I defend this host; they're thinking, how do I get into the CEO's mailbox. We have to create better alignment there. And then it's not just outside, it's not just adversaries or malicious intent. Mistakes. Mistakes happen all the time. It is so easy, especially with cloud, to flip the wrong switch, have a public bucket, have a public database. And there is the insider threat as well, right? And I've been saying this, we've been saying this, I don't know who originally said this, you've seen CISOs of, like, Microsoft and Cisco literally say the same quote, but hackers don't break in, they log in. Rob Joyce, formerly, you know, at NSA, he said credentials are much more valuable, because you just log in; you don't have to worry about, is this technical exploit, can it work. And finally, if you're not getting hit hard, if you don't have lots of fires going on, does that mean things are good? I saw this in a TED talk about something totally separate from tech or cyber, so a TED talk: the absence of disease does not mean health. You guys all see this if you're working in IT or security; just because you don't have an active incident response, an active compromise, doesn't mean things are good. So we need to get more aggressive, we need to think, how can I make things better?

So, thinking about how we approach this. We can do better; in some ways we are getting better, but there's a hundred and twenty-seven new devices, not just bought but put on the internet, every second. So someone can do the math, and by the end of this talk, how many new devices is that? And you've seen this, and I don't know who originally came up with this, but data is the new oil. Really, what that means is data is super valuable; it's like the new way to create wealth. And so if people are after data and there's all these new devices, we are gonna be gainfully employed for a long time, and we got to take that challenge, we got to step up and know that this is not going to go away, it's gonna get worse. And in my travels, first at Carbon Black (did a whole bunch of stuff before, of course, in the intel community, but then at Carbon Black and now Obsidian), one of my main roles was traveling the
world to talk to people like yourselves. I've met with over 700 enterprises. 700,000 miles, that's not quite my travel, that's a little beyond, but sometimes it feels like that. The number one difference between a really good team and a not-so-good team is, are you approaching security as an engineering problem versus an analytical problem? What I mean by that is, if you're just creating a team, pointing them at some tools, some logs, and saying whatever comes out, you think about it, give me a report, done; if you're just thinking about it more like an analyst, you're not going to be as good as the teams who are thinking, what can I build, what can I stitch together, how can I solve this like an engineer, how can I reduce risk through building, through engineering. We need analysts, not saying we don't need that, but as a group you guys need to think about, am I approaching security more like an engineer? We need to shift our mindset.

So, related to the last slide, too often we have this passive mindset: oh, we're security, we just monitor the environment, we sort of take whatever people do in the business and then we just try to, you know, kind of monitor, secure it. You can think about it like we approach security with read-only access. We approach the environment with read-only access, and we just wait for events to happen to us.
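The "what can I build, what can I stitch together" mindset is easier to see in code than in a slide. The script below is an added example, not code from the talk or from Obsidian: it stitches three sources a defender already has (a threat-intel feed, an identity directory, and fleet-wide process telemetry) onto raw, context-free alerts, and ranks them so the one touching a known-bad indicator, a binary seen on only one host, and a privileged user comes out first. Every feed, indicator, host name and user below is constructed for the example; the scoring weights are an assumption you would tune to your own environment.

```python
# Alert enrichment pipeline (added example; all data constructed, not real IoCs).
from collections import defaultdict

# Constructed threat-intel feed: what "other people out there" say about an indicator.
THREAT_INTEL = {
    "ip:203.0.113.7": "known_bad",   # TEST-NET address used as a stand-in
    "sha256:c0ffee01": "known_bad",
    "sha256:0fficeaa": "known_good",
}

# Constructed identity directory: who is this user, is the account privileged?
USER_DIRECTORY = {
    "cfo": {"role": "CFO", "privileged": True},
    "intern": {"role": "Intern", "privileged": False},
}

# Constructed fleet-wide process telemetry as (host, process hash) observations.
FLEET_TELEMETRY = [
    ("ws-01", "sha256:0fficeaa"), ("ws-02", "sha256:0fficeaa"),
    ("ws-03", "sha256:0fficeaa"), ("ws-04", "sha256:0fficeaa"),
    ("ws-07", "sha256:c0ffee01"),                     # seen on exactly one host
    ("ws-02", "sha256:deadbeef"), ("ws-09", "sha256:deadbeef"),
]

# Constructed alerts exactly as a detection tool would emit them: little context.
RAW_ALERTS = [
    {"id": 1, "host": "ws-07", "user": "cfo", "sha256": "sha256:c0ffee01", "dest_ip": "203.0.113.7"},
    {"id": 2, "host": "ws-02", "user": "intern", "sha256": "sha256:0fficeaa", "dest_ip": "198.51.100.20"},
    {"id": 3, "host": "ws-09", "user": "intern", "sha256": "sha256:deadbeef", "dest_ip": "198.51.100.21"},
]


def hash_prevalence(telemetry):
    """Distinct hosts per hash: answers 'how frequent, how rare, how prevalent'."""
    hosts_per_hash = defaultdict(set)
    for host, process_hash in telemetry:
        hosts_per_hash[process_hash].add(host)
    return {h: len(hosts) for h, hosts in hosts_per_hash.items()}


def enrich(alert, intel=THREAT_INTEL, directory=USER_DIRECTORY, telemetry=FLEET_TELEMETRY):
    """Attach intel verdicts, prevalence and user context, then score (weights are assumptions)."""
    prevalence = hash_prevalence(telemetry)
    user = directory.get(alert["user"], {"role": "unknown", "privileged": False})
    enriched = {
        "id": alert["id"],
        "host": alert["host"],
        "ip_verdict": intel.get("ip:" + alert["dest_ip"], "unknown"),
        "hash_verdict": intel.get(alert["sha256"], "unknown"),
        "hosts_seen": prevalence.get(alert["sha256"], 0),
        "user_role": user["role"],
        "privileged": user["privileged"],
    }
    score = 0
    if enriched["ip_verdict"] == "known_bad":
        score += 50
    if enriched["hash_verdict"] == "known_bad":
        score += 50
    if enriched["hash_verdict"] == "known_good":
        score -= 40
    if enriched["hosts_seen"] <= 1:      # rare binary: worth a human's attention
        score += 20
    if enriched["privileged"]:           # the CFO, not the intern
        score += 20
    enriched["score"] = max(score, 0)
    return enriched


def triage(alerts):
    """Enriched alerts, highest risk first: the deliverable that reaches the analyst."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(RAW_ALERTS):
        print(row)
```

The point is not the particular weights but that the analyst now receives a record with the verdicts, the prevalence and the user role already attached, instead of a bare host, hash and IP address.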
Or can we flip it and say, no, no, we're gonna be aggressive, we're going to get write access to the environment? That can be figurative write access, where you're helping to implement policy and drive strategy; it can be actual write access, technical write access. But can you shape the environment? Can you say, no, no, we're gonna change this one thing, and guess what, downstream effects, way better? We have to think about it like this. We have to shift the mindset.

And there's this notion of essentialism. So if you're not familiar with essentialism, I got some book recommendations at the end, because I love book recommendations. I'm a huge book nerd; since I don't have free time, but let's just say, if I have free time, I read books on leadership, teamwork, all of that stuff; happy to nerd out on that. But my favorite book is Essentialism: how do you focus on the vital few things versus the trivial many? We all focus on the trivial many all the time. I still do it. All those emails, all those meetings, they don't actually matter. Not saying you can just ignore all of it, but what actually matters? Can you get to that root of what actually matters? And so the author, Greg McKeown, says basically, how are you spending your time, where can you get the best ROI of your time? We don't have enough people, we have too much going on, so security is ripe for this kind of thinking. How do you apply your time in the best way? So we'll come back to that.

So for the longest time we have said, what can I block, what can I prevent? We block, we lock things down. Cool, we need to do this, we need to continue doing this, but as many of you here know, we can't only do this, right? But let's call this slowing attackers down. We need to slow attackers down; nice and simple, slow attackers down, knowing that that's not enough. In the last, especially, 10 years, we shifted tons of resources, and probably thousands of cyber vendors, including my
company, previous companies, into detection and response. OK, we can't block everything; we have to be able to detect bad and respond. We added lots of tooling. We must find things quicker, react quicker, clean up more effectively. And so you started to see these new concepts emerge, like orchestration, where instead of an alert going straight to an analyst, and they have very little context, you send it to some automated system to validate, correlate, enhance. Maybe you enrich it with some threat intelligence, like what other people out there think about this IP address, this binary, these different types of attacks. What's this device, what can I gather from this equipment? Who is this user, is this normal for the user, is it the CFO or the intern? And then what would pop out is an enriched deliverable to then go to a human, or maybe soon not even a human, with much more context. And then can they quickly preserve evidence, clean up, kill processes, reset credentials? We've done this; maybe some people haven't gotten here yet, that's OK, but we've done some really cool stuff, and this saved a lot of time. So this is a positive movement forward.

And then what it allowed is for us to do things like threat hunting. By the way, this is a cybersecurity talk, so I'm gonna say about a thousand buzzwords, so I apologize, I should have said that at the beginning, but that's just the way we talk about stuff. So threat hunting: you have a hundred percent of possible detections, of possible things you should be alerted to. Your tooling is not gonna stop, it's not gonna tell you about a hundred percent; let's say it tells you about eighty percent. That gap between eighty percent and one hundred percent, you need to have a human mindset go in and look for the stuff that the tooling is not telling you about. And then when you find it, you go in, you give a little care and feeding, avoid that deployment decay, you upgrade your detection rules, your tooling, and now maybe you're at 81%. Now these are made-up numbers, but I think you get my drift. So we started doing some pretty cool stuff there, right? So we've done a bunch of stuff beyond blocking.

So, we good? No. There's this elephant in the room, or let's say several elephants. We have employees, we have contractors, we have guests, we have the almighty executives that don't want to run your agent. You go to places like law firms; every single partner is basically like a CEO and wants to do their own thing. You go to, let's just say, parts of government, where there's a lot of different elected officials from, let's say, different jurisdictions; they each kind of run IT themselves, they don't really follow a consistent standard. So it's kind of scary, but we have this big mass of people we have to worry about. So what do we do? We start saying, don't click, be paranoid, don't circumvent us, don't install that. We start forcing training; I do that, you know, I'm the acting CEO as well at Obsidian, we have to do that, a lot of times an audit and compliance requirement, or e-training. So we start pushing training on people, often the lowest cost we can get away with, and we start preaching. So let's call this "discourage bad behavior." By the way, the previous one, let's call that "speeding defenders up"; I forgot to mention that. So slow attackers down, or speed defenders up. So now we're trying
to discourage bad behavior among the population. So, are we good now? We realized as a community that's not enough either. We can't say no; that's basically the reality of a CSO or security team in the corporate world. You can't say no, business is trying to move fast, especially with SaaS and AWS and these other tools; you can't really say no anymore. "No has become 'yes, but'"; this is a direct quote from my friend on a panel the other day, he said that. I said, oh, so the CSO is the "but" of the organization, right? Hopefully not, thankfully. But so you have to say "yes, but," and you have to do it more collaborative, more constructive. You, or we, if you're working in cyber defense, are still accountable. Can you just complain when something gets breached and say, yeah, but they didn't work with me? Yeah, they might get slapped on the wrist, but you're still in charge of security. You have to collaborate. And what you hear a lot of times is, why did that person click the link? Most of the time they're smart enough to know they shouldn't have clicked it, but really what happens is maybe they didn't care. They didn't care, right? They thought, oh, this might be bad or whatever, but, you know. So apathy; sometimes they just don't care. So can you appeal to the mission, the purpose? You got to start thinking about, how do we work together, how do we get people believing in the reason for cyber defense and cyber security? It's not just an intellectual thing, it has to be an emotional thing. People have to care to help keep it safe, to care to come report to you when they did something wrong. That's mostly the heart, right?

So we have to enable security and assessments and everything that goes with it upstream. We need it earlier, we need it easier and cheaper to correct, right? We have to get into the software lifecycle, so we have to get into processes. We need to be a great partner. Really, what we need to do is encourage good decision-making. You know, if you think about, and I've never worked in, like, a candy factory or anything, but if you think about, like, a candy factory, they're checking the candy as early as they can, like as soon as it comes out of the oven, they're doing some QA on that, trying to see, is this the right thing? They don't wait till it's in the box, shipped to the store, and then try to go all over the place and check. They might do that as well, but most of the QA is as upstream as possible. So we need to encourage good decisions.

So we start putting these together. We want to slow attackers down; that's really thinking about the adversaries. You want to speed defenders up; that's thinking about InfoSec. And then everyone else: we want to discourage bad behavior and encourage good decisions. With me so far? Yeah, cool. Now I'm gonna change the wording just a little bit. So, and I'm still trying to figure out what to call this thing, so this is the first time I've talked to people in a large audience about it; happy to take any feedback. By the way, all the slides are available, happy to chat, I'm here the rest of the day, I would love to catch up, answer any questions, give you my opinion on anything, so I'd love to connect. But, you know, we want to slow attackers down, but
you're not really, like, it's not like football, where you're at the goal line and the attackers are on one side and you're on the other. Really, there's a bit of distance, right, because you're sort of in the back, and in the middle is your environment, is your employees. And I'm gonna call that driving default security, because that's what we want to do. We want to slow attackers down, speed defenders up, and we want to drive default security. That's the reason why I wore a shirt that says "default aggressive" on it today. Drive default security; we'll talk about that a little bit more.

So we think about this. First of all, communication. I bet pretty much everyone here gets way more excited about using Kali Linux or Metasploit or, you know, whatever the tool is now; I'm too busy, you know, managing people and stuff to be caught up on the latest things. But you probably get more excited about exploits than defending and hardening, and that's cool, we need that, we need a lot of that. But if you can't communicate, you're kind of dead in the water, at least if your team can't communicate to the rest of the business. So can you communicate what matters, why you're doing certain things, why you need to be involved in that new marketing initiative to consider, you know, some new technology they're bringing in? So the reason I like this wording that's been picked out is because it's simple. You can say, hey, CEO, yeah, this month we're really focused on slowing attackers down, or we're focusing on speeding defenders up, or we're driving default security throughout the organization. And I love Dilbert cartoons because they're so realistic, actually.

OK, so you're thinking about slowing attackers down. Can you create fewer entry points, make it harder to compromise? Now luckily some of this stuff also improves employee experience. You add single sign-on, everyone's going through the same single sign-on, cool; they log into one thing and then they get to any app they need, or mostly. That's awesome. It also means you can really monitor one choke point, and then you can make sure everyone logging into that system is using multi-factor authentication. But you also have to think about, you have to disable some of the legacy authentication protocols. I was just working with a team that was having 400 compromised accounts per day; they disabled legacy authentication, they went down to one or two, because a lot of times legacy authentication doesn't require MFA. So you've got to think about that. And then of course things like anti-phishing, ways to just kind of block all those attempts that are coming in all the time. But can you slow attackers down, make it much harder for them to get in? And feel free to take any pictures of any of these slides, but like I said, these will all be shared as well.

The other thing is attack vectors, right? So who's familiar with, like, OAuth apps? Probably a lot of people, right? So let's say you're using Google Drive, right, probably familiar with, you know, Gmail, and you can use their Google Docs thing. A lot of times what happens is your document by default gets shared with your domain, right, everyone in your environment. Cool. But that guy over there just installed an OAuth app and he gave it entire access to his account for Drive, so now your document's not only shared with your company but with that random Moscow application. And any user can just do this; it's all about productivity and speed and integrations. And so now the
sort of threat landscape of your environment is so different, because employees can just add to your surface area like that. And then some other things that may be a little bit more on-premise: just disable PowerShell. And you're gonna say, yeah, I can't, 'cause IT needs that. Can you disable PowerShell six of the seven days per week, and on that seventh day only enable it for one hour? You can push out your updates then. Just do it. Yes, I know a lot of what I'm saying is easier said than done, but can you start to think about how you might get there? Or it's only enabled on even days or something, right? You at least cut that down. Remove local admin; yeah, I've been preaching this for a long time. And whitelisting; I know sometimes whitelisting is hard, but what's a great example of whitelisting? The iPad. You can only install from the App Store, or at least it's hard to install from other places, and it gets scrutiny on every app that goes into that App Store. So can you think about how you might approach something like that? So we're thinking about how do we slow attackers down.

And then speeding defenders up. Visibility: can you collect, essentially, continuous recording? Could be network packets, host logs, cloud logs, DNS requests. But can you enrich those? Can you tie that together with some threat intelligence that says, oh, this is known bad, this is known good? And then how frequent, how rare, how prevalent? And then who are these people, or, you know, is this a known bad binary spawning all these other things? It's good to know all those relationships. But this is hard enough; it's really hard when your environment looks like the left, and I've sat in traffic like that in Asia. If your environment looks like the left, and I'm guessing a lot of your environments do, it's hard, I get it. You have all this on-prem stuff, maybe a bunch of cloud stuff, you have some Windows XP maybe still, I don't know. But can we at least try to get to the right, try to get to the right, where it's much cleaner? You have gold images, you have consistent AMI images on Amazon, you're using consistent containers; all that consistency, then you can look for the anomalies much easier. When there's no consistency, it's the left; when there's no rule following, it's the left. Remember we talked about the heart; you got to get into people's hearts and say, guys, we need help, we need to get closer to the right. Guess what, IT wants the right as well. If you have a divide between security and IT, IT wants the right; they want a clean environment, no one wants to deal with that. So we have to reduce entropy, reduce all of that crap.

And then vendors. How many vendors are there? And I'm a vendor multiple times over, so I get it. I think there's like 2,500 startups now in cyber, something crazy like that. Push on your vendor, push on them. What does it cost you? A question like, hey, can you add this? Maybe a little bit of time to describe what you're looking for. Push on them. If you bought something in January for a year, most software and stuff is a subscription now, annual subscription; if you bought something in January and you're coming up on renewal, this January's product had better be a lot better than last January's, and if it's not, ask the vendor why. Make sure that they're progressing, that they're moving
forward, so you're paying for a better product in 2020 than you paid for in 2019. Push on them; you can tell them I sent you, I'll get all the, you know... push on. So we need to speed defenders up. You need telemetry, you need access. If there's an incident and you don't have access, you're gonna be running around begging for access in the middle of a fire. I've seen teams that see some compromise in O365, they have to put in a ticket and hope within a week to get the logs from IT, because they won't get access. That's just an example, but make sure you have the access you need to do your job. Sounds dumb when I say it like that, but reality is hard, right? Leverage the hell out of your tools. You got plenty of tools; every tool you have right now, I guarantee you you're not getting a hundred percent of the value out of it. That's just the way it is, that's just reality. You see some awesome demo, you might get a lot of value out of it, but there's always more. Can you pick one or two that are really helping you and figure out how you can get maybe a little bit more out of it? Maybe there's some new features you haven't even seen because you skipped that email from the vendor saying, hey, we updated something. I mentioned push on your vendors.

Write code. I even put this in here twice; why? Because it's important. Write code. If you don't know Python, just learn Python, it's really easy. And if you've never coded before, I get it, there's a learning curve, but you can learn it, and Python is super popular in security. Write code. A lot of the teams out there now, they only hire software engineers to staff their security teams, because so much of it is carving up data, pulling together different APIs, you know, really applying that engineering mindset. I think Dino's talk at Black Hat, the keynote, I think was about software engineering is really how you do security now. So you've got to be able to write code. And then retrospectives: did you share any lessons learned? Are you gonna go in on Monday being in a better place than you were last Monday? Did you carve off time to add a new rule or tune your technology? If you didn't, go do it. Again, I've lived in everyone's, for the most part, positions; I get it, it's tough, but you got to figure out how to do this.

So, driving default security. This is probably, you probably think about this a little bit less than maybe the other things. You know, maybe if you've worked in security for a long time, you're already thinking about prevention, detection, response, what have you. Can you start to enlist other people in the business to essentially attend security boot camps, or basically sit as a full-time security person for a couple weeks? And guess what, you can make it a perk. Cybersecurity is hot; grandma out there is worried about hackers right now. It sounds a little cheesy to say that, but the point is people are excited, they want to know. Like every time I talk to someone, they're like, oh, you're in cyber, and they won't shut up on the plane. Make it a perk; everyone wants to learn. So instead of making it like some 1970s, like, security awareness, you know, video that no one wants to watch and they feel forced on, teach them how to
secure their personal Gmail teach him how to secure the Linksys router at home I mean tell them how to watch out for suspicious activity for their Tesla account right but you can start to do these things that are a little bit more creative and gets more buy-in in the heart in the mind and you know one of the one of the teams I talked to West Coast team that's just just phenomenal they said of all this stuff they do the best thing they've done is they pull a full time DevOps person into security for two weeks sometimes longer then they roll them back out as basically a full-time security person they still are a DevOps person but they now have a much
better understanding of how security operates. They just keep rotating through the team. They said this is the number one thing they've done to improve security: just bring people into the team, have them sit with you, go through that boot camp together, roll them back out. You also have an ambassador, you have a connection, you can call that person and say, hey, I really need help with getting this telemetry, or what have you. So think about that: can you do stuff like this? I'm throwing a lot at you because I know you can't do it all, but I'm hoping you can use some of this stuff. The other thing is, we think of
access as binary: you have access or you don't have access. We need to think of access as having a half-life, as decay. As soon as I give you access to something, it should start decaying, so the moment it is granted you are moving to a more secure state if no one does anything. Default, right? Talking about default: if no one does anything, it's going to end up in a more secure place if you continue on this path. You have to actually go out of your way to extend access, whereas what do we do now? We do the opposite. You actually have to go out of your way to clean up the accounts. And I don't know if you can see, but that's
just an example. Then you get these messy environments where the blue area is what's used and the purple is what's been provisioned. You have all this extra surface area, all this extra risk, extra accounts you have to look at during a quarterly review. So can you default to a more secure future? Think about access as having a half-life. A bunch of other stuff: we're probably all dealing with things like SaaS, you know, Office 365, Salesforce, GitHub, whatever, a whole bunch of different tools. Can you establish processes to review those upstream before they're purchased? Can you be involved? I'll tell you a secret: you have to make the
process easy, because if you don't, what do people do? They go around the process. So you have to truly be a partner. We have a process where our privacy and security folks analyze everything we want to add to our environment, but we know we have to do it quickly or engineering is going to be slowed down, or eventually people, you know, they're human, they want to get their job done, they're going to find a way around it. So you have to do that. Have an access review process; ideally it's more "what do we need to extend" versus "what do we need to turn off." And then have sponsorship for guests and contractors.
How many times do you see that contractor account, could be a service account, and you have no idea who put it in place? Probably everyone in this room has seen that. Can you tie that better to an actual employee who's accountable for that access? We talked about single sign-on: just get everything going through the same funnel so you have more security by default. And then things like file sharing: you can set file sharing in a lot of these apps to require a mandatory password and to expire, rather than just sharing it forever, so by default you're more secure. And just disable things like mail forwarding. Just do it. Why allow that? Disable external calendar access. All these
things that the adversaries use to get into your environment, or to further their cause, or send out spam on your behalf: just flip a single setting and you're in a better place. You're more secure by default. I know it's hard, and I know you have to have conversations; that's why I started this with "you have to be able to communicate." Just think about some of these things. And you start thinking about infrastructure-as-a-service, things like AWS: there are settings you can implement that say no to public sharing, or to networks or buckets that would be public. Just disable that stuff, so by default it's more secure, more safe, and someone has to go out of their way
or get an exception to be a little bit more risky. Centralized access. I think if you're in an engineering shop you're hopefully already doing this, but can you implement static and dynamic vulnerability scanning during the build, before it even creates the binary or whatever your output is, before you ever ship it to production? And then make sure people are educated on that shared responsibility model, where Amazon or Microsoft or whomever is only responsible for a small sliver; it's still on you, still on DevOps, still on infrastructure, right? So can you get everyone thinking about more default security built in? So, wrapping up: it's all about people. I'm throwing a lot at you, but at the end of the day it's
all about people. We can do this, we can influence. I've seen some amazing things out there. We need leaders. I truly hope everyone in this room walks in on Monday into their environment feeling more like a leader. Maybe you already do, but feeling like a leader, like "I can make an impact." You might be the freshest person on the team, the youngest person on the team, you might have a thousand people reporting to you. Doesn't matter. You can be a leader. You go in and you say, we're going to make this change, this positive change. And you need to be aggressive. If you're passive, security is just not going to get the seat at the table it needs. You have to be
aggressive. You have to get that buy-in. And I love to say all progress is people and all problems are people. That's what I believe. So you've got to work with the people. So how can you get buy-in? How can you make it so people believe in your cause, and have to go out of their way to add more risk or be insecure, rather than that default more secure path forward? So if you start implementing some of this, you work on culture, right? You've got to think about the culture. If everyone is doing it, or is helping just a tiny bit, if you have a thousand people and each person helps like 1% more, that's better than a
headcount, right? You've got to have that culture that's going to report that incident, going to report that privacy violation, that's going to do the right thing when they're building the API. So you've got to create leverage. There's a lot more of them than there are of us, so we have to think about that. And it's different teams, same mission. So if you have frustrations, remember that: same mission. Okay, take a deep breath, go have a conversation, ask why you're getting pushed back, why you're getting friction. I was fortunate enough to give talks at a couple conferences where they got the gentleman in the bottom right, Captain James Weatherby, to speak, so I got to hang out in the
speakers' lunch with him, and he said he would go to all the people on the left and make sure they knew who he was. He was a human, his life was at risk, they weren't just screwing a bolt in, they were helping him complete his mission, right? He made sure that there was a lot of that human contact so everyone understands they're working together. So, different teams, same mission. You're going to run into friction. That's okay, have a conversation. You're all into making a business successful. And then, just getting technical for a second: there's so much open source stuff out there. Go try it. Maybe you have to try it in a lab or try it at home first, but
then ask your team if you can bring it in. Yeah, a lot of the cost when implementing a tool is not just the financial license cost; there's the time, the administration, the care and feeding. I get it. But can you try some of this stuff, even in just a small remote office or some part of your business? If it works there, then you scale it to the entire corporation. I've seen teams that bought $20 credit cards and sprinkled the numbers throughout their environment, in different files and in different places, and then they just wait for a charge to happen, and that's a great signal that something bad happened. Cost them like a
thousand dollars total, 450 of them, right? I'm not saying that's the best idea in the world, but it's simple, it's creative, right? And you're probably sick of hearing this, maybe you're even sick of saying this, but really the attacker has to be successful once, right? You're the goalie in soccer and they're shooting kind of unlimited penalty kicks. Okay, it's a little bit better than that, but you get the drift. But a big part of this talk is really how do you influence the environment once they land in your environment? That's your turf. They're across enemy lines at that point. They should have to be a hundred percent perfect, and they're
not going to be. Really, you're the casino, they're the card counter, right? You should have the odds in your favor. I know a lot of times we don't feel that way, but can we feel that way? Can we get to that place? So we want to slow attackers down, we want to speed defenders up. Can you drive default security? Three favorite books, if you're like me, everyone loves a book recommendation: Essentialism, how do you focus on the vital few versus the trivial many; Extreme Ownership, especially if you're a military crew, basically just how do you do more yourself, right? You can always do more. How do you do more, how do you get ahead of the game, how do you
reflect and get better for the next time? It's told very well through, you know, combat lessons learned. And then Team of Teams: how we had to reorganize to fight al-Qaeda in Iraq, because they just moved much more quickly than our military, and so what did they have to do to coordinate across Special Operations? And with that, we have about 10 minutes or so. Open to questions, and if there's no questions that's okay, come up to me after. I get it, Saturday morning. Yes?
So you might have heard, but I'll just repeat it for the video, or just to make sure. So, you brought up half-life for access: what tools are out there? So there are some tools out there that are good for maybe privileged access, where you can check out and choose it for a period of time and then by default it expires. It could be 15 minutes, could be a week, whatever. But in general there aren't a lot of tools that will do this across your entire environment. And the thing that always, I'll say, kind of irks me a little bit is when people have an all-or-nothing approach, right, where they say, oh, this doesn't cover a hundred
percent of my environment, I'm not going to do it. Or, you know, I have a hundred thousand endpoints and you only cover 98 thousand, so I'm not going to do it. It's like, you've got to take wins where you can get them. So with access, can you start to find different applications? For example, Slack. Now I know that's a newer thing, and maybe it has more capability, but when you add people to Slack you can actually say when their account expires, and Slack will give you a nice message like three days beforehand and say, hey, do you want to extend this user's access? All you have to do is click yes. Now that might not be the most scalable thing, but can
you start to find other areas in your environment that are going to scan for access, and when people are granted, after 90 days they're going to, you know, automatically say, does this person still need it? So I don't have a great answer on a specific set of tools that'll do this. It's more of a mentality: how do I implement that? Thank you.
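The "access with a half-life" idea from the talk and the 90-day "does this person still need it?" check from this answer, as an added example that is not the speaker's code or any tool he names: a small ledger where every grant expires by default, the sponsor is nudged shortly before expiry and has to act to extend it, and a sweep revokes whatever nobody extended. The 90-day TTL, the 3-day notice window and the sample date are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical defaults (not a tool from the talk): decay after 90 days, 3-day nudge.
DEFAULT_TTL = timedelta(days=90)
NOTICE_WINDOW = timedelta(days=3)
T0 = datetime(2019, 10, 5)   # constructed "now" for the sample scenario


@dataclass
class Grant:
    principal: str   # user or service account
    resource: str    # app, repo, bucket, ...
    sponsor: str     # employee accountable for this access
    expires: datetime
    last_used: Optional[datetime] = None


class AccessLedger:
    """Access with a half-life: if nobody acts, the grant is revoked."""
    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def grant(self, principal: str, resource: str, sponsor: str,
              now: datetime, ttl: timedelta = DEFAULT_TTL) -> Grant:
        g = Grant(principal, resource, sponsor, now + ttl)
        self.grants.append(g)
        return g

    def find(self, principal: str, resource: str) -> Optional[Grant]:
        return next((g for g in self.grants
                     if g.principal == principal and g.resource == resource), None)

    def extend(self, principal: str, resource: str, now: datetime,
               ttl: timedelta = DEFAULT_TTL) -> bool:
        # The only way to keep access: a sponsor has to act explicitly.
        g = self.find(principal, resource)
        if g is None or g.expires <= now:
            return False   # already decayed; re-grant through the normal process
        g.expires = now + ttl
        return True

    def expiring_soon(self, now: datetime) -> List[Grant]:
        # Grants whose sponsor should be asked "still needed?" (the 3-day notice).
        return [g for g in self.grants if now <= g.expires <= now + NOTICE_WINDOW]

    def sweep(self, now: datetime) -> List[Grant]:
        # Revoke everything past expiry by default; returns what was removed.
        expired = [g for g in self.grants if g.expires <= now]
        self.grants = [g for g in self.grants if g.expires > now]
        return expired

    def provisioned_not_used(self, now: datetime, window: timedelta) -> List[Grant]:
        # Provisioned-but-unused access: the purple-minus-blue area in the talk's diagram.
        return [g for g in self.grants
                if g.last_used is None or now - g.last_used > window]
```

Run `sweep` on a schedule and route `expiring_soon` to each grant's sponsor; anything the sponsor ignores decays on its own, which is the default the talk asks for.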
He said 700,000 copies. So the question is really successful examples of buy-in. I think in general no one is a hundred percent successful, right? Like, you're going to have the skeptical person that just doesn't care, but you have to keep working on that. I think in general you have to start with either executives or middle management, but at the same time kind of think about how you're going to approach the general population. And that's where I think, if you really work on, you know, kind of more perks, like it's a perk: hey, come to this training and we're going to talk about how to secure your Gmail, and things like that. The other thing is,
you know, I've seen organizations where I truly believe it's been successful, but it's this multi-pronged approach, right? So it's giving some training that feels like a perk; it's making sure the CEO or high levels of leadership take security seriously, because if your leader doesn't, it's hard for you to take it seriously. And then you can't slap people, right? If they come report something, or got phished, you work with them. You're like, you know what, I know, yeah, this email looks really awesome, it looks legitimate; here's why you can think about it differently. But you have to have that sort of bedside manner
to go work with the person so they don't feel like they got in trouble, right? And really just education, education, education. So yes, I've seen some examples like that. I haven't seen anyone that's like perfect, but there are definitely organizations out there where everyone takes security seriously, and I think it really starts with believing in the mission, and how if we're not secure, our customers, who are maybe doing some amazing thing, they're going to fall down, or they're not going to have our services, which they need and it's vital. So it really starts with that heart, and then figuring out the different ways in your environment, whether it's talking
to leadership, or it's offering training in a more constructive way, or not being the, you know, slap someone, punch them in the face kind of thing because they clicked on the wrong thing. So I think it's a multi-pronged approach. Long story short, yes, I've seen it work, but no one's perfect. So the question is, if you want to move upstream in software development, any specific resources? It's probably best to get back to you with actual lists, but I think first of all it starts with making people understand security is a big deal, treating any sort of security defect as
a true bug, right? Like, hey, if you have a security flaw, it's just the same as if the product's not working correctly for the user. So there's a bunch of that stuff. I think we use a website called Hacksplaining, something like that, just to get our developers to do some training around, you know, what is SQL injection, what are all these other techniques that might be more related to software development. And then there's a bunch of great training out there too, where you just kind of get them to learn. The other thing is some of the tools now, like GitHub, GitLab, etc., you can get certain versions that
automatically at least do vulnerability scans and things like that, right? So every time there's a new check-in it'll say, oh, you added three vulnerabilities just on this change. Usually the change is small, or most check-ins are small, so then you can have more of a discussion, or they fix it right then. So, like most of the stuff I'm talking about, it starts with the philosophy and the mindset, and then the technical side is more specific to your organization. Thank you. People need to walk to their next thing, so going once, going twice. All right, thank you so much for having me. I'll be around all day. [Applause]