
You Can't Pour from an Empty Cup

BSidesROC · 57:05 · 116 views · Published 2025-03
Tags: Style: Talk
About this talk
Hot takes to create a stronger security core, backed by the number one human motivator: emotion.
Transcript [en]

[Applause] And with that, I'm gonna turn it over to her. My goodness, thank you so much. I'm glad you actually saved the best for last. Friend is like where I was going to start weeping. Um, so, uh, full disclosure, I am Moose. Uh, normally I am not larger than life, but I am too right now. So, I am giving you this keynote while pregnant, and I never thought that would happen. So, I'm very excited about that. Um, thank you. Clap for him because he's going to need it. Um, all right. Uh, so I want to jump right in. Uh, because I'm I'm going to talk quick. I crammed a lot in here. I I wanted to be cognizant of

like, okay, who's in the audience? Um, could be engineers, could be CISOs, could be uh people getting into the field, could be hackers. Um, so gave a little bit of everything hopefully for everyone in here today. Um, and if not, just some catharsis. So, I wrote the title for this talk before some news came out, which is why the first title is crossed out. Um, really wanted to talk about, oh, put your oxygen mask on first because that's a really cool saying that we all know. And then, um, planes started having issues and I went, that's going to send the wrong message. So, uh, last night changed the title and a few content options in here. um and

and really want to talk about how you can't pour from an empty cup. Um and what that means. Um so there are a few t hot takes in here. It's a little bit spicy. Um also this is the first talk I have ever done without the influence of caffeine. So we're going to see how this goes. But Kathy just scared the crap out of me thinking we were going to mention my employer, which we're not going to do. So like the adrenaline has me going. So we're going to do just fine. All right. So about that pouring from an empty cup. Um really the analogy is for this. Um you cannot help the organization that you're working with

whether that be private, public um or yourself if security has the wrong tools, people and priorities. And so we'll talk a little bit about how to get that in place and what those are today. Um but before we do that, who am I and why am I here? Um just a little bit about me. Actually Kathy went over most of this. Um, I get people out of bad situations for money, uh, when I'm getting paid for it. I've done it without money. So, like a little bit of both. Um, I have ADHD, so I've had a million other jobs. I was a ballroom dad's instructor. I was an autopsy tech, lifeguard, fully artist, vet tech,

bartender, whatever. Um, I am a mother of cats, like Kathy said. I love animals. And I'm located in Brooklyn. You can find me on Twitter, Blue Sky, whatever. I am Litmoose. Um, so we're gonna just jump right in. What are we talking about today? Um, this is my ADHD showing. I promise all of these go together. Uh, so first and foremost, security is an emotion. We're going to talk a little bit about that. We're going to get in touch with our feelings. Um, Sims as we know them today are dead. Um, insider threat wears many masks, including AP. Uh, most people think of like malicious, non-malicious, insider threat. We'll talk about who's doing it a lot right now. Um, and it's it's not

who you would think. Um, or you read the news and it's exactly who you think. Um, AI is just machine learning that marketing humans learned about and strapped extra dollar signs onto. Yes, I'm serious. Yes, this is why we're not associated or affiliated with our employer today. Um, most of it is poorly executed and has been pushed too early. Do we even care about sensitive data structures anymore? And if not, can we at least pretend? Um, and then UBI keys. Uh, I'm so thankful that everybody has started putting hard tokens. And I I say Ubi because that's what most people are familiar with. Have put that in place for 2FA. They're not going to save you.

Um, so let's talk about that a little bit. And then if anybody asks, my name is Moose. Just Moose. Um, I work for everyone and no one. And I am definitely not here representing anyone. All right. So security is an emotion. Um so while you may resonate with some of the hot takes today, uh we are security people that have to work with other humans. Uh and in order to make successful changes at your organization, it really really matters how people feel about you, how people feel about the people you work with, and how people feel about your project and your missions. um that is actually how we get to a win. It's not you know how

good is it, how underbudget is it, how um much it makes sense logically on paper. Um logic actually is the last thing humans think about uh psychology-wise really people remember you based on how you make them feel. Um so having that forefront is really hard. Uh I say it's hard even though it sounds easy to say out loud. Um, I'm an engineer to my core. I would rather sit at home with my computer and my cats than really convince someone of anything. I'm a terrible social engineer, for instance. So, this is this has been a struggle my whole career. Um, but we're going to go into how we do this. All right. So, let's start by

filling up your cup. Hardest thing budget. Uh so I made a really hot statement uh that a lot of people are not going to like which is uh SIM or SE security incident uh event management tools as we know them today are dead. We should mourn them. We should like take take a moment and and take a beat to recognize why. Um but then we should ultimately move on. So why are they dead? Well, starting in 2005 is when this uh term was coined, but it's basically uh a tool that you know we all used to use of you aggregate all of your logs together in one spot and then you build detections off of it. Uh, and that

will be your alerting system. Your security operations center or your IR analyst or whomever is looking at that data is going to use that one-stop shop to alert them as to bad things or good things or misconfigurations happening within your environment. And the whole goal of a SIM was it catches everything. Why is that dead? Um, well, cloud happened, then containers happened, and then all of these applications happened, and then we did a lot of open source things, and then, oh, by the way, dev shops, like we'll just add anything to GitHub. Um, so data size, retention, all of that does not scale. And the companies that sell these know it and they are making so much

money. Um, and it's so much that now CISOs and senior directors, directors, managers, wherever you sit in the company, if you're in leadership in this room, my heart goes out to you right there with you. When you're doing budget, um, it's become the heartstrings of, oh my god, I have to pick between this tool and proper headcount. So, people to analyze the tool or the tool that really doesn't do its job on its own. Um, and when you have to pick between those two things, you just lose. Uh, because none of it comes out of the box configured properly ever. Uh, if somebody thinks it does, talk with me after. Um, and, uh, the data type

variance. So, like you have now all of these different data types coming in. There's a lot of custom data types. Um, it's a moving target. And these companies that build these tools, if they can keep up, great. But a lot of times they can't. And especially if you're building anything in-house, don't don't even count on it because you're going to have to create custom parsers yourself. And good luck figuring out the uh secret sauce of of how to make those custom parsers. Um competition has knives out. So here's a fun one. Um, if you think about different SIM companies who sell these tools, all of them have competitors elsewhere because a lot of these have become giants and they either

have been acquired or they're owned by different different branches, different vendor companies. And nobody should tell you what tools you have in your shop. And you will find at least one instance in your environment where a log type it doesn't parse correctly in this sim. Hm. I wonder why. It's because those two companies don't get along. Um and so that's why you know trusting a one-stop shop really can't do it anymore. And then duplication of storage. So talk about this for a little bit. Um with cloud structures being so prevalent. I think everybody in this room, if you haven't moved to the cloud, you're working weird public sector and I do want to talk about you afterwards or

your IoT IC ICS environment and I love you. My heart goes out to you. Your job is different and hard. I used to be you. Um, and your stuff doesn't go into a SIM either. So, um, regardless of that, you have these cloud environments. They're doing their own storage. SIM wants to charge you for their storage because you're you're forwarding logs. And some people will delete those logs, right? And they'll just have the SIM keep them. A lot of people don't. There's this duplication of cost uh when it comes to storing those nuts and bolts in the environment. And the more tools that have to use this, the more you rack up that that price range, um if you have a

dev shop, you're not necessarily going to give your developers access to your SIM. So now maybe you have data in triplicate. Um, and that just for an organization that's already struggling with headcount, for where our stock market is right now, for what every person in this room is going to face this year, um, I'm just calling it out now. Sim is dead. So, what do we do about this? Here's the new hotness, and this is my personal hot take on how we solve this problem. Um, I would like to challenge everyone in this room to really embrace creative engineering and architecture. um because creating a hybrid is so important today and it's really looking at where does it make sense to store the

data. Do we store it securely and then what actually needs the data at the end of the day. Um really a data lake is is probably what makes the most sense. You dump it all in one place if you can. Um, if you don't, you have forwarders or a bus in between and you have like a SIM light, but you have to keep eyes on things, especially if you're a responder or your sock. Um, and this might mean we're moving away from single pane of glass to back to many panes of glass. Welcome. The pendulum keeps just going back and forth. Sorry. Um, this is why we have four monitors, right? Like, it's fine. Um, so really with your data lake,

what you want on top of that is a front-end query tool, visual tool. That's your pane of glass. I think single pane of glass is probably not something we can achieve anymore. I hate to say that uh marketing humans in the room just la don't hate me too bad. Um, but but really we we have so many complex environments now that you'll have something that doesn't play nice. And that doesn't mean we should let it be a blind spot because I mean you can put it in your risk register and just go, "Oh, it doesn't fit, but I I would challenge you not to accept that risk." Um, and then you have a sim light. Um,

so what is that? Well, pay less. Put less in there. Look at what they do really well. What's pre- canned? What makes sense for your organization? Maybe maybe you have SIM light that takes care of certain log types. So if you don't have anything watching over your cloud infrastructure but you have an EDR uh or endpoint detection response tool like um uh Sentinel one falcon all of those uh defender um I am not representing any company but if you have that uh SIM light or that EDR tool on your fleet so what your end users are using or your virtual machines whatever have you your servers maybe you have in your cloud infrastructure something different where

you're looking at those logs and so you let your EDR do the thing it's really good at but then you have to build detections off of your other log sources. Um so use the two together rather than paying for both in the same right. Um and then continuing towards Soore. So that uh that whole automation engine of using your data as a bus basically put your data in different places. Um make it make sense but don't keep trying to fit the square peg into the round hole because some marketing human told you that this is just going to work. This is the the most bang for your buck. Something will not fit. And at that point, we do need to be creative

as engineers and get back to it and go, how do I detect on this or how do I even see it? Um, and you can do a lot of creative things. Uh, shout out to anyone in this room who uses like BigQuery and Looker, uh, just writing something to PubSub real quick, piping it over, writing your own query, and then Looker data dashboard. It looks a lot like a sim. You can actually do this on your own. um it's it's you know it's a band-aid to your logs don't fit anywhere else and you don't want to lose sight of them. Um so so trying things like that. So that's kind of a budget workaround but the trick here is what you're doing

is you're trading that really really expensive tool that you know you're checking the box on for humans. Um and I think that's worth it every day of the week and that's why this is a hot take. Next thing is baselines. Um, so all of that data creates this nice little visual of what we call normal or a baseline for what's going on in our organization. Um, what does that mean? Well, you have to have that data and take a look at it and uh analyze it in order to say okay this is what what's normal. I expect people to come in during these hours of the day. I expect them to use these applications. I expect

them from these locations. I expect them, you know, and so on and so forth. Um, really want to talk about how organizations usually do this from the outside in because we think about attackers as coming into organization. Uh, how long ago was it? Two years, three years ago, I think two years. Um, who knows a lot in the room about North Korea? I've got like three people. Uh, no, there's a couple of you. Um, let's talk about North Korea. Um, North Korea is very unique. Uh, I have just a ton of awe for the amount of skill that they do in their country to ramp people up into like security wizards, CIS admin wizards, uh, people

who are just incredibly good in any operating system, in any environment. um years ago because of all of the embargos and what was going on with them um they were really going after cryptocurrency and financials and that was how they were making money for their country um keeping things afloat having a military complex. Well, cryptocurrency has done some interesting things and eventually those kind of attacks run out or you you run into diminishing returns. So what happened when they ran into those diminishing returns? we started to see an uptick in insider threat cases uh from North Korea where they were actually planting their individuals in large organizations. Uh it started in the US has now spread to Europe um and

is doing a and Canada sorry best friend right here in the front row. Thank you Canada. Uh and Canada um South America everywhere basically they're spreading where the money makes the most sense. um where it does two things. They started out actually just making money through these individuals. Like basically North Korean citizen works at a job. That money funnels back to North Korea. So they're working a day's job. Well, that never lasts long, right? Then it was like, "Oh, you have some data we might like. We'll take that." So it ended up being Xfill. Okay. Data Xfill. Well, what else can we do with that? Um hey, ransomware makes a ton of money. why don't we xfill and then extort you for

it from the inside uh from insider threat and we started seeing that right um they started x-filling that way the other thing they do really ridiculously well um is insert code so like if it's a company that does business with a lot of other companies um have actually worked cases where they have taken a gold image or basically like the base image of something um virtual machines and containers are really popular for them, they'll change it and then that's what's deployed to everybody and suddenly they're inside every client that that company has in that supply chain. So I wanted to talk about this um because we are most adept at looking from threats coming from outside of the house and

really want to challenge people in this room start thinking about inside and knowing this specific threat, what can we do to change it? So, um, tactics, techniques, procedures, or TTPs on this slide. They're largely living off the land because you're hiring them as an employee. They're using what your business uses. Um, it's hard to baseline that if it looks normal. So, how how do we start tweaking of like where do we actually find this? Well, we know data has to leave the house at some point because that's what they're doing now. So looking at data out um we defined uh well- definfined tool usage and segmentation uh and identity and access management can save the day. So the

interesting thing about these individuals when they're hired typically they'll ship the computer to one location and then the usage will be from another location. So having standardized locations uh for your employees, knowing where they're supposed to sit and then checking against that and doing geoloccation data, that is that's a huge win. That is what's caught a lot of this. Um they actually have known shipping locations where they prefer to to ship it to and then it will go elsewhere. It will route from there. Um so if your company's able to do it, having someone pick it up or sign for it with a face, huge thing. um location we talked about. Um and you don't have to

do this alone. So what most security orgs are trying to do is to tackle like, oh, I'm looking in the logs. I'm looking in the data. Well, I just gave you all the intel of like, hey, they're they're interviewing. Who does your interviews? Okay, so some of your engineers, your hiring managers might do your interviews. They're not going to sit in the security stack necessarily. They might be the dev site of your organization, but most folks in this room, if you work for a mid to large size company, you have a recruiter somewhere. Let your recruiters know what this looks like. Um, and largely they're using like a chat GPT or something like that where somebody will ask a question.

You'll have a pause and then they'll answer and they usually have a headset on. So there will either be somebody in a headset or there's a pause. Your recruiter can just say, "Hey, it looks like we have a bad connection and I'm having audio issues. Can you take your headset off? See if that's a problem. If it is, it gets really fun very quickly. Um, something is going on here. Oh, you know what? That doesn't seem to be working. Let's retest our connection. Log off. Log back off on, you know, just test it." Um, and a normal interviewer is not going to be shy about that. they're working in tech, you have technical difficulties all the time. So,

really knowing like how to get around the social engineering aspects of this as well is a win condition you can put as a wall for your company in your shop from the get-go. Um, shout out to the very wonderful uh North Korean computer emergency team on Twitter that is one of my favorite troll accounts of all time uh for putting this bean together. I did not create it on my own. Um, all right. So, that's insider threat. Uh, this one hurts me. I've already got some people laughing at this meme. This is me. Uh, we're we're one with that one. Um, let's talk about the good. Like AI is the hotness, right? Like a lot of people

are getting conference talks off of AI. Let's talk about AI. Um, and this is why I am moose and not represented by anybody up here today. Um, I have some spicy opinions about AI. Um, I'll admit what it's really good for. Um, search. Search. It is an absolute win. Like, uh, people who put up their own shops, who do their own search engine optimization, who run their own websites, um, not everybody is an expert, right? and being able to serve up data that somebody wants to them despite, you know, having a great product over here and you have somebody who wants the product. Um, that might not always translate. There are language barriers. There are

uh biases, cultural biases depending on what region people live in. Somebody might call something a different thing. If I want to start a fight in this room right now, we'll talk about soda and pop right? Ha. Fizzy. Oh my god. Where are you from? Oh, okay. Once again, Jessica is on her own and will fight everyone in this room. Um, I mean, like, pineapple is regional and we can fight over that. Um, uh, uh, pizza, sorry. Pregnancy brain. Um, I I really love pizza. Uh, but I also have strong opinions about that. Uh, and we can talk about that later, but basically like you can take a bunch of different data that is publicly available and

create better searches and better products, better consumerism. And so I would call it an e-commerce one. Netflix knew this very early on. Their searches were great. They're a lot of where this stems from of like, hey, this was really successful. We should all do this. No, we should not. Um, big data sequencing for our friends in medical, huge win. genome sequencing, um, all of the cancer research, a lot of things that have to do with health, um, huge win because you have these large swaths of data and to go through them manually as a human is not possible. So, letting a computer do it, sequencing it, learning from it, and giving you the pattern analysis, huge.

It's machine learning though. Um, and then behavioral trending trained on system data is a win. I mean, who here uses an EDR tool? Oh god. Hopefully more please more. Okay, so uh endpoint detection and response tools are largely behavioral. How do they know behaviors are normal? Well, they trained it on what a computer should do, right? What you expect it to do. And that's why when you have lag time in like if if you ever have heard a vendor say this, hey, let it run for a week first. A lot of the identity and access management tools will say, hey, let it run for a week first before we tell you what's normal. They're doing

this. They're basically letting it feed it information, do that algorithm on the back end, and look at what is actually normal based on the data. And so this is big data, right? It's something that is beyond what you would pay the entirety of this room up against a machine learning algorithm. We're going to be behind, which is sad to say, and I hate to admit it, but you know, our computer o overlords are good at some things, right? Um, but I digress. Enough talking good about it. Um, let's actually talk about where it's not great. Data privacy. It's in everything right now. If I see another popup for Gemini, I'm going to lose my mind. Um, I don't want

it to have all of my data. I am one of those strange humans where I'm presenting on a Mac right now, but I locked that down. Siri does not exist in my home. Hello, Google does not exist in my home. Uh, what's the Amazon one? Alexa does not exist in my home. Um, we have Linux and dumb devices. I got very upset when we had to buy a new stove and they were like, "It's Bluetooth connected." And I'm like, "Great. You've just given me something I can get drunk and hack. Why? Like, that's all it's good for. I'm just going to get too curious one night and kill my my stove or my microwave." they came

together so they can talk to each other. I guess it needed a friend. Um, so where it's it's not great is those data privacy concerns. Where is it collecting? Where what is it collecting and where is that going? And there are so many asurances, but I mean how many people have read about security breaches of your favorite companies over the I don't know how many years now. Like everyone gets hit. So what is it actually collecting and how can you call that secure? because it's not if, but when. Um, and then the spend, like, okay, these things cost money. Um, and resources. Where does that money go? Where does where do those resources come from? And are we actually getting

quality out of it? How can you even assess the quality if you're not doing double the work and looking up the same thing yourself that's supposed to be coming from the AI? Yay, I have one. All right, somebody's excited about this. It is double work. So, and and especially the people like hats off to the folks in the room who have been testing this and going, "Hey, this is kind of garbage." Um, because those are the special creatures like myself who are like, "This doesn't seem right, and I'm going to prove you're wrong." And that's going to give me great joy. Um, accuracy concerns for areas requiring precision. I'm going to call a couple out that are

going to matter to folks in this room. I don't want my doctor using AI. Um, I don't want my IR team using AI. I want them looking at the logs. Um, I want a human to say, I actually looked at this and I know what this is. Some of my code. Um, so the very next one there is injected bias or malicious data. uh at what point does it become normal where you see this one string of code and there's I don't know a call out in there back door whatever you want to say that's the the machine is like I learned that that's good that's part of this algorithm and it just comes in and the

unsuspecting person is copying and pasting um ejected bias in hiring there's this great study right now where they did two interviews same guy same same birds, same voice, same tone. Uh, one of them he had a white background. The second one he had books behind him. They rejected the white background. They accepted the books. That's hiring bias. That's not fair. We need our human brains to step in. Um, ability to curate and test data is not feasible. Went over it. You're doing double work. And the work that you have to do is, you know, it should be from the get-go. One of my favorite memes, I want to say over the last week was one of the AI tools was like, "I

can't do that for you. I'd be doing your job." And I was like, "Oh, we're finally winning." Um, like I like this one. Um, regulations are way behind. So, if you had weird feelings about fintech, let's shift those weird feelings and put them on AI. Same thing. Our rel our regulations for what this should look like and what's secure and what's good is way behind and we don't have enough there for it. Um it is growing beyond what we can control. Um and then I will die on this hill. Uh you can't replace a human. Um we have ways to research. We have ways to check. We have ways to say you know is this bias even if it's being

said everywhere. Um I mean we've had over decades newspapers print the wrong information. Right. Is that just fact because it came out wrong? Did we have to go back and correct it? Anytime you see something like that where we've had to go back and correct the data, that's something an AI tool can't do. Um, here's an additional consideration, and I'm going to use this to go into the weeds for anyone that's looking at logs in the room. If you have a sock, if you are operating IR, if you're doing anything like that, um, sorry, I'm keeping an eye on the time. uh if you have anything like that, I have worked with some of these tools um because of

course I have uh and it's really interesting how when a user indexes the data like if you if you do a search how it shows up in logs because it might be querying another application or a data resource it might show an app ID but here's a gotcha and I'm not going to say which one did this so I'm going to let you do this on your own was looking at logs the other today. Um, and there was a little bit of a a panic because somebody who wasn't at the organization anymore was suddenly looking up all of these papers in this data, right? It looked at first like possible data xfill or that access had

been access came back something. Um, and there was this tricky little field that came into those logs that said app ID. What was actually happening is that person who used to work at the company, they had made the last edit on those documents and the application was doing the search on behalf of another user. It actually lost who was asking for the data and it was showing the app ID instead in the document logs. And so knowing how these work and how the logs function and how they're going to input like give you back information um is convoluted. It's weird. You have to have playbooks for it. Uh and this is also going to take strain on your

engineering teams. Putting this in terms of money for your seuite of like okay if we adopt this it might make things easier in this way. These are the man-hour you're going to sacrifice and how much those security engineers cost. Put it in dollars. Um it is a give take and then you're talking ROI of how much are you actually saving by searching or by doing something that maybe sorry for everyone who uses it. Maybe your dev should already be able to do on their own. Um, that is probably my spiciest. Like that will people will hate me for that one, but I'm I'm a purist. I I like going and searching and comparing data and and looking at other dev tools and

and things like that. And I'll I'll I'll give you this. My my code is garbage. Um, but it's my garbage. So, um, and I do think that this is a trend. So, one thing I'll say too is this was cloud like five fiveish years ago, right? Um, everybody get on the cloud right now. Okay, cool. Which one? Well, it's not tested well enough, so just grab one. That got us in a lot of trouble. Also, wasn't very secure. So, maybe don't be an early adopter. This is uh the tickle emmo for the seauite. Like, everybody has to have one. Everybody's running into a store to grab one. They're trampling each other. um and they're, you know, maybe going for the best price

or maybe brand name, but either way, we don't have enough data to say they're secure or even actually that good. Um, all right, refocus. So, let's talk about this for a little bit. Um, we're talking about present. We're talking about what happened in the past with insider threat. AI is present. Now, how do we think towards the future? How do we start to predict this? And then how do we get ahead? So what's actually happening in the attack space today? Um I alluded to this in the beginning. Uh for the last like five or six years, ransomware has gone from uh a lot of credential scraping and lack of 2FA or um even you have 2FA to okay cool you

have 2FA and good job now it's app-based or SMS-based. Oh, wait. There was a group that popped a bunch of BPOS or business processing organizations and Telos and now they can do SIM swapping. So, good luck. Have fun with those app-based 2FAS and your SMS 2FA. Those aren't secure anymore. Oh, great. We've got to move move it along. Okay. hard token, which is kind of ironic to me because who's who's been doing this for a long time? Good, good number of you. Um, did anybody ever work in a skiff and have the little RSA keychain? Yeah, my people. Uh, I loved that thing. I loved that thing. It lived on me. Uh, it was a

hard token. Like, I just plugged that thing in and it lived with me. It felt good. Um, at that shop I actually replaced those with UBI keys because UBI keys were cheaper at the time. It was when UBI was starting up and I was like this is really cool. I got stupid excited about it. But this was like over a decade ago. Um, and then uh so we went from those because hardware costs more money to appbase because it costs less money to appbase being secure insecure which ends up costing more money back to the hardware tokens. So this whole like what's what's old is new again is fascinating. So looking at the attacks of yesterday are are really important

because you'll start to see these trends in the industry and where to go. So this is not me going, I'm predicting the future off of nothing. This is me saying it's interesting because we're seeing a circle. So we have phish, vish, SIM swapping, 2FA. This is what's yesterday now, actually. It's still working, but we're seeing it move away. Observe the shift when that stops working, because the reason threat actors do this is because it makes them money. It's successful. Well, when that stops being successful, they're not going to work harder, right? They're going to work smarter. They're going to find another way around. So, with these hard tokens more prevalent and more focus on

social engineering training for our help desk, for, you know, folks that are getting this ingress, maybe those tactics aren't working as well anymore. We're gonna see a new uptick, and we're starting to see it already, and it's funny to watch the shift. I really think this year and next year we're going to see quite a lot of the third party or software supply chain attacks. A lot of that will be open source code. A lot of that will be things on GitHub, things that are readily used in a lot of environments. And then exploit development and vulns as an initial access vector will see that uptick, and we've seen a little bit of it, right?

But really starting to see the shift of, oh no, the threat is everywhere, all around us, all at once. What do we do? And I love this picture, because that's like every conversation I have about a vendor or a tool, of like, why do we use it? It just works. Okay. So this is what you're up against too, of getting folks to shift off. So when everything is a threat, where do we even start? Well, first with a cup of coffee. Treat yourself. But then we need to look at like where access happens or where we have controls, because you can't see what you can't see. So add

some visibility. Your vendor should not have god mode unless they give you a very good reason, at which point you sign them on to work for your company and they're now an employee. So you need to put some access limitations on them and consider putting them in their own environment. So if they can be more segmented, do it. But, you know, one-way trust instead of two-way trust, things like that. Like, really think of restricting your vendors. And make it harder. So, like, sure, maybe you adopted a vendor three years ago and you're on a three-year contract. Make it normal for you to review that once a year or twice a year. Look at the

wording. Look at what they're actually accessing and test it. Make sure that in your statement of work, or SOW, you have something in there for testing, and that they test as well. And then consider what this is called as N minus two version, meaning two versions back. I'm not going to name names. Who here has been affected by a major vendor outage? People are laughing because they know I don't have to say it. Sorry. I dodged that bullet. So N minus two. Why is this important? Well, vendors and software, they do changes all the time. And sometimes it comes out and there's a gotcha and they don't even

know it yet. So staying back a couple versions, as long as it's safe, is super important. And this is everyone. This is not one company. Just because it happened famously to one company, it's funny, it's happened to a lot of people and people forget. It's just whoever it happened to last, right? So we laugh. But it might be you next. Okay. So software. Deny/allow lists are your friends. There are different controls in different kinds of software. Love GitHub. The only thing I'd ask for with GitHub is the allow list is universal for enterprise. God, I wish I could do it by repo, because I'm that level of like meticulous. I can't.

So, but making sure that you have that allow list in place, and if something comes up like we had tj-actions come up this last week, you can just remove it, mitigated. Like, when you have an allow list, that is your quick stamp, and then you can go back and code and fix it later. Bug bounty programs, if you have apps in house, make sure you have one of these. You want the good guys testing you and to give you that feedback rather than somebody else find it, right? Review and restrict your data types, access and permissions where possible. This is huge. This is about that strict vetting and review

process. Vendors, software, are both the same. If somebody is asking, oh, we need Workday to talk to this application. Let's say it's an LMS. That's common, right? You want Workday to talk to your learning management system so that you can see who's done different trainings, right? What else is stored in Workday other than names and managers' names? A lot of data. Sometimes PHI, right? Location data, all of the sensitive things about your employees. Don't give that to your learning management system. Make it restricted. Look at the data pipes. If you have to build something custom, if you have to have a custom SFTP, do that, if it can't work via API, right? And

if you can't restrict via API. So really look at like putting pause. Don't go too fast, and restrict where possible, because if these vendors and software companies, like if pieces of software, pieces of code, do get that compromise that happens, if it's not publicly accessible, you're doing better. So like shout out to everybody who had tj-actions in a repo this week but it wasn't a public repo. You won. Private repos, not really affected, but rotate your secrets, because it's still dumped. But things like that where you're doing this defense in depth, and it's really this layered approach. So a good example of this is browser extensions.

Go in and give yourself a little bit of a horror story right there. Check what it has permissions to. You will be surprised. And then, do you have the right tools in place to automatically detect and block this? One last hot take. EDR has never been a catch-all, as much as it's marketed as one. And I say that because there are different things it doesn't do that other tools do. Even though some now have a built-in firewall, that's still on an endpoint. It's still not like at your ALB layer or your load balancing layer. Like, there's different layers, and we just can't lose sight of this promise of, I can make your life

simpler, when your life will never be simple. So consider layering other solutions. I really like this first one. Binary and access authorization systems. Love it. Love the idea of it. I like the name of this one too. This is open source. You can go on GitHub and get this now. Santa is for macOS. The reason it's named Santa, and I talked to the person who built this about it, is because it keeps track of the naughty and nice binaries. Isn't that adorable? I freaking love it. Peer review for minor changes. You know, it doesn't have to be this big convoluted process of change review, you know, every

week. If you work in a dev shop, you'd never get anything done. But make sure there's another human on the other end, because as soon as it becomes programmatic, or you have a threat actor compromise one account, make them work for it. Like, they need at least one other person to push their change. AppDR, this is new. There are some startups doing this right now. I really love this too, because if it does nothing else for you, it's API mapping and you don't have to create the network map yourself. I don't have time. So the fact that companies are now doing this on the multiple layers, huge.

And then shout out to the poor humans that do access management, or identity and access management, and then asset management databases. That's the bad touch. Sorry. You're so important. You know, it's a thankless job. But continuing to revoke access, doing provisioning, doing access management controls, and making sure you have a good process in place to catch these. Session timeouts. Yeah, your users might hate you for it, but you can kind of do it in the background and make it less cumbersome. If you have multiple moving systems, have them do it once a day, but god, make it time out after 24 hours. So this is having

the right tools in place. And no, it can't just be one tool. It has to be a bunch. And this is going to take us to, because I really didn't want to go over. I don't think I am. Good. All right. Why do we fill our cup? So you can fill others. This all fits together, even though it was my like, oh my god, how do I cover all of the things that are happening in security right now that are super important, and I'm seeing all of these red flags and all of these things and all of these pitfalls. You can't do everything all at once. You have to do everything one at a time

and small. There's no silver bullet. But you end up filling all of these different areas, because every bit is going to allow you to have that holistic structure of a good security program. And while we can't always predict the future, we can study the past and we can improve the present. These things go in circles. And so really, you know, coming to this, you're already doing great. You're going to listen to everybody in the room today. Multiple talks, you're going to get wisdom from lessons they learned. Take all of that together. That's the studying. You'll make your present better. The big problems are just three smaller problems in a trench coat.

Break it down. You know, make sure you're dividing and conquering. Not everything has to be a huge project plan. Some of it is just, hey, I'm going to do discovery on this. And that's step one, and that's okay. But you can write that in. And then never underestimate the power of smaller or targeted solutions in addition to big names. So, there's a lot out there that gets a lot of notoriety, and for good reason. It's good products. But don't be afraid to try a startup on a trial basis. Get a design partnership. Work with a new company. See what they have to offer. Always be doing one of those requests for quotation. And hey,

your budget might go down with that big company too if you start throwing these little ones at them. So it's a win-win. And then create engineering alliances. So, I'm talking to you today as a keynote. It is incredibly humbling, because I am aware of the teams I've worked with in the past. I'm aware of the people who I have worked with over the years who have helped with the knowledge that lives rent free up here. And I'm aware of my team at home that I work with now and all of the work they do on a daily basis. I am not a single shop. Like, I don't do all of this on

my own. I would fail. So creating those alliances in different arms of the organization as well: devs, QAs, project managers, your PMO. Everybody's a friend. So letting them know, hey, did you hear about North Korea? Great conversation starter. By the way, if you want one free bit of very useless info, Kim Jong-un is obsessed with Swiss cheese. There is a not insignificant portion of that money that went towards having sophisticated cheese makers for him so that he could stay stocked in his favorite food. So there, now you can do small talk. And then above all, remember that you will have support if you can hit on that

emotional core. So security is an emotion. People will remember how you made them feel. C-levels are a little bit different. They want to feel like they're spending less. So maybe think about your audience and what they care about. I had an actual awful boss once. We did not get along, but his voice will echo in my head forever. He would always ask me, "Okay, why do I care?" I was like, "Oh my god, why are you asking me this? Like, I've just told you why I care." And his answer was always, "Why do I care?" And it shifted me. It made me better. Even though I hated it and I thought it

was the most callous thing I'd ever heard in my life, I had to reword what I was doing on, okay, why does [name redacted] care? And it did. I actually was able to work with other companies and other people if I could just put myself in their shoes and go, why do they care? And that's it. I took a bunch of time. Thank you for letting me bounce around. I want to give some thanks before I close. Really, thank you to everyone in this room who checks on other people. That's so important in this field. It's a lot of weight. And then thank you to everyone who's

checked on me, and there's a few of you in this room. To BSides Rochester, this is an amazing conference. Thank you. It's super humbling. Yeah, clap for BSides Rochester. [Applause] Thank you for getting me out of my basement and believing in me and asking me to do this today. It's an incredible pleasure, and again, it's humbling knowing that I stand on the shoulders of giants. To my husband for putting up with my bad memes and compulsive need to talk about these things only at 2 am. To my best friend who's right here who watched me edit this at midnight last night. And to you all, you all are a

bunch of masochists who chose this field. So thank you for coming to this and caring, and open to any questions. [Applause] Yes. Hey Moose. How are you? Okay. So I agree with you wholeheartedly, and you saw me like amen-ing when you were saying that AI actually makes more work for us because of the amount of verification, validation we have to do with those results, figuring out what its sourcing was, etc., to be able to validate. And you talked about having to express that this is going to cost us more money; however, the C-suite is being informed that AI will replace us, which we know isn't true. How do you suggest we

counter those arguments when, instead of us saying the AI requires more headcount, which I believe is true, they are being told by the vendors, and are believing, that the AI will allow them to save money by reducing headcount. What do we say to them? That's a really good question. You're in charge of that, Mike. Now, for anybody who has a question, I'm your person. I figured we'd be efficient. So what you can say, so this is really difficult and you might have to try a few tactics. But I usually ask, well, we never purchase and go all in on anything without testing it. So, where are we going to start? And can we actually get

data that it's actually reducing headcount over time? And so, I push back in the way that they ask me to put my budget together, of like, oh, well, you actually want to see my like one-year to three-year plan. What is this going to cost over three years? But we don't have the data knowing it's actually going to do what it promised. And then I typically get a little bit shady and throw some other things under the bus that haven't worked over the years. And I'm like, remember when this cost a lot of money? We should like test this, and even if we do a longer purchase, maybe just do it for a smaller size of the business. And

try and do things iteratively. Honestly, there's going to be a lot of loss in that. They are going to conferences right now where it is being pushed, and it's being pushed as part of every product. I am also encouraging C-suite and those who work for them, do as many live demos as you possibly can. If your words don't shoot it down, I promise you a bad live demo will. So get them involved to where they actually see a live demo of these products, because a lot of them are rushed. I'd also encourage, as part of this, get your legal team involved. Make the AI do something with legal. That's a lot of

fun. My big issue is I don't believe AI is defensible in court, and I deal with court. And so I totally agree on that. That's my, to, there are a couple of conferences who have done that. There's one based in Chicago. The state attorney general of Illinois actually had that point, and there are folks working out of California on it. So there are allies for that too if you're worried about like the legal side of things. Thank you. There's one. Who's got a question? Thank you, Jessica. Thanks. I just want to more double down on what you just said. So I believe that a lot of being in

security leadership is sales, and you have to, you know, when you say why do I care, you need to kind of sell it to them, that person, convince them. I think that one of the things, as a log management person most of my career, I ignored was risk and compliance and that team, and how they can help you enable, like put an AI policy in place, put things in the path of procurement to help prevent just like 35 AI tools or whatever tool might be coming to the point. So, you know, don't overlook the ability to use policy and procedure and legal, like you just said, to put the brakes on these

things, but also once those policies are defined, you might have a policy that says we need to retain for seven years. Well, now you can get the investment to do that, because the ELT or the leadership team has agreed that like we care about this as a business. So, one thing that's been going away, and sorry if anybody here has been affected, leadership is cutting GRC, the risk and compliance humans. If you have one left at your business, find them, hug them, cling to them, and make sure that your leadership knows that they're important, because they are our allies. Hi, thank you. Really enjoyed all of that. So you were

mentioning the North Korean insider threat and wanting to reach out to other parts of the business for support. How do we do that without doing just McCarthyism, which I don't think is your goal at all? You're correct. That's not my goal. And I'm glad you said something kindly and gently. So I do this thing. I'm a pretty goofy individual. I have never had a slide deck, even professionally, that has not had a meme in it, ever. They can take it out of my cold dead hands. But I do what's called a threat briefing. So at my company, I'm not just, you know, in the director space. I

also built a threat intel program. And so getting this to others in the business, I was like, "Hey, you know, this is new. Would you like to hear about threat intel?" And the answer is almost always yes. They're very curious, no matter who they are. And I only make it a portion. So North Korea as like, "Oh my god, another country that's our adversary might affect our business." Horribly scary. Remove fear, uncertainty, and doubt. Make it twofold. So that's only a small portion of what you tell them that day, and say, "Hey, this is what you can control. This is what you can't control. This is just for your knowledge. This is not on your

head. This is just us sharing." Because the more you know, the safer we are. Take that stress off of them. And then the last part of what I always do, and this is important to me, and not everybody has to agree with it, but I think all good intel is usable. I don't think intel is intel if it's not usable. So, the individuals you're meeting with have personal computers and they have phones. Share with them something that matters to them in their life, in their family, in something that is also threat intel related, that is not North Korea related. You can pick and choose. There's a lot out there right now. It's

tax season. Give them a little seminar. So layer it so that the only thing you're not coming to them with is North Korea, because then, yeah, it's like super scary and you're like, I'm in security and I'm important. Which you don't want to do. So it's more about being the helper rather than the knowledge base in the room. That's a great question. Thank you. And I think we're right at time. I don't want to run too far over, but I'll let you be in charge of that. So, thank you so much. Thank you.