
Shelfware, Threat Intel & Social Engineering: Why Tech Is Not the Answer

BSides Tallinn · 2022 · 51:16 · 104 views · Published 2022-10 · Watch on YouTube ↗
About this talk
Organizations invest heavily in security tools that often sit unused—victims of compliance checkbox thinking, poor ROI analysis, and misaligned vendor incentives. This talk examines why shelfware persists, how threat intelligence should drive purchasing decisions, and why social engineering remains effective despite technical defenses. The speaker argues that reducing friction between security teams and end-users, building security awareness frameworks, and treating defense as a data-driven cycle are more impactful than any single tool.
Original YouTube description
This session is a cumulation of several years of research into security products, defensive strategies and threat intelligence. Defenders have a dilemma in how they should be protecting their organisations. Which tools bring about the best return on investment, and which ones are most likely to simply sit on the shelf collecting dust? Examining threat intelligence, we’ll delve into the root causes of most attacks – and the role the human plays in it both as victim and being the unwitting hero of the story. Attendees will leave with an appreciation of how to make better investing decisions, understand root causes, and the significant role social engineering has to play in the current world.

Javvad Malik is the Lead Security Awareness Advocate at KnowBe4 and is based in London. Malik is an IT security professional with over 20 years of experience as an IT security administrator, consultant, industry analyst and security advocate. He is also a multi-award winner and is currently a Guinness World Records holder for the most views of a cybersecurity lesson on YouTube in 24 hours. Malik is passionate about helping people understand the value of cyber security and how every department and individual can play their part. He often educates his audience through blog posts, videos, podcasts and at public speaking events. Malik holds the SACP and CISSP certification.
Transcript [en]

[Music] Well, hello everybody. Thank you so much for being here. After that generous offer of 50 more blinky lights and you're still here, I feel really validated by that, so thank you for sticking around and preferring me. This is the last talk of the day, so I know a lot of you must be a bit tired by now. But before we kick off: we've all heard of ransomware, I'm assuming everyone's familiar with ransomware, so we're going to start with a live demo of ransomware of sorts, and I need you to do something for me. I'm not going to start the presentation. We've been ransomwared; we've been locked out of the presentation. So how are we going to start? Well, we're going to start by... my wife and kids don't actually believe that I do anything useful in my life. They're always like, "You're just an artist." So if you could just do me one big favour, and this will help everyone get through this talk because I've got a lot of information to go through: if I walk onto the stage and everyone just claps and cheers and says "you're the man", then I'll record it and send it to them afterwards, and they'll say, "Wow, our dad actually is awesome." So we'll just give it one go. Before we do it, look at me treating this like my own party. Okay, 3, 2, 1. Hello everybody! Oh wow, look at that, look at that. You see that? They love me, they love me. Yes, thank you, thank you so much for your participation. I don't really have a talk; that's all I wanted to do. That's going on social media and now everyone's going to say, "Wow, he's a great presenter, let's invite him to our conference," and I'll do the same thing. It's a great way, you know: snake oil is fantastic.

So I'm Javvad Malik. You can find out more about me at javvadmalik.com; my Twitter handle is j4vv4d, you can tag me on that with nice things or horrible things, it's okay. And I work for KnowBe4; they do phishing simulation and security awareness training and building security culture and all that kind of good stuff.

So shelfware is where we're going to start, and for shelfware I use my treadmill as the example. Many of you might have fallen into this trap, during lockdown especially, where you buy yourself a home gym or some equipment and you use it, good, for a few days, and then afterwards it's just a dumping ground in the corner. Several years ago I worked at 451 Research; they're an analyst firm a bit like Gartner or Forrester, and this is where the whole question came to my mind: do security tools actually get used to their full potential, or do they sometimes just get bought and dumped in the corner like a treadmill? And things have moved on. I've kept a close eye on the market in this regard, and it's not just enterprise software actually, although I do love this tweet from years ago from Lori, who says that enterprise software was not built to be used, it was built to be bought. Sorry to any vendors here, I'm not throwing shade; I work for a vendor myself, so I can say this. But actually this happens on the personal level as well. We see, especially with cloud and SaaS apps, many people will sign up for apps, and it's only what, the price of a coffee a week? You can have access to all these fantastic tools, and then by the end of the year you're realizing you're drinking like 50,000 cups of coffee a year. But regardless, I think it happens a lot, and what we see is dark patterns emerge a lot on these SaaS apps especially, where they'll trick you into buying something or staying subscribed even when you don't want to. So shelfware isn't just something that just happens; it's actually consciously pushed by many vendors as well.

So anyway, as part of my research I went out to a number of vendors and a number of enterprise users and I said, well, what security tools do you buy that you then feel you either don't use at all or you underutilize? And this chart came up. As you can see, the most mentions went to something like a SIEM or an IDS, a WAF, anything forensics; basically anything that you need to put a bit of effort into showed up as, ah, this is a bit too much effort. So it's not that they weren't being used in many cases. Actually, a bit of background for this: WAFs were probably the most underutilized, even though they're not the most mentioned, but they were the most underutilized because, thanks PCI DSS, QSAs were happy to hear that you had a WAF in place, so it helped you tick that box and move on. So yeah, you can take a picture of that for sure.

The other end of it was then, okay, why did these things end up on the shelf? And these were answers given by the enterprise users. So you can see "customer only purchased it to satisfy a compliance or regulatory need" was huge. Internal organizational politics getting in the way, that was a big one, and as a sidebar to that, that was really key when a CISO would come in and lay out a strategy and then leave before it was fully implemented. No one's ever seen that happen before, where a CISO just turns over after like two and a half years after putting in place a five-year strategy; no, that never happens. So the person who comes in afterwards is like, "I don't understand why they purchased this product, I don't really fully buy into this vision, so we're going to scrap it and implement a new vision." So you've got all these tools lying around in the enterprise that no one actually uses. You see there's two empty ones here; one's called budget cuts and one's called product was being replaced by another one. They're blank because no one on the enterprise side actually said that as an answer, but several vendors said that's the answer they were given by their customers as to why they're not going to renew their license. So if you're a vendor and someone says to you "there's a budget cut, so that's why we're not renewing", they're lying to you. They just want to be polite. They always have budget; no one never not has budget. So I think there's a bit of a mismatch here. And from the vendor side again, as a vendor, there's a lot of poor sales tactics that are put in place, especially when there's a VC involved and they have certain targets to meet and what have you, and they push products or they overpromise features, and then they don't spend enough time helping people understand all the features that are there and how to maximize them.

So clearly no one here really takes security seriously. That's John McEnroe, for... I know there's probably plenty of younger people here who don't remember him. He was a tennis player; he'd always question every bad umpire call with "You cannot be serious." And so I went out and I asked a bunch of security pros, friends and acquaintances and colleagues, ex-colleagues of mine. I said, okay, this is the problem: people buy software, they don't really use it; vendors sell software and they're not really interested in people using it. How do you tell when someone is serious about security, and how do we make sure it goes on? As you can see, I was very thorough in my sample size. I wanted it to truly reflect security: two females, two people of colour, and the majority middle-aged white men, so I'm spot on with that. So I asked them all a simple question: there's a company, it's online, it maybe sells something; what would it do that would indicate to you that they are taking security seriously? So this extends beyond just the product set. It's like, what would you say, as a professional, what instills confidence in you that they are taking security seriously? There wasn't really a simple answer. "People need to realize that customer data is toxic, like nuclear waste, so unless you handle it in the same way that you would handle nuclear waste, unless you show that to me, then I won't trust that you take it seriously." Steve Lord, never one to mince his words, says, "No one wants to be known for having Equifax-level security, not even Equifax." Apologies to anyone who might work there. And "No one can ever know how seriously a company takes or doesn't take security, so you're relying on proxy indicators," says Casey Ellis.

So anyway, from all the answers that everyone gave, this was a consolidated, normalized list of the responses they gave, and this is the number of times each of our security expert peers mentioned each of the controls. So website infrastructure was really high. You're looking at the website: does it have TLS, does it securely handle stuff? I'm not a web app expert, I don't know the stuff that you look for; if I run Burp on it, will I see anything weird, that kind of thing. But then there's all sorts of other things, like how good is your security team, do you know anyone of any value in there? We often hear that some companies hire someone who's a big name in security and you're like, well, that's good, and they build a really good team, and that by proxy puts in some sort of confidence that, oh, these guys are taking security seriously. So there's all these sorts of things that go on.

And then I went out and I put a massive survey out on Twitter and I said, of all these controls, how easy are they to implement? So now we're getting into the implementation part. Experts have told us these are the things that indicate to us that security is being taken seriously, so I'm like, okay, how easy is it to implement these? Because if they're really hard, then no one's going to do it even if they take it seriously. So we want to try and find out, and as you can see, the answers were all over the place. But something like incident response, 53.7% said it's very hard to do. Something like 2FA is all over the place, and a lot of that is based on what your setup looks like. If you're running a lot of legacy systems and you know it's really hard to upgrade, that's going to be really difficult; but if you're an Office 365 shop, or whatever they call their product nowadays, then it's really the flick of a switch. So things vary. Bug bounties: setting one up is easy because you've got all these vendors out there, but actually what you do with the responses when they come in, that's where it gets really tricky. It's a bit like saying this patch is available, great, now whose job is it to implement it?

So I mapped these out. Gartner would be so proud of me because this is kind of like a magic quadrant of sorts. I mapped the number of mentions, so that proves how important it is, versus ease of implementation, and it comes up a bit like this. So something like website infrastructure: relatively easy to implement, and it's approved by our security process. If you have a good website set up, it should move to this side. You can't see? Okay, I'll block your view for a little while then. If it's risk transference, or putting in place a security team, quite difficult to do, but it pays dividends. So there's all these things out there. Writing technical blogs and publishing them: not mentioned many times, but it's quite easy, I suppose, if you have a blog set up, to share your knowledge and assert your expertise.

So I said, okay, out of all of these controls, let's go out and check all these websites and see how many of them they tick. So if we focus on the bottom two over here, they are Netflix and Yahoo. Netflix doesn't actually meet all of the requirements, as you can see: their password rules are weak, they don't offer multi-factor authentication. What a terrible company; clearly they do not take security seriously. But they have fantastic tech blogs, I love their blogs, it's brilliant, and they release tools as well. So then you're like, hmm, they seem to have some really good people there, but do they take security seriously? By comparison, Yahoo scores highly in, well, everything; it provides everything. So then I'm thinking, that can't be right. I personally don't trust Yahoo more than I trust Netflix when it comes to security. Does anyone trust Yahoo more than Netflix, given their history? I suppose I don't know; I'm relying on proxy indicators like everyone else here. But there are things out there, so I sort of think there's some spurious correlations going on. A spurious correlation is where two things correlate with each other but they are in no way related to each other. So on this chart you can see the number of movies that Nicolas Cage stars in every year correlates almost perfectly with the number of people that die by drowning in a swimming pool. So it's really easy to say, oh, the fewer movies we put Nicolas Cage in, the fewer people would drown in swimming pools. No, but it's interesting. And so this led me to my own spurious correlation, which is very mathematical and extreme, and just says, well, one of our industry's fallacies is that we think the more we invest in technology the more secure we get, whereas there's actually very little evidence to prove that is true, beyond features that already exist.

So does anyone take security seriously? And I know I do, because I do this for a living and I've got video of everyone saying how awesome I am, and you can deny it all you want, I don't care. Now maybe you do, maybe heads of security do, but I think auditors really take security seriously because it's their job. They come in and they evaluate; they come in in their grey suits and their boring personalities. No, apologies to any auditors in the room; you're like the parking wardens of the security world, coming up with useless findings all the time. But this is the audit cycle: they come in and they'll find something completely useless and irrelevant because they can't think of anything else. True story: I was once at a company and one of the audit findings came back saying your documentation is out of date. Like, that's strange, where did you find this documentation? It was in the archive folder. There's a reason it's there. So what we started to do, and I use the royal "we", the industry as a whole, is creating something called the audit box. And this is a true audit box that a friend of mine sent me a picture of. This is a pre-prepared set of documentation, network diagrams, sample data that you put in a box somewhere that doesn't actually reflect reality, but it's fantastic to give to an auditor when they come in. So you do the usual thing: the auditor comes in, you put them in a nice room, you give them tea and coffee, you take them out for a long lunch on the other side of town, you bring them back, and then they're really short of time. They're like, "I need to see some stuff," and yeah, here you go. But you don't just give them everything nicely wrapped up in a bow. What you do is you throw something in there that is a finding, but it's not a major finding, and it's something you can fix really early, because auditors, like most people, have an ego and they love to find something. They don't want to say "I can't find anything"; they want to find something. So they say, "Aha, I found this," and you say, "You're a genius, none of our internal people found it, you are some sort of super genius auditor, thank you." And then you go off and you fix the issue, and then you come back, and the auditor is like, "Yes, well done." So you're happy, the auditor's happy, everyone's happy. And this is the audit cycle of seriousness that a lot of organizations go through. An auditor will come in, they'll have something useless, you deceive them, you throw them a bone, they're happy, you're happy. And this is how, when you actually look at some organizations, they get breached and they're like, "How were we breached? We had a clean bill of health from a top-four consultancy or auditors." This is the game that everyone's playing.

So I'm like, nobody is taking security seriously, are they? The tools aren't working; they're not being made properly; they're not being implemented properly. The people we entrust with providing the assurance that everything's in order, they're being gamed. And there's an awful lot of money... I suppose deceiving the auditor is cheaper than actually going and fixing issues in many cases, so I understand why people are doing it. I'm not hating, but this happens.

But then I thought, we have all the tools and we have all the knowledge. So this is the Cyber Defense Matrix that Sounil Yu presented at RSA pre-pandemic. I'm really bad with how years work now because the pandemic wiped out two years, but about four years ago. And so we're really good at coming up with models like this, and like the previous speaker was talking about the MITRE framework, and you have all sorts of regulations, you have ISO frameworks, there's everything. And if you look at this, I mean, this is very comprehensive: you've got people, process, technology; you have all your layers, users through devices; you have identify, protect, through recover; and you will find 50, 60 tools and processes and best practices in each one of these boxes. We do not lack the knowledge; we do not lack the tools. So where are we lacking?

So I thought maybe we're just looking in the wrong places for the wrong answers. So maybe we need to take a more data-driven approach. I say data-driven because that's quite a nice buzzword, isn't it? It makes it sound like you're actually thinking about what you're saying, as opposed to when you say "best practice", which just sounds like something made up. "Oh, I stretch every day, I do Pilates, it's best practice." But if you take a data-driven approach, that's like, "I've downloaded the app by The Rock and he's telling me the workouts I need to do"; that's more data. Focus on the root causes and then apply controls where the risks are. So, being a sadist, I went to Open Threat Exchange, otx.alienvault.com, and what this is, basically, is an open platform where anyone can submit a threat intel report, and they also automatically collate all the threat intel reports out there. So regardless of what vendor it is, any time a piece of research is published they'll import it. So you go on; it's a bit like Twitter but for threat intelligence is kind of how I'd explain it. So you go on the website and this is what it looks like. If you click on the top one, you go in there and it's got some information and it's got the IOCs under there. The IOCs you can export; you can pull them into your SIEM, or you can manually search for them or whatever. But it also has the link as to where it came from, so you can see the reference. It says it's a Fortinet blog that provided all this information, so you click on that and you can go through to the Fortinet blog and read all the information they have.

And what I was interested in in these reports was: what was the initial access vector? How did these organized criminals and state-sponsored actors break into organizations? Any suggestions, ideas on what that might be? How do they get in? Using phishing. That's the prize to whoever said it over there; it's an imaginary prize. I'll let you have a selfie with me later for free, so that's your prize. So these were all the vendors. I read a hundred of these reports. I do not advise anyone goes through and reads 100 threat intel reports; they're the most boring things. They're not boring, actually; some of them are really well written, some of them I think some people could do with hiring some better writers or editors to help them out, because you have to dig around for the information. But this was the 100 reports, so you can see it's spread out around lots of different vendors and sources. And what do they say? Spear phishing was the clear winner as to how organizations were getting breached. There's stuff around vulnerabilities being exploited; there's stuff around credential compromise, that kind of stuff. So now we have the answer, the top three things. I was so proud of myself when I got to this moment. I said, I've figured out cyber security, I've solved it all. Forget your drugs, you don't need them; you need to work on social engineering, authentication and patch management. If you can focus on these three things, you are basically 90% of the way there; everything else is just sort of a long tail at the end of it. But that's really it. So stop people getting socially engineered by phishing emails, put in place MFA, give them password managers, let them choose unique and strong passwords everywhere, and then just patch. Just patch. Yeah, we've sorted it. So I have solved cyber security, you're welcome, thank you for coming to my TED Talk.

Now this is cool, because by knowing this you can focus on the right things. It's efficient, because you're not wasting your time buying and doing proofs of concept of loads and loads of different tools that may or may not work, that may or may not reduce your risk. And it's a defensible strategy: if anyone at the board ever asks you why you invested in this program, well, because we have data to back it up. So this is a success; I am so proud of myself. And this is what a data-driven defense cycle looks like. It's got to be cyclical because we all want to stay in a job and we all want to make money, so nothing should ever end in cyber security; that's rule number one. But collect your data. So in my example I only looked at externally available threat intel reports. The other half of the coin is you look within your own logs and you see what's affecting your organization. So go through your incident logs for the last year or two years and say, okay, what was the root cause of our incidents? And that will actually give you a far better indication than any vendor or any external source will give you, because it's more specific to your organization. You might find out, oh, the reason we have so many incidents is because X. And then rank the risk, create the plan, execute the plan, measure the effectiveness of your controls. Job sorted.

Now this isn't anything really new; the previous speaker also spoke about something along these lines, for those of you paying attention. I was. So we know the threats, we know what technologies fix or address these threats, and we also know what we need to teach people: hey, you, stop clicking on links; put in place a firewall, a SIEM or some EDR, and surely we should be sorted. But it still doesn't work. It's still all broken. And this is where I get to the point where I'm like, yeah, we don't live in an ecosystem where we have a lack of tools or a lack of knowledge. We live in an ecosystem where we've got too much friction. We're trying to go one way and friction is pushing us all the other way. And this is a problem that exists, I think, primarily in a few areas. But a good example, I think, is the TSA. I would say most airport security is the same, but I think the TSA is the worst. They're there to provide a safe environment so that no one takes something they shouldn't onto the aeroplane. But the way in which... if any of you haven't travelled to the US, don't, especially if you're my skin colour with my kind of name, don't. But if you go there, it's so painful. They're rude, they're aggressive. It's like, take off your shoes, no, put your shoes back on, take off your belt, assume the position, why is this liquid... You know what they're trying to do, and you have sympathy, you empathize with why they're trying to do it, but the way in which they go about it makes you think, you know what, I never want to go through an airport again in my life. And I love this tweet someone sent: there's a TSA spokesperson and they're like, you know, the size limit is like what, 3.4 oz, and these were all the bottles of water and creams that were above that. "This is the great job we've done." This is the equivalent of one of you going online and saying, "These are all the false positives we've had, what a great job we've been doing." And I think that's something that actually happens quite a lot. When we report metrics up to the board or what have you, it's like, oh, our software stopped 50,000 phishing or spam emails, our email filter stopped... Great, okay, does that tell me anything? It's a bit of friction sometimes, not just in the process but also in the reporting. Reporting is a long thing; I won't go into that one.

But I think there are three areas in which friction really exists the most. The first area is between the security team and their colleagues within the organization. There's a hotel chain; they did a survey, a customer satisfaction survey. They said, okay, how was your stay, how was the food, how were the beds, all those sorts of things, and you score them 1 to 10. And they found that people that had a pleasant check-in experience would score everything else higher. So if they scored high on the check-in, everything else would be higher by comparison; anyone that had a poor check-in experience would score everything else a bit lower, not significantly, but a bit lower, even though it was the same hotel, same facilities and everything. If they had a poor check-in experience, the food tasted worse; if they had a poor check-in experience, the bed was lumpy, the pillows weren't right. So they really focus on improving the check-in experience, because that first contact is vitally important. And I bring that up because I think, within your organization, what's the first contact your colleagues have with the security team, and how does that make them feel? So normally it's a couple of options. It's either during induction week they're given a policy, or maybe they're given an hour-long presentation by someone and they're bribed with coffee and donuts; or they're getting told off for clicking on a phishing link, "you've done this" or "how could you be so stupid"; or it's in a meeting or a project meeting or something, and they're saying "we want to do this", and there's a department of no there saying "no, you cannot do this, you cannot do that, you cannot do this". So let's work out how we can improve that initial contact, how we can welcome and how we can create an open environment with our colleagues so that they can come to the security team openly with any issues. Because the whole issue isn't that they don't want to follow security or they don't want to use the tools; they're experiencing friction. If someone's using unauthorized cloud storage, it's because they're not happy with the options you're providing them. So let's speak to them, let them come to you, let them explain "this is the challenge", and speak to them at their level as opposed to dictating down to them. That's how you create a culture of openness with them. And I think... I work for a security awareness company; we do simulated phishing and we do a lot of security awareness, and it is the best in the world, I'll add that, but that is irrelevant if people cannot come to you and talk to you when they have an issue, if they're scared or they're embarrassed. So open up those doors to them.

The second part is the tools and the users, and I say users both in terms of end users but also in terms of your SOC or the security team. If you're investing in tools that add so much friction to the process, it's not going to work. And Joe Carson, I think he's left, I was talking to him about this as well; we talk a lot, we hear a lot about zero trust these days, and zero trust is great, except it introduces a lot of friction, and I think we need to focus more on zero friction as opposed to zero trust. It's all well and good saying you'll use a VPN, you use MFA, you use this, you use that, and that's a really secure solution, but everybody hates doing that. I mean, no one really enjoys doing that. Even I, as a security professional, I'm like, oh my God, I forgot my YubiKey, I'm going to have to raise a ticket and get them to allow me on some other way, or what have you. There's all these pain points in place. Same thing with my previous company as well, AlienVault; they did a SIEM product. It was like a US... anyway. SIEMs are notoriously bad in that you have to tune them. It's like, oh, you can buy a product, it's there, and then you can spend like a quarter of a million dollars a year hiring consultants to help you tune it and configure it and get something useful and meaningful out of it. And then, oh, there's some orchestration here, but then everyone's too scared, because they're like, this is so scary just to get to this point; I'm scared that if I turn on automation and it starts blocking stuff or doing things automatically, we're going to DoS ourselves in the whole process. So the confidence isn't there. So find the right tools that not only inspire the right confidence but also reduce that friction. There's modern ways we can look at architecting stuff. I know this stuff is probably a few years in the future, but if you're starting now, find ways, like, have adaptive authentication, look at risk-based profiles. If someone's logging on from their normal workstation in the office, don't prompt them for the second or third layer; but if they're travelling and they're logging on from a new location, then start doing that risk profile, getting them one push. Move security more to the background, the tools to the background, and make it easier for the user.

And the third one is the organization and the security culture don't match. And I think a lot of that comes down to security teams not understanding what the objective of the company is. Too often we think that the objective of the security team is to make the company as secure as possible, and that's probably not correct in a lot of scenarios. There was a CIO I spoke to, and he was a CIO at a drinks company, and I said to him, well, you're the CIO, you manage this massive IT estate, what's your job? And he goes, "My job is to help the company sell more beer." And I thought that was a really good way of looking at it. Like, as security professionals, our job isn't necessarily always to secure everything; it's to help the company sell more beer, or sell widgets, or whatever that might be, and do it in a way that's convenient and easy and fast for them. Again, another tip someone told me years ago was: if you work for a public company, how many times have you ever read the shareholders' report or listened in to the shareholders' call? If you don't know what your CEO is promising to the market, how can you be sure that the programs you're putting in place actually align with the company values? You can't, in most cases. The last point on security culture is that one really convenient, easy way of changing it is to get execs on board and get them to share some of their stories with everyone, especially when it comes to security stuff. Say, like, oh, you got hit by a phishing attack or some BEC fraud or something like that; why don't you tell everyone at the next team meeting how it happened to you? And again, that creates a culture of openness; people become more aware of how to share those stories, and it lessens the shame. I mean, nowadays, ultimately everyone is going to get popped at some stage or another; that's not the issue. It's like, how do you handle it, how do you make people feel as a result of it?

So the takeaways. And I've done exactly what the previous speaker has done and I've rushed through my slides, haven't I? Don't worry, it's all right; more time for the afterparty, you're welcome. So people just want you to buy their box or their ideas; both of them are equally as dangerous when people are just pushing their boxes or their ideas onto you. I think there's flaws in every stage of the process, and this is where we need to stop relying so much on external influences and rely more on internal data. I think that

that's a key part um having a datadriven strategy actually um even though I I I sort of like jokingly refer to it as just a buzz phrase or what have you it really does help you put you in a defens uh situation and um you know understanding what the risk is really really does help and uh architect to remove friction if you can do that uh the tools and people will work together a lot better so I don't think it's it's it's 100% the fault of the tooling and it's definitely not uh the fault of the users it's just like the way in which we architect things to work together that needs to be done a lot

better so with that woohoo uh thank you for your

attention and yeah now it's not yet time for the Selfies video but for questions so uh are there any questions in the audience and hands rising to get the microphone to them or everybody is kind of like your reference to the Beer oh there's there's a question oh there's a question Cool not everybody yet still thinking about beer yeah hello uh my question was that right now companies think that the most efficient and cost effective way let's just say that is teaching their staff about fishing a males do you think that in near future or like the specific time period maybe that the um way the fishing evils will be made will be so unre

unrecognizable for regular um workers that they this method of avoiding these attacks will just like the efficieny of it will go down and if you believe that this will happen like a graph right now everyone's thinking that the best and then it will go down and if you think that it will go down what's the period of of time and if people are already thinking about it is it even efficient right now to do it if it will fail in the end I hope it's that's that's a great question and I think there there's I'll answer with in two parts uh the first thing is uh as companies we need to think about if one user clicking on

one email or one link can bring down the infrastructure this something wrong with our infrastructure you know links are made to be clicked that's how they're designed and if someone clicks on it and then something catastrophic happens we need to rethink the architecture so that's the tooling part that I think we've as an industry have typically got wrong the second part though is I think it's very valid is like uh even now I think people are it's the the traditional fishing emails are very different today than what they were and people get fish not just on emails that social media and and through slack and uh even on SMS or phone calls what have you there's all

there um the the thing is uh you need to make people aware of it somehow and at the moment today I suppose if you if you give put them through a simulated exercise that's normally a good learning experience but it needs to be positioned in the right way to often companies will send out a fishing email as almost like a way to catch people out and then say haha see I told you you're stupid and then people they feel offended they feel like they've been attacked so what we need to do we need to create more of that culture and this goes back to what I was saying about the initial contact that security team has with the people

say like hey we want to do something to help you we we we we can tell you about stuff and then we can show you some live examples with your permission to so that we can demonstrate it's kind of like a dojo where people go to learn karate and they they can Spar in a safer environment without getting hurt and no one gets offended by that um the the the the point is whether it will be effective in the long run and I think what what we need to do is we need to build a framework of thinking within people as opposed to saying here's are the dos and don'ts um when you cross the

road I I don't know whether you have it here in Estonia but in the UK you have like the Green Cross code you teach kids when they really young uh it's like when before you cross the road you stop look listen and then you cross uh find a safe place stop look listen and then you cross so it's a framework you build into their mind then no matter which road they get to in their life they know a way of how to cross it safely and I think that's what we need to focus more on is to teach people the Frameworks on how they themselves can make better risk decisions so regardless of whether they

get a fishing email on email or SMS or Tech or or or social media they have a framework as to what to do now we're not going to make everyone security expert I think even for us we think hovering over a link and checking it is easy it's not intuitive for a lot of people so I think what we need to build for the most cases is like report it to the security team if you're unsure and we will search for it and we will and I think that goes back to building that collaborative team team approach thanks uh I think there is one question already there before that I uh up the game so we have uh more of

this merch uh available so for your questions until the merch runs out or questions are runs out every question gets uh to pick their prize or their merch yeah but there was one who was willing to answer the question even before knowing that so yes thank you for the good presentation I have a bit philosophical question can the technology beat um social engineering can technology beat social engineering

um it can it can help in some cases but 100% no I don't think we can ever say 100% anything any nothing can be 100% effective for for for any scenario so neither technology neither the people neither everything you could be the best driver in the world will that guarantee you'll never have a crash no because there's other factors at play there as well so um I think everything we do is all about reducing the risk but can technology reduce the risk to within an acceptable level I think that's what companies need to ask themselves and if you architect it right and use the right technology you possibly can so thank you thanks there too much I think you were

first as soon as you said there free be for everyone fre free beer I don't know free it was before free but nevertheless what what uh I wonder in terms that you spoke about treadmill that is a somewhere in your corner but uh what about the technology or uh cyber security treadmill for you uh what has been lost such kind of thing oh okay so what's a cyber security treadmill that that's l so I've got probably more UB Keys lying around doing nothing because I I I forgotten one time and then I degraded my security on on a few accounts um but um other than that oh I I um I went through a phase where I was

setting up uh Canary tokens for a whole bunch of things um uh if you don't know Canary tokens they're free uh you can just do a search for Canary tokens they're like um little files you can download you can make them look like Word documents or whatever you can put them anywhere on your network and then if anyone opens it um you get an alert but I didn't actually put good descriptors in them so now whenever I get alert I have no idea which Canary token it is so I've just resorted to ignoring them all so thank you I think

there you're talking a lot about uh the friction that security introduces to people and when it comes to security training uh uh employees also every now and then see it as a kind of friction hey uh you're interrupting my work and I now have to spend like one or two hours watching this boring video do you have any tips on how to integrate security training so it uh doesn't introduce more friction to the world yeah yeah no definitely so uh two things is well okay I I'll break it down to one thing I think we need to stop thinking as trainers and start thinking as marketers uh so think of it as a marketing campaign make it short but

frequent and use all the tools available to you just because there's an half hour long video available in your platform to share you don't have to uh you can you can do like posters you can do screen savers pick one or two key behaviors that are your most risky behaviors for your organization and for a year just focus on those and nothing else over time that will become the behavior so uh you know and and what happens is that when when new people will join during that period if they see for example say for example the behavior is you want people to lock their machines when they walk away from it in the office uh

people have this mircat approach when they see someone else do something they start adopting that behavior and then slowly that becomes a culture where like everyone is locking their machines as they're walking away from there so focus on one or two behaviors M build it like a marketing campaign and do it over the long term um and that way you can like um social engineer people into doing the right thing thanks uh any more questions uh I think next one is probably here so oh okay there's there's one um you speak about uh the culture and just building off the last question about the security department and how sometimes they're com like they just no no no no

no do you think that could add to the concept of inside a threat because some of the conversations that they have are with departments that have privilege access you think that could correlate with each other so uh help me understand your question sorry uh if if someone's saying no if security team's saying no to people then they might bypass it and become an Insider threat to the not bypass it's just it leads to disgruntlement and you're just not happy with the job and that's leads to a threat inside right right got it I've got it so disr yeah I think that's that's natural uh if if you want to do something and someone's putting barriers

in your way you will feel disgruntled and you'll either find workarounds or you'll be very very unhappy living within those constraints and we we see that happen sometimes where people just become very disgruntled and unhappy with the security team to the point where they they start to exclude them as much as possible from from issues and um that could that that then leads to things like Shadow it and um people doing stuff that you have no visibility over and that's the worst situ ation to be in yeah

hello just closer sorry um is there a so cultural variation does this play a role at all in security culture development so for example I haven't worked in Security in Estonia but my impression of Estonia is like e digital e Estonia everybody knows everything about cyber security but I work in the UK where we're like please don't use Liverpool as your password so do you see that kind of culture plays a role in the security culture development in like in in National variations because no before is an international company do you see variations in this yes definitely uh 100% you you see variations around the world and something that works really well in one part of the world doesn't

work in other parts of the world and so you need to be very sensitive to the the microcultures within uh especially a global organization so from a training point of view we try to build localized content so translating content doesn't work you need to localize it so U so it's more the the cultural references and the jokes or or whatever you want to inject are relevant to to the people there um also what we see is like sorry are the kind of topics the same and just like the communication strategy is different or is it just completely different aspects that you're looking at for the majority case the topics are the same but the messages deliver different

but then there are also specific topics in specific cultures that are handled a bit differently as well so in In some cultures in some part of the world so it's really easy to say don't share your password with anyone in other cultures it's like oh my mom asked me for my password I cannot say no to her H so so you need to take those into account and build build systems around that and then tailor the message accordingly okay so up we probably going to be out of uh oh there's one question over there okay there is uh yeah question there I I'll run until I'm a bit worried there's like three or four of you pointing there like that's the

question so I'm worried if this is going to be a tough question it there we go uh thank you for the talk I was just wondering um this concept of friction and sort of in a way information fatigue has come through here a few times now um I'm wondering say I've noticed at least in my corporation that um upper management especially tends to have this uh reaction of like ooh something scary happened we now have to send you know mass email to a thousand people about this so I'm wondering do you have any tips on how to like get upper management to understand that over sort of spamming people with you know continuous messages is maybe not the best strategy or any

sort of other tips on how to you know get them to understand that we maybe know what we are doing yeah so so that that's a really tough one and it varies from organization to organization and it also varies on on I think it it's important to understand where their fears come from and so I was speaking to one exec and they they were doing similar thing they were over over there and I said what why are you doing this this isn't effective and they're like well from a legal perspective I want to be covered myself that if something were to happen shareholders can't come to me and say I was negligent I didn't inform

people or there wasn't a so like okay we understand you don't want to be negligent how about we build you a framework that's easier to share this information so that you can say Okay legally you've fulfilled your obligations even if it's not a legal obligation just self self-thought of uh but it's in a way delivered in a way that is um convenient for the user because you're right it's these messages however important they are they get ignored and U you know and another way is like you can um help the exec frame it and um into a story that they can share with others so like here's a funny story we almost lost $2 million last

week you know and that that actually it it it it again it opens up the the conversation and then they've got the message out to everyone and seen some companies they've recorded a segment of cyber security into the uh annual sort of like video Christmas video whatever they put out so they will say like this year we've recruited this many people we've made this much profit and XY Z about cyber security so just finding out what their fears are and then leveraging what other communication channels you have in place I think that works easy but I I don't think there's a a standard way to approach all of these situations unfortunately okay thanks and we

[Music] are couple of minutes over our design time so actually we managed to keep them longer away from beer which is probably good for health or something like that uh so thank you thank you very much oh