BSides LV 2023 - Breaking Ground - Wednesday

[Music] foreign [Music] [Applause] [Music] foreign [Music] [Applause] [Music] foreign [Music] [Music] you're giving me wind away some kind of butterfly baby [Music] [Music] don't wanna overthink it baby [Music] [Music] don't leave me [Music] but I don't wanna jinx it baby [Music] my dad [Music] but I don't wanna miss you baby oh [Music] maybe you'll give me five years I'm gonna butterflies [Music] [Music] some kind of butterfly baby [Music] [Music] oh [Music] oh [Music] [Music] foreign [Music] foreign [Music] [Music] [Music] [Music] foreign [Music] [Music] [Music] foreign [Music] [Music] [Music] [Music] [Music] [Music] foreign [Music] [Music] thank you [Music] [Music] thank you [Music] thank you [Music] [Music] thank you foreign [Music] thank you [Music] foreign [Music] thank you [Music] [Music] foreign [Music] [Music] foreign [Music] thank you [Music] thank you [Music] foreign [Music] thank you [Music] thank you [Music] foreign [Music] thank you [Music] foreign [Music] [Music] [Music] foreign [Music] [Music] foreign [Music] thank you [Music] [Music] foreign [Music] thank you [Music] [Music] thank you [Music] foreign [Music] foreign [Music] foreign [Music] [Music] thank you foreign [Music] [Music] [Applause] [Music] thank you [Music] thank you [Music] [Music] [Music] foreign [Music] [Music] [Music] don't leave me alone [Music] [Music] giving me Wind and Rain some kind of butterfly baby [Music] [Music] oh [Music] [Music] maybe you'll get you [Music] gently went away [Music] baby [Music] don't leave me alone baby [Music] foreign [Music] [Music] tomorrow [Music] [Music] [Music] foreign [Music] [Music] thank you [Music] [Music] foreign [Music] [Music] foreign [Music] thank you [Music] [Music] [Music] [Music] thank you [Music] thank you [Music] [Music] thank you [Music] [Music] thank you [Music] thank you [Music] [Music] all right [Music] oh yeah [Music] thank you [Music] foreign [Music] thank you [Music] foreign [Music] [Music] foreign [Music] foreign [Music] foreign [Music] foreign [Music] foreign [Music] thank you [Music] thank you [Music] thank you [Music] thank you foreign [Music] [Music] [Music] foreign [Music] [Music] thank you [Music] foreign [Music] thank you [Music] foreign [Music] [Music] [Music] thank you [Music] foreign [Music] thank you [Music] [Music] foreign [Music] thank you [Music] [Applause] [Music] foreign [Music] foreign [Music] [Music] foreign [Music] [Music] thank you [Music] thank you foreign [Music] foreign [Music] thank you [Music] foreign [Music] [Music] [Music] thank you [Music] [Music] foreign [Music] all right [Music] [Music] [Music] thank you [Music] good morning besides Las Vegas everybody seems kind of sleepy today so I don't want to talk too loud I see a few still shuffling in in the back but uh we're also at time here so I don't want to take too long either um I have a couple of quick announcements for today uh we've had some schedule changes uh first off uh the honey pot training in uh over in Platinum today in the afternoon at 1500 hours has been canceled we had a unfortunate uh travel complication for one of the speakers there so we will back away from the microphone which keeps ringing um and uh so that one's going to be gone and then we also have in the ground truth track uh two speakers who thankfully are not canceling but did swamp times it's updated correctly in the schedule but if you're going to the cognitive security and social engineering talk that uh with Matthew Cannon and Dr Ben Sawyer that's now at 1400 hours and Stephanie losi's System Dynamics and risk management talk is now at 1500 so that's the business out of the way uh hope everybody's been having a great time today we have the hardest or the the smartest working man in infosec uh [Laughter] so Neil you who's here to talk to us about how well this whole generative AI thing kind of plays into the broad field of what we're doing how we're thinking about what we're doing and uh maybe you know some of our conceptions of uh what The Core Business of you know guarding and uh and utilizing our intellectual property when our organizations is and uh a whole bunch of fun stuff like that so we like to do some of these kind of broader think pieces here and I'm really excited to see what he has to say about it put your hands together for Mr Sunil you foreign yeah I don't know why I got that reputation as the smartest person I keep telling Bryson and the others uh they need to meet more people but that's it um I've had a chance to really um do some really interesting things in my career uh currently I'm now actually I left the CSL role and it's kind of actually part of the story here too The Tale of Three csos but I'm now a security Ambassador at Jupiter one I used to be the Cesar there I used to be that Chief security scientist at Bank of America and while I was there I had a chance to create two things that hopefully you guys have heard about it in some respect or another if you're at uh the uh Chris Hoffs keynote last year he actually mentioned these two he mentioned the Cyber defense Matrix which I bought copies of and I'm more than happy to give them away please come and see me if you want to get a copy as well as the die Triad and I'm going to talk a little bit about those in context but um those are just two things that I'm generally known for um oh and if I run out of books um there's a book signing that if you have one of those expensive uh business hall passes that you should really get for free um I'll do a book signing over there as well all right now as I mentioned um I I don't really consider myself the smartest person in cyber security and I certainly would not put myself in the category for uh anything associated with this newfound new found newfango technology by the way so I I hate calling it I hate using buzzwords I prefer to just call it newfangled technology or nft and so if you hear me um just call it that just just make sure you understand why I'm calling it nft so okay so in this newfango technology I'm I think I've passed the peak of Mount stupid okay but I'm not that much further okay and so I'm sure there's people who are way way smarter than I am way more competent than I am in in this particular new space but I try to think more deeply about what are the ramifications what are the things that we can look at beyond the problem space that we might be facing and to kind of go and look at what Josh talked about yesterday he kind of gave that tenure recap cap so I'm looking for 10 years and that was kind of my role at Bank of America as the chief security scientist I said what kind of things should I be looking for 18 months out three years out so that we can be prepared to tackle some of the challenges that we might face and so that's kind of the perspective I'm taking as well but I'm even though I said 10 years maybe it might take 10 years but I hope it's much sooner and for us to be prepared to be able to take on the opportunities that come from this is what I would like to share here so as we look at what's coming it seems like we're in this dichotomous time where it seems like it's the best of times and the worst of times and if you're in security wow it seems like we're in the worst of times we have uh a lot of challenges with how employees use this technology how developers are building these Technologies and how attackers are weaponizing them okay and each of those poses a real challenge for us at three you know Three core problems that we run into but I think I'm not going to spend too much time on that because I'm sure um there's more than enough material on that okay and I'm not planning on sharing that piece as much but I'll give you a little quick snapshot of that just so you understand the context of how I'm thinking about it but the real question is how do we make this the best of times how do we take the opportunities that are presented before us and really capitalize that uh for our careers for our industry and what we can do going forward okay so what are those opportunities and that's what I'm going to focus on primarily now as I talk about these best of time opportunities um you know it's it's somewhat prognosticating okay as I mentioned I hope that these will come to pass and I have I've looked at this for a while to see the signs of it and I would say um I I well well you know I think one of the things I would look for is key indicators that this is actually trying to it's starting to happen and I've already started to see some of these things happen so um we'll see if it turns out but I hope it's not well as I as I predict a future for you I hope it's not the too highfaluting and high too Ivory Tower I think there's some real practical troops that we can take away from some of these things all right so first let's talk about the worst of times and how employees use this newfango technology well first of all is that we have a lot of fear uncertainty in doubt and as we have folks using these Technologies we have people saying ah wait um it seems like it's spewing out the same intellectual property that we just put in okay and I would say no no you got to understand this is not that's not how it works okay that's not how album works and and the way I characterize it is that llms generate but they don't commemorate they generate new information they generate information but they don't commemorate uh information that's already in the system unless statistically it's it's highly prevalent uh Caleb Simon actually gave a great example if you type in what is my Social Security number and you give it the first five characters it won't be able to figure out the remaining five even if it was trained on your associate on a whole bunch of social security information okay so the perspective that llms generate and not commemorate is one of the misconceptions or at least people thinking that we can um that will spend out spit out a whole bunch of information about our intellectual property and so we're seeing a bunch of things happen in the industry for this I was going to put a bunch of logos of companies but as you probably know the the curve for the number of companies being created on LMS is like vertical okay so it's it's hard to keep up I said you know what it's not worth trying to capture that but there are tons of those Technologies and I was also part of a group that helped produce a policy around how should we look at these this as a concern okay however that said okay I'm not gonna hit that much because you guys can I'm sure you're already well versed on a lot of that where you can hear a lot of talks on it but I think there's an opportunity for us to again uh change the role so I'll change how we look at our role and the opportunities that we have so how can we Elevate the CSO role in this new um new this new environment and so let me give you an analogy consider what a CFO does what is the CFO in charge of they are they govern the whys and appropriate use of money they allow businesses to essentially spend money to basically make more money right so that's the whole point of businesses right they don't actually make money too by the way they don't generate money I guess they can do fundraising but that's not really creating new money and if if a CFO said you can't spend any money you might as well fire them right they're not a really good CFO in that regard but what if the opportunity is for us to become the CFO for intellectual property so we have a bunch of intellectual property going out and we have these concerns around them but it's sort of like what if what if again it's a form of currency and we spend currency to make better currency so what is what's the role then we govern the wise and appropriate use of intellectual property uh we allow them to spend this IP and this IP by the way has different uh you know I don't know if I want to put a dollar value to it I'm really deep well versed in the Cyber risk quantification space and you know there's a whole bunch of stuff around that but I don't want to get to that let's just talk about it in the context of like are we talking about low denomination bills or high denomination bills okay are we talking like if I went to a CFO and asked hey I want to spend 25 on something they will come to me and say what what are you asking me for I'm like just go swipe your credit card and go on what what is a low denomination intellectual property for us might I suggest for example our source code is low value denomination bills okay do I really need to ask for permission to transmit Snippets of source code now a lot of those denomination bills may add up to a high denomination bill so to speak and so we have to be you know figure out what what that sort of threshold is but the perspective is we have a lot of intellectual property and if I said as a CSO you cannot spend any of that intellectual property well guess what you should probably fire me right and so what what if we change our role and the opportunity is for us to consider what what it looks like to be a CFO for intellectual property now with that comes actually some other interesting applications or interesting uh Concepts and with Finance and Accounting it's a very mature practice as you as you well know and in that context there is um lots of different things that we can borrow from that as well okay and we don't have those tools here but these practices are things that we can probably figure out how we can adapt them to security as well and so I I just pulled up a bunch of terms and generally accepted accounting practices I'm going to call them security practices and here's an example impairment impairment is a financial term okay and it did some slight tweaking just to remove some of the finance specific words but if you read it it sounds like what we can do in security what is impairment it's when some sort of resource is impaired okay it's it's designated as impaired when I can no longer have any sort of assurance that it can be fixed within a certain time frame okay sound like something we deal with on a regular basis right should we call it maybe impaired okay versus you know vulnerable or whatever else is yeah maybe okay and guess what when you have the term impairment there's also all these calculations that come into how we think about um like how do you calculate impairment cost assets we call them assets right it just seems natural except assets on a balance sheet is on the positive side of The Ledger but most of the assets that we do on security are actually more liabilities okay do we actually have it on the right side of the Ledger and maybe if we start representing it as a as a liability and not as a quote asset all of a sudden the business will see it as wait why are we carrying these liabilities not doing something about it maybe we should try to get rid of these liabilities okay so again just slight wording change but you can see how that helps as well survival metrics so if you're in a startup or if you um if you're any venture-funded company there's a whole bunch of metrics that we rely upon to see how much time we have before we die as a company so they're called survival metrics uh what's your burn rate what's your Runway what's your churn and in the context of assets and how we look at sorry liabilities I should say uh and the way that we look at the resources that we have to be able to run a company um what how how does how does an impairment reduce our Runway how does an impairment increase churn and I'm not talking about turning customers I'm talking about churn and other ways that we think about how these digital assets work as well later on later today I have a talk on Double Entry accounting so what is double entry accounting it's a simple way to be able to have two ledgers two different systems provide a check against each other okay and I'll share some examples of that later today during a talk specifically on that so I'm not going to spend too much more time on that and then um there's a whole bunch the industry the finance industry has been reshaped a lot because of the simple concept of ibita and we can think about like what does it mean to have income in the context of cyber security we know what the term technical debt means right but how do we translate that into how it offsets this notion of income and the value that's being created by these assets that are these assets slash liabilities that we have see even I still keep throwing myself off on these things but that's it the the the premise here is that we have a set of practices that we can now try to codify within how we do cyber security and I think the reason why this is particularly important is because I've been fairly deeply concerned if you haven't been deeply concerned you should you should be concerned about how the government is deciding some of these things for us okay and whether you agree or disagree with the Joe Sullivan's verdict um I could put myself in his shoes and there are many times many cases where I would have probably done similar things as he would have done maybe a few things I wouldn't have done but nonetheless I can see how many of us can follow into the same traps that he did and then Tim Brown with his Wells notice that he got served I mean there's there's a center of practice that they're assuming that we can't ever achieve okay so when we think about um when we think about for example some of these practices let's I'll talk about this in Double Entry accounting how precise is accounting okay or how accurate are the books how much variance do CFOs allow and guess what they do allow some variants okay it's not a perfect I mean the the ledgers don't always match and yet they don't get sued well if it's a huge various they might but within acceptable amounts they don't get sued they don't get fined they don't get these issues and it seems like that's not the same for us in cyber security and so we have an opportunity to to to well we have a couple opportunities one is to redefine our role not as a as a person that tries to secure as a technical weenie that tries to secure all these little things but rather in the sort of governance role of how we manage and govern intellectual property and the institutional knowledge of the organization and we have these tools to help us well we need to come up with these tools and in doing so we'll end up with ways that we can potentially provide guidance for the government and for us as a practice so that we can not deal with these in the future as well all right so that's the first um best of times opportunity how can we become the CFO for intellectual property the second challenge that we deal with the second problem is developers building and um I'm I'm sure pretty much every company out there is now and you know using these newfangled Technologies to try to do something with llms or generative AI here's a diagram that you can barely see because it's the wrong contrast that Andreessen Hurd sent out it's a reference architecture for how you build llm applications and don't worry about the detail at this point but I do want to point out a couple things that in the context of uh what we've always learned in security there are a couple inviable rules right um one you know never get into a land war of Asia land war in Asia but the one that's probably more important or well you know just slightly well less known but nonetheless important is to never trust user input and fundamentally one of the issues with uh one of the fundamental flaws with llms potentially the fundamental flaws is that we can't separate out the control plane from the data plane all right so we know that I mean this is like a such a well-known uh principle in cyber security and yet when I go back to that chart that reference architecture everywhere that I've highlighted in blue is user input unsanitized user input okay and it's pretty much everywhere right so okay um