Security as a Video Game

so our next talk is Rob fry presenting security as a video game hi everybody I'm Rob Frye nice to meet you guys I've been in Knoxville about 20 years I was so excited that I got selected I haven't been out of the house much the last few years anybody else have that problem no I'm here today to have a very again serious conversation about video games whenever it loads because you know you need internet for that anybody like uh caffeine raise their hands caffeinated beverages I love me some caffeinated beverages I hope you all don't mind but I brought my own I've got an extra if anybody wants it you can like share stories and talk

about video games all right so about me it's been an industry about too long more than 20 less than 30. um got to do all sorts of really kind of cool stuff mostly on the defensive side uh I think there might be a few red teamers in here I think I've heard some conversations and some some presentations uh today's conversation is it's both interesting but it's not super serious we're going to talk about how we broke in we're not going to talk about how stupid people are well we might talk a little bit about how stupid people are just because we're security so um where I'll start though is y'all probably never seen these Peak

before but every presentation I ever do I do a disclaimer uh there's a reason why because there's actually three reasons why I do this the one I usually tell people is I work on all sorts of research and other kind of interesting stuff and sometimes I'll do a presentation in a conference one year and people like that was really cool we went off and did it and I'll show up the next year and I'll be like yeah no don't do that anymore that was stupid and then they get mad at me um the other reason it's usually legal and you know maybe after drinks if you give me enough I can probably tell you about

those um so what did this presentation start so I think I think the year was probably 2017 I was at a security conference around the bar having conversations with some csos and some other folks and uh we were talking about the challenges that were affecting security at the time all right so 2023 2020 2017. what were the problems about six years ago anybody do we have enough people in security was it easy to get hired did we love our security products yeah so a lot has changed in six years is what you're telling me yeah that's it's all gotten better um what was interesting for me is what happened out of that conversation is I

got put on this freaking weird ass trip not that type of trip by the way it was this other trip although I tell you there's other conversations for that that's after drinks too um I started meeting cognitive phds anybody ever like know any cognitive phds you know what these guys do for a living they learn about how you learn it was really interesting about that is when I met them they were like well what's your problem and I was just like well I've got people that are really smart I've been doing stuff for 20 years and I got people that aren't and I'm trying to take the people that aren't I'm trying to turn them into this

and they're like who can we meet them I was like sure and then studies and research and other colleges and all sorts of other things happened after that and some interesting lessons kind of came out of that so here's the analog I mean if you sat down and probably saw that this was you know security has a video game so we're gonna talk about video games it oh wait a minute let's not I'm not going to ask you that question just yet gratuitous flash screen before we begin I don't do memes by the way so if you were looking for that I thought about it I almost did it research oh my God the amount of research I'm not

talking about security research I've done security research you all done security research we know people that do this is not this is video game research you know how much video game research is done out there compared to security dwarfs it absolutely dwarfs it we know all sorts of interesting things about you people so let's do a show of hands where's my hand oh there it was show hands show hands be honest who plays video games in this room because it ain't higher than uh 90 you're lying 90 percent 90 of people in security play video games 60 65 in the last 24 hours that's not about true it's like oh it may be believable maybe

not yeah no that's believable you sit down what's up last four hours yeah on the on the plane here in the hotel like I don't want to know what to do in your personal time but I think we all play video games pretty much all the time and it's I mean it's so much more than that right so my path ended up having me interact with NSF and Hewlett Foundation to help certain phds get funded for research I got to got to interact with the Facebook team specifically with the Oculus team because you know what cognitive phds use in order to learn about your brain VR it's like one of their go-to tools they hook you up to a whole bunch of

electrodes they threw a VR thing and then they start throwing things at you and they start asking you questions and asking you to do things they learn all sorts of crazy things from them uh and this taught me all sorts of different things I had an opportunity to go to Penn State they had this big dome big white Dome it's a VR Dome been there for a really long time so I'm by the US Army Army pays for the research Penn State's been doing it for a really long time why why well here's some here's here's a problem right uh Navy was having issues with kids coming in and teaching them how to do what

Drive submarines so all the phds get together and they're just like well why don't you make the controls more like a video game controller and see what happens the Army because the Army's always suck it to the Navy sorry if you're an army my bad but it's true the Army followed the Navy and they they started talking like experimenting with tank controls that were like video games learning curve starts to go down why it's all about how you learn coffee America's Army how many people played America's Army back in the day I don't even know if it's still out there like this was one of those ones where it was just like we're going to test you on

all sorts of things that we believe in and if you screw that up we'll know about it and then when you try and come in and get into the military we'll be like no thank you but if you do really well at it like you could potentially get a higher rank grade I'm not sure how that actually worked all right so then there's this two kids on a couch study don't worry the kids are coming it'll be here in just a second this was a really interesting study in that what they did is they sat one kid down playing a video game right next to another kid now one kid is an expert at this game

been playing it for months weeks years whatever kind of case may be and then they set a kid down next to him what do you think happened

it's this weird like symbiotic relationship that happens right like how many times have you been watching your friend play on an Xbox a PlayStation a PC or whatever the case and you're watching that what are you doing as you're watching them you're learning and so what ended up coming out of this this study was this cognitive understanding of how people learn when they're in groups anybody do that in security now I know there's the brilliant jerks out there that's I don't have time for you like if you don't have those and you have somebody that actually will take the time I think in the in like like especially on I think on the research and the red teaming side

the the massive amount of information sharing that happens and then the amount of of the ability to learn a defensive side is still a little slow on that but there's enough research out there that basically says like some of it's misery left company I remember like back in 2009 I was working at a tech company and um Chinese decided to come into town and just smack the [ __ ] out of all of us that was called operation Aurora and I was working 100 hour weeks I was learning a lot on the job I was pretty miserable but it was it was one of those ones where we were learning because we were all miserable too so it's not just

about video games and enjoyment there's a lot of different situations when you're with people that you can learn so no Norton Meyer he talks about it this way this very like cerebral thing I could never come up with anything like this I'll let you read it because I'd probably just butcher it but it basically it talks about like you know your brain can get smarter these things are applicable anybody got a parent out there that's just like brain's gonna rot your brain or games are going to rot your brain like can somebody find me a piece of research that's come out in the last five years well that's true because pretty much everyone that's come out in

the last five years has basically said video games good multitasking cognitive function hand-eye coordination over and over and over and over again there's all these benefits now what we're going to talk about today is RTS games any RTS game players here oh we've got we got a few we got a few so I haven't really touched but I'll be honest since like the late 90s sorry Command and Conquer or Starcraft Etc et cetera but as I was doing this research it was super interesting to understand security and then watch how you play these games all right so mental note number one video games can be an analog for real at jobs we're going to get it more into

that it also has the ability to improve yourself and others around you mental note all right here we go next splash screen is everybody it's like reminiscing right now like it's like oh I know though I played that one I played that one I played that one some super interesting things about the fact that you played probably more than one of these or new versions of these fog of War everybody remember fog of War like whoever invented I don't know if it was Sun Tzu U.S military whatever but the concept if you don't know what it is is you don't know what's out there you need to go figure it out okay put your controller down and go

if you work in security go work in security what are you doing every day do you know what's out there do you know what your service attack footprint is no it's freaking fog of War you gotta deal with this crap every day you think you know and even when you know the red team guys are going like you don't know let me show you so there's one here's something that's interesting though and it starts to we start to we're going to diverge a little bit this one's more about we're starting to get into something called a design principle right what do all these games have for the most part most of them all happens it's a mini man why do they have a mini

map there's another concept called situational awareness right I need to know what's happening here because I'm focused here but like I'm being taught multitasking by being aware of what's happening in other places by showing me a condensed version of information that's there command bar same thing right now one of them was all like cutesy and probably 30 years ahead of their time and they're just like we're gonna throw it up along the right hand side because we're cool these are design principles now what was what was one of the interesting things about this though I don't know if you I didn't think about this until I was old and I'm doing research on it now right

version one came out you came in here learning curve figured out pretty quick because it's pretty intuitive version two came out you couldn't wait to get your hands on it minor learning curve why because the design principles didn't change that much between versions that one of your friends was playing a different one and you were able to go download that or get it off aware site maybe buy it whatever I mean whatever floats your boat and that brand new game that you've never played before you are able to get proficient at it quickly why because the design principles in these things didn't change very much so that's stop there for a second let's just go

ahead and don't cross your arms over your chest and block the mic

here's some similarities between security I came up with these so attribution this did not come from research I literally put this together and it to me it's super freaking funny how close playing RTS games is to security literally security is a video game and a video game could be security and I see some of you taking pictures there are differences obviously the difference is interesting um more on the downside for the security operator than it is for the video game player if I'm in video games and I get killed New Life start all over you get pounds get all your drives encrypted you get all your customer data downloaded sorry that's just too bad mental note number two

RTS games are going to end analog and a log analogy I had a few too many drinks and I was greatness um but but also what's interesting is we're naturally attracted to to good design principles now another footnote down there there was research done around 2018 I can't remember exactly who did it so I can't give proper attribution but it was basically talking about people understanding that RTS games were good kind of overlay to security and they started to ask the question and they were initially positive results around RTS games and it like started to become hiring questions I don't know if it's still done I have not kept up on that research but it was interesting to me in that

there are a lot of if you think about it you know your kid in college in high school whatever the case may be and you go out you're trying to get hired they're looking for skills we don't have any so what do you come in with well I got all the certs how many people care about certs in this room well if you're probably 30 years experience like me I'll give a [ __ ] about certs but they're everything to somebody who's really young well what's another thing that you could potentially use I know a guy that got hired at Yahoo of all places because he was some master dwarf elf in some video game and he was the head of his

clan literally the reason he got hired he put that on his resume and it was the reason he actually was an employee there sometimes we have to rethink how we do things while it sounds funny that we would include video games inside of that is it really that crazy all right now it's time to get nerdy on you who here loves design principles we've got the artsy people creative types I got one if you guys got some yeah okay not surprising not surprising we don't have a lot of creative types in here um so design principle essentially a set of what values it's what defines your product right quick example I want to use red

okay well if you have two designers that want to use red for different things that's a bad design principle it's going to make for a crappy product red some of it is nature some of it is nurture we just are just wired to know that red is bad it's about circles squares triangles I can sit here and do all sorts of things in front of you I won't though I will a little bit to show you like design principles are just super interesting things another quick fact about me I always put a matrix thing inside of my presentations don't believe me go back through all my presentations for the last many years uh this one was kind of relevant because

the Matrix was a design principle that's essentially what it's saying it's just it's just everywhere are we ready we're going to do examples who's right everybody am I awake everybody's listening and I like this everybody's kind of listening I see some heads shaking

that's not all that's there that's all that's there is there anybody in here who doesn't know what this means raise your hand please we won't make fun of you that bad I promise all right this is a design principle you see it everywhere it doesn't even really need to be taught you just know it it's red it's it's that shape it's I mean Pac-Man just with the color and a shape you know what it means you have to put a word in I mean you could change the word still means the same thing and if you don't speak Spanish I could put a hand up there changing the design principle but does it mean something different to you

no okay design principles are everywhere you see these things every day you're not even thinking about them and if you're not thinking about them it's because they're really really really really really good all right so many years ago I had a 45 minute drive home I would do one-on-ones with blind police weird [ __ ] happens right see if this has happened to you before right jump in the car throw my headphones in start make the call 40 minutes later I get off the call I'm pulling up in my driveway do I remember the drive home no why muscle memory you have cognitively done something so many times the design principles are so strong that your brain offloads

cognitive function to your subconscious you literally can go you can do a complicated dangerous thing not think a thing about it because of really good design principles it's amazing anybody here had that happen to you yeah it happens to everybody all right now we're going to do some thought experiments by the way I have cameras all around the rooms and there's electrodes in all the seats so like taking in data right now from everything that you say or do another design principle easy one right let's say I change it it's just confusing to anybody do you like driving up on this thing you're like oh my God it's horizontal instead of America yeah there's lots of places that have

these around the country right I mean I could I could reverse it are you going to get an accident uh all right dang it I should have thrown that in the addendum we're not going to get into visual disabilities in this particular one I care very much about that I do a lot of work with that if you're colorblind there's a different presentation that happens three hours from now with alcohol all right so we all agree colorblind but let's say let's just assume before I go to the next slide let's say nobody here is colorblind just is otherwise it takes the thought of the next slide what would you do if you came up on a

light and looked like this I would be very nervous now if I know if it's in the middle I think I know what to do as long as like you didn't switch the order maybe I know what to do maybe thought experiment number two remember the time it was on the screen foreign

around it 45 degree angles okay pretty much everybody see a circle was there like a really big circle and then a metal Circle was a circle or a square or a triangle what was it anybody anybody know the color of the circle in the middle ah 80 percent of you through science through cognitive learning I know and I made that way too light like I know you look right the center I know this through science I knew as soon as I was going to flash I was going to flash it up for a second your eye when you look at this screen because of the design was going to go straight for the middle not only 80 some

of you I don't know not enough caffeine you're bored you're waiting for this then so you can have some free liquor I don't know look whatever the case may be but I know that 80 of you not only looked at it you probably remembered what the color was third one let's use one that's a little bit more home and security so let's just say it's like an argument green is no good yellow is suspicious red is malicious that resonate with anybody in here better all right I like circles as boundaries so this Outer Circle let's say it's an ASN let's say the inner circles are cider blocks let's say the little dots are IP addresses

everybody up to date on my design principle okay this laptop is connecting to an IP address is that okay based and don't like no theoreticals please like yes we don't know and yeah that somebody could get up just for the sake of the thought experiment let's just make an assumption that all the greens are actually green even though we know it's probably not true all right makes sense is that Green Dot that that laptop is connecting to is it okay it's still it's it's still as far as we know right

this is the easy one everybody's just like well it's obviously bad because it's connecting to Red okay well fine what if I change the green now if you've ever done threat research for any amount of time that green is not green but what I just explained to you without having to pull up freaking spreadsheet column and Rose I gave you a visual representation of data where you could start to make assumptions that are probably correct about this does resonating with anybody yet so this is real life one I was flying back from DC we had a particular application this was a whole bunch of network traffic I knew this was bad because black dots are bad

either because we knew they were bad they were marked as bad thread Intel is bad something was bad about it so we knew that when we got into this particular application when we saw Starbursts that was bad and when you see Starbursts that will have connecting things and some of these little tendrils off of it this was an attack and now the only question is is what's leaving what's being sent someplace else which offices which employees I didn't all I did was get in and look and I knew bad stuff was happening just based off of the design principle of this particular application mental note number three we love design principles as human beings shapes and patterns mean stuff to

us muscle memory is a good thing let's go through some problems some conflict some Stakes here's a problem in security is anybody here not have enough data do you do would you like more data adversary would be happy to give you more data the vendors would love to sell you more Tools in order to generate more data but the failure is we have so much data and what do we end up doing right like I always love this I built products before I've been on the vendor side for about seven years now and I love this request coming in hey can we just export to CSV what's the joke in cyber security what's the best UI

anybody every security vendor is up against the spreadsheet I've seen research done on that too one of them was done by some guy that I've actually already quoted inside of here um somebody been doing basically kind of like uh you know sir type stuff for 20 years and he basically you know Rewritten the synaptic brain processes in order to wrap his head around how to process information from a spreadsheet you know who can't do that anybody who hasn't been doing it for 20 years but we're so much inside of security we're just like spreadsheet Colin Rose let me filter let me do stuff and it's like well that sucks especially as how much data is coming in these days

another problem out man outgun totally completely surrounded oh by the way I love that I found this like the other ones I've had were not so good I was like anybody army men when you were kids they make those things still yeah so it's uh you know a hopeless feeling if you're a Defender you are completely just surrounded out landed outcome another problem with security resource Gap I would say the resource Gap is also going to be closely related to the skills and the capability Gap okay why is this right could it be possibly because we don't have tooling that's easy to learn could the fact that I constantly am seeing these wrecks out on the internet

where it's like we're looking for a junior candidate with 10 years of experience and a long list of capabilities because they spend a lot of money on their stack and like what does that what does that mean like I I need to have like my hiring bar needs to be high why well why not have time that's kind of BS uh two when it comes to like the hiring thing I need to make them jump really high I have high expectations and really where you're getting to is you have the security stack you've paid a lot of money for and you've got a People value and you don't want your people sitting around doing nothing

why are tools so hard to learn though not calling anybody's names out I think as far as I know for the most part yeah some of them are Cabana dashboards that's fair game but like uh the uis that we create do not have solid design principles they're not easy to use I think you know when was the last time a pie chart or a bar chart was helpful for anybody else other than to see so like does it have useful information yep Maybe your day-to-day work like is that what you just can't wait to get into the office to look at that bar chart to see if it moved the line chart the pie chart like that's

not a good design principle for security

absolutely correct if I'm an accountant might be useful security not so much I get tired of the request when I'm building products too it's like hey I need a pie chart right here I'm like how about I give you the ability to download it in CSV you can click go and pie chart anyway mental note a lot of them I'm not going to read through all of them all right so question why should we bother improving security it goes something like this so that we don't so we shouldn't or that we don't want to suffer any more stupidly than we have to and maybe that also helps us with our co-workers and provides us with a capability of

actually using a tool for what it was meant for for people of a broad set of skills and not the most advanced people at work here's an interesting one I I I've gotten one of the ways I've gotten to where I'm at in my career is I don't focus on one business vertical I've worked in a bunch of business verticals and what's interesting about design principles and I've kind of showed it to you here today is other business verticals and this is like one of the cool things like some people are just like yeah design principle security it's stupid I'm just like well here's a high-speed Financial trading app seems to be pretty important to them

Financial guys spend crap tons of money on design principles because they know that a microsecond a second a minute being able to understand what's up there there's a crap ton of information up there to make a decision it's super important Health Care Health Care you know how much money Health Care spends to make better your lives I go and I talk to design students in college you know where they want to go there's the video game ones we won't talk about them financials and health care their bleeding edge there's a lot of design principle there's a lot of talent there for this type of stuff anybody know this one that's right I put it up here because I

was building a product back in the day and Chris the guy that actually wrote this I was able to bring him in as a contractor now you might be but but that's fake and I'm sitting there like no like I've talked to designers the guy that did Tron like if you go through the problem like these guys literally will be like what am I trying to do here they will go through the entire iterative process and if you think of what this product here that's fake is supposed to do from a design perspective and a design principle perspective it's amazing these guys actually like the reason they wanted to work with me is they're just

like we don't understand why security UI sucks so bad it's like everybody just goes down and downloads Twitter bootstrap and changes the bar from the left or to the top and some colors throws in some pie charts and bar charts and you're done they're just like why can't you do this this would be so much easier for people to learn here's another one automotive industry and health and what are they doing a lot of right now spending crap tons of money on AR and VR I think any vendors that I've seen in the security world that have tried arv arts and gimmick they're trying to get you to come to their Booth so they can scan their badge

but there's actually real world applications I'll show you a slide here in a minute to kind of put a point on that it's actually this one what do you see there you know what I see I see a real-time strategy game that's exactly what I see like I've I've sat back and done thought experiments with different people where it's just like if an RTS is a video game like I need somebody who's kind of like these people right here they're seeing everything they're clearing the fog of War they're communicating with the troops on the ground troops on the ground they're going to have all these different displays augmented reality all these pardon me

it's massive amounts of data situational awareness operational intelligence might not they're spending a crap ton of money on this because it's valuable so mental note number five is that it can be done don't let anybody tell you that it can't be done can be done it's being done all over the place it's not being done insecure which would be kind of the punch line here the reason it's being done in other business verticals is just motivated by need money capabilities improvements are understood these these new uis have value they provide competitive advantages I'm not talking about pew pew maps and security I know those companies I've shamed them the sexy wiser I mean there's a

marketing aspect of sexy lives let's just be honest but if it ain't functional Don't Mean a Thing all right we're at the conclusion I can tell many of you are either thinking or just like waiting for another punch line trying to figure out how many drinks of this monster I'm going to take um so RTS is good for security right I would like seriously for kids coming up high school college if they're playing rts's and they like it I would tell them consider a career insecurity absolutely talk college kids all the time will love it uh they have consistent design principles why because the people building them know that they're important um security is hard enough why are uis

the bottleneck and then that last one which is kind of like a really big one coming out of this is why don't you expect more from your vendors don't set like the the standard status quo for security right now is I'm a startup I'm gonna go hire some kid out of college if not like get an intern out of college to build my UI is that really what you want like this should be a question I think like what does your product do it does all of these things ignore the mlai stuff who do you have building your uis what are their design principles how are they going to help us all right closing game's over I'm here for questions

hopefully this was entertaining if not just a little bit thought-provoking but regardless you'll probably see an update to this presentation about five years only because there's a whole bunch of research that's being done so if you have any questions I'm happy to take them yes sir so we all have a gazillion security vendors and I don't want to have to go into each bottle all the time so isn't this really just a call for someone like Splunk to build better visualizations so I didn't quite hear the whole thing there but it's like why Splunk why does it smoke do this yeah the first part was we all have tons of security vendors right and so I don't want to have to go

to like 20 different tours where each one is trying to build better uis like a literally single pentagons oh I hate that word it's a myth it's been it's actually been proven to be a myth there was a research done by uh I don't know some smart security company 1200 respondents and has anybody ever seen a single penny anybody single pane of glass work in security anybody 30 years I've been hearing this term it's not just single pain a glass though it's like everyone every vendor tries to build their own query language and it sucks that's SPL in Splunk is or you know whatever your sim of choice is is better than that so that's the other

reason it's not just like the getting the data to visualize it you have my permission and you can tell I'm Rob fries thank you to where when startups come and like they invent the terms that don't mean anything and you know that they love to invet terms that don't mean anything or they come in and with new design principles that are conflict to what you're like smack the crap out of them like it doesn't it's not helping you right like would you rather play an RTS game that plays like a security game or would you rather have whatever the garbage is they're giving us right now right and it's not that like I worked on

an email security company a few years ago right that I spent a lot of time in the UI no well I did research they weren't going to be in the UI they wanted all the alerts to go where to the SIM right so it's not that every product means the most modern you know it's like you're dealing with I've generated alerts before that have 10 000 data points ten thousand you know what the status quo and security for ten thousand data points is column and Rose Splunk elasticsearch a whole bunch of other products it's Colin Rose who can process that nobody oh I'm gonna filter it I'm gonna write a magic query it's like great or you might be capable

99 of people aren't so it's it's one of those things where like Splunk is they're an old dog like this isn't their Forte anyway they're never going to change they're incapable newer companies have to come up and do this there are companies that that have that capability but to your like your first point there's bazillion companies like focus on the ones or help the ones that aren't doing it focus on the ones that are help the ones that aren't doing it tell them it's important that I'm gonna give you my money do something that is going to help my junior medium and Senior employees any other questions

wow I dropped the mic on that last one

so one thing you brought up in your presentation I thought was kind of interesting is like the skills and capabilities of getting into security are so wide right and there's like like two or three year like constantly like you're always drinking from the fire hose right at least that's been my experience that's never gone away so like security is a video game like teaching all skills in a video game format like would you say ctfs or maybe like the most efficient way of teaching those or like what research have you seen that's like the most efficient way of teaching on those kind of skill sets does that make sense I mean it does uh CTF

um this is kind of gamified right yeah it is it would be a different type of design principle in that I mean one of the things I love about people that do CTF it's also the reason why they're really good at lock lock picking patience their patience they're persistent right um on a lot of the CTF and the red teaming side this is more for the defensive side it's more about the unknown and the known unknowns and then just beating the [ __ ] out of things in order to see what comes back and that's a different design principle than I'm being attacked every day I have bazillion data points coming in every day how do I make sense of that so I

would say it's more hyper focused I think a command line for a lot of that makes a lot of sense I think the information coming back maybe if I'm doing scanning different types of maps around uh you know what information uh like if I'm doing a random search on the Internet or if I hit a cider block and I'm able to get pop somebody and then I want to do a map of of their internal Network I think some visuals could definitely help you move faster from an offensive side some design principles would hold up but it is a different Beast to try and do it from like a CTF side for sure so I'll ask a question

so vendors are hiring designers they're hiring experienced product managers like like where's it falling apart what are they what are they missing what are they doing wrong that results in bad UI when they're hiring professionals that should know better right that's that is a great point I need to go back and edit my freaking slides because I actually did not talk about this so thank you for bringing this up Adrian um design is a skill set and it's a very very specific skill set you have to be taught it acquires so at a product I did several years ago I didn't want a designer that was from security I wanted somebody that specifically at the time from all the research I'd been

doing I want somebody from the gaming industry hide this kid out of Blizzard you know what he was doing there building web pages I looked at his art page it was freaking amazing I was like can you do this he was like yep what was really awesome about that is it proved two points one there's all sorts of really great talent in these other business verticals that aren't able to climb up because that particular business vertical is crowded and so people like me what are we doing we're gonna go steal them away so if a minor to your point movement the last year or two is you're starting to see design being taken seriously in

cyber security my friend that guy that I hired from blizzard I think he now works at uh one of the cloud Sim vendors he's getting paid what he should be getting paid designers weren't getting paid very well inside of security so there is a value it's it's slow I'm not saying this is going to take a year or two it could take a decade or longer but there are sub currents that are currently happening so you know kind of what you're saying security people are feedback loop they're the one of the most important feedback loops right but the designer has to be the one that says here's what a design principle is and here's what I'm going to show you and

then they need to validate it and pretty much everybody in here are the ones where if you ever have a chance to do an A B test like a whole bunch of wire diagrams you might not have the patience for them I actually love them but it actually helps establish what the design principle actually is for that company it's really worthwhile any more questions come on let's do more questions more questions so we can't go drink sorry it's probably not really a thing is it good your presentation did not directly address the changes in design Philosophy for accessibility especially for Disabilities and neurodivergence one of the things that I've been reading in the research lately is how when you make

something accessible for a minority group of users it becomes more accessible for the whole group of users do you think that we're going to start seeing behavioral and Behavioral Studies going into things like a Sim single pane of glass or something like that and actually changing the way in which we think about processing data because data scientists have been doing this for 25 years why are we so far behind uh I mean a lot of it's money so like one of the challenges with being able to do this inside of cyber security is the amount of Revenue that it's going to generate based off of doing that's much less than some of the other business

verticals money is what it is the other part to some of that is uh you could almost do an entire presentation just off of accessibility because of how complicated and complex it can actually get you know what type of disability what type of data you're actually getting into um it's not something other than when I have to build a product and I have to be subjected to what those things are I haven't read or seen a lot of research around that most of it's done by government it's done by health care so when it also comes to security data sets there's not going to be a lot of research out there as well a few years

ago the Regan Street institute in Indianapolis did a bunch on accessibility for UI it might be interesting for your research by the way you have to tell me about that later so I can go look and meet you at the bar yeah I like it anything else

over better design principles and kind of how do you balance that trade-off oh I love that question good uis and better data I call this a seven steps kind of philosophy of design principles right like let's say I have three people one's Junior one's medium one super senior right there's a massive amount of data set right hundreds thousands what is it that all three of them when they come into a UI that they need to see what do all three need to see how do you get that consistency right now you go to the Second Step okay I gotta understand the first the second the third user what's what's the first user if the initial information I give

them is not enough and this you'll start to hear some design people talk about like uis need to tell a story you're coming in and you're either being taught something or you're asking something and you need the the right information at the right time okay cool like I I you just told me something let me ask a question back additional information what's at that second level that all three people need to see right usually what you see in a lot of products today is here's a call in Monroe here's some initial information I click on it and boom it just inundates you with all sorts of stuff and Scrolls and all that type of stuff for me what I've found in the

research I've done is it doesn't usually go more than seven and what happens as you get further along eventually where you're going to get to is you're looking for something and like you need to go swimming in the data and now you can start to think of a can a canvas and kind of a blank UI where where the previous information might come in or you might do some type of blind query only because I've qualified you as you've gone through that UI and you're just I know you're super technical and you want to go into a set of data that is so complex and so what not that it's not something that should be displayed

by a UI from a design principle it like now you're at a point where search and something like a Splunk is not necessarily A Bad Thing but it's it's really it's understanding who is there the type of data and then every one of those steps of what that data from a story is trying to tell you all right so I know I'm the last one uh Juan thank you for having me this was a lot of fun for me first presentation I've done in about two years uh hopefully I didn't suck too bad love to meet some of you guys hang out for a little bit um thank you besides thank you Nashville and uh everybody take care

[Applause]