Choose Your Own Keynote

olio's my friend thank you this coming through yes right so word of warning we're running on windows 11 because we're crazy

so yeah uh and the story behind this talk is now it feels like minutes ago but uh ben ping me saying hey someone's dropped out could you do a talk it's like um sure uh it was then an hour later followed up with a could it be the keynote but what sure why not uh so i really wasn't planning on doing this uh at one point i didn't know if i was gonna be coming but you know in person at least but here we go so uh who am i so uh for those who don't know me i have two kids i'm a geek i am the head of my services at quorum cyber uh

and my favorite dinosaur is the greedy source which is a very small dinosaur uh it easily traps itself because it has a really large mouth but uh it's a very very nice dinosaur but uh yeah so uh i was an id guy for years and years and years uh and then moved to security because i knew some of the insecurity and because i'd been saying things on twitter and they've kind of reached out to me and said hey you seem to be doing way more sec than i t now fans are coming in for a chat so that's about me don't care if you want to know more about me uh trust me you can grab me and i will bore the crap

out of you without me but you so b-sides b-sides is a community i mean if you look at why b-sides came about it was literally because a big conference there was talks that were being rejected and the community said but we want to hear these things so if you look at it like you think well actually it was spawned out of the community want to talk to each other and it's amazing world spanning set of people that all just come together and you're talking crazy people like ben they just go well right okay let's look we need one in newcastle uh and there's it like it's all over the uk uh there's an absolute ton of people

there's no hassle it's relaxed it's not vendor driven you're not you know your email addresses are not being farmed so that you get spammed the crap out for the rest of your days uh there's normally pizza involved there's just about always beer involved and steak and mistakes are sometimes made but b-sides is about community it's about people getting their first talks up before they go and do a like a major paid gig or something along those lines it's about people it's about you guys basically newcastle uh so third year and i missed the first year which apparently was skate park it was very very cold i know people were there so it was very very cold but it was

awesome but again you've got this the community makes it you know it doesn't really matter where it is it could be in the back of like a you know really crap higher van bus thing uh but it would still happen and everybody said and you get an opportunity to meet people make friends ben is crazy and we love him to pieces he does generally run around with his like head on fire and he actually also makes fire but is the one that everybody sits and goes yeah okay we're going to make it and if you ask for something because of community like b-sides people will stand up and go yeah i'll help you right the way this is going to work

is that you basically get to choose your own keynote now we're going to run through this and we've got like 25 minutes you can pick anything and i will tell you about it uh it's not going to choose your inventory you get to then get more choices right you'll actually just get these ten right so uh for people online ping it in slack and i'm sure somebody in at the back will will grab it but literally just give me a number you may notice there's a mystery option number three

which we won't do first

so right somebody give me a number seven seven seven worse than ever right okay so if we do this by the power of powerpoint horrible people really so uh the question isn't ever how do you measure that so i've i've been in many the worst incidents of it i've done a fair few in my time [Music] reputationally the bigger the org the bigger the problem it that one is one for lawyers and when you're doing incident response you will never ever send an email out to anyone outside the incident response team essentially about the lawyers signing off financially uh the the worst one i've been involved with which is a review rather than the actual live one was

about 900 000 pounds uh and that's small potatoes by you know big incident standards because actually there's for all those really big ones that you get out there there's hundreds there's like daily ones of just little ones just little leaks little breeches i've just sent you know somebody's office 365 gets compromised and it sends like a thousand emails and stuff those ones you know those never make the headlines but you still need to deal with them you actually still need to do like all the legal stuff and make sure you've done it properly so it might not be the worst incident ever when i'm looking at it but for the people that i'm helping it's their worst

day ever because they're saying i have absolutely no idea like okay you know unless you work for t-mobile then it's like you know the annual party but um but ultimately when you are working in an incident the worst incident ever for that customer is generally the one you're working with so uh if you are having repeated incidents please come and talk to me about it because i'm sure there's probably a whole bunch of stuff we can probably do to help that but the worst things ever the org fine again it's that who's the worst for me and the staff one are actually the same it's actually the same as a financial one so uh for me i i find the the worst incidents

ever are ones that really affect the people because you end up talking to people and you end up talking to the person that clicked on the link and see what that does to them especially when they're saying oh i'm going to lose my job because x amount of money just walked out of the business the 900 000 pounds one that did the review i'd interview the people that were involved and when i interviewed the guy he was literally back from about six weeks off on stress uh and he still was only coming in a couple of days a week and he sounded broken and it was because he literally just went and it was a email compromise

it was a someone injects themselves into the conversation eventually goes hey no no chain move the money to this account instead you know we just updated it people then didn't fall processes and it was all like a big mess lots of money go out the door never comes back tracks are really well hidden uh and yeah with the things they could have done to prevent it yeah tons but you know when you look back in it your hindsight's 20 20 but ultimately the impact that had on the people and one person i couldn't interview because the one person that didn't do the proper checks got let go and so wasn't it available for interview so somebody lost their job on it

and the person that clicked the original link and allowed their account to be compromised they say allowed but ultimately yeah for me those ones are terrible because you see the people and when we work we're like we've had like charities call us and stuff like that and you're sitting working with them you know he's going back who's the scum of the earth that is targeting these things and they're not targeting these charities and stuff like they don't care they're sending it masses occasionally you actually see them going hey are they easy targets because hey they're raising money for you know kids for like homes for homeless whatever it doesn't really matter but what they should be doing

what they should be spending their money on is getting somebody off the streets or you know putting getting that child into hospital or whatever and so when you see those incidents you're just sitting there going the blood boils because at that point you're just saying humanity sucks keynote motivational speaker right flicking back give me another number not three because he's looking a bit scared oh that was go again two start some degrees right let's do that one that's easy it's kind of covered a little bit yesterday uh uh certain degrees a degree shows that you can stick it for four years might mean they've got basic level of knowledge but i've worked with people in

i.t and security that have degrees like film studies i i had somebody that had zoology in a team at one point the degree doesn't necess the content of the degree doesn't necessarily matter me i've got an i.t degree because you know i was boring and just hated handwriting until literally went into i.t to avoid having to write things instead of type them but ultimately the the degree it does show a certain mental aptitude but it's not the be all and endl a degree in as far as i'm concerned is actually that achievement for yourself so it's not actually something to like i i've known plenty of people that didn't finish their degree or just wanted to go

and do something and do an achievement for themselves and so for me a degree is the that person valued this and then went off and done it so if you come to me and i'm like a hiring and i see that you know after x years you went off and did the degree i'm like okay that person is still interested in learning and that person actually there's no direct they're going to get a better job because they went off and got a masters in forensics there's not necessarily an easy path for that so actually a degree for me shows yes that you can get through it yes a lot of them are now far more practical

than they were back in the day so there's a good element of the yeah you've had a good flavor of a lot of things generally in a degree and that's good because general knowledge in your field is a good thing but a degree for me is a as a thing you do for yourself and to get you started initially but yeah in terms of search right searcher as a person is hiring in a business some search i need i need to build people on my website that are thing or i can't get a certain bit of business and so the encouragement to go and get particular search and stuff can be a business reason other starts are they you learning a

very specific skill and the more specific that sir the more valuable it is in that field but do i need certain degrees to hire someone no i do not i honestly barely look at it in the cv i was like oh they've got a degree oh look they've got no icp brilliant that means that they stuck at something they passed something i have also worked with people that have certs that could not find the other end of an ethernet cable yes literally certainly going i once had a guy that was working for me in an it capacity that had uh the full suite of microsoft exams for server and workstation all that so according to microsoft at the time this

basically means this guy is a microsoft professional and i literally just need them to install some software so say like here's the software go and install it on all those machines over there and now he's like that username password go back round go around an hour later see kind of expected to have seen him and instead he's like he's sitting on is it what's the matter he's at the password you give me he's not working he's like wait wait wait a minute you've been sitting for an hour and you can't log in he's like yeah and he was literally logging in to domain when i'd given him a local account so this is what the local administrative

password they didn't know the difference and so you say go ahead and get all these microsoft exams and yeah it's not sunk in enough they make you actually understand the difference so certs uh are super useful for me as a business they do let me see that someone has a certain skill set to a degree as long as that's a practical one if you are literally going and doing a multiple choice at that point you're saying how good are you at remembering things for 20 minutes and then you're done so uh certs yeah if if somebody is sitting saying we don't hire anybody unless they're degree qualified that's an hr barrier and as far as i'm getting stupid

because some of the best people i know people in this room and stuff don't have a degree uh you're saying all right i've got degrees you can hire me my degree is like 20 20 odd years old so i'm going so what what does the concept of me pass and read 20 years ago have it on any impact on what i do in a job now so if you use it as a barrier it's kind of stupid but it is there uh there are ways to get around these things uh the the closing note last night it was the there was you know apply anyway and try and get through but yeah it's a it's a difficult one when you are work

looking for a bigger corporation and they have these entries to like a barrier to entry uh work around them if you can and if not then it's maybe another place right what was the other number was it five was it five right now this is like seamless i honestly don't care in fact does anybody know what the colour of an incident response team is supposed to be uh threat intel team anybody got a clue what number that is uh it really does not matter what role what skills have you got what do you want to do as long as you're doing the right thing having a color attached to you is more just for a laugh uh we mock the red team

all the time because we're in the blue team and the blue team's obviously much better but really what's your skill set uh i i i hired a guy uh and he wanted to be a pen tester in fact there was a big phase when i was hiring everybody everybody wanted to be apprenticed as i come out i come at you and say i want to be a pentester you're like do you like writing reports so what do you mean so so guy breeze through oscp like it was in there kind of came in and went like i really want to say dev wanting to be a pen tester applies for a soccer host joe so uh

so he goes from dev to thinking and say look we don't have any pen testing jobs but i tell you what when one opens up we'll move you across but cumbia come get your first infosec job and he did and because of that dev backgrounds because he can understood how things put together because of the pen tester because he understands it's one of the best sock analysts i've ever had and it was literally that you're sitting going you can apply the knowledge you have to getting that end goal and the end goal for us is literally everybody's here to help people you're there to protect people if there's a pen tester you're looking to poke holes in things before the bad guys

find that and then you close it all down and everything's fine so ultimately it really doesn't matter as long as you're actually bringing your company or your customer to the end goal that is protecting them and to make them a bit more secure and making sure that data is not likely to walk out the door money's not going to walk out the door uh whether you're a pen tester whether you're a violent analyst whether you're a sock analyst it doesn't actually matter what you want to do is find something that you are good at that makes you happy and that you can deliver good outcomes and then you can call yourself any color you like

but literally we're going to drop into rgb codes at some point because it's like lavender teams and stuff like that obviously the best color is purple

i'm not going to get right one quick one and then we'll do three because i'm presuming oh actually is anybody online deciding on a number that wasn't three i think this is saturday morning everyone's a bit tired or and or hungover or still drunk i nope there's no numbers online anybody else in the audience want to shout out a number what's four right four because it's a funny story uh number four once upon a time there was an incident and the customer was breached and they were we're seeing logins from many places and then the customer kind of like locked it down went like okay let's try and cut down what we're looking at let's

right do you have anybody who works inside the uk is anybody on holiday let's just do geolocation on the ip addresses of all these random logins and so we went right okay so i went right okay all these people that are not in the uk are a problem uh or an investigation um and so we had like your your normal like bits of russia and nigeria and all these sorts of things and you investigate them and go yeah that's bad that's bad that's that's bad and then one came across that was ireland and well okay i'll be the microsoft data center or something like that nope so right okay hang on a second okay well

somebody's pinging he's like like you're not going to be in ireland no no no right okay look who it is one of the directors of the company you like and so in the middle of the call that the customer's having whether they're like their phone and their director saying look your account's been compromised you're gonna have to lock you down where are you what you're doing bring your device in because you know we need to we need to take it off you and everybody's going oh god this is a director one quick google on the ip address you know okay who's okay where's that what's what's the vendor it's not one of the kind of vpn endpoints or tours that i

can expect to see what is it and then at that point can i say hey stop can you ask him what car drives and they kind of looked at me and went that's a very odd thing and said hey what do you drive said they're driving out you're like well that's fine he's not compromised now everyone looks at me it looks fine just just tell me it's fine we've managed to like sign off literally looking at the ip address you go right okay what's that company that owns that ip address that's really weird you google that company and then the sixth link down says hey they've just won this this isp won the vendor contract for autopilot

the in-car internet for audis so every time the guy went into his audi and his phone automatically connected he logged in coming from somewhere really weird basically some random bit of ireland that you'd never expect to see so geolocation is super important but don't trust it necessarily go and have a look and make sure that when you actually say something like hey there's an ip address and i'm not expecting that and i've looked at the geolocation in multiple different places and they're all agreeing that it is there and it's owned by this company then go and look up the company don't just sit there go i'll immediately assume straight off the bat that anything that is not coming from the

company office is a problem because actually you have to be really careful all the assumptions are and you have to just do it's always worth doing that little bit extra digging especially if someone doesn't feel quite right it's easy when you're looking instant to go i've seen this stuff before yeah yeah and then something does do feel right and either in a positive way or a bad way sort of thing you just sit there and go there i'm not expecting that sort of traffic that's a bit weird if you look at the network traffic for uh just about every company when you're working what does it look like when you summarize it into days of the

week it goes big on monday big on tuesday big and wednesday big on thursday big on friday quiet saturday quiet sunday and even during the pandemic that stays roughly the same for most companies and you can apply to network traffic you can apply it to the number of emails saying you can allow the number of logins all of these things will follow this graph and every sock analyst that works at quorum cyber gets taught that hey look this is the normal pattern uh and things like ai machine learning will come along and like spot these sorts of things but literally you look at it and go that doesn't feel right if i suddenly see more traffic on a saturday than i do in

the rest of the week and that's not normal i go and ask a question why so similarly when i look at it and go hey that that's weird that you know i've got all these really malicious places doing bad stuff and then the good folk of ireland that seems a little bit strange that's not something i normally see so you take the extra couple of minutes to go and figure out right scott come on you know you want to so who would like to see number three

[Laughter]

you trust me i do trust you so jesus cup

safety glasses

oh i'm gonna regret this

should i kneel or stand i feel like something good for ice cream does it actually make a difference i'm still getting a shot in the face

you might want to turn sideways over and see your face and also less likely what do you think

anybody want have i lost anybody want to see the bangkok version this trick it's not like that scott really [Laughter] right

thank you very much uh oh we'll have a great rest of b sites uh if you do not sit and make friends with two other people who don't know you're idiots so go find someone and just go hey who the hell are you because really the best i mean there's a whole bunch of stuff that we didn't talk about but a lot of stuff is there sitting there going there the guy that gets you your job three jobs down the line is sitting in the room behind you in too literally i have hired a one there one there one setting up virtually all because we knew each other from b sides and from infosec happier and literally all i did

was say hey i know these people are good human beings shove them into the process and they would normally not have come into the kind of sphere of the agencies and all that sort of stuff that we you you normally use and it was literally who you know is so important they will get you through really bad times like crappy pandemics uh and they will sit there on a friday night and get really drunk with you while looking down with anything the people around you that's what makes b-sides so the talks and stuff don't really matter they're just an excuse to be able to be here so make friends grab someone say who the hell are you

what do you do and have a good rest of conference [Applause] awesome thank you so much does anyone have any questions for dave any time [Music]

[Laughter] okay so new rule any speaker that overruns were using this um yeah no that was awesome thank you for that oh we have a question off the back let me dump the safety um maybe keep these for a minute hold on stand by standby so i missed the start we talked you to the networking you were just talking about from last night good job but the last point how much does networking hinder diversity

i employed lots of people that i knew from students so i'm not it's really you know i i do the same off we've got really good people because i knew them but there is a downside to that which is if you're not going out and coming in late in the morning then that's an issue uh if you look at the i mean the for the pandemic and and the infosec happier there is a pretty good spread yes there's a lot of like white males ah but then there's a lot of white males in infosec and that's slowly but surely changing i don't hire somebody because i like the sex so i mean i literally don't

care can you do the job and are you a good human being and so yeah i'd like for me it depends on what your networking circles are like so if your network encircled circles are only white males then yes your networking will only involve like white males and shame on you because there are plenty more different types of people out there in the world so expand your circle and go and find people that don't look like you uh for example so uh it does it's a problem uh it's something that the industry doesn't do enough to address it in certain places yes but it's a slow movement always but uh change is not necessarily easy on a

society level uh i have at least three or four stock analysts in a team of eight so i i do my best but i don't hire people because of their sex or because of anything it's literally are you a good human being and good human beings will network with each other so yes it is a problem but it's a problem of our own making and our own only us only we can solve it i'm exactly the same but i'm not criticizing off coming across a bad point i do exactly the same and it's hard thank you now you're coming welcome mark morning i oh no oh no scott you've got what's your question no you're banned

right what's your question well mark's just missed number three so you're gonna have to do it again no no i'm balling you from that dude honestly it's like why do you think i held on to these does anybody else have any questions for dave oh one day in the front certificates and qualifications uh uh side of things uh we recently well not recently about in the last uh a couple of years uh hired a load of graduates and most of them uh in fact all of them had degrees but they were like you said like zoology and history and geography and whatever like that there uh so when it actually came to ask if anyone had any

uh scripting skills uh to do some work not one of them i had because none of them had an id i t degree so what's the balance that uh kind of you have if you're hiring uh kind of people on there what percentage you know are you looking for with it degrees uh depends on the job and the role that you're hiring for like some like if you're hiring for like a senior security engineer to go and deliver like azure stuff then you need to hire somebody that isn't a graduate that has those skills sort of thing for the the people starting the kind of graduates or people that just are breaking an infrastructure it's not the

fact that they're graduates the fact that they just want to get their first job insight and they'll come and be a soccer analyst or a junior kind of consultant sort of thing uh it's about the can you learn and do you have the hunger do you have the curiosity i the i can teach skills i can teach anybody to be a soccer analyst as long as you're curious as long as you you have the aptitude to send the gun uh yes there are times where you're saying hey if you don't say hey i can do all this like scripting like brilliant because that has a particular mindset and an understanding that i know that i

can immediately work with but uh again fantastic stock analyst that we hired moved from a completely different industry could barely find the any key on the keyboard but during the pandemic decided to go and try something else and with a lot of help and kind of coaching around getting some of the basic technical stuff up to bill the mindset he had of being in an investigative role before means he's an absolute fantastic stock analyst because he knows where he when he hits a question if it's a technical thing you can go and find that answer i can find someone who knows it already they can go and learn it but the actual drive to investigate and

to do good and to to get to the bottom of things and to not necessarily take the first answer that appears in google that sort of stuff that's the bit that's really hard to get it doesn't matter what degree you've got at that point if you have the right mindset for the role then that's what you're after it's not a brilliant mindset for a salesperson is it they don't really need to be able to get to the bottom of a problem they want to be slightly mercenary if they want to be you know that commercial sort of sales thing but ultimately when i'm looking for a sock analyst or something like a painters i'm like i'm looking for people

that solve problems and problem solving is the one we think that's what i'm looking for so the degree whether they come in whether they have a degree or not doesn't really matter yes you see a lot of graduates sort of thing and we have like in edinburgh we're completely spoiled for choice because you've got like napier you've got the glasgow appetite they're all doing really good programs and stuff so really big universities with really good degree courses all within an hour of us is awesome because you actually get this like massive flux of people but i don't just take people from there i will go and like think i don't care where they come from it's about are you a good person

and can you investigate do you have that drive if you've got that i can teach you the turkey stuff or anything against uh sort of like graduates but we tend to get them in like wholesale as it were like let's hire 15 people and then see what we can actually fit and then do yeah and it is i mean it's not uncommon and there's like like uh graduate programs and stuff like where you are deliberately taking in a mass thing and you shop around different parts of the business and see what they stick and that works especially when you get to a company of a certain size and stuff and you can afford to do that and you go

well i know i'm going to have grants to do sweeping of the floor and stuff like that while we figure out exactly what hole they fit in if i'm looking to fill specific roles and graduates are coming in then yeah it's the you i mean if you're going to come to me as a soccer analyst i think all right okay tell me like you you can't interview them saying give me a good ex like in one of your jobs tell me how you dealt with like a high pressure situation so you're at uni you've not and you don't know what high pressure situation is you're literally going that oh god i've got to hand that in tomorrow

is the biggest bit of pressure that most graduates do so you're suddenly going to write but okay so you then have to sit and you change your entire attack but how you interview them and say okay right tell me about you as a person tell me what you thought of uni what did you think what's your favorite dinosaur uh but ultimately you suddenly go okay and then somebody says so one analyst i hired a i said all right okay it says here you've done a talk i mean yeah i've done that oh yeah i've done the tags all right okay see when you're doing a talk you terrified you're gonna get asked a really horrible

question at the end because that's like the fear that you have when you're doing your first talk especially if you're doing a technical content to peers and stuff like you're like right okay somebody's gonna ask me some [ __ ] in the back's gonna ask me something i don't know the answer to and they're then just gonna poke at me and i'm here saying and that's your fear when you're doing your first talks as you as you go on you realize that you don't know everything and you just go hey that's another guy let's talk offline and then you can deal with it like that but you don't know that when you're doing your first ones and so it's

all right okay like tell me a time when you did this oh yeah i did i got one of these terrible questions like brilliant here we go he's going to tell me how he dealt with something under pressure and he completely fell to pieces absolutely terrible interview uh absolutely felt pieces because he got really stuck on that out i was like oh yeah is that the question was the question was the question was and for like 10 15 minutes he was trying to remember what the actual question was i don't care what the question was i don't care what your talk was about i'm just trying to find out how you dealt with pressure uh and i looked and went you know what

you actually dealt with that but you can't do interviews and i can actually help them with interviews interviews are you know are stressful that they're a different sort of stress but actually you look at the rest of you go you know the rest of him he's absolutely fine he came out that thing and he had a terrible interview and the uh like you know the the person that kind of like brought them to me so i'm really sorry that went really badly i was like didn't they go badly at all he feels terrible but i'm not going to phone him and go hey you got the job so that because you're a good human being you've got the ability to do stuff

and you know what if you can't handle kind of a pressure situation well let's go fix that because we can teach you how to do that thanks for question does anyone have any other questions for dave no no hands no no um it's really really interesting because we had the kind of like talk yesterday about uh what was it what was the word to use they said the infosight carrying is [ __ ] um i think it's i think it's pretty fair to say that you hire good people you get the skills later we seem to be ten years ago we seem to focus purely on the scale of peeling how many degrees you got how many pieces of

paper how many crest certifications have you got are you ceh certified yeah but you know more people need to be like that more people need to be looking at the good people rather than the good paper i feel yep definitely and it's getting better start-ups are easier to because they don't you don't walk in with a massive entrench this is how the way it's always been done so there's not barriers to that and there's a lot more chaos and fluidity and stuff of that uh but trying to make sure that you keep that in a culture and a company is quite hard and he says knowing the from the experience but ultimately yeah you're hiring people you're not

hiring numbers you're not like you are trying to fill a role but you're hiring people is that person going to be a good fit from a team uh can i help that person uh if you come in completely arrogant stuff i'll probably not like you uh hey you know it rubs me the wrong way sort of thing so anyone who happens to interview me in future you know that but similarly feel free be proud of what you do that's that's that you know be proud i mean don't be arrogant be proud and and that ticks all the boxes yeah no absolutely right um amy said yesterday you've said that again today and not in less words but

tldr you're also interviewing the company as much as they're interviewing you you need to remember that yeah if you go along and you think chris it's not me it's them they're arguing you can walk away you know it's it's a two-way street it's not a single-track road and you're not stuck there for life a lot of students come out university and think oh my god i have to get this job at this one particular company or ah no go where you want do what you want go self-employed you're fine does anyone else have any follow questions for dave awesome well thanks very much everybody thank you very much big boy please