
...security work in the real world. There you go, Jeff. Thank you for the outstanding introduction. Hey, it's great to be back here again at BSides San Francisco. Glad you came out to hear me talk. This is, hopefully, more of a discussion starter. That's me; contact information is pretty much my Twitter handle right now. I thought about putting my email address up there and then I thought I wouldn't do it.

Quick audience survey: how many people think the answer to the question is yes, that DoD security work in the real world... Nobody's gonna go out there on a limb. How many people think the answer is no? How many people are just waiting for me to tell you? And how many people would rather get this party started and move on to the bar? All right.

This talk kind of comes from my background, so I have to tell a story about myself. I've been around the security business for quite a long time, going on 34 years. I spent quite a bit of time in the Department of Defense; I've been out in the commercial world for the last 20 years or so. I actually did PCI as a QSA for 10 years. Go ahead and say something funny. Anyone ever hear of a company called TJX Companies? Never heard that they got breached? I was their QSA for six years after the breach, not before. I helped them clean up. I spent a couple of years working for a vulnerability management company, who I shall not name because I'm no longer with them, but you can figure it out.

I actually got started in this business in 1984, strangely enough. I thought that was kind of appropriate to bring out today. My very first job, I was a summer intern. I was getting ready for my senior year of college and I went to work for a now-defunct agency called the Naval Surface Weapons Center. (Why is that thing moving? Because there's wind.) My job for the summer: I was working for a physicist who was an expert in anti-submarine warfare. In fact, when I went to work for him he said the best way to describe what it is we do is to read this book that just came out. So my first week on the job I got to read a book, The Hunt for Red October, because, strangely enough (and we could get into open source collection, which is probably another talk), there's a lot of really good information in that book about what really went on in terms of anti-submarine warfare. But he had this filing cabinet filled with research material, and he had gotten some money and bought one of these brand-new, newfangled things called a computer, a desktop PC; notice it didn't have a hard drive. And he wanted me to play around for the summer building up some sort of simple database with simple search criteria. So I had to go through this whole filing cabinet and find each document, read it, write the title down, write down all the pertinent information, read enough of the document to get some keywords so I could start building up a keyword search. And that was my summer job. That's kind of cool.

I was young, naive, and I got introduced to data security because I broke a rule. I came in one morning and I opened up the safe and there was a little note in it, because there was a security guard who walks around in the night trying all the doors, and he was able to get into the safe. Because, how many people do Lockpick Village? Know a little bit about combination locks? If you don't spin those things far enough they don't actually lock. So, guilty. I was young, I was naive, I was thinking, what's the big deal? I'm in a locked room, I'm in a locked office inside of a locked building, there's a fence around the building, you have to go through some sort of checkpoint, guard desks, there's a locked door into the office and there are guards that walk around. So what's the big deal if I left a safe unlocked? Hold that thought, as I want to get into talking about DoD level security work in the real world.

I think it's appropriate first to sort of level set on what we're talking about, because what you think DoD level security is may not be what I think DoD level security is. I think a lot of people, when they hear "DoD level security," think it's the ultimate, highest degree of security. Don't laugh if you know people in the military or in the government. But is that a perception? I think the answer is true; in fact, I know I've experienced that with customers I've had over the years. They think that that's kind of the highest level of security. What I want to suggest to you today, and what I hope is a conversation starter, or something at least for us to think about, is a different way of thinking about what DoD level security is.

This is just a quick sampling, but just in my time in the DoD we were involved in all sorts of things. I spent most of my time at NSA, and we do a lot of things with communications and signals analysis and things like that, so we had all sorts of abbreviations for all the different aspects and elements. Some of these carry over now into the computer age, the technology and internet age; some don't. But there were a lot of different things going on, a lot of different activities, a lot of different disciplines. One of the basic principles (and by the way, none of this stuff that I'm saying is new; I'm talking about DoD level security, and the DoD has been doing it for a long time, so you're gonna see things that hopefully are familiar to you; I'm hoping that we talk about them in maybe a little bit different way) is the basic risk equation. Has anybody seen some form of, or is aware of some form of, a risk equation, where risk is some sort of complicated algorithm, a simplified algorithm here, that has something to do with all the vulnerabilities you have, all the threats that you have, and you subtract off countermeasures, and that's what you're left with? So obviously a lot of the business is reducing vulnerabilities or identifying and detecting threats. This all should sound very familiar. If you're going to RSA tomorrow you're gonna see these words all over the place. But at its most basic level, what we're talking about is some combination of these working together to produce risk, and this is a DoD principle. This has been around; I was working on risk equations more than 20 years ago when I was still at NSA.

How many people are going to RSA tomorrow? Anybody? Go around, and if you see a booth where they're talking about vulnerabilities or threats or risks (threats and risk in particular), just go up and ask them what the definition is: how their company defines risk, how their company defines threat, and just see what they say. I'm guessing you'll get some interesting answers, and I'm guessing if you go to different people at the same booth you may not get the same answer. I find that curious, because there seems to be a misunderstanding, or a lack of understanding, of what these words mean in the larger context. I very often hear people sort of interchange the words "risk" and "threat," but in my way of thinking a threat is a component of risk. It's part of the equation; it's not the same thing. I guess it could be if every other variable was zero, but let's not get too much into the math for now.

A vulnerability, at its most basic level, is a weakness. It's something that could go wrong, it's something that is potentially bad, it's something that could potentially be exploited. Back in my day, threat was basically who: it was the people, it was the bad guys, it was nation-states, as we call them today. It was our adversary that wanted to do bad things to us, wanted to steal our data, wanted to intercept our communications. Countermeasures is a catch-all phrase for mitigations and detections, anything you do to try to counter the threats and vulnerabilities. And historically, back in my time, it all revolved around data security. It wasn't about securing the systems, it wasn't about securing the networks, it was about protecting the data. And classically (and again, these are not new concepts; probably a lot of you are familiar with them) there are three ways of affecting or impacting data: its confidentiality, integrity and availability. You want to steal it, you want to alter it, you want to make it unavailable. Think about that in the military context. It's a lot different from what we think about today in the internet world and how we run our businesses and corporations. But there's a basic concept here: it's all about the data security. It's about the underlying thing, what you're all about as a company, that you're trying to protect.

I used to be a cryptanalyst. I used to work as a manual cryptanalyst. I used to break codes and ciphers, I used to design codes and ciphers. Everybody know what that is? It's a one-time pad. Is it breakable? If you use it correctly, it's unbreakable. You can crank away at it; there's no such thing as brute forcing it. We have cryptography today and the internet, and we've heard talks today talking about it, and while the numbers might be large, there's still a computational total number of combinations. There's a way: if you have the computing power and enough time, you can solve all the cryptography that we have out there today. Not so with a one-time pad. So to my way of thinking it's been downhill ever since. Those things are slow; we sacrifice security for speed. I should give a talk on that.

So how this talk came about is, years ago I was working for one of my PCI customers, which may or may not have been the one that I mentioned earlier, and I was explaining cryptography to them. I was explaining encryption, I was explaining why their sensitive data, in this case credit card information, payment card information, needed to be encrypted, and because I'm a cryptanalyst I had to explain cryptography to them and how encryption worked. And the guy's eyes were getting a little bit glassy, and by the time I was done with my conversation he said, "Yeah, but we don't need DoD level security." Fast-forward to the last couple of years, where very large companies have been breached and we hear almost daily, if not weekly, about another big company going through a breach. I keep hearing guys say, "Yeah, but we don't really need DoD level security," and I keep thinking, you know, these are the typical PCI customers, and I keep thinking, yeah, you really do.

But I think the reasons why most people think DoD level security doesn't work (and there are probably another half dozen, dozen other reasons, but I think these are the ones that I ran into a lot): probably the biggest one is the amount of money, because you're perceiving that it's additional, higher levels of security, and that's costly. Companies that are selling food, companies that are selling clothing, they don't want to spend all that extra money because they have to make money, they have to earn a profit, they have limited budgets. All these other reasons apply. But as I was saying, my response lately is: yeah, you really do need to consider DoD level security, not to the nth degree, but the way that DoD level security was approached. And that's what I hopefully will convey to you.

This is a very sanitized, I hope, network diagram from one of my customers a few years ago. This is a retail establishment. They're showing their corporate office, their data center, and their typical retail location; they had two different versions, and they had hundreds if not thousands of them. I'll show you with my fancy laser pointer here: the red circles were every system where there was credit card data. Simple, right? Segmentation is a big thing; scope reduction, that's a big thing in PCI. Not so easy to do in reality. Historically, I think, in the commercial world, why a lot of these companies fail, other than that they don't want to spend the money, they don't want to invest in the resources and the training, is that I think they just don't have a fundamental background, a core competency. I mean, if you think about it, the DoD, the military, has been in the business of national security for hundreds of years. The grocery store that you shop at, the department store, the clothing store, the shoe store (nobody goes to stores anymore, it's all online, right?), the places where you shop and conduct commerce, 20 years ago they didn't worry about the security that we talk about today because they weren't connected to the internet. They didn't have computers; they did things completely differently. So they don't have the background, they don't have the history. If you think about it, who knows security? Who's been doing it longer than anybody? It's the military, it's the DoD.

So what can we learn? And again, these are meant to be discussion starters. You can agree or disagree with me, it's okay. I'm just throwing out some ideas based on my years. This is my life history, so be nice, because this is my past, but it's okay to disagree with me. Anybody know what movie that is? Sneakers, yeah. Did I mention data security? It's all about the information. In fact, I have the quote here from the movie: "There's a war out there, old friend, a world war, and it's not about who's got the most bullets. It's about who controls the information: what we see and hear, how we work, what we think. It's all about the information."

So how many people have some sort of consulting role where you're doing work for other companies? Whew. You might experience this. Assuming everybody else works for a company, you're trying to make that company more secure. How many people feel like their own company or their customers often don't really get security? Should be just about everybody at some level. Okay.

Let's go back to the risk-based model. The biggest difference, when you take the risk-based model out into the real world, the commercial world, is that you add a value to it, and that's the value of data. Somebody spoke earlier today and they were talking about the risk equation, and they were talking about coming up with a number value. The number value for the risk-based model for the commercial world is a dollar sign. It's a dollar figure. Think about it: it's all about the money. How much are you willing to risk? How much are you willing to invest against losing the data that you have, whatever company you are? How much is your corporate reputation worth? For some companies that's worth a lot, especially when a certain somebody tweets and it impacts the valuation of a company because they say something bad about that company. Money matters; money is what's important, and I'm not convinced that everything that I'm talking about actually works when it comes down to dollar values. But what's cheap is education, knowledge, awareness, mindset: thinking about what we are trying to protect and taking a systematic approach to protecting what it is that we're trying to protect. A lot of my customers over the years, even the PCI customers, really didn't fundamentally understand what it was they were trying to protect. They're like, "Well, I'm the network guy, I'm supposed to keep the network running. I'm the server guy, I'm supposed to keep the operating system patched." They didn't have the big picture. I think everybody in the company needs to have the big picture, and they need to be involved, and they need to know what's going on.

Most of you guys are probably familiar with the fact that in the government there are data classifications. Somebody got in trouble because they had an email server that had classified information on it. What was never talked about, and what was an important concept when I was within the DoD (and I'm pretty sure it's still true today), is that confidential information isn't as important as top-secret information. It doesn't necessarily require the same degree of protection. It doesn't have to be protected as long as, perhaps, top-secret information. It expires; it has a life expectancy, and so there's a point where you don't need to protect it anymore. Information can be very valuable for a short time. The analogy that was taught to me many years ago was: think about a battlefield command calling in an air strike (I have to put it in a modern context: calling in a drone strike). The target, that's pretty top secret, highly classified information, because you want to have that laser precision. But once the drone has done its thing, does it really matter to protect that data, that command of where the drone was targeting? No, because we kind of know where it was targeting. So, very highly classified, but only for a very short time, and then it's useless. There's an approach to data security that's ingrained into the DoD that values data differently depending on what the data is, and I really don't see that in the commercial world. We talk about customers needing to have data classification; they have policies that talk about data classification, but it's usually "unclassified, we don't care about it" or "company confidential." I mean, it's usually binary. There usually aren't layers; there isn't "this set of information is more valuable than this set of information and we have to protect it differently."

And if you think about it, then again, from our community's perspective, and this is where I start to think we need to have a conversation: is there a way to provide levels of security to the network, to the systems, that depend on what's trying to be protected? Because we seem to run around breaking things all the time, and everything's broken, and of course everything is connected, so if you break into one thing you can pivot and get around to everywhere. It seems to me there's an argument for segmentation. It seems to me there's an argument for compartmentalization, as we used to call it. The DoD calls it security in depth, where the very simple concept is: whatever is most valuable to you, you put it on the inside and you have layers of protection. This particular picture is a city in Italy, and it was built, I think, in the 1300s or 1400s. This concept of layered security is thousands of years old. I mean, how long have there been castles? When was the first fort ever built? It's a very old concept and it's still used today in a lot of ways. But I never hear anybody talking about one of the premises of this, which is: make it too hard for the adversary to bother. "Oh, I'd rather go to the next city where there's only one wall rather than this city where there are four walls." I used to make the analogy: everybody that owns a home out in the suburbs has to have their home security system, and I always thought it would be good enough to just have the little sign on your front lawn, because you don't really have to have the security system, you just have to fool the bad guy into thinking you do. When a bad guy comes to your neighborhood, he's probably going to be more likely to break into the house that doesn't have the sign. There's another common analogy: you don't have to outrun the bear; if you and your friends encounter the bear in the woods, you just have to outrun your friends. I've had a lot of customers over the years that have asked, "What are our competitors doing? What are other companies in our industry doing? We need to do as much, no more, no less." It goes back to the dollar figures.

But even going back to my early incident that got me started in data security, because I got my wrist slapped and my boss was apoplectic (I mean, he got red in the face because I did it twice; it was the second time he got mad), I didn't understand, but slowly it dawned on me. Even though there are components, there are different parts, this is a physical analogy of protecting paper that's locked in a safe. The safe has a lock on it. That lock is rated; the Lockpick Village could probably rattle it off chapter and verse, but that type of lock takes X number of hours to break. That's a measure. And it was in an office that had a lock; that lock was rated and evaluated: how long does it take to get through it? The security guards would walk randomly, different floors, different times. Even the guards at the front desk: in the early days you had to have a badge and they had to see your picture on it, and then we evolved to proximity badges and things like that. But they had a culture where I worked where they would switch out the security guards on a regular basis, not to give them a break, but because they didn't want them to become familiar with the people that were coming through. They didn't want the guards to get facial recognition and just let somebody in. I think that has something to do with social engineering; I think that has something to do with reinforcing: you challenge everybody, you look at everybody's badge. You don't just see Joe, who comes here every week, and not know that Joe got fired yesterday. So even the fences. The fences were out there, and if you live in the DC, Maryland, Virginia area and you see a building with a fence around it with barbed wire, it's probably DoD. It probably has cameras on it as well, as just this perimeter protection, and in some places they might even have sensors on it to detect if somebody touches the fence, and it might need to be fine-tuned to sort of filter out whether it's a squirrel or a bird and not a person. I'm just saying, hypothetically.

Throughout my career I have learned, and I've tried to teach this to my customers and anybody who listened, that security (which again is something that I think a lot of my customers believed is a state that you get to: we just buy this, we just buy this, we just buy this, we're done) no. Security is: you live a lifestyle, you live a culture. Everybody in your organization is involved and knows what their role is and what they should and shouldn't do, and everybody has a culture of doing this. That's what I used to experience in the DoD.

This is almost a 20-year-old slide, and things have evolved. We used to talk about the security lifecycle, much like a software development lifecycle. We would talk about it in terms of months and years; nowadays this lifecycle can be hours and minutes, because our technology moves so quickly and there's so much data flow these days we have new variations. I think one of the things that is problematic here, though, and this is where I start to maybe step on toes a little bit, is that this is very oriented towards the technology. And if you remember, our technology is a lot of what we do. But if you go back to what it is you're trying to protect, the data, maybe you take a different approach to the technology; maybe you think about it a little bit differently. I gotta move quickly because we're running out of time. The information about the security lifecycle just kind of explains the different steps.

And now my random parting thoughts. I think what makes DoD level security hard to implement in the real world is customers, and I think our whole industry, or at least that industry that starts tomorrow down the road, has bought into: "Don't tell me about all the process and paperwork and policies and training, just tell me what I need to buy to fix the problem. How much is it gonna cost? Let me put it in and I'm done." Vendors, because of that, are kind of controlling the industry. The experts have become the ones that are selling you the solution. I think that's a little bit of a conflict of interest, but go take a look at RSA tomorrow and you're gonna see it all over the place. And again, technology is obviously vitally important, but if you have a more holistic view, you know what your company is about, you know what matters to your company in terms of data, in terms of corporate reputation, in terms of what you're trying to protect, I like to think you start making smarter decisions about what you invest in, and you make smarter decisions about what you need and what you don't need.

Anybody know what this is? The Rainbow Series. It all started with the Orange Book; I think that came out in the early 80s. I used to have a copy; I think it was classified so I didn't keep it. And the second book that came out was how to interpret the first book, literally. So you've got all that, and people look at that and say, "Yeah, there's too much going on with DoD." I mean, that's basically a big collection of standards. But I saw this just the other week; somebody put this out. So this is SANS. I think these are all the things that, if you're a CISO, you have to keep being smart about and be making decisions on and implementing in your operations. I haven't read every one of those, but I think every one of them ties pretty much back to a technology solution. So if you're a CISO you've got to be an expert on a thousand different products, and more if you count all the new stuff that's coming out tomorrow at RSA, and you have to make a decision whether you need it or not. And really, whoever's the best vendor with the best sales pitch very often wins, and that's probably not a good idea.

This is a variation somebody put out; again, I saw this just in the last week or so: all the different cybersecurity domains, and some people were commenting, "Oh, you're missing this, you're missing that, I'd put this here, I'd put this here." And my point is simply: wow, that's a lot to know. I mean, there's a lot going on here. I don't think any of us can claim to be an expert on all of this. I know a lot about a lot of that, but there's a lot that I don't know deeply. Everybody familiar with this? People, processes and technology. Those are sort of the three components of security in your organization. My final point is simply: it starts with the purpose. Know what you're doing, know what you're trying to protect, know what you're about. I think we need to move beyond just "protect and secure everything because it's all connected and it all has to be treated equally." I think we need to be smarter about what we're doing and why. Little quips that I like to use: "Technology isn't the solution, it's the problem," and so on and so forth. And did I use that word at the bottom of the screen once in this talk? Thank you very much. I didn't say what it is, though; I had somebody else put it up there. Any questions or comments? We've got about a minute left. Yes?

That's too long an answer. I mean, where I come from you don't use your own stuff; it's always company owned, corporate owned. But then this thing called BYOD came along. Moving stuff to the cloud is a lot of what's going to be going on tomorrow. To me that's passing the buck. You're not necessarily losing your liability, the money part if something goes wrong, by throwing it over to a third person. We used to talk about your network perimeter; when we talked about the network perimeter, it extends to whoever touches you. If it's a third party, it's the third party. For AWS and those types of companies, read the small print, know exactly what they're saying that they're going to do for you and what they expect you to do, and don't assume that, because they're selling you a magic solution that takes care of all your PCI needs, that they really are. Yes? Yep.

Yes, I love SCIFs. They sort of did, historically: in the old days, before the internet came along, there was a mainframe doing processing and it was in a dark room, it was in a data center, and nobody could get in. But start plugging in everything and connecting everything, and it's kind of hard to have that concept of a SCIF anymore. I think it's more layered protection, I think it's more compartmentalization. Any other questions? All right, thank you very much.

Hey, thanks, Jeff. On behalf of BSides and Fitbit I'd like to present you with a Fitbit. Thank you. For the two who gave questions, here are some electronic badges. Just as a reminder, our next