
Opening Remarks, Monday: Breaking Ground

BSides Las Vegas · 2025 · 32:01 · 1 view · Published 2025-12
Category: Community
Difficulty: Intro
Style: Keynote
About this talk
Bryson Bort delivers opening remarks for BSides Las Vegas, framing cybersecurity as a national security imperative and exploring leadership styles, user partnerships, and detection engineering priorities. He challenges the industry's adversarial relationship with end users, reframes the defender's control, and uses the 'fish tank' incident to illustrate blind spots in asset visibility and IoT security.
Original YouTube description:
Identifier: PBHVUK
Description: “Opening Remarks, Monday”. Introductory remarks for Monday’s sessions.
Location: Breaking Ground, Florentine A
Date/Time: Monday, 09:30–09:31
Speaker: Daemon Tamer

Transcript (en)

Good morning, BSides Las Vegas. All right. So, uh, usually I sit here and jabber at you for a bit when we start this thing, but, uh, this year I, uh, I found someone else to talk about all the things that we think are really important, all the values that we hold dear, and, uh, someone who's probably going to be about 150% more energetic than I am because I'm working on about an hour of sleep right now. So, uh, caffeine for me, but for you, a very exciting moment where you get to hear from our very good friend and, uh, someone we admire very much, Mr. Bryson Bort.

Does that work? Check. Check. Check. Can you hear me? Can you hear me now? Does that work? Okay, there we go. All right. From me to we, the way of the unicorn, and I love your participation because it isn't a "we" unless it is a "we" together. Wow, that's phrasing. But so I have I custom um I had um custom ninjaorn stickers made. So if you participate, if you stand out, if you join, you will get special stickers.

It's not that hard. >> All right. So, I've done some things. Um, I founded an offensive consultancy called GRIMM, which created my full-time job right now, which is the founder of SCYTHE. And then I co-founded the ICS Village with Tom VanNorman. Come and check us out at DEF CON. So cyber security is national security. What is so unique about this discipline is whether you work for the government or the military or an intelligence organization, and most of us work at a private company or commercial. So why are we going up against national security? What is it so unique about what we do that isn't just sitting there looking at computers, but every single day you're fighting the

Russians, the Chinese, the North Koreans, and it's not just random citizens there. It's state sanctioned, state sponsored operations. The organized crime that we face is tied to those countries. Ransomware, they are given target packages. They are given tools. They are told what to do or else Vlad's going to come and say hello with a gun. This is what makes our space so different. We are not just every day waking up and assuring that the email works. We don't work just the help desk. We're helping our comp Whoa, it advanced twice. Somebody could have helped me out there. [laughter] Like he's talking about national security and there's an ass and a unicorn out there. [laughter] I mean, you know, if you think about it,

>> I mean, it seemed appropriate. I don't know. You can write the jokes or the jokes can write you. It goes both ways. This is what we face every day. This is what you're up against. This is why your passion, your interest, your capabilities matter because it isn't just another business problem. It's a national security problem. >> Yeah, that so there are two kinds of leadership. I got this idea from Dmitri Alperovitch who a number of years ago he said there's two kinds of companies. Those that have been hacked and know it and those who've been hacked and don't know it. And I came up with this because how many of you have just had the greatest time

in cyber security? You get unlimited budget. You get all the resources. Your leadership every time you come in and say, "Hey, we've got a problem." They're like, "Thank you so much for helping us. We appreciate everything you do to delay the shipment of that product three months because we came to you at the very end and it's your fault." Anybody? Anyone love the way you just feel like management leadership gets you, values you? Nobody. >> Not even for a sticker. >> You do. You don't have to lie for a sticker. Do not lie for a sticker. Only tell the truth. There's seats up here. I can personally escort you if you like. >> Well, I appreciate that. Get that man a

sticker. So there are two kinds of leadership asses and unicorns. The ass which is our perspective leadership does not care about cyber security does not care about security. Leadership does care about security. Well let's back that up. Do you really believe that leadership doesn't care about security? No. They really It's not that they don't. It's that compliance is what matters. GRC is the existential foundation of that organization being able to operate. That's what I need to execute business. Cyber security is can I assure myself against something that might happen to me. You don't do what you're supposed to do in GRC. There is no potential. The impact and the probability are 100%. That's why I care. And the reason I

mention this is when you look at your leadership, when you understand which category they're in, change your headset, change the story and how you have to reach out to them. If GRC is what they care about, meet them there and establish that foundation and convince them piecemeal if you can to add the critical thinking of security as a process on top. If I hadn't already given you a sticker, I would have given you another one. Because here's the thing. If you work for an ass, you got to vote still. You don't have to continue to work there. If you don't feel valued, go somewhere where you will feel valued. Now, I know the job market is tough,

right? How many of you are still looking for jobs? For those of you who are hiring managers, look at those hands. Right? Since 2022, this market has been tough. And we're now getting the double side of it from artificial intelligence. AI is taking jobs because leadership thinks it can do your job. Can AI think? No. You can go where you're appreciated. Go where they get it. Burnout is when we don't feel valued. And you can control that. You can I mean, you're not going to change an [ __ ] boss, but you can change their proximity to you. You don't have to be perfect. Did anyone feel like a little like twinge at that? our perfectionism, the

passion that we feel. We have an engineering and analytic mindset on average in this industry which makes us really prone to the following. We approach cyber security like engineers. But is cyber security truly an engineering problem? >> Why not? >> It's a person problem. >> It's a person problem. It's a people problem. But we keep throwing technical things at it and we keep thinking that there's an answer. Has anyone solved cyber security? >> Not even first. >> We're all sitting here, right? Because it's piecemeal. Cyber security is this. We put a bunch of things up. We call it defense in depth. Doesn't that sound good? And yet like what every pentest as I get

in, I escalate, own domain, and I drop mic. Where's your defense in depth? Well, we had all those firewalls over there. Cool. I have AD. I went right through them. So, we have this mentality that we have to be perfect because we have an engineering mindset as our culture, as people, as our archetype. But the problem is an engineering one. Part of it is social. Part of it is the fact that we do not today have the ability to have a discrete answer. You can't engineer a number in cyber security that matters. So I used to run an APT, advanced persistent threat. I was the threat. And it never occurred to me no matter what mission we got. And by the way,

social was a huge part of what we did. We weren't just sitting somewhere hacking things. We got close and personal and we always won. And we never got caught. And this isn't like we were going up against mom and pop's cookies. We were going up against people who really, really did not want to be found. And let me tell you, fam, we found them. So why? Because the entire attack space is infinite. There are infinite number of ways. Again, courtesy of my great friend right now, my new best friend. What's your name? >> Josh. >> Josh. I'm going to have to call you Josh number two because Josh Corman is my best friend. But you're now second. You're close. If

you had another name, I would have given it to you. But I will give you another sticker. >> All right. >> Cuz you you've really done a good job of setting me up here. So, because it's mixed with social. So, first reconnaissance. I'm the thief pacing the neighborhood, deciding what house to break into. I like what you got. I'm going to break into your house. >> So, I watch. When are you home? Who's there? Do you have a dog? Is there an electric fence? Is there an alarm system? I build a target package. Now, there's not a whole lot we can really do about that, nor should we care. It's minimal organizational impact. Building a piece of paper about me does not

impact me. The second step, oh, sorry, this has animations. So, press button. So, reconnaissance, right? Nerds. Lord of the Rings. I mean, yes, that's pandering. I'm pandering. So next button,

they will get in. Anybody who wants to will get in. Now, here's what's interesting. Going back to the two kinds of leadership, to the burnout, to the challenges we face, and I'm going to bet some of you in here will even argue this. We are psychologically held up on that point, the breach, the hack, the break-in. Because back to our thief metaphor, the thief comes, picks the lock, the door opens. So what? Have they done anything to you yet? I mean, your door's open, but nothing has actually happened, right? You're already thinking of the next step, right? You're thinking impact, but impact hasn't happened. Back in the cyber security world, I've got shell. I mean, you don't like that I have

shell, but again, it's not what I've done. I haven't done impact. And this is where we get caught up because we keep thinking, how do we build higher walls? The CEO who flies a private jet read something about installing a moat with sharks with laser beams to defend the house. So, we're going to buy that. Guess who gets to install it and maintain it? But it still fails. All of these things fail. And so we spend all of this energy on it. And here's the thing. The dirty secret of cyber security is technical prevention there fails. And isn't most of cyber security. Again, it's users using computers. And the thing we can control is what

happens next. The funny thing about that picture is that's actually me. [clears throat] That is not doctored at all. That is actually a literal picture of me. Look, COVID was hard for all of us. Okay, we can we acknowledge that that's me discovering I have an Olympic level ability to grow a beard. That was like 12 months a beard. >> Thank you. >> Yeah.

So, it's actions on objective that matter. And here's the thing. That's what you control, right? We keep talking about we don't have control. We have anxiety. We already leaped to the next step, right? Your anxiety led you to that because you were already feeling what could happen even though it hadn't happened. That's actually the psychological definition of anxiety. I am now potentially at risk of falling. Am I falling? But no, but I think I might. And I focus on that instead of the perch that I now have. That's anxiety. That's what we tend to do. But here's the thing because it's flips the trope. You all have heard the defender always needs to be right and

the attacker only needs to be right once. Everyone knows that [ __ ] It's wrong because that only applies to initial access. Everything I do afterward as an attacker, if I'm not perfect, you catch me. The defender only has to be right once on what they control. Which, by the way, what do you control? Those are your computers, aren't they? >> Everything. You control everything. Yes, you control everything. >> I knew you were working it. I could feel the energy. It's like the the pocket was getting pulled. They are your hosts talking the way that you dictate. Computers have communication protocols that are limited. I do not I do not have I cannot have unlimited

ways to speak. So, I have to talk the way that you already speak because you don't have to speak Russian to recognize me using something special that's not in your environment. It'll stick out. And then the third part, there's only so many things I want to do on a host as an attacker. So, more data isn't always a good thing. We as an industry in the last 15 years have invested all of this energy into visibility. I can't act if I can't see. So therefore, let's just get it all. I call it the NSA problem. You might have a Snowden in your company. I can't say. And the NSA problem is they hoovered everything and then went, "Oh my god,

it's really hard to look through everything to find what we want because there's more. More gets in the way of more." This is why detection engineering is becoming so popular because instead of looking at this entire hunk of marble and trying to figure out what we just go, all right, well, I'm just going to carve what I need. This is why tier one SOC analysts get burned out. Anyone done that? Anyone make it longer than 18 months? Really glutton for punishment. Sticker worthy nonetheless. Can you

There's a reason I'm not an athlete. So, we need to be conscientious and not just collecting more. We need to be purposeful because it will overwhelm us. This is what our tier one analysts are going up against. There's all of this information and it's not curated for me. I'm fighting the system that's supposed to help me do my job. And why are we surprised it doesn't work?

One more button click. Now it's honest. We need to get out of the main mentality that it's us against the user.

>> Ground zero. Clap. >> The user is the best defense. >> The user is the best defense. The KnowBe4 guys right up there are going to love you right now. >> They're gonna hate you. >> Eric and James, he's right here. >> Why do we continue to blame users for using a computer the way it was designed? >> Easy. It's cheap. [laughter] >> Anxiety. >> If them clicking an email can burn your company to the ground, I'm sorry. That's on us. That's on us. We need to work around users. Going back to different kinds of leadership, leadership may not consider this a priority, which means why would users? So why are we getting into this

adversarial relationship with them when the reality is it doesn't change anything anyway and they just start ignoring us? That doesn't help. We're supposed to be partners, aren't we? Everyone keeps saying that, right? I feel like I hear that over and over again. Cyber security is supposed to be partners. And yet, first time we get this, we start beating up users. Oh, that guy clicked that email again for the 17th time. Well, you know what? Maybe we can do something about that guy where we let him do that, but we quarantine around him, right? We can build additional measures. A partnership means let's look at the problem and let's come up with creative and collaborative ways to solve it

together. The other reason I use that picture besides it's really funny is anyone ever worked with users who think they are smarter than you? Everybody who works in an engineering organization, right? Have we gotten past the point that not everybody should have sysadmin? We solved that at least. All right. Good start. Good start team. Good job, fam. But I picked this one because this is also part of the challenge. You will have business processes, business divisions, business leadership, business people, users who think they're smarter or think they're entitled. You don't get to fight that. You have to work with it. It's a cultural challenge. And you individually cannot just change a culture. That's the point of

leadership. That is the onus that is on them. So to avoid the burnout, stop going at it directly, start offering it up as their problem, not yours. You don't have to be this tall to get on the ride. Has anyone in here felt the gatekeeping? What does it How does that feel? Terrible. Why does it feel terrible? Makes you feel worse. Shouldn't we are going through this problem together and yet we make it harder to bring people into it and we condescend. I'm sorry. I don't think there's any person in this room, including me, who was born knowing everything. >> I still don't know everything. Our job is to be students for the rest of our lives. When you stop being a

student, you're dead. And part of being a student is being a good teacher when you've learned it. In fact, it's the funniest thing. I love to teach because it's what keeps me current. It's how I learn and I learn. And as a teacher, we should be looking at how do we help others get to where we got? Whether that's helping them find a job, not being an [ __ ] so that we hurt them, and truly building each other up. You know what? That's your inspiration.

You went too far. Offense is not the top. Who thinks that offense is the top? To the career, to this industry. We venerate red teamers, pentesters, hackers. We all go, "Oh, I wish I had I was one of them." You want to take a hacker down to size, just point out, "Hey man, hey woman, all you do is quality assurance." [laughter] >> Am I wrong? >> Yeah. You find bugs. You find bugs. You're quality assurance. You're a bug tester. Now, I'm not saying there aren't cool parts to this, but that's what it is. It's quality assurance because at the end of the day, I can't do offense unless I have something to do offense on. And that's the base of

the pyramid. That's what all of us are. We are GRC. We are blue team. We are all of those functions that actually help our users and our organizations do what they're supposed to do. And Red's job is to just check the work. That's what they're supposed to do. For those of you who've been seeing me speak in industry for a long time, I was the one of I think I was the first actually who took Red Team to task publicly because we had these egos and red team was being driven by ego. What's the cool thing I could do? And I'm sure a number of you got to experience this personally where you got the professional [ __ ]

who came in and was just like, "Man, I just wrecked all your stuff." Okay. And how do you help me? Here's a poorly written report. And you look up and they're already gone. [laughter] Wait, so you're not even going to help me fix this stuff? Check cleared. That's the way it used to be. It's still like that in some places, but that's where I honestly I first stood up because we kept as an industry lionizing that we were systemically locking in [ __ ] Why? They're QA. You're what matters. And them being a part of what we are doing is what matters. not them high-fiving each other and talking about, "Oh, we still found the same vulnerabilities that I didn't

help you fix." So, this is fun because we are actually where this story happened. The fish tank. There are two takeaways from this story. The first is your organization has a fish tank. Your organization has something that the operations side says this is important and you go it's a fish tank. I have to secure a fish tank. Is this a real job? Now in this case we like the fish tank and operations because we're a casino. It gives an ambiance. People are likely to come in and spend more money. There's an operational reason we're doing it. They may never communicate that to you, but it exists. The second is you have a fish tank because you have assets or asset

categories that are not visible completely outside of where you are looking and what you are defending. In this particular case, the Iranian Revolutionary Guard found the fish tank, popped the IoT sensors because if you ever want to feel like an elite hacker, just look at IoT. You will find zero day in less than five minutes if you have never even done it before. That's how bad IoT is. And whose organization actually has not only a policy, but a defensive posture that includes IoT in it? I stopped teaching it five years ago because I saw no companies actually doing anything about it. I just gave up because it's an entire class we don't even track. What better way to just hop into a

network again, low barrier to entry and I have invisible access in to whatever I want. If you want a demonstration of that, look up my 2018 RSA talk, "No IOUs with IoT." And I actually demonstrate it's not a privacy problem. It's a lateral movement problem. And so in that story, they popped the fish tank, $50 million of damage to the casino, not pretend statistics. $50 million in a revenue hit because we didn't see the fish tank because that's where the APTs are looking. They are looking where you are not. They have the imagination and that's part of our challenge. But again going back to the BAM model, this is just initial access. If we are

truly building the detections around that, the second they cross into the core enterprise threshold, we will see them and we will stop them.

Cyber is people. I talked earlier about the fact that one of the challenges we're having in our job market is driven by artificial intelligence. And I know everybody is well aware because you can't help but miss the hype train that artificial intelligence is this new revolution. Everything is going to change. Well, the revolution today is knowledge management. We went from a data-centric model to an information-centric model. That's the current artificial intelligence revolution. That's it today. There is this promise that at some point it will be able to be the equivalent, a cognitive equivalent of a person to matter. But we're not there yet. So what is AI? There is a YouTube video called the racist soap dispenser.

And the racist soap dispenser, as you can see here on the right, we see a dark-skinned hand trying to get soap in a bathroom. In that story, he takes a white paper towel and puts it under and gets soap. What did we learn? Do we think the development team for the sensor is racist? >> Yes, >> they're not overtly racist, but we have a training data and an unconscious bias problem. So, I'm going to do a little bit of play acting. My name is now Chad. I live in the Bay Area. I make $450,000. I don't even know how or why. I still got Meta stock. We called it Facebook back then. And me and my bros, I mean,

we're just vibe coding in the garage. And I got the light sensor to work on this new tech. So I asked my friend Brad, "Hey Brad, check it out." And Brad comes over and Brad puts his hand under and he's like, "Ship it. We're good." Because we have a homogeneous development team. And so the first lesson that we can learn from here for artificial intelligence is the value of training data and our unconscious biases. How do we assure that what we ship doesn't become MechaHitler in 24 hours? It's a Grok joke. The second, while not getting soap in a bathroom is not a life-threatening situation, we look at where this stuff is going, it's going to increasingly affect our

lives in unintended ways, too. We need to build the execution guard rails to be looking at when something gets out of tolerance, a human comes in the loop to fix it, to understand it, to do that. So those are the two aspects of what artificial intelligence is, where it's going and how we need to be thinking about it at a high level. But at the end of the day, this isn't about tech because cyber is people. Cyber is you. Cyber is the users. Cyber is the leadership. And cyber is us. And whether we are a community

I know that DEI is a dangerous phrase these days, but I'm sorry. It's something we need to address. It's part of the gatekeeping,

but it's more than that. Security is a critical thinking process. We need people who think differently than us. We need heterogeneity. We need difference. We need weird. We need eccentric. We need calm. We need crazy. We need rational and irrational because irrational is going to think about the think the think tank. You need everybody. We need everybody together. But here's the thing where we are failing. We're inviting all of those people to the table and then they don't feel safe. We need to focus on inclusion. It isn't that you're there, it's that you feel safe to share your voice. And so, everyone in here is potentially an ally, whether that's in the community or at

your company. How can you help others feel safe? That's what an ally is. It's the courage to stand up and help create that safe space for somebody else who can't. And I don't care if that's here in this room. This conference for the next three days is your chance to start to put that into practice. That kindness goes a long way. And every one of you has that responsibility if you can step up to it because it is only together that we're going to do this better. So whether you work at a random company, your city or your country, this is humankind. This is what we do. This is what we will do. Thank you.

[applause]