
A Programmatic Approach to Enterprise Security

BSidesPGH 2023 · 48:47 · Published 2023-08 · Watch on YouTube ↗
About this talk
Luke McOmie challenges the security industry's fixation on checkbox compliance and outdated practices, arguing that most organizations waste budgets on controls that don't meaningfully reduce risk. Drawing on decades of offensive security experience, he presents a methodology that prioritizes business impact, employee culture, and integrated program development over generic templates and audit fatigue.
BSidesPGH 2023. A programmatic approach to enterprise security (aka How to not waste your security budget on sh!7 that doesn't matter!). This fast-paced, poking-fun-at-ourselves presentation tells a story through examples of how a majority of companies are fixated on old industry "worst practices". As we wander through the twisted road of things that we do THAT WE SHOULDN'T, the audience will likely find themselves thinking differently about how they approach enterprise security programs, have a chance to laugh at how human we all are, and walk away with a new perspective. This 45-minute speech will begin with a handful of questions (audience participation) to set the stage. We will use these answers to uncover the challenges/gaps that these "best practices" often create. Next, we will discuss a couple of industry-relevant stories, talk through why doing it right is harder/different/more valuable, and talk through the challenges and "worst practices" all modern businesses face. Finally, we will talk through a new methodology and approach that puts the business, your employees, customers, and culture first: moving away from checking boxes to doing what's right vs. what is legally required, and building a program that is right for YOUR BUSINESS vs. yielding to generic templates, industry risk scoring, and struggling with audit fatigue. No matter your current security maturity, this talk will help you take the next steps towards an integrated programmatic enterprise approach vs. continuing to treat security as an afterthought or "bolt-on" solution.

Pyr0 (Luke McOmie). Mr. McOmie started in offensive security in 1994 and is a trusted advisor, security leader and mentor. With a career focus in offensive security and a strong technical background, he is recognized for his excellence in developing and executing enterprise security strategies and leading technical and tactical programs. He has founded and contributed to several industry-leading organizations over his career, including startups, Fortune 100 enterprises, and federal agencies. As an extrovert, he passionately supports the information security community, is a featured speaker at various conferences, a published author, and an industry liaison for many businesses and organizations. Specialties: Security Leadership & Program Development, Security Service Practice & Team Direction, Red Teaming, Ethical Hacking, Penetration Testing, Social Engineering, Physical Security, Assessments, Incident Response, Compliance. By leveraging these talents and his experience, Mr. McOmie guides companies and executive leaders to understand the importance of, communicate the need for, and address the challenges that it takes to create and maintain a strong security posture. https://pretalx.com/bsidespgh-2023/talk/NLNQEA/
Transcript [en]

Can you all hear me okay in the back? Show me thumbs. Yeah, that's what I wanted to see. Thank you. Thank you so much for coming out for BSides Pittsburgh. I really appreciate you guys supporting the event and the greater effort of what BSides is around the world. For those of you who aren't familiar with the back story on this stuff, it was all created years ago in Las Vegas following a situation where Chris Nickerson, Jack Daniel, a handful of folks, we all had a big party house out in Vegas, and some of our friends that had gotten denied the opportunity to speak came out and presented some pretty amazing content at this big party house we had out in Vegas, and that kind of became the birth of what has now grown into this amazing thing that we all go to. So again, thank you for coming out and supporting BSides, and thank you for coming to my speech.

My name is Pyr0, or Luke McOmie depending upon how you know me, and today we're going to talk about a programmatic approach to enterprise security. The alt title on this one is "How to not waste your security budget on [expletive] that doesn't matter." I have worked in this industry exclusively in offensive security since 1994. I have founded and started or helped grow five different security practices during that time.

A lot of the work that I have done, where originally people would come watch me speak because they wanted to see us talking about breaking into banks or federal reserves or hospitals or all the other stuff we do, has now kind of turned into me trying to take lessons learned from all of those years of doing the work, and we're creating something new and different with the team and with the approach and the way that we're doing things with our customers. I had a TV show called Tiger Team back in the day with Chris Nickerson and Ryan Jones; a lot of people remember us from that kind of work. I'm part of the 303 security tribe and family. I'm a retired goon: I worked for DEF CON and ran contest events and villages for 23 years, and now I'm just happy that I get to go to DEF CON and sit there with a golden badge and sit on my ass at a bar and talk to everybody. So if you see me, please come up, say hi, let's visit, and we'll go on about stuff. In other words, I'm a big nerd.

So in the next hour, one of the big things that we're going to talk about is the challenge that we see in a lot of different environments when people are trying to integrate or bring in things like offensive security into larger enterprise environments. Historically, as we'll talk about, a lot of this stuff has really been point-in-time type effort or work. It's the kind of thing that happens, you know, not necessarily as often as it should, but we're going to talk through why some of those old ways are not necessarily the best ways. The idea of this speech is really to change your mindset and approach about how you guys think about this, and really understand why we've potentially been focused on the wrong metrics. And we want to address the bigger challenge that I see with businesses right now, which is that budget is one of the biggest controlling factors.

I was sitting with a C-level, I guess it's two and a half months ago at this point, at a conference in Estes Park, and I was going on and on in my speech about how everything's got to be risk- and impact-focused, and that that's the big thing that should make the decisions around how you're prioritizing and what you're doing with your spend. And he looked at me in the middle of the speech, heckled me, stood up, and goes, "[expletive], budget's the deciding factor in almost every single organization out there. You can have all the best plans, all the best ideas in the world, but budget's going to be one of the bigger limiting, top-end type factors that's going to slow you down or stop you." So it made me start thinking about other types of things, being time and individual capabilities within the organization, that really do define those limits. The big point of the talk is we're going to talk through better ways of being able to do this type of work and approach.

So, the challenge: why is it so damn hard? Right? We talk about this to all these different customers and all these different businesses, all kinds of different industries, and yet we hear the same challenges, the same problems, and the same issues throughout each individual thing. This is audience participation, and when I say audience participation, not like when she just asked if you're having a good time. I want all of you to answer these questions when we go through them. Are you ready? [Music] You're already failing. All right, are we ready? That's what I want to hear.

All right, why do you conduct assessments in your environments? Yell it out. You're required. Why are you required? Who requires it? Okay, audit, right? You're having to check a box. Right, that's the bigger issue that we keep seeing. When my team and I talk to a customer and we hear them say the reason that we're doing this work is because we need to check a box, the actual thing that we're hearing from them is that they're really not getting any value out of the work. They're going after what's probably the legally minimum viable solution. They're not secure, and they're never going to be secure if that's the mentality of how they're going about this type of work.

How often do you perform pen testing? Good answer, Rick, smartass. Once a year. We heard everybody yell quarterly. What we hear, that's the equivalent of, essentially, I'm barely scratching at the surface. It's like I go to the gym once a year. This is you guys. [Applause]

How often do you change up your security provider? I heard three years. What else? Yell it out, folks. Never. Heard one year, two year. What else? What makes you make the big decision on why you change?

Good answers all the way around. Usually what we hear from people is that they change either once a year or every other year, and the biggest reason that they do it, especially when we're talking to executives, is they want a fresh set of eyes. They want to make sure that something's not being missed, something's not being overlooked. They want to actually validate, make sure that the partner that they've been working with is doing a good job. My problem with that is that when we hear that, what it really means is that every single year they're wiping the board clean, right? They're starting from scratch. They're having to go back through the process of procurement. They're having to find partners that they can trust. They're spending thousands and thousands of dollars on the phone trying to vet different companies to then take that business to. All of that money and time and effort could be spent continuing to advance their overall security program or posture. With customers that say this to me, when we go in and we do the testing, especially if it's something where we've done the test, they bring in another provider, we come back a year later, we do the test again, guess what we see from a vulnerability standpoint? The exact same [expletive] we've already seen three years ago, because they're not making forward effort in what they're doing.

All right, audience: do you find yourself fighting fires, and are you focused on immediate need for your day-to-day efforts? Yes? No? Everybody's nodding their head yes. Remember, shout it out; I'm not the only one that's supposed to be speaking right now. Yes is good, smartass. What we actually hear is that they're spending all of their budget, and when I say budget I don't just mean money, I mean their resources, the time, any type of thing that you would see as some kind of a resource within the business. That stuff just gets blown fighting fires and dealing with symptoms instead of actually addressing the issues on why those problems actually exist within their environment in the first place. The problem with that is that they are literally just sitting on a ticking time bomb, waiting for things to go off the rails, waiting for things to fall apart.

All right, what are you focused on this year? Okay, what in security? What are you doing this year and why? Come on, shout it out, folks.

One of the things, when I ask this question, that I usually get from folks is that they'll tell me that they've got a compliance driver: the insurance companies told them that they now have to have MFA, or they're trying to make things easier for the company so they've gone to SSO, whatever it is. The problem that I hear in that is that they're putting all their eggs in one basket. Usually when you talk to larger environments especially, they're going through these types of things, implementation of something like MFA, and if you don't have a good partner, a good provider that's working with you that is doing this day after day, or single sign-on, which is even a little bit more dangerous around the time spent with this stuff, it can really, really drag on.

One of the stories that I have with this is that I worked for one of the largest medical organizations in the world: many, many users, many, many different remote locations around the planet, all kinds of research, education, clinical environments, and everything else. They decided that MFA was the big thing that they needed to get in place. They wanted multi-factor authentication on anything that was externally facing, and they were going to lock it down. They go through all the project planning, they identify all their different assets, they figure out all the other things that are exposed that are out there, they spend all this money, they bring in some of the biggest companies in the world to help them deploy and put this stuff in place, top-notch software, cutting edge all the way across. As soon as MFA is deployed, a hacker came in, did a push, and guess what the user did? Approve. Exactly. So now you just watched them flush millions and millions and millions of dollars and over a year of project time to implement a solution that stopped nothing for them, because the user did the wrong thing, right? Once again, focused on the wrong [expletive]. The challenge that I really see with that stuff is that while they were doing all that other work, everything that we were trying to work on in these other divisions or other areas of the organization got put on the back burner. So all these other things that we would have been doing, around user security awareness training, phishing, all these other things that would have actually maybe provided a little bit of knowledge or information to that user, specifically a doctor who clicked that link, it may have been the difference between whether or not that had happened. The MFA installation of millions of dollars and months of time didn't stop it, but if that doctor, who is not a technical person as far as computers go, would have actually sat through a basic course, a KnowBe4 training, anything like that, it may have been the difference where they would have thought for just a second before they clicked accept.

How do you know you're secure? Audience? I love speaking at technical conferences because you guys get it. The answer: what do you think I most often hear from executives? I [expletive] you not, I hear this at least once a week, one of these once a week from a customer, and these are good people, people that are working hard, people that are on top of this stuff, but this is what we hear. And the challenge that I have with that is that what they're actually saying to me is that they don't care, they don't feel like it's their responsibility. They're leaning on their insurance policy, which, if you've ever... this is a fun one: how many of you have actually ever gone through an incident and had to leverage your insurance? Is it fun? Did it work? Did they actually pay for [expletive]? Did they get you hooked up with good providers and get you back up quickly? Not usually. So again, the problem that I have with this, when somebody sits there and tells me that they're leaning on this stuff, or that they've never been hacked, or that they're not a target, it just really tells me that they don't get it. And at that point, as an advisor to them, it's my job to help educate and tie them back to why this stuff is important and why it matters and why they have to approach and think about this stuff differently. Right? That's essentially what they're doing: big thumbs up, head in the sand.

How many partners do you have? And what I mean by this is, you know, you probably have a partner that you buy your intrusion detection from, or your firewalls from. You probably have a partner that you're leveraging for endpoint protection, and you probably have a partner that's helping you with infrastructure and just about everything else, right? When I visit with people they usually sit there and tell us, "I've got an MSSP, but we work with a different company that's got specialization in offsec, so they come in and they hack us once a year, and we've got a whole other division that we work with that's responsible for governance, risk, and compliance, and they come in and they perform an audit two or three times a year, maybe, depending upon which compliance set they have to go after. Oh, and yeah, we buy all of our computers and the people who do our infrastructure are, you know, Company D." Really, what I hear is that at that point you've got a lack of focus, communication, connection. You're constantly having to repeat work. You probably have audit and third-party assessor fatigue. What I mean by that is, if you work in just about any industry, you probably have two or three different compliance requirements that you have to go through, and you end up spending all this time to generate all this paperwork, to generate all this data, to then hand that over to an auditor so they can come in and spend all this time to check boxes, to then tell you, yep, you were compliant within this control, you were not compliant within that control. Guess what happens as soon as you're done with that audit? You go on to the next one, and then you're burning all your time filling out paperwork. It's a rinse, wash, repeat process, and it's painful to watch, especially when you start looking at industries that have all kinds of different regulation, like anything in fintech, anything in the medical industry, anything in government operations. They have stacks of paperwork and different compliance requirements that they have to meet, and it ends up becoming literally a full-time job, which is why a lot of organizations now have dedicated GRC teams where that's their whole job all day long: trying to sort this stuff out, answer questions, and put check boxes on a piece of paper. The issue that comes up with that is that they are always overtasked, overworked, buried in paperwork, and the work effort that they're putting out there really isn't actually advancing their security posture in any way. It's just documenting where they're at. Spooky.

This is a fun one. How many of you do pen testing out there? Raise your hands. How often is your point of contact, your champion within the business, the person who's hiring you and working with you, bringing you in to do the pen test, how often are they the one that actually gets to define the final scope of the test? It's rare. It's really rare. What we end up seeing all the time is that the legal teams usually get their foot in the door, or they'll stop things from happening because they're concerned about the potential impact or the potential of a system going down. You'll see compliance come in and say, "Oh, well, we can't have them doing pen testing in these various environments because we have to meet these specific audits and controls, and, you know, we can't let them into the CDE, for instance," right, there's credit card processing data in there. Or we'll talk to executives, and executives really get focused on whatever's on fire in front of them, whatever their teams have been telling them that whole time. The issue with that approach is that they don't have an understanding of what it is that you're actually supposed to be doing and getting out of that assessment or that test. There is an overall lack of technical depth, and I'm not picking on this stuff, right? I know a lot of executives out there; they're top-notch folks at this stuff that do get it, but it's not the norm. And the issue that we really see is that in the end they miss the whole purpose of why we're doing the testing, which then costs them the value of what would be the return from the reporting and the work effort that we've done. So they end up paying for a pen test with a limited scope, during a limited amount of time, on certain systems or certain areas within their business, and they try to use that sampling approach to try to justify what their overall security posture is of the business. And I'll tell you this: there's not a hacker out there in the world or a malicious actor that's going to give a [expletive] about what your legal team thinks the scope should be, right? The people that are hacking you don't have to follow a piece of paper or a piece of work. So when I sit there and I hear this from teams, I try to sit there and coach, again, where it's getting them to understand that if they're not holistically looking at their environment, then they're going to be missing things that are probably going to end up being mission critical and mission capable, depending upon how it gets targeted. I'm not here to pick on people or vendors, but the Equifax hack is a great example, where because they had such a large, super complex environment and the way that they had all these internal teams broken out, a batch of servers ended up not getting patched, and then every one of us that are in this room had our data leaked, right? It's a good example of how, when you start siloing and you start making this stuff way more complex than it needs to be, it becomes very, very problematic.

This is the last one: do you have executive support? This is the one I always go in and ask the people who are actually boots on the ground, hands-on keyboard, talking to us, right? The champions within the business that want us to come do the testing: do you have executive support? And the most common thing that I end up hearing: "I can't get leadership to understand the risk, the impact, the challenge, or the need." The sad thing is, when I hear that, what I'm really hearing is that you have no budget. There is no focus within your business that ties back the things that you need, the things that are critical for you to be able to be successful. And honestly, most of the time the person that I'm talking to, they're the ones who are at fault, because they're talking the wrong language. What I mean by that is that if I go in and I sit down with the CFO of a business, someone who's responsible for the finances, the money, the ins and the outs of the business, and I go, "Hey, we just did a pen test. We found out that we've got a whole bunch of broadcast protocols, there's a lack of SMB signing, you know, these hackers were able to come in here, in under 10 minutes they were able to compromise domain administrative credentials off the wire, they cracked those, they did pass-the-hash attacks," whatever they did with it, and it absolutely, you know, just handed us our ass, every password, every username within the domain was dumped, they were able to crack all these different things: the CFO heard [foreign] the entire time I'm talking that tech to him. But if I go into a C-level executive and I go, "Hey, here's a project plan. This is what it's going to take, the time that it's going to go. This is not an expensive thing. We're going to make changes through Group Policy Object," which, again, understand, you don't know that, but the point is, it makes it to where all the different computers within the environment, we can essentially fix them very quickly and very rapidly. The result of that is going to be something that makes it to where we're spending less time, we have less risk, and the finances around this end up being way more positive because we're using less resources and wasting less people's time to try to chase this down. Now all of a sudden I'm speaking a language that the CFO is going to start associating with and understanding. He's going to hear less money, less time, better approach. Those are the types of things that will make him want to buy in and be committed to you. Same thing if I'm talking to a C-level executive that's responsible for operations or personnel: talk to them about the things that matter to them, and then all of a sudden you'll get the support that you need. You can help them understand what's important by translating it into the language that they're going to be able to eat.

So once again, why is it so damn hard?

Well, we're learning. And it's not hard; it's just new to us, right? One of the biggest things I tell people when you take on this approach and you're trying to take a different path or a different direction: maybe you're working in an organization that's been using technology since the 80s or the early 90s, and there's still all kinds of old, antiquated systems. The way they defined and laid out their infrastructure and their network is still very much that old mentality around the hub-and-spoke thought process of "let's put out this many systems in these many locations and plug them all together and see if they can talk." It's so far behind the times that you literally have to think about different ways to architect and engineer. So I always tell people: adopt a learning mindset, be prepared to fail, and it's okay to fail. It's okay to struggle through these as you're trying to find the right solutions and the right way to get this stuff done. By adapting, adopting, you'll be able to achieve. If you see a company, or if you go to one of these speeches and you see something that could be beneficial to your environment, adopt it. Go figure out ways to implement it in your own networks. It can make a huge difference and a huge change.

The biggest part that I say about this is find a good partner, right? Either hire brilliant people to come into your organization who are going to be your employees that can help drive this stuff, right, surround yourself with smarter people, it's that old kind of adage, but at the same time, if you don't have the resources or if you can't go hire yourself an employee that's probably going to cost you a quarter of a million a year at a minimum, then go out and find a partner that you can leverage and work with that's going to be able to bring those types of talents and capabilities to you. Right? Because then you're paying them for the time and the effort versus having to pay somebody for their insurance, for their onboarding, for the laptop you're issuing, for all these other things. Take that money and put it elsewhere where it makes a difference.

The biggest thing I tell people is practice, practice, right? It's the old "how do you get to Carnegie Hall?" There you go, see, some people in the audience are still awake. It's good. The reason I've got the pictures on the side there: these are all examples of something in my life that when I first approached it seemed impossible, seemed magic, right? My uncle is one of these people where every single time you go sit at a bar with him he pulls out some, you know, parlor trick, where it's this "well, if you can put a quarter in this bottle then, you know, I'll buy your liquor for the rest of the night" kind of deal, and of course there's some trick to it every single time, and once you know the trick, you know, the whole thing seems kind of stupid, but it's something that you can then take to other people and go get your free drinks with, right? He used to teach me all these little tricks all the time.

Lock picking is another good example. How many of you have gone to the lock picking village while you've been here? Oh, way more of you need to go try this. If the lock picking village is busy, come to the Blue Bastion table; we've got a bunch of locks and handcuffs set up, picture there, you guys can come play with all that stuff at our table as well. But lock picking was one of those that just seemed magical to me when I was a kid. I watched this locksmith come over and pick a lock, and I was just blown away at how it was possible to open a door without a key. Just mind blown. Now that I know how a lock operates, it's the silliest [expletive] in the world. Anyone can lock pick. Usually I can sit down with somebody, and in 10 to 15 minutes of talking to them and demonstrating and showing them how a pin-and-tumbler lock works, they've picked a lock. It's not hard. It's just something you didn't necessarily know yet.

The third from the top there, the chip: who modded their Xbox back in the day? Excellent. How miserable was it to try to get each one of those little pieces of wire right on the right pin and get just the amount of solder so that it didn't bridge and completely destroy your Xbox? It was miserable. I ruined like three or four Xboxes, and one of my friends walks over and goes, "Do you know what solder ribbon is? You ever seen a solder wick?" And I go, "What the hell are you talking about?" He goes, "That's this little piece of copper here. Put that on there." I put it on there, he runs this whole wad of solder like over the top of the chipset and the pin set, and I'm screaming at him, I'm yelling at him, I'm like, "You just destroyed another Xbox, man, these are not free." He goes, "No, no, check this out." Puts the foil on there, puts the heat on there, pulls it off: perfect solder every time. Again, looked like it was magic. I couldn't believe it when I watched it happen, but now that I do surface-mount soldering, this is something I do every single day on every single one of the engagements I have, not because I necessarily need to but because it looks good and it's easy and it's fun.

Coding for me was definitely probably the big one. It was incredibly intimidating when I first wanted to learn how to do coding. I have attention deficit disorder, I'm dyslexic; that does not help when you're trying to learn a new language, and what people don't get about coding is it literally is learning a new language. But as soon as I started understanding structure and syntax and form and all these other things that put the code together, then all the rest of it just kind of fell into place. Now it seems silly. If I want to go code something, it's more about deciding which new language I want to learn by using the project, so that I can learn something new, versus it being something that I'm afraid of or scared of. Same thing with these larger enterprise or programmatic type approaches. This stuff will seem, as we talk through it, really complex, but the truth of the matter is once you've done it once or twice you'll kind of wonder why you haven't been doing it that way all along. And right when you think you're good at it, you can get smacked in the [expletive] head every time on any of this stuff. So again, be prepared to fail, practice, practice, practice, don't give up on this stuff.

Now, I'm a child. I was born in 1977.

The Nintendo Entertainment System was like the coolest [expletive] when I was growing up. There was nothing like it. It was remarkable, right? If I wanted to play games when I was little, I'd go down to the arcade or go down to a local, you know, convenience store and pump quarters into something all day long, and then the fact that the Nintendo Entertainment System came out and I could have those same games at the house was just remarkable to me. My family was not a very wealthy family at all, so it was a really big deal when I got one for Christmas, and I remember throwing in Super Mario Brothers 1, the game you see up there at the top, and the first time I played it I was so pissed off because it was so hard. I threw my controller across the room, right? Just angry, could not get it, couldn't figure it out. Played the game, played the game, played the game, played the game, played the game. Now I can beat Super Mario Brothers 1 in under 10 minutes. I know where the warp zones are, I've memorized all the jumps. That's something where I don't know that I've actually dedicated any time to it since I was probably about 13 or 14 years old, and at 45 years old today my brain still remembers every single bit of it. It's muscle memory at this point. It's never going to go away. It's kind of what I'm telling you about the way to approach this stuff and the way that you do security: stop falling back on stuff that's always been the way that you've done it. Try something new, and if it works, then master that.

Mike Tyson was another great example. For those of you who don't remember the Mike Tyson game, again, ridiculously challenging, but the moment you figured out the timing and you knew which way to lean one way or the other, or you knew when to throw that uppercut or that jab, all of a sudden the game seems simple. You could chew through it in a single quarter. A bit of bragging and self-promotion, but the bottom game there, how many people know that game on the very bottom? Very good, sir. It's rare that folks remember Bubble Bobble. That game was stupid hard if you've never played it. Ah, thank you, sir. Oh, that's tasty. What is that, which bourbon? Oh, it tastes good for Jim Beam. That's amazing. I gotta get some of that bottle. But the beautiful thing about it is that, you know, Bubble Bobble, my neighbor and I, we sat down and we wanted to beat the game, and in Nintendo Power back in the day, if you're the first person to beat a game and send in a picture of the end screen, they'd put you in the magazine. So I was super stoked when we got our parents to agree to let us have one TV in the house where they wouldn't shut it off. The crazy part about Bubble Bobble is that if you died it'd give you this little five-character code so you could jump back into the level, right? Not Nintendo hard; you go back to where you were. The problem with it is about half the time the codes that you'd put in wouldn't work and it'd take you to some other random spot, a flaw in the way the game was coded. So we sat there and we ground out level over level over level over level. Took us like three days to go through it, and then we were in Nintendo Power. Again, as a kid, nothing was cooler than being able to see all the people go and buy this month's worth of Nintendo Power: there's me and my buddy sitting in front of the TV screen with it beat. It was so sweet. I feel the same way today as a 45-year-old man when we go into organizations and we help them decipher their security challenges and approaches, where I can step back after we've beat the challenge and we can look at what we've accomplished, and I can be proud of it because I know that it's made a positive impact within that environment. The key in any of this stuff, and the reason it's so damn hard, is that it's not just going to be an easy flip, and you're going to have to take time to practice it and work through it.

So here's where I piss everybody off. As I start this, let me state: I am not picking on any specific vendors or products. I love them all. They all have a place within our industry. There are purposes and uses for everything that I'm about to show you. But if you are relying on vulnerability counts, industry risk scoring, reputational damage threats, or even zero trust, you're probably doing it wrong. Yep, there's that look I get from people. So let's go through it. Vulnerability counts: again, love Tenable, we spent a bunch of

money with them every year great product I'm not picking on them for this but if I go into an environment and an executive sits down and tells me that they are really focused on their vulnerability scores and counts and they're trying to be proud about how things have shifted over time and they're trying to use that to justify and show me their stronger security posture I really lose hope quickly the reason being is that it's a limited view the data that you're getting back is a lot of times not real right a lot of false positives a lot of other issues it doesn't know the difference between whether it's an internal or an external network that's a pretty big difference

in how a vulnerability is going to be rated right the exposure standpoint likelihood of attack these types of things you're kind of missing the point so the industry said well cool vulnerability scoring or scanning isn't just the best way to do it so let's create scorecards and we're going to take all these other things within the business so we're going to put them together and we'll make it break down into primary colors and single syllables so all these Executives that aren't technical can get it and we'll get maybe CD EFG scores and we'll we'll just make it great well the problem that I have with this is that they roll up so high so tall that if you've ever dug into any

of these products and you ask them how they developed the score or how the score was enumerated they'll give you some fuzzy answers around you know various weighted measurements and blah blah blah blah but when you really get into it you find out really quickly it's not real again show me a vulnerability scorecard out there that can assess your environment and understand what mitigating controls are in place what type of accepted risks you have and really what are the types of things that are happening in the back end that are bad business practices that are introducing risk there is not a scorecard out there or a product or a solution that is some AI driven machine

learning whatever great tool of the of the environment that's out there that's actually going to give you a real view of what that environment is this is one of my biggest issues with insurance companies right now is we have all these insurance companies that have decided that they're going to offer cyber security policies and insurance but you have to pass their scorecard first so they've worked with some vendor out there they scan your [ __ ] and they go oh look at all these SSL vulnerabilities you've got you're bad you're a week we're going to give you a policy but it's going to cost you all this extra money because you need to clean this

stuff up truth is they don't have a clue where you're at from a security or a responsibility perspective of how your environment's set up it's just not a good value for your spend and again not picking on this stuff all of it plays a part in a larger game but if it's something that it's the only thing you're leaning into you're doing it wrong it's like trying to sit down on a stool that has one leg and probably flipped upside down if you know what I mean so this is the one that really pisses people off I'm guilty of this let me start first off by saying been doing this since 1994. sat in thousands of clients

environments and I've sat there preaching about how if you get hacked it's going to be business destroying it could cost you millions of dollars and all your clients are going to leave you and nobody will ever want to work with you again well there was a study done uh 2001 and they went and looked at like 45 different companies big and small that had been companies that have gone through critical and major compromises meaning over a million records had been lost in every one of the situations that they looked at not one of the businesses was out of business you recognize all those logos on the bottom every one of those are companies that have had hundreds of millions of your

records compromised and yet you still spend money with them you still run their software you still shop there the example I love to give people Target had one of the largest data breezes of credit card data in the world at the time when it went down how long was it before you went back into a Target and swiped a card yep for most people literally the next time they went to Target didn't even slow them down so stop pushing and trying to get support from your Executives by telling them that the world's going to burn instead focus on things that the spend is going to make positive the way that it's going to bridge a gap and make things better

and my favorite to pick on right now is zero trust again at the base level on paper zero trust approaches are brilliant right assume the bad guy is already there isolate everything away from itself Implement multi-factor authentication all the different layers and everything they're talking about are on point but when they went out and queried tons and tons of different companies 24 almost a quarter of the people that they talked to who had tried to implement zero trust Solutions into their environment said that it had been almost impossible to find a qualified vendor that was capable of doing all of the things to unify a solution that made it to where they were actually able to

manage it leverage it and to where it made a difference within their environment you can see all the other examples on there of different things that went down but the real truth of the matter is is that unless you or somebody who's got a budget like Microsoft or Google IBM you're probably not going to be able to afford to take that type of an approach towards technology or towards security it's a little easier if you're building your environment from scratch with modern approaches modern techniques but how many of us are in a situation where we're starting like that not many so I've done a lot of bitching and whining so far now we're going to start talking

about the other side of the coin the better way to do this stuff is by going out and figuring smarter more effective and efficient ways to leverage your time your resources your people and your money one of the big things that Corey spoke earlier about today is my co-worker he was up at 10 o'clock this morning was about the need around automation within environments right he has this thing that we we tell our employees which is if it's something that you're going to end up doing more than you know twice you probably just want to write a script for it and automate it right there's no reason to sit there and grind grind grind the same

day and not have any forward movement the other thing that you should do is bring your team your tools and your talents together and if you unify them and you kind of hone and sharpen them and use them in the right ways you can be far more effective I talk about shared knowledge and what I mean by that is that the traditional approach really popular late 90s early 2000s that I still see carried on well into today is this siled approach where people think well you know it's important for me to segment my network so I also probably should segment my business right need to know least access these types of things we hear it all the time

the issue that I have with a lot of that is that you can spend all the money in the world trying to take care of everything that your it department wants you to do but if I can walk up to your building and throw a brick through a window walk into your data center and walk out with a server you're screwed so where is your business support people where is your your management your property management people better yet when I tell companies to build out and put together uh you know steering or advisoring advisory committees about this one of the key people that we usually bring in are janitorial services the people who are actually on

on the site working with the business they're the ones who have the keys to the doors they're the ones who know all the different things that work or don't work within that business yet how many times when you've watched somebody go out and create a steering committee around security how many times have you ever actually seen them involve someone that's responsible for like maintenance or security of the physical aspect of the business it's almost always overlooked report once or measure once report many we talked about earlier about GRC right and the audit fatigue that people get into the cool part is if you take a unified or programmatic approach with the work that you're doing you will already be

addressing all of the different compliance controls that are necessary for your specific business by exceeding them just by applying simple best practices the idea here is to not get lost in this having to chase to check a box I hate when people come to me and say that they've got to buy a product or spend all this money simply to address some box that needs checked out there it's not the right answer or the right reason to be doing the work you need to implement those controls and those Solutions because they're positively impacting your security posture not because it's something where someone tells you you have to do it in order to be legally viable

the other thing I tell people is to focus on risk and budget versus vulnerability accounts we covered that a little bit earlier but but the real Focus around that is again make sure that the budget that you're spending is addressing the things that are introducing the largest risk into your environment that's not chasing some requirement that's been pushed down upon you by an insurance company or by a third party partner that's mad that you haven't gotten an Atta station letter for one of the environments they're working in maybe that's not the most important thing to your business right now so the idea is to really start figuring out ways to do prioritization that make a difference

um this is another one collaborative approach versus zero knowledge what I mean by this is that if you're a pin tester you're probably used especially point and time pipe pen testing you're probably used to clients coming to you saying that they don't want to tell you anything about their environment you know yeah we'll give you network ranges but that's about it we want to know what it'd be like if you were a bad guy coming from the internet and all the different things you're going to Target and all the different things you're going to hack the problem is that if you look at the real world and all the incidents that we see and all the different things that we

go through right now that has absolutely nothing to do with what makes something protected or secure instead leverage the knowledge of the people who already work there talk to them and understand what's critical what's important what are the things that are top of mind right what are they most worried about and the things that are most important to their business then when you're doing your testing you can prioritize looking at these different environments in these different areas with that knowledge of someone who's potentially been within the organization of 20 years skipping you way ahead making it to where you're not wasting time just doing Simple Discovery and trying to understand what the environment is the bigger part here is really all of

this can lead to quicker decisions and actions not just for compliance but for your overall security program we tell people to take the compliance approach because it makes all the difference in the world to where if you do it right the first time you're probably not going to have to do it over and over again or waste money so I am short on time apparently so I'm going to go quick through this the programmatic approach when we talk to customers we break down a couple different areas of the business this is not going to be complete but it's going to give you an idea of how we do this maybe if I don't break my computer when

I go in and I talk to a company I want to understand their mission their Vision their culture their budget the focus who their customers are how they're generating money I want to talk to their leadership I want to talk to their governance risk and compliance and I want to understand their disaster recovery their business continuity how are they going to be able to continue to operate if they get compromised the the example I'll give you off of this page is that you know if I'm going in and I'm writing a security program and I'm trying to help a business that is a you know in a skiff out in Reston Virginia that works you know somebody

within the government their approach is going to be very very different than someone who's manufacturing surfboards out in California so why the hell would I take an industry wide accepted approach for both businesses it doesn't make any sense with technology we talk through the things that you see up there on the page as well really trying to identify gaps understand the different types of things that they have in place where they're strong and where they're weak in security we go through and we do interviews to understand the overall maturity what controls do they have in place what Solutions do they have available to them have they bought a whole bunch of products that are just

shelf wear sitting there with a flashy blinky light not doing anything that nobody ever logs into but you're spending 50 000 a year to have this box sitting there or are they actually leveraging the tools to do something and and make something different within their environment and finally one of the more important ones that I don't hear enough people talk about is talking through who your enemy is right if I'm going to get in a ring and I'm going to box somebody I'm going to watch thousands of videos of every single time that opponent has been filmed fighting so that I can understand maybe they dropped their left a little when they lean in to take that that

punch that gives me an opportunity to be able to come up and you know pop them in the chin it's the same thing here understand have they been hacked before are they prepped have they done things like instant response and tabletop testing have they gone through an actual incident and been compromised were they able to recover right or did it take them down how long did it take him to go up we do a lot of this work to really then help us form an approach that develops a risk model that really looks at the bigger picture bubbles Up Priorities and the key is to help them have big wins quick right not getting lost in something because of a specific

risk score but doing something because it's going to be the thing that makes the biggest positive change within their environment big part about the program execution to make sure that this is successful is you have to do this with the executives the people who are responsible for being able to sign a check they're going to define the budget the timelines they're going to get you the support that you need you need to have good project management and good approaches the key is to make sure that you stay out of the weeds and try to get it right again you probably aren't going to go right on the first time so live learn and adapt make it better as you go

really in the end the big thing that we push towards is is unifying prioritizing and executing so that you're successful I've been picking on GRC a bunch but the truth is is that they're absolutely critical legally required and it's important so if you've got to have it then figure out ways that you can go through and look at the different control sets that are defined in the requirements of whatever compliance standard you're having to follow and then understand do those controls apply to my business right if I'm if I'm not a credit card processor then why am I spending thousands and thousands of dollars a year to try to segment a CDE out doesn't make sense why am I doing PCI

that's it's just silly and all the time we talk to different people and really try to help them understand what are the types of things that you can do through policy and procedure that will then enable or or add support to the effort of what you're trying to create and do the biggest thing to remember to ask yourself when you're going through the different compliance requirements is why does it matter and why does it apply to me never ever let that answer be because I need to check the box oh my slides are going crazy here we go maybe there we go so playing together again bring everybody together unify make sure that everybody's able to speak together make

sure that those walls are knocked down don't get people lost in having to go up through different chains of commands in order to get an answer the whole idea behind putting together a steering committee for for Security is to be able to Define and understand the things that are most important within your business and really what are the things that are going to make that biggest positive change for you and last the key points that I'd really want to talk about today is that when you move away from one-off engagements and you start moving to a programmatic you know relationship or approach the bigger thing that you're going to start focusing on are what are those big

changes not what dumpster fire do I have to put out today again better spins of time money and effort when you go through and you've got to you know quote unquote eat that elephant figure out what bites are going to be the bites that make it to you where you're going to have the biggest positive change and again do what's right for you not just adopting some industry standard or some score system or whatever framework's been thrown in front of you today that looks good figure out which one's going to be right for you and focus on that big picture then drill down it's really easy when you're talking about something as complex as a large Enterprise

environment to get lost in the weeds the bigger thing that you need to do is make sure that the decisions and the actions that you're doing have a play across the entire environment not just rabbit pulling into the one thing that looks like it's on fire to day so I'm a little over on time sorry I rushed that a bit but tonight this is the part you've all been waiting for after the happy hour that they're doing here around 7 30 we're going to be over at burn please come join us it's a cigar and Whiskey Bar we're going to open up about 7 30. the password to get in on my tab is going to be I know Pyro

so be sure to say that uh other projects that I've got if you want to come chat with me about and talk through I'm into mycology I live off grid in a bunker on the side of a mountain in Colorado 100 percent uh self-reliant self-dependent I was one of the first and early adopters of starlink I do gold mining have a thousand foot deep mine that goes into the side of a mountain really into ham radio and digital Communications and even though my wife's probably going to kill me for it I ended up spending an insane amount of money to upgrade my solar system lately with commercial level Schneider gear so I can hack that for work and

write it off as a tax write-off for business research and purposes versus putting some [ __ ] into my house um please you know come hang out tonight follow me on Facebook LinkedIn all the other stuff I'm I'm out there I'm pretty public I will be at hacker summer camps if you're coming out to Vegas please hit us up um it's it's an insane amount of fun out there and I'd love to visit with you about the projects the things you're passionate about and the things that really make you tick as well so questions I am a little over time but I'd love to take some if you got some excellent that made it easy well thank

you so much everybody I appreciate your time and your effort today uh please come hit me up if you've got some of this that you'd like to talk about or share some War Stories of stuff that's relevant to the speech and uh enjoy the rest of b-sides [Applause]