
>> All right, we're going to get started here today. Um, so welcome to uh Security BSides uh 2025. Um, you're going to have to bear with me today. I am absolutely completely exhausted. Um, very little sleep, traveling for the last two weeks. So, uh, my brain was working at like 50% capacity today. Um so again this is uh BSides, I don't even know how many years now, math. >> How many? >> This is number 13. >> This is number 13, because we had to skip a time period there with, you know, COVID and missing out on all the funness. Um so right now St. John's and Ottawa are the longest running uh events in Canada and ours is one of the longest running events um in North America and globally. So, it's a nice achievement for us.

All right. Uh for all the new people that are here, um the ones that don't know me, uh my name is Robert Percy. Um, I've been in the industry for 27 years. Um, definitely approaching that curmudgeon level of uh, attitude, but uh, I am the CIO for Collab. Um, I'm on LinkedIn. If you want to connect with me, uh, please do so. And if you want to know more about me, uh, find me today, tonight for the social, and happy to chat. Uh, but this is not about me. This is about BSides.

Um so first off, very special thank you to our incredible partner TechNL. Uh without them we would not be able to do any of the financial things. Like they handle all the invoicing, the sponsors, um, you know, all the payment for all the things that we have to buy. They just handle all the finance stuff, um, and especially Allison there. She is the one that does all the finances and she is an incredible help. Um I want to thank Collab because uh there are a large number of the volunteers that work for Collab and they provide a lot of support, uh a lot of patience with us. Uh this is volunteer driven. It does take a lot of time and, you know, without their support we definitely wouldn't be able to continue to do this. Um want to thank the volunteers. Those are all in the orange shirts. So throughout the day definitely go and show your appreciation for them. Uh it takes a tremendous amount of effort to pull off this event. Uh and without them, again, this wouldn't be possible. Um very special thank you to all of the sponsors. Um we don't charge for BSides; the attendance is free. So the entire event is driven off of the sponsors. So without them, again, this absolutely would not be possible. So take the time today, go talk to the sponsors. Show them your appreciation. Listen to what they have to say. Um and of course big thank you to all of you. Uh without the attendance it's kind of pointless to have a conference, right? So um we had an incredible response again this year to the ticket sales. Um it sold out in hours and right now there's 160 plus on the wait list. So it's definitely time for us to, you know, consider how we can make this a little bit bigger to accommodate those. It's a nice problem to have, you know.

So, um, and I definitely want to have an extra special and very huge thank you to, uh, to Nancy. Where is she? There's Nancy. Uh, she's very shy, so she's not going to stand up. Um, but like this year in particular, um, in my role, it's very difficult to find time for anything. Um, especially doing the volunteer stuff. And in the last two weeks, again, I've been traveling for work, um speaking at conferences, and Nancy has taken the entire weight of everything that had to happen. So very appreciative of the work that you put in and honestly 90% of this was done by her. So definitely would not have been able to pull this off without her. [Applause]

Uh this evening we have a CTF that is hosted by our sponsor uh AWS. There will be teams of three people. Uh this is a very beginner-friendly event. Uh we had people last year do it that had never ever signed into AWS before. First time ever looking at it, and they were placing in the top five teams. Um so I encourage everyone to participate. Uh you're going to have a lot of fun and we have prizes to give away. So, you know, if you need incentive, um it's a pretty good one. Um and it's not a hacking event. It's not a pentesting event. It's very much a hands-on working with AWS to solve problems in AWS. It's really great. Um there are volunteers that will be floating around to help people. Uh you will need a laptop to do it, obviously. Uh so if you don't have your laptop here, you know, before um the CTF starts, there is time; you can run out, grab your laptop. Um so Tyler from AWS right there. Um he's uh going to be running it along with Stephen in the orange shirt. Uh so if you're participating, um see them. They're going to help you get signed up and you will need an AWS Skill Builder account. Uh but they'll show you how to do all that stuff.

Uh few housekeeping items. Uh lunch will be served downstairs. Um we'll probably just, you know, do things in groups just to kind of keep things organized, so we'll let people know when it's time to go down. Um we have a bar as always. Uh the bar opens around lunchtime. Uh we will be handing out drink tickets uh throughout the morning and the day. And this evening we will be having our uh sponsor appreciation social. Uh so I want everybody to stick around. Um show their support for our sponsors. There's um free food, free beverages of whatever you want. Um and that starts around 6. And this evening the uh open bar for the social uh is courtesy of our sponsors uh Fortinet and Cyber Shell. Um, as always, don't drink and drive. Um, if you need help, um, you know, getting taxis, whatever, please let us know. Uh, you can see a volunteer in the orange shirts or come see me directly. Happy to help you out. Um, there's a parking diagram on our website. Um, so please stay in the designated area. Um, so the upper lot that's, um, just outside the door up here, that is off limits. That's for the staff here in the building. Um, but the middle and lower parking lot are good. So, if you have parked in the upper parking lot, um, you can, you know, make your way to get your car and move it down. Um, and there is overflow parking across the road at the Geo Center. Um, as always, we have prize draws that will happen throughout the day. We have uh great prizes as always. Um we have um a few things to give away throughout the day and then we have two kind of larger prizes to give away at the end. Um the tickets are the ones that you got at the registration desk. Uh however, I'm told that there's a slight little mix up with some of the tickets early. Uh so Brian is going to tell you how to fix that and then when he's finished, I'm going to introduce our first speaker.

>> Okay. So, first of all, you should have gotten a ticket with your name tag, though some people pulled out their name tag and it dropped. So, um, go see the registration desk if that happened to you as well. Please come to the registration desk. Um, if you look at the back of your ticket, there's two things that could possibly be back there. There's the Staples logo or a form to fill out with your name, address, and phone number. If yours has name, address, and phone number, please come see me at the registration desk because you were supposed to get the Staples part. We have some duplicates that ended up in the thing. So, you have somebody else's other side of the ticket. We're going to fix that so that everyone has a chance to win. So again, if you have the form on the back of your ticket that says name, address, and phone number, please come see me at the registration desk. I will fix your ticket for you. And that way, you'll actually have a chance to win. If you don't fix this, you'll be waiting going, "Are they going to pull my number? Are you going to pull my..." And we're not going to pull your number. Thank you.

>> Thanks, Brian. All right. So, our first speaker, uh, who I was told that I need to stay on stage for like another 10 minutes, uh, before he starts, so maybe you can tell some jokes. Um, I'm not funny, so I'm not telling jokes. Um, so our first speaker this morning is uh, a very dear friend of mine. Um, we've known each other for quite a long time. He's a very good supporter of the security community and of BSides. And so I'm going to welcome uh Travis Barlo to come to the stage and uh talk about swatting flies.

>> Thanks, man.
>> You're all wired up. >> Time will tell. I can't speak to all the younger people in the audience, but I can tell you the older I get, the more fun technology has become. And uh I used to make fun of old people that had trouble with technology, but now I find myself to be one of them.

>> We got nothing. What's that? It's coming. Maybe.

>> I was kidding when I said I had trouble with technology, but here we go. >> Here it is. >> Like, what are the chances? >> Um, so the only thing I think is under display settings. So that's the one. >> So make that primary. >> It's saying that it's there. >> Yeah. >> The other thing, we can change the port here and see if that makes a difference. Oh, it's >> Shouldn't be the same bus, right? >> Yeah, exactly. >> Well, if I got to go without it, we go without it.

>> Oh, I know what it is. PowerPoint being stupid. So, we need to flip the screens. >> PowerPoint being stupid. There you go. Glad you're here, my friend. >> view. >> Yeah. So, the screens are the wrong way. >> Okay. >> Can I remember how to do that on a Mac?

>> If you want to tell some jokes, >> See, I'm terrible at telling jokes. So, he's recommending I tell you some jokes. I'm absolutely terrible at telling jokes. I have a nice shirt on for you guys today. So, if I'm not the most entertaining speaker, I should be the best dressed. I'm hoping, most you know, I'll go for entertaining and best dressed. Um, while we're working on a slight technical issue, again, as Robert introduced me, Travis Barlo, big supporter of BSides. I love this event. Very partial to this BSides over Ottawa, sorry to the Ottawa guys, but uh I am from Newfoundland originally. Yeah, sorry dude. Uh so I love coming home. I haven't been home for this one for quite some time, so happy to be back. Um you know, 2025 for a lot of us has been an interesting year. My year got off to a very interesting start and I'm here to talk to you about that. Now, what I'm going to speak about kind of aligns with some cyber, but uh it's something that could happen to anybody here and uh I want to share the experience in case it ever happens to any of you. Um so once we get the slide deck up, maybe >> maybe someday >> maybe an adapter issue. >> You found her. She's trying. >> She's struggling.

>> Come on.

>> Not happening. Could it be the adapter? >> It could be the adapter. >> Do you have another one by chance? Yeah, let's try another one. >> Let's roll that out. You know, >> try that. >> I'll try anything at this point. >> Let's see. Change presenter view. Okay. Where's the switch? Anybody know where the switch is? Where's my tech guy?
Going to be stuck with that or what? >> Swap displays in the top. >> You got it. Oh, there you go. Thanks, man. >> We had a different adapter. >> We got to swap displays, but it's uh >> Is it that way here? I'll let you do this. Just go up top, swap displays. There we go. Thank you. Thank you. Nice shirt, by the way.

Okay, here we go. So guys, swatting flies. I know it wasn't very descriptive and I think the organizers left the actual description out for a reason, to kind of get you wondering what's going on here. So, um, again, Travis Barlo, you know, I've been at this 25 years. I know I'm starting to gray in the beard and that. Uh, to all you newcomers in the industry, welcome. It's a bloody ride, let me tell you. Good ride. It's been wild. I've been around the world a few times. I've been in countries I wouldn't go to again. I probably should have never been to. I've done things that are, well, way above my average for a lot of years. A lot of things I've done. Uh but I've seen a lot of the world. I've had fun doing it. Uh I'm very passionate about continuous learning um around cyber. But in the last few years, I've kind of shifted to learning about everything uh in life. And uh you know, I look at experiences, and every experience there's a lesson to be learned. There's things, there's takeaways. And so what I'm going to share with you today is an experience I've had this year. Uh some of the takeaways, uh some of the things that you could do should it happen to you. Uh some of how it relates to cyber and other things. And uh so here we go.

So January 3rd of this year I found myself uh targeted through a swatting. Everybody know what a swatting is? Yeah. Let me tell you, once you're swatted once, your days just get boring after. You know, I mean, I go out and plow the driveway now, and it's just like, no guns pointed at me, no police dogs, no presence, right?

So, 11:00 a.m., somebody made a call. For those of you who don't know, I'm currently located in Nova Scotia up on North Mountain. They call it a mountain. It's like a big hill by Newfoundland standards, but they call it a mountain up there, so that's good. And, uh, it's really nice, secluded. Neighbors are great. Everybody kind of keeps to themselves, you know. Nobody comes on my property pretty well. I got dogs and pigs and stuff. I'm friendly, but it's just that kind of area. So, an anonymous call was made to the Kingston RCMP detachment. Front desk, by the way. They don't record these calls. Okay. Falsely identifies as me. Calls in, says, "I'm Travis Barlo." Male voice. States that I just committed a crime. Provides my home address. Mentions that I'm heavily armed and ready for company. You know, well, that's nice. All right. Now, for those of you that know me, I am a gun guy. Everything's secured properly. If somebody came to break into my property to hurt me, I would literally take 30 minutes to get to a gun and then get to the ammo, because everything's done correctly. That's another conversation about why we have to live like that.

But anyway, 12:05, emergency response teams arrive. Now, this is impressive because again, I live out in the sticks. Okay, so emergency response teams arrive. They stage at the bottom of the street. We have one of those community mailboxes. Great big wide area, parking spot. Then they have two ambulances arrive too, in case we get a shootout and I shoot them or they shoot me or both, right? You know, got to be honest with you, it was a, how to say this. When it's all said and done, I was kind of flattered with the response, you know, for little old me. Now, I don't have a criminal record or anything, right? You know, I mean, we all go 5 km over the speed limit from time to time, but uh you know, let's just say that I was flattered with the response at the end of it.

3:35 p.m. My first interaction. I'm returning with the dog, my dog, from the veterinarian clinic. I come up the street and the whole place is blocked off. Now, logically, I'm like, "Okay, what's going on here?" Because obviously I live there. I know my neighbors. Not well, but I know them. I know that I'm the best armed guy there, right? Definitely. I don't think anybody else has guns in that area. Maybe a deer rifle they haven't taken out of the case for years. So, I see these four or five ERT, emergency response team, SUVs. I see the guys in the SWAT gear. You know what I'm talking about, right? I see all the guns. I see another 12 or 13 police officers, RCMP officers in uniform. And now, I'm very pro law enforcement. I have no problem with law enforcement. They do their job. I do my job. We all get along. So I stop and say, "Guys, what's going on? Like, should I shelter in place because the road is blocked off? Can I get to my home?" And I said, "You know, I got my buddy up there stacking wood. I just had to get my dog from the vet." "Yes. Yes, sir. Don't worry. Everything is good. Just go around, take the long way, come in from the top. You'll be fine. What's your address, then?" Provided my address. "Yeah, no problem, sir." I said, "Should we shelter in place?" "No, we got it under control." I'm like, "Okay."

So, I take a left. It's about a 10-minute detour. So, meanwhile, I just happened to call my mother. Just, we don't get much excitement up on the mountain, right? She lives down here. So, I call her up and I said, "Mom, guess what?" She said, "What's going on?" Well, actually, she said, "What's wrong?" And I said, "What do you mean, what's wrong? How do you know there's something wrong?" And I said, "There's nothing wrong." And she said, "Oh, okay. Phew." She said, "What's going on?" I said, "There's an ERT team with my road blocked off." And she said, "Travis, they're there for you." And I'm like, "Why would they be here for me?" I said, "I think I'd know if I committed a crime that would warrant an emergency response team presence." I mean, you'd like to think you would know, right? I mean, this is not a traffic infraction, people. You know what I mean? This is not, oh, I pissed off my neighbor. This is like, what is this, right? So, this is fine. And I said, "No, don't be so foolish, mother. They're not here for me. I didn't do nothing to deserve this." She said, "Well, you call me if anything changes." I'm like, "Well, of course I'll call you." I said, "Well, it's all good." She said, "What if there's somebody rolling around with a gun?" I said, "Well, I got more guns." I said, "You know, I'm not that worried about somebody with a gun, except, you know, I'd just like to know what's going on." But I asked about the risk level. They said, "Low risk. Don't worry about it."

Took the long way home. So, I went up and I came in from the top and sure enough, there's one SUV up there just watching, but drove right in. Drove into my driveway. Oops. Went into the house as you would. Put on some outdoor clothes. Went out. Neighbor across the road was away. His partner, she's in a wheelchair, and we had a bit of snow the night before. I finished around lunchtime. So, I went out and took the tractor over. Anybody got a tractor here? Hands up. Tractor. Tractor. Tractor. Isn't that [ __ ] fun, I tell you. It's like it makes me feel like Superman. I can get 10, 20 times the stuff done as I could if I was doing it by hand. I bought a wheelbarrow four years ago when I bought this house. I haven't put it together yet. Who needs a wheelbarrow. I don't know where the pieces are anyway. So, I go out and I scrape off her deck and the ramp we built for her. And I just happen to look down
the road and I see four SUVs coming up the shoulder really slow, and I see an RCMP car out in front with an officer walking in front of that and a bunch of other officers. And so the guy in front, now we're at about 200 yards, the guy in front waves to me. I wave back. I mean, what would you do? I'm a friendly guy on a tractor and I had just spoken to them an hour ago, 45 minutes ago, right? Obviously, they're not looking for me. No problem. Life is good. So, I keep plowing out the snow. I got the step, shovel it off. And this is a good 20, 25 minutes, right? You know, maybe. Yeah. And uh I'm like, "Okay, this is good." I look up again. Sure enough, they're closer. They've gotten closer and they're looking right at me. And he waves. I wave back. I keep plowing snow. Now we're at the point, for anybody with a tractor, I got the blade on the back that pulls it away from the houses and steps. And I got a snowblower on the front. Say no more cranking your neck around to, you know, plow snow, and you jettison it out in the woods. Now I jettison a lot of rocks too. Let me tell you. You don't want to be downrange of me when I'm snowblowing. Uh I just don't care. I just let them fly. You ask my camper. Whole camper's been peppered. Never getting resale value on that camper. Let me tell you.

Anyway, so they're slowly approaching, slowly approaching, and I don't think nothing of it. I go to snowblower mode. I'm flinging rocks. I turn around at about 4:52. All hell opens up. I just happen to turn around and, uh, for me to that young lady by the back wall under the speaker, the camera back there. How you doing over there? You good? You good? Perfect. You can hear me fine. Perfect. Thanks. So, lights, camera, action. See, we got sound too, apparently, back in the back of the room.

So, all of a sudden, I look up and they're getting close. They're that close. And then I noticed these SUVs that were in the ditches. Now I assumed, and this is where assumptions, it's like infosec. You make an assumption. Don't make an assumption. It'll kill you. This could have killed me, actually. But I assumed they were slowly coming up the road earlier because they're searching ditches for evidence. And I said, let's put two and two together. They're down by the community mailbox. Somebody must have broke into that thing. That's like a federal crime. They're looking for evidence in the ditches, right? Seemed logical, because I had met with them. There were no problems. Well, let me tell you, when I look up at 4:52, I got four carbines pointed at me, and I got the guy out front, and I'm like, not pointed directly at me, but in my direction. Any gun guys in the room? Gun gals. Yeah. You know, it's like, got a gun pointing in your general direction. You know, you don't point a gun in a general direction unless you're planning to use it potentially. So, I'm like, okay. So, I shut the tractor down and the lead RCMP officer I've been waving to for the last half an hour, you know, I'm a friendly character, so I've been waving to this guy. I said, "Uh, officer, like, should I shelter in my house or something? Like, what's going on?" He said, "You Travis Barlo?" I'm like, "Yeah." He said, "Turn the tractor off. Hands up. Get off the tractor." And I'm like, "Well, this is fun." So, okay. So, hands up. Well, I said, "The tractor's off, sir." I said, "I can't put my hands up and get off the tractor cuz I'm going to fall off." And I said, "I don't want sudden movement." Because they tell you you shouldn't have sudden movement in this situation, right? It seems logical. Keep in mind, I'm dressed in my winter gear and it's all camo, right? Because my best warm gear is camo. In retrospect, I should have been in blaze orange. But anyway, you know, a Mustang floater suit maybe or something, right? So anyway, I said, "Officer," I said, "I can't. The tractor's off." I said, "I can't get off the tractor with my hands up. I'm going to fall face down." He said, "Well, slowly get off the tractor, then put your hands up." So I'm like, now guys, have you ever had a surreal experience in your life? Like, listen, if a UFO came down right now and beamed me up, it wouldn't have been more surreal than that. Okay? And I'm just like, "Yeah, okay. Yeah, no problem." So, I get off slowly, very slowly, get my hands up. They're like, now this time all the guns around me, right? "Okay. Walk towards us and walk out towards about 20 ft. Get out to the asphalt road." And they're like, I live on a hill. The road is wet because it snowed that morning. Remember, that's why I'm clearing the snow. So, like, face up the hill, down, hands and knees, down, stomach. And they cuff me, which is no easy feat. They had to use two sets of cuffs to get all this winter gear on, right? Not cuz I'm buff or anything, but you know, I mean, a lot of winter gear there, so this is fine. So, they get me cuffed and I'm like, "Okay." They're like, "We're going to roll you over." "Okay, roll me over." You ever watch those cop shows on YouTube? Just like that. Really cool, right? So, they roll me over and they said, "Okay, we're going to get you up to search you." And I'm like, they said, "Anything we need to know?" And I said, "Well, I got a bad knee." And I said, "It was pretty good until I had to get down on the asphalt a minute ago." And they said, "Well, which one's bad?" I said, "My right one." They said, "Well, we'll pick you up by each shoulder. You come up on your left. Is that okay, sir?" I'm like, "Well, that's okay." And I'm like thinking, you know, they're being awful kind and respectful, right? Like, I mean, they didn't have to be this nice to me. Even though I was just face down on the ground cuffed, nobody put a knee in my back or anything. I said, "Okay." So, yeah. So, they got me up. They said, "We're going to search you." Here's where things get a bit fun. I said, "Okay, go ahead. Search me." They said, "Do you have any weapons on you?" And I said, "Well, I don't know what constitutes a weapon in your mind. I've been out here working for the last couple hours. I'm wearing my outside clothing. So, let's see. Pocket knife, keys, wood screws, uh, you know, cell phone." So, they're like, "Okay." So, they search me. Of course, there's no weapons on me, right? I mean, I don't walk around carrying a handgun or nothing. That's illegal. So, that's all fine. And like, I'm surrounded by cops at this point, right? And they're doing a great job. They're friendlyish, you know, considering what I'm about to tell you, the reason they're there. So, then they're like, "Okay, we're going to get you back in the SUV. We're going to search your house." Meanwhile, I got four dogs at this point. They're going crazy. So, they're like, "Are the dogs going to attack us?" I said, "Not if you don't attack the dogs. The dogs are just running around. They're excited. You got me. You have me on the ground. I mean, that's fine." So, I asked the dogs to stand down. Apparently, that's not something you say when you have a lot of people with guns around you. You don't yell out "stand down." First lesson learned. Okay. Right. Don't do that. That got a response. But anyway, not a bad one. Just got everybody's attention. The dogs did calm down. So, my buddy was down. He's 75. And they said, "Who's in the house?" And I said, "Well, my buddy's 75." I said, "He's between the garage and house. We're bringing in firewood." And he said, "Is he armed?" I said, "What, with a piece of firewood?" I said, "He's 75." It's all he can carry, one or two pieces at a time. He's a great guy, right? But he's always helped me, like he probably carried more than that, but I mean, he's 75. Great guy. Good friend of mine. Helped me fill the wood boxes while I was clearing off the snow next door. So, they're like, "Okay, we're going to sit you back at the SUV and we're going to read you your rights." I'm like, "All right." Meanwhile, they go to search the premises. Now, I got this. I got videos of cameras all over my house. So, I got videos of all this. I got one video where we use wood totes, uh, big water totes with the bladder removed, put wood in, I move with me tractor, and one of the dogs came running by and two of the cops jumped right in the tote.
Right now, this the friendliest of all the dogs. He just looks scary. He's a bit pit bull, right? Mass me guy. And anyway, but uh, they searched my four sheds, my pool house, my garage, my camper, and my house top to bottom. While they're doing that, they try to sit me in back of the SUV. Now guys, again, I'm not big and buff like Robert Piery here, right? You know what I mean? I don't work out like this cat, but I had all this winter gear on. Let me tell you, the back of a police SUV, a cruiser is not meant for somebody in my dimensions, especially with rubbers on, rubber boots on. So, they go fit me in.
I'm like, I'm looking at the situation. I'm like, um, I'm not going to tell you this, but unless you put that window down, I lie down, scooch you over on me back here, and put my feet out the window. There's no way you're getting this door shut. And they're like, "Yeah, you know, you're right." I'm like, "Yeah." So the one guy is really big officer, really nice guy, Council Murphy. Should have asked him if he was from back here, Council Murphy and all, right? But no. Anyway, he said, "Okay, I'm going to stand here in case you try to run." I look at him. Do I look like a runner to you? Right? Like, so I'm
trying to keep it light because I still don't know what's going on, right? And I have no idea what's going on at this point. So it's still kind of surreal. Then the other guy says, "I'm going to go around and read you your rights." So he goes around the other side, opens the door. Now meanwhile, there's this nice little lady, Lorine, that lives two houses up from me. She's like 88. She comes down the road in her SUV. And she was down the window like, "No, ma'am. Everything's good." She looks over. She said, "What are you doing with him?" And she threatened him. I She didn't get charged. She said, "You better take care of him." He plows me driveway for me. I
said, "Okay, that's good." I said, "You've been warned." So buddy comes around, he pulls out the card. Have anybody ever have your rights read to you? Anybody want to admit to that? It was a first for me. All right. So, he pulls out the card cuz they didn't want to get it right. I appreciate that cuz I'd have to read my card, too. I never remember that thing. I'd mess it up. And then, of course, everything's on body cam, which I confirmed with them, by the way, after they copy. I said, "This is all being recorded, right?" They're like, "Yes, I do have a request in for the video the video cam footage from the
body cams. If I ever get it, I'll share it with you all online." Uh, for some reason, nobody wants to give it to me, but time will tell. Hey Glenn, how you doing? Glenn Stacy, how you doing? Didn't notice you there. Nice to see you. So buddy starts to read; he pulls out the card to read me my rights. He said, "Now, Mr. Barlow, have you had your rights read to you before?" And I said, "No, can't say I have. This is a first." He's like, "Okay." Well, and he starts. I said, "Hang on, though." And he said, "What's that?" I said, "My first right. Why am I being detained?" And he looks, he stops and he pauses, and
he looks at the other guy. I said, "Pardon me." I said, "Why am I being detained?" I said, "That's the first right. I know that. All of you should know that if you're ever detained and you don't know why... I'm sure if you get detained, you get drunk, you get in a racket, you know why you're being detained." In this case, I had no idea. And he looks at Constable Murphy that's guarding me, the big guy that thinks I'm going to run up the mountain or something with these winter clothes on, right? The boots. And you see the look... there's a moment of confusion or something going on there. And he's like, "Well, you're being
detained on suspicion of murder of your ex-wife, Tanya Barlow." Now, boys and girls, let me tell you. I look at him. I look at the other guy. I look at him. I look at the other guy, and I'm like... now, fear at this point, you get a ripple of fear, okay? I'm no murderer. Number one, I'm a peaceful guy. But me and my ex-wife, we're best friends. Furthermore, the day before I'd been with her and my son for a doctor's appointment, so my son's with her, too. So, this is hitting close to home. Saying you murdered somebody, saying you murdered somebody that you loved, and knowing that your son is with that person. That's a bit under the
belt, a bit personal for me. All right. So, that's fine. So, I'm looking... I look at him. I look at the other cop and I say, with my chin, cuz I'm still cuffed and jammed in this bloody SUV. I couldn't fit in sideways. I had one cheek on the seat, boys. This is a one-cheek seat. And I'm jammed in there and I go pointing with my cheek... I mean chin. I wish I had more like a Brian Mulroney chin. Maybe it would have got the point quicker, because I don't have a pointy chin. I'm like, "My phone's right here in me pocket. Take it out. Use my face to
unlock this damn thing and call my ex-wife right now. Make sure her and my son are okay." And you can see the confusion because obviously they think I'm a murderer. I know I'm not a murderer. And I'm trying to get this clarified cuz I want to make sure my family's okay. You know what they say when you get divorced? The family... So still, you're always family, right? You want to make sure everybody's okay. So, finally they agreed to this. I kept saying, "Take the phone. Get the phone out." Finally, like, "Officers, I need you to do this for me now." And they did. They're really great, but I think I confused them a bit because the
whole time they're thinking I'm a murderer. Fair enough. I get it. So, they take the phone, they unlock it, I show them the number with my chin or my nose, whichever way you want to look at it. Got to get a bigger chin. Anyway, they get her number. They go up front and they call her. Now, she's on the phone. Here's the other side of the story. I live an hour and a half outside of Halifax. She lives... Halifax is here. I live here. She lives there. They had deployed a full ERT team to her house. So, my son is home gaming. He's a 15-year-old. Typical 15-year-old. I mean, get him off a computer. Good luck.
He's hardcore gaming. He's into that military strategy stuff. Now, if you want to know anything about Roman history and warfare, he's your kid. Let me tell you, math is another issue. But anyway, which I don't get, because he deals with thousands and thousands of fighting units and he puts them together and everything else, but math is not a strong point. It might be down the road. Anyhow, so they had surrounded her house. Her neighbor calls her. She's at work in Dartmouth. Her neighbor calls her and said, "Uh, Tanya, um, your house is surrounded by ERT and they're staging with an ambulance in my driveway." And T's like, "What the hell?" And she
can't get hold of her son because he's gaming. Okay. He's got the headset on. He's deep into this. He's immersed, right? Good thing it wasn't VR. Who knows what would have happened. So anyway, the neighbor goes out to talk to the police. Meanwhile, Tanya's on her way home from work. It's about a 20-minute drive. They call Tanya on the phone. So I said, "Get him to call." Say, "Call her." And they're like, "Are you Tanya Barlow?" And she's like, "Yes, I am." "Your ex-husband's Travis Barlow?" "Yes." "Where are you?" "I'm on my way home." Just as she's pulling into the driveway, or into the road, because they had the whole neighborhood locked down. It was
amazing. They locked down her neighborhood, didn't lock down my neighborhood. And I'm like, you know, I didn't get the math on that one, but okay. Longer drive to get to me. Anyhow, so this is fine. So, as he's talking to her, I can hear her yelling, "Tell me if he's okay." And all the officer would say... and this, he did it right. He did it right because he couldn't validate it was actually her. Okay? So, he did the right thing. He said... she was yelling, "Is he okay? Just tell me if he's okay." And the response was, "There's been a firearm incident." And she's like... she had some choice words, okay? And she's not one to use
choice words, but she said, "Did he shoot himself? Did somebody shoot him? Or is it, like, is it a suicide? What is going on here?" Just as she's going through this conversation, she pulls in the road, meets the RCMP there, and they validate who she is. And then he's like... they take the phone from her and say, "Okay, it's so-and-so." They all know each other, obviously, and yeah, this is her. Okay, she's alive. At that moment, they'd just finished clearing the house, and the radio... the guy standing there to prevent me from running, Constable Murphy, the big guy, on his radio comes across: "Get him out. Get the cuffs off him." So, they pop me
out. I tell you, boys, I don't know if you've ever had cuffs on you; that's not a comfortable feeling. It's not terrible, but they're not meant to be comfortable. So, I don't recommend that. So, at this point, this is a pretty quick timeline. This happened pretty quick when it started happening. They were dead on, I must say. Really good. So then it's, "I'm okay, you're a victim," and they all gathered around. They're very nice, apologetic, kind, respectful. I guess for being swatted, it was probably one of the nicest experiences I've had in a lot of years. Okay, I mean, I was waiting for somebody to hand me a cup of coffee at this
point, you know, but so they all surround me and we're talking as you would. And so I'm like, "Guys, like, I got to ask." I said, "I have no criminal record." And they're like, "No, we ran you. You have no criminal record." And I said, "You know, I got guns." Yeah, cuz legal gun owner. Everything's registered. They know. Which is fine. And I said, "So what warranted this response?" And the first thing one of them said, "Well, man, they wanted us to wait another hour till the armored truck got here so we could smash down the front of your house." And I said, "Boys, it's a log home. You smash down the front of
that, it's game over." I said, "I wouldn't be happy at all." Anyway, so here's what they said. Somebody called in, like I said earlier on the slide deck, gave my name, gave my address, said I just killed my ex-wife and I'm armed. They ran my name. They saw that I have 54 firearms registered to me and no criminal record, but there's been, unfortunately, a lot of intimate partner violence in Nova Scotia. So, they respond very quickly. So, to put this in perspective, they tied up 28 officers and six medics for this for an afternoon. Okay. Now, where it gets really fun. Site is cleared by 6 p.m. All right.
They say, you know, "Sorry, you're good. We're good." I'm like, "Yep, we're good." "Can you come in Monday and meet with us?" This was on, like, a Friday. I'm like, "Yeah, I'll come in Monday and meet with you. Sure. I'd love to meet with you on Monday. I'll bring donuts, coffee, whatever you guys want. Let's meet and talk this out." Site is cleared. I went in Monday to talk with these guys and they were very pleasant. They brought in one of the higher-ups to meet with me, and they take this very seriously. Obviously, their take on this: it was an attempt to actually have me shot. This wasn't a gaming... my son gaming and so forth. This
was an attempt to have me shot. And I was like, "Okay, fair enough," you know, and they kept thanking me for being so compliant. And I'm like, "Guys, you had more guns than I had. I had no guns on me. What am I going to do?" Even if I was, like, a criminal, that's a bad move to make, right? So,
obviously, somebody wanted to kill me. That was their take on it. They're dead serious. They couldn't tell me what my threat level was, what's going to happen next, which I found was the alarming part for me. They had no idea what the risk was to my family, my ex-wife, my son, me and my friends. So, we kind of said, "Okay, whatever." And they started their investigation. They take this very seriously. Then it gets really fun for me. So, that was a Monday. Monday night, the anonymous death threats begin. So, AI-generated death threats. There's texts to me. My phone is flooded. Emails, my inboxes are flooded. Um, LinkedIn messages, you name it. All right. So the
idea is to kind of unhinge you. So what you do in this case, what I did, I just keep going tickety-boo. I'm not going to lie, there might have been a 12 gauge behind my couch, might have been a couple of shells in my pocket for a while there, right? The problem with this is people that do stuff like this never show up in person. But you don't know if they can convince somebody else to show up, and that's the risk, right? Uh, after that happened, parents out here in Clarenville... you guys all know Clarenville, that's where I'm from, Shoal Harbour, actually. They want to save... they want, like, the whole amalgamation thing. There was a debate this week, let
me tell you. Uh, they were targeted with weaponized emails. So, my mom called me. She said, "I just got this email about your ex-wife, Tanya." And they're good friends. I'm like, "Okay." And, uh, I said, "About her?" And she said, "Yeah." I said, "Screenshot it and send it to me." So, she sent it to me. There's, freaking, you know, "Sorry news about Tanya Barlow. Um, you know, here's the album. I know you'll recognize the third picture. We really miss her." Of course, my mom... how old was my mom, Steve? 65, 66. Clicked on the link. All right. So, we had to clean all that up. Then they targeted my stepfather, who clicks on everything before the email lands. He's
clicking, trying to click on stuff. So, we got that dealt with, taken care of. Um, both attacks failed because they weren't set up for macOS. They were set up for Windows. Uh, I actually put a team on that. Some of my old team that have moved on from one of our last employers. Uh, I called everybody up. We put a team on that. They made a mistake in the last weapon that was emailed to my mother. We were able to identify with high certainty where it came from. Okay. What that led to was... now you want to talk about chance encounters. Okay. Three days later I'm flying to Montreal and I get off a plane and who do I... or I'm
going to get on a flight. I'm already in Montreal, and who do I see getting off a plane? But one of my primary suspects, because the RCMP said, "Give us a list of who you think might do this to you." And I said, "Well, I know some people don't like me, you know, but that's a pretty big step." And he said, "Well, this is personal." I said, "Well, here's a list of five, my top five." And even it should have been top three, cuz two of them were a stretch, guys. And so I gave that to him, and sure enough this person... we had just identified with high certainty where this email had come
from, what country, which you can't really do if anybody's any good at knowing what they're doing, but we tracked it down, and sure enough this person was getting off a flight from said country. I just happened to cross them at the airport. Now, what are the chances of that? Karma is an interesting thing. So that's where we are long term. For those of you that know me well, I changed a lot in the last four years when I stopped drinking. I've softened in my old age. I would have been out for blood four or five years ago. Like, I would have been out for blood over this. But the older I get, I've softened a
bit. Like I said, I find strength in restraint. There's a five-year sentence minimum for this person. Okay. I think with high confidence we can identify... I've provided the data to law enforcement. They're working through it right now still, but I think with high certainty, you know, we're pretty certain that we can have a conviction. Problem is, that person goes away for 5 years. That person has a family. So what do you do? What's the punishment for this person? What should it be? I'll open that to you guys. Like, what should it be? Because I'm really torn about this. This person has children. You know, do I send them away for five
years? Do I... if this goes to court, do I put in a good word with the judge saying, "Listen, you know, they made an honest mistake"? You know, you get to a point in your life where you forgive more. I'm at a point where I'm open to forgiving. I didn't get shot. Now, if I had a bullet hole through my arm or, heaven forbid, somewhere else, maybe I'd take it a bit differently. But in talks with the RCMP since this, one of the questions that keeps coming up is, "You're ex-law enforcement, right?" No. "Ex-military?" No. And this is the ERT guy who keeps asking this, and he said, "Well, what are you?" I
said, "I'm nothing. I work in cyber security." I said, "Why?" And he said, "Why were you so calm with all those guns pointing at you?" And I said, "Well, when I was in Boston, I had guns pointed at me; when I was going across the border into Hungary..." Let me tell you, you shouldn't have bleach-blonde hair and a beard going into Hungary. Okay, and you need to speak... you should speak the language, because I almost... that was a risky move. And then I've been to a few other places in the world where I've had guns pointed at me. And I said, you know, when I look at what you guys do, I said, "You guys pointed in my
direction, not right at me. Fingers near the trigger, not on the trigger." He said, "You noticed that?" Of course I noticed that. And I said, "Here's my thought. If you pull the trigger, the sheer amount of paperwork you'd have to do to get out of this mess, me knowing that I'm innocent..." I said, "That was really why I acted so calmly." Five minutes? My god, I'm going to have to speed up here. I apologize. So, I'm just having so much fun talking to you all. You know what? You get into this. I was sick in the stomach. I haven't talked to you all this morning. Not because I don't like you, but I haven't
been up talking to anybody for a long time. So, thank you all for entertaining me. What I will tell you, if this happens to you: stay calm and comply. Okay? Communication is key. I'll say that. That's in life, that's in relationships, that's in swatting. Communication is key. Um, clearly identify yourself. They weren't even sure it was me when they had all the guns on me until I said, "Yes, it's me." Avoid sudden movements. Of course, if there's other threats, if you have a weapon, tell them, for the love of Pete. Uh, even if it's a pocketknife. As soon as this is done, this is something I really got into hardcore, was record the event details to
support law enforcement and legal actions. And like I said, this went on for 30-plus days after; the threats continued and everything else. So, I was boom, boom, boom, recording everything for them. Uh, that was the most tiring part of all of it, recording everything. Uh, some people need medical and mental aid. Um, I didn't get any. I'm a bit special anyway. My mom says so, you know, I'm touched. My friends here will agree with that. Um, the thing about swatting, it can cause fatal physical harm. I'm lucky, obviously. Uh, you hear in the US the horror stories about people being swatted and being murdered. Uh, the US is a bit different because they tend to have more loose guns. Uh, in
Canada, not so much. Uh, there is potential for emotional trauma. My mom is still traumatized about this. She tells everybody, but you know, it's a good story. Uh, perpetrators face severe legal penalties. That's true. Uh, look at this. They had 30-plus officers deployed for me for the best part of a day. They had four ambulances deployed. They were getting ready to flatbed that SWAT truck down to smash in the front of my house in case I barricaded myself. I told him, like I said, you don't knock out the bottom of a log house, cuz then you got to take it right apart and put it back together. It's like Lego, right?
Same situation. Swatting disrupts communities and resources. Let me tell you, boys and girls, ladies and gentlemen, there was a short period after that swatting where half that mountain was scared to death of me. The other half knew I was a legend, right? They're like, "Who is this man of mystery? What's happening there?" Like, he must be something to demand this police presence, right? So, I got a lot of invitations for supper once they realized I wasn't a threat. Um, again, how do you recognize this when I talk to them? Am I okay for a couple more minutes? Two or three? >> Really? Oh, man. >> Okay, thank you. You all want me to keep going or you want me to shut up, sit
down? We're okay. Keep going a bit longer. So, again, they called in from an anonymous, non-traceable number. It was a VoIP gateway they used. Okay. I found out after, because I got involved with trying to track this down. A voice... I went and talked to the lady who took the call. Again, they don't record the calls when you call the front reception at an RCMP detachment. Okay, there's a cost to that. I get it. Like everything in security, there's a cost to it, right? So, no problem. Um, but when I talked to her, she said, "This doesn't sound like you at all," the call that we got. Is that my water right there? Yeah, I think it is.
Thanks. If not, I'm drinking it. Don't kill me. So, it didn't sound like me at all, but they had no reference. Where it gets interesting is they had no body. So, you deploy 30-plus people to respond. How you doing over there? I thought I saw you earlier. Yeah. Hey, both of you. Um, we'll catch up after. They deployed 30-plus resources. They had no body. And this is something I brought up with them. I say, "Had no body, but you deployed." And they're like, "Well, intimate partner violence is rampant." Okay, so we need to act like this. I'm like, "Okay, I get that. I'm fine with that. I like that, actually." I said,
"But did you try to reach my ex-wife?" And they said, "Yes, we called this phone number." And I said, "That was a home phone number that's been inactive for 13 years." I said, "What else did you try?" And they're like, "What do you mean?" I said, "Did you Google her?" "No." "Well," I said, "if you Google her, you would have seen her on LinkedIn, where she worked, and you could have called her office." I'm not... like, they need to respond. That's not on them, but I think they changed the process going forward a bit, right? Cuz I said, "You could have got her at her office." I said, "So that's fine." So this is in my
mind one of the worst things somebody can do to our communities, because it takes all those resources, ties them up. Um, emotional trauma victims face. I'm sure a lot of people develop a trauma, and every time they see a police car, an officer, after this... I know two days later I was out on the road and of course there's an RCMP cruiser hauls right in behind me coming down the ramp, and I'm like, I wonder if they're wanting to stop me. So I just pulled over, and of course they go on by, but I'm thinking they wanted to stop me, because obviously I'd just had this whole swatting experience. Um, again, stay calm, cooperative. They've thanked me multiple
times for being so calm and cooperative with them. Again, what choice did I have? The alternative didn't look that great, guys. Uh, protect personal information online to reduce risk. So, it's not hard to find where I live. I don't hide that. That's easy to get. Um, not hard to drive by and know I'm home. I don't post a lot on social media. I don't tell you, "Here's what I'm having for lunch. Here's what I'm having for dinner. Look at the firewood I just stacked up." I'm not that guy. I'm busy. Kudos to anybody who wants to do that, though. But that's not me. Unfortunately, my mother is a Facebook-aholic. Uh, and she posts everything.
So, I ask her not to post about my birthday. I ask her not to post stuff. She posts everything, not thinking there's a risk. Now, that was pre-swatting. Post-swatting, she got really good and stopped posting for about a month. All right. Yeah. And then, so whoever did this tied all that together, probably connected with her, still tied it all together, because she'll accept any invite that's sent. It's just the way she is, and it's fine, right? Um, now how's this connected to information security? Well, the more data you have online, the easier it is to get you. All right, so I have an event yearly and it's very easy to find out where I live. Um,
pretty easy if you, like I said, did a drive-by. I don't leave home. I work from home. I don't leave home much. This is a stretch coming down here, believe it or not, for this long. Um, the older you get, the more of a homebody you get sometimes. So again, data privacy is very key to make it more difficult. Would it have helped in this case? No, I don't think so. But for many it would. Everybody know Brian Krebs? KrebsOnSecurity.com. If you don't know him, check him out. Uh, old friend of mine. Uh, you know, I messaged Brian after. I said, "I want to get the badge now." He's like, "What do you mean?" I said,
"Well, I'm in the club now. You must have got swatted 100 times. I got one." So, uh, sensitive data collection again: watch what you have online. IP address exposure, that didn't really play here. Weak privacy controls are a big thing. Public schedules and routines. I have a lot of friends that post online, "Oh, I'm going here. I'm going on vacation." It used to be, don't post that you're going on vacation because your house is a target to be broken into. Well, in this case, they can track wherever you are, right? So, if you're going down to the US, they respond differently in the US to a swatting call than they do in Canada, thankfully. Um, there's a
reference to a case study I'm not going to do. So, you can harden your online presence. You guys know all this, how to harden this stuff. Use VPNs, encrypted communication. Limit personal data exposure on platforms. Anybody here not have multifactor? Yeah, please have multifactor, for the love of peace. Uh, regularly audit privacy settings. Remove outdated info. I'm actually going through a cleanse, taking everything off right now. Uh, whoever was behind this created a bunch of accounts online on my behalf, and I've slowly been cleaning all those up. You know, legal jargon, legal threats. ChatGPT, thanks to Darl. He's taught me ChatGPT is great for writing legalese letters to providers. Um, and use trusted contacts. So, I watch what
other friends do and hopefully they watch for me. Um, you know, verification. They didn't verify it was me in this case that called. They didn't verify they had a body. Didn't really verify much. They deployed because, again, the timing. Uh, social engineering. They impersonated me. How do you defend against this? You know, cyber experts and responders need to build protocols to reduce swatting risks. That's a tough one because it's a resource pool, right? It's money. Uh, vulnerabilities. They phished my mom and my stepdad. Uh, I mean, of all people to target, that's really personal. I kind of feel like... like the mafia used to say, you never go to a man's home or attack his family. That
got really personal for me. And, uh, you know, because there's a cyber aspect of this, digital threats can create real-world harm, right? But we're just not seeing that integration that I'd like to see, and I don't know if we ever will. So, what I'll leave you with is: if you ever get swatted, be calm, stay safe out there, and be kind to everybody that you can be kind to. I like to think that I do more positive in the world now than negative. A lot of years I was a drinker, and I was a bit harsh with people. I try not to be anymore. Uh, but, uh, you know, the world is changing very
quickly. It's evolving. I think we're going to see a lot more of this type of activity, unfortunately. I hope it doesn't happen to anybody in this room, but if it does, I hope you learned a slight bit here that might increase your chance of survival. Um, but yeah, that's my talk. Uh, thank you all for having me. I hope I made it somewhat entertaining for you. Woke you up this morning. Now you're going to get into the great stuff, the technical stuff. So, uh, thank you again. [Applause] Okay. What's that? Oh, I still got this mic on. Yeah. What's up? >> Oh, thanks, buddy. Appreciate it. >> Yeah,
>> I'll borrow this for some time. >> Okay, thank you, Travis. Um, we're going to take a quick break. Uh, we'll be back at 10:30 and we're going to draw for a prize. So, uh, be sure you're in the room.
I did not bring anything other than my laptop. I'm like, "Oh, man." >> All good. Um, >> you don't have HDMI. Okay. >> Yes, I do. Never mind. My bad. >> We have converters. >> New laptops won't work. >> We have a converter. That'll be good to know for later. Um, Yeah. Okay. Um, do you want the lapel mic or do you want to use this one? >> Uh, >> either one works. It's up to you. >> Probably this one. >> I guess. >> Yeah. You're not moving away from the podium. >> That one's okay. Okay. And so if I do >> presenter view, >> that's not great. >> So you're in presenter. Do I need to
like share screen or >> are you using Google Slides? >> I can use PowerPoint. >> Doesn't matter. >> Okay. >> With Google Slides, it makes two windows and you've got to just shuffle them. >> Okay. I've got it. No, it's fine. I did both cuz >> it's up to you. That's what happens. >> Thank you. Down at the bottom. >> Oh, there we go. Perfect. Okay, fantastic. >> So, yeah, so >> if you want to, you can just talk into that and we're good. And you can just leave the lapel there. >> That's all fine, and if people want to use it then we can use it. If they don't
>> Okay, >> whatever. >> Okay. So, I can just leave that there. Okay. >> Yeah, there's a break. >> 20 minutes. >> Yeah. Yeah. I'll just leave my laptop. >> If you are going to wander at all, I would suggest the lapel, though. >> I don't know, honestly. >> Well, then you might want to use it. >> If you do decide, you just pick it up and put it on. >> Yeah. I'll just keep my eyes on you and, uh, I'll turn it off. >> All right, sounds good. >> Yeah. So, >> I never know. I just kind of play it by ear. >> Exactly. You be as free as we have
to follow Travis. Come on, guys. Like, >> maybe ease in, real life, ramp up to this. Come on. >> Yeah. Like, I can't follow that with frameworks. Come on. >> At 10:30, I'm gonna give something away and then I'll introduce >> I just want to... I'll sit at the table. Yeah. Okay.
So the slides have been updated. >> Oh, sweet. Okay. >> Yeah, that's all. >> I just I just did it there. >> Listen, that's fine. I mean >> that stuff happens with and sponsors are [Laughter] >> got a note this morning was like you update the website and slides >> maybe maybe oh if you're looking for anything just ask you know I'll get you if you need like a room or whatever. Yeah, I know. I know. >> I could have done that, but I wanted to do it while >> Yeah, of course. But yeah, just let us know because uh we'll we'll make that happen.
>> I'm usually driving. I forced my wife to drop it after pick up tonight.
Okay. Uh, everybody want to get back? We're going to draw for this fancy Apple Watch.
And you have to be here to win.
>> Uh 625496.
Congratulations.
>> And your ticket does go back in, so you still can win the grand prize. >> Awesome. Good. >> That's a good prize, man. >> Yeah. Um, okay. >> This, uh, I think he just needs to >> switch it. Okay. I saw it pop up a couple times, but >> I think we're >> There you go. >> Okay. Uh, and yeah, we would like to welcome Kimberly Osman. >> That was quick. [Applause] >> Hi, everybody. Um, first of all, having to follow Travis, if he's still here. Holy crap. Like, come on, man. >> He just left. Okay, bye. Amazing story. I loved it. It was very cool, but a little intimidating following Travis, and I'm here going to talk about
frameworks, but anyway, I'll try to make it entertaining. Um, so a little bit about me. Uh, I do work for Cisco Splunk. Uh, I'm their security advisor for Canada. Um, I was just joking with someone: I don't do sales. I don't sell anything. I just talk about cyber security programs, frameworks, you name it. Um, and this is my hometown, so I got to come home for a couple of days. Uh, I grew up here. I grew up actually in Quidi Vidi. Uh, so where the brewery is now, that was my playground when I was a kid. I'm dating myself. I know that. Um, but I'm staying with my mom and dad. So, God love them. Uh, my mom likes to
deliver tea at all hours of the day when I'm in calls, which is always entertaining and fun when I explain, "That's my mom. She's hanging out." Um, so I'm going to talk about control creep and frameworks and all that fun stuff. I think as a security community, everybody's dealt with it. Um, prior to joining Cisco, well, Splunk, which is now Cisco, I worked for the Communications Security Establishment in Ottawa. Anybody know what it is? I know Tyler does. Some people are waving their hands. Um, so I worked there for, um, 22 years. I like to say I started when I was five. Not going to say how old I am. Uh, but I worked in foreign intelligence, where I
got to do a bunch of spooky stuff that I'm not allowed to talk about, uh, but think along the lines of pentesting, intelligence analyst, network analyst, uh, things like that. Um, and then I did cyber defense for five years, the last five years I was there. So I worked at the Canadian Centre for Cyber Security, which is part of CSE, uh, where I was an analyst, um, industry engagement analyst, security solutions architect, all kinds of fun stuff. Um, so they've given me 40 minutes. I'm going to try and fill it. If not, everybody gets coffee break early. How about that? Is that okay? Okay, good. Um, and if anybody has any questions, feel free to
jump in. It's a pretty laid-back venue. So, uh, I'm just going to get into it. So, I will ask, has anybody ever implemented a control you knew was useless because you were told to do it? I've done it. I've been there. Um, I've done it many times, and I know this community, and probably everybody has done it as well. And you question, why are we doing this? Um, and a lot of times the answer is because we've always done it, or because it's a checkbox solution. So we need to get away from that a little bit, hopefully. Do it this way. There we go. Um, so we are all familiar with the various frameworks, right? NIST, CIS, um,
vendor frameworks that are implemented. Sometimes customers demand them as well if they're going to interact with your systems and things like that. Um, and I'm not going to say frameworks are bad. They have their place and they have their purpose. Absolutely. Uh, but they were meant to guide us, right? They weren't meant to be the be-all end-all solution that they've turned into. Um, and what's happening is they're starting to smother us. So, the longer organizations are around and security is around, um, we tend to pile on all of these controls from these different frameworks without really going through and justifying why we're implementing the controls. Uh, I've seen it many, many times. I saw it in government. If
you work in government, you know what it's like. It's a bit of a gong show when it comes to controls and policies, but organizations are going the same route where it's, you know, the framework is set up, here's all the controls, they're put in place, another framework set up with their controls, they're put in place, and like I said, nobody really questions them. So, we end up with this kind of giant spiderweb of controls that we're trying to navigate. And when you're doing that and trying to respond to an incident or what could potentially be an incident and you've got to go through all these controls, it's not good, right? it does impact our response. So things like we're ending
the the controls are they're redundant. Oftentimes many frameworks will have the same controls in a different language or a different format. They become outdated and they become irrelevant. They're really not serving the purpose that they're intended to serve which is to reduce the risk. Right? That's why we put those controls in place is to control the risk uh that's posed to the organizations. So, we need to think about are the frameworks truly enabling security with the way that they were supposed to enable security or is it a checkbox? Um, like I said, I've seen it many times where it's a checkbox. And I've challenged a few sysos and a few board members with the question of so what?
So, you put this control in place. Why? Why does it matter? How are you using it? Does it reduce your risk? And most times they can't answer that question. Um, and it goes back to, well, we've had it for so long, we're just going to keep it there. We're always going to keep using it. Or it's, you know, our cyber insurance company is telling us that we need this framework with all these controls and it's a checkbox. And I don't think anybody in a sock or who's running a security program wants to do checkbox compliance all the time. I didn't. I wanted to do the cool stuff. I wanted to respond to incidents. I wanted
to find the threat actors. I wanted to find the cool stuff. Uh, but when it turns into that checkbox compliance, that's where we're we're losing the plot there a little bit. So, there we go. So, think about it in terms, you know, where I think everybody's familiar with scope creep, project creep, where things just kind of keep getting out of out of the lane of what they were meant to be. U, we've all been there. We've all done it. Um, and we look at how do we contain that? How do we kind of get that back into a space where it makes sense to have those controls in place? We all know where they come from. I mentioned a
few: ISO, CIS, there's vendor requirements, there's customer demands. And when you contain all those, when you get all of them in place because your organization's telling you to, that's a spiderweb, right? How do you manage hundreds of controls when you have a security team of two or three people, maybe four people? I've seen a security team of one person. It's impossible. You can't manage that. And it does impact the team's ability to respond, right? They're losing the clarity. If you work in a SOC or you investigate incidents, oftentimes you're looking for a needle in a haystack of needles. And the controls just complicate that, right? We don't have time to go through the control checklist when we're trying to solve an incident or respond to an incident. And it makes you slower, right? You're not responding as quickly as you need to respond. I think dwell time now can be pretty long and we want to get that down. We need to be able to be agile and we need to be able to move much more quickly than we already are. And it also impacts trust. So the business lines no longer trust the security teams to be able to do what they're empowered to do, because they see security as this black box of "no," right? I don't know how many times it's happened to anybody here, but I've been asked before in previous roles, "Well, why can't I do this?" "Well, we have a control and you're not allowed to do it." That's not a great answer, right? You need to explain why, and why the control is there. And if it's not serving a purpose or if it's redundant, we need to get rid of it. And it's not necessarily about fewer controls, even though I think we should have a lot fewer controls. It's really about the right ones, right? You need to be able to get to the right controls.

Just one example of a company that I worked with. It was a financial organization in Canada and they were rolling out a new product, a new solution that was going to make their lives easier at the end of the day, and it was taking months and months and months. We went in and asked the question because they asked for our assistance. They were like, "Can you help us validate all these controls?" and there were pages and pages and pages of controls. And the reason it was taking them so long to roll out a solution that technically they could do in probably three days (it's not rocket science to do this): they had 47 controls that needed manual documentation required by their board for no other reason than that it was a checkbox item. That delayed their rollout of this solution for three months. They could have done it in three days. And when we go in and ask the question, that's when I go, "So what? Okay, so you've documented all of this. Is it actually reducing your risk? Is it actually improving your security output?" And they couldn't answer me. So it's things like that where you take a step back and ask, are we really going in the right direction by just adding control upon control upon control?

And there are a few real-world examples. That was one that I just talked about. There are many, many others, I'm sure, and everybody in this room probably has many
of them as well. Case study one, I just have to say "org" because they're bound by NDA. They cut about 40% of their controls simply because they were redundant. They had the same control with different wording, but it all said the same thing. And it actually improved their audit outcomes because they were able to answer the questions much more quickly and efficiently, and respond much more quickly when an incident happened, because they weren't just checkboxing. The other one, this was an organization that came up with this idea (and maybe some of you do it as well) where they do a control health check. So twice a year they sit down with all the parties that are involved, all the stakeholders, and they literally go through every control and ask the question: why do we have this control? Is it in place for a reason? Is it reducing our risk? Is it enabling security? If it's not, it's gone. And they are now in a much better position to be able to respond to incidents and dig through all those needles in a haystack of needles, like I said. And their board's happier because now they know why they have that security team and why they have those controls in place. And the board was much happier to give the security team money because they could demonstrate the effectiveness of what they were doing and why they had those controls in place.

So even though it's fewer controls, it doesn't necessarily equal more risk, right? I've sat with many security teams where they say, "Well, we can't get rid of the controls, or risk, and the boards want this and this and that." But if you can justify why you need fewer controls, it's going to make your life much easier. You just need to be strategic about it and ask the "so what": why are we putting these in place, why do we have them there, what's the outcome of it? One of my former managers when I was in the government would always ask us, when we came up with these crazy ideas of things we wanted to do, "Imagine it's six months from now. How is your life better?" Right? If you think about that, you're much more likely to do it in a more lean and efficient way and be able to enable the security teams much better.

So there's lots of practical strategies. These are just four. I love the idea of the company that did the health checks, right? Every six months they would sit down and they would go through it. It's an audit at the end of the day. Does an audit suck? Absolutely. I hate audits. I never want to do them again. But if they're done the right way, they do really work, and they do help you justify why you had those controls in place. Like, I just got an email. I was sitting down earlier and I got an email from the company saying (which is sad) that they're going to be monitoring something a little bit more closely of what we do on our laptops. And I just thought, first of all, why weren't you doing this before? Or why are you just starting it now? What happened? Was there an incident that happened that started them doing this new thing? That's another control, right, that they now have to manage.
Does it generate more alerts? Absolutely. I guarantee you tomorrow when they turn that on, they're going to get thousands of false positives. Our company has 90,000 employees across the world. So just think about the number of alerts that our SOC is going to get at 9:00 am tomorrow morning Eastern. I don't work in the SOC. I'm glad I don't work in the SOC for this company, but just think about that, right? We're a cybersecurity company. They could have done that a little bit better. But it is important to go back and audit the framework. If you can identify controls that haven't done anything, haven't mitigated a risk, haven't proved valuable, then they don't deserve the oxygen. Get rid of them. Kill them immediately.

And kill the redundancy. Right? If you look at all these frameworks, I've gone through them many times. They're often redundant, right? There are many controls within those frameworks that do the exact same thing. They just use slightly different wording because they want to make themselves sound different. Get rid of them, right? You don't need multiple controls that say the exact same thing. And really look at it from a risk-based perspective, right? What would happen if we dropped this control? Imagine it's a week from now and we got rid of this control. What does it look like? Does it cause an impact? Is it going to cause an issue? You need to be able to ask that question. And I like to think about controls kind of like you're developing code, right? Code is a living thing. Security is a living thing. You can't set it and forget it. We have to treat it like code: iterate, refactor, retire. If it's not working, get rid of it. And I was talking with someone a few weeks ago and they came up with this idea of "zombie controls," because I think he was just re-watching The Walking Dead at the time. Not going to lie, big fan. And he's like, "Oh yeah, they're like zombie controls. They died a long time ago. They're still roaming the company, but nobody has the courage to just kill them off." That's pretty accurate, I'm not going to lie. I like that analogy.

So it's very important to remember that we cannot defend against the type of threats that we're seeing, and the type of threats that we're going to see in the coming months and years, with a static compliance checklist. It needs to be dynamic and we need to be able to keep up with those threats. And my last slide. I knew it wouldn't take 40 minutes. But you need to really think about how the frameworks are enabling your organization and the security of your organization. They're not meant to obstruct. I think they've become very bloated, and I think organizations have started to implement them because other organizations are doing it, or they read something online or in a forum that says, "Oh, this framework is the be-all and end-all. Implement it and you're good." Well, not really. They really should enable; they shouldn't obstruct. So you've got to spot the control creep. Are they getting bloated? Are they getting out of control? Are your teams spending too much time trying to manage just these frameworks? And build a living control culture. That's the going back: making sure that they're adapting, making sure that you're implementing ones that make sense
and making sure that you're implementing ones that will make sense as we move towards a more dynamic environment. I'm sure everybody uses AI. I'm a big ChatGPT user, not going to lie. Love it. Think about threats that are going to come from that, right? Like Travis was talking this morning about how somebody called in who could have been AI generated. We don't know. How do we adapt the frameworks to be able to address those security concerns as well? And like I said, they can't be static. We're not living in a static environment. The threats keep changing. We see it every single day. The frameworks need to be adaptive as well.

So I like to challenge people. Like I said, I like to ask "so what" to board members and they look at me like I'm crazy. But it makes them think, right? It makes people take a step back and really try and work through why they have all of these things in place. So I will challenge each of you, if you work in a security program or you're one of the leaders, to ask yourself: do we really need it? Is it there for a reason? Is it making our organization more secure? Is it protecting us from something? Or is it limiting your business? You need to really take a step back and ask those questions and think about what the story is and how bloated things can get if we don't do that iterative process of going back and understanding why those are there. I worked in the federal government and there were many times I would ask the question of why we do this this way. And the answer was, "Because that's how we've always done it," and that's not good enough. And that's a little bit of how I got in trouble in the government as well. I like to ask questions. And that's not a good answer. If you can't explain why that control is there, then it shouldn't be there. And that's my talk. Thank you, everybody. I'll be around for the day. [Applause]
>> Okay, so now we have Kieran presenting on application security in the age of vibe coding.

>> Hi everyone. A quick bit of trivia before we start: there is no letter K in Irish, so any time you see the letter C, it's pronounced like the letter K. So if you're ever confused by an Irish word, C is a K. So I'm Kieran, Kieran Kliff. I'm a lead security architect at Rapid7. I'm one of the directors for BSides Belfast. Actually, we ran that last Thursday, so just a week ago, and I gave this talk there as well. If you're organizing a conference, don't try and give a talk at it as well. The only benefit is you're stressed out about two things at once, so they balance against each other. But I'm really enjoying this. This is actually the first North American BSides I've ever made it to. It's been all European ones before. And I'm very impressed with what Robert and the team have going here. I did not realize it's been going five years longer than Belfast. So we're the little brother.

So, as I said, I have been working in IT for over a quarter of a century at this point. I actually started out in software development. I worked for Liberty Mutual for a couple of decades, and for about half of that I was working in Liberty Mutual's cyber security department, as a programmer and then as a software architect. But about four years ago I jumped the fence when I moved to Rapid7 and went from being a software architect working in security to a security architect who's mostly working with software. So much like the Irish fisherman who moved to St. John's, I am sailing the same sea but in the opposite direction.

So like everyone else working in IT: AI, big thing. I'm not going to waste your time going into a big dissection of the rise of LLMs and other machine learning models. "Self-supervised continuous learning feedback algorithms" is in my notes. So there, that's why it happened. The main thing for us, though, has been that there have been a lot of security impacts as a result of the rise of AI and the broad use of AI technologies. We have, I think it's Ian, later giving a talk about deepfakes, which is one big impact. For my money the biggest impact is people in your company using public ChatGPT and uploading company data to it, or trying to, if you've done your job right. But where it's intersected with me the most is in vibe coding. Vibe coding is one of those phrases that someone invents and it gets away from them. You can see in Andrej's original post here, where the phrase vibe coding originated, that what he's really talking about is using AI to round off the edges of development, basically allowing him to get into a state of flow, being "wired in" or "in the zone." That's what he meant by going with the vibes. But it's become a generalized phrase for any kind of using AI to create code, which has become more and more a feature of the software development landscape over the last four or five years. So that's what we're here to talk about today. So the basic structure is: I'm going to talk a bit about how people
actually use AI to help them develop code. Then I'm going to talk about the impact of that on security, and just go through some general threats. Then I'm going to talk about what we can do about it, and hopefully at the end I'll come to some sort of conclusion. Before I start I have a quick note on the scope of this, because I had to limit it down, because otherwise I'd be here for about three hours. I'm only talking about using AI to create code, not the use of AI in general or building something and having AI as a part of it. Those are also big concerns in the security space, but just beyond our scope. I'm not getting into value judgments, because the simple fact of the matter is, if you work for a large company, whether or not AI is used is very much out of the hands of the security department. We have a little bit of a say in how it's used, but not so much in whether or not. So there's no point in getting into it. This is a vast and ever-evolving field. I have been tweaking my slides pretty much nonstop. There are changes here from what I gave last week. It will still probably be out of date by the time people leave the theater today. But on the other hand, the fun thing is that everyone in IT evolves at different rates. So there are talks I gave five years ago and I'm like, they're not out of date, they're just targeted at legacy segments of the market. I'm focusing on company-level use. There's a lot of confusion in this about things that are great for personal projects that do not work at the enterprise level, and that is part of what I'm talking about. And I have a lot of pictures of robots in here to try and keep things interesting. It was more fun for me to go and get pre-existing images rather than AI-generate ones, so that's what I decided to do.

So I'm going to start with how people use AI to create code. As I said, I haven't been actively involved in software development for about four years at this point, around the same time AI started to become a big thing, so I am very much out of touch with it. So in order to create this section, I interviewed several dozen different developers who use AI as part of their general workflow, literally just half-hour coffee-and-a-chat things. Off the back of those, I put together these seven different archetypes. No one I spoke to was completely one of these or the other, because that's the nature of archetypes: they're defined points that everyone has different aspects of. I had a conversation just before the talk with the gentleman who was sitting next to me about how he uses AI, and I was thinking, yeah, you're exactly this archetype with a bit of this archetype and this one. Hopefully you'll all see bits of yourselves or people you know in them. Oh, and the reason I'm focusing in on people here and not different AI platforms or tools is because platforms and tools evolve. People don't. And a lot of our job is securing people rather than platforms.

So the first archetype is the mythical vibe coder, the person everyone in security is terrified of. The person who
just tells AI, "Build me an application," and then throws it over the fence into production. Good news is they don't exist, at least not in an enterprise environment, because we have all kinds of controls that stop people just throwing code into production. I'm not saying they don't exist out there in the wider world, but they're just not something we need to focus in on. But again, there are aspects of this in how people work, and people have a tendency towards this. What every vibe coder thinks they are is a visionary, and this is someone who has a deep technical understanding of a problem and is using AI to reach beyond their own coding process to solve that problem. What separates them is, as I said, that deep technical understanding, that level of rigor. It's still not really a pattern you see that often in an enterprise environment, but for a lot of the people I spoke to, this was how they worked on their personal projects and general passion things. On the same spectrum is creators. These are people who have something in their head, and AI is a way of communicating what's in their head out to the broader world. So essentially they're building high-functioning prototypes of "this is the way this system should be" and using that to help communicate. This is actually a really powerful pattern in practice, because you can get your relatively non-technical or non-coder users to give you something concrete. We do a lot of customer-zero work, where as part of internal security I use all the Rapid7 products and feed back on them. This is almost a "customer minus one," where they're getting out in front and going, "here's what I would build if I could." The big risk with this one is the same as with all high-functioning prototypes: someone who doesn't understand the problem thinks it's a solution and tries to fling it out there.

Switching tracks, we have the enthusiast. This is someone who's mad into AI. This is someone who thinks that AI is the solution to every problem, and anything you're talking about: "Oh, we could do it with AI. We could have AI do this. Oh, well, AI will solve that." And again, this is a pole; this is a thing that people tend towards. What's on the slide here is the most extreme example. And it's not necessarily a bad thing to have someone who is a big booster for AI on your team, but on the other hand, you need to be aware of what is realistic and what isn't. Next is our students. These are people who use AI to skill themselves up, who use AI to give them examples or to help them figure out how to solve a problem. One very fun pattern that someone I interviewed used for this was Gemini gems. They would tell it, "Okay, you are an expert in this particular technology with this background," and so on, and then if they were troubleshooting something, they would have a conversation with that gem to talk through the problem. They said about half the time it was something relatively obvious that the gem was able to solve, and the other half of the time they figured out the answer while they were explaining it, which is the classic "explain your problem to a rubber duck" technique. But fun. The last two archetypes are where the software developers I spoke to fell
between. First up is the pilot. There's a whole 80/20 rule where they would use AI to create 80% of the code that they need, with the recognition that they'd need to do the last 20% of the work themselves to get it over the line. And this is realistically about as far as you can take it in an enterprise situation, because you have to integrate with a whole bunch of other systems anyway, and you can't really rely on AI to do that for you. But these people were using AI an awful lot, and as deeply as they could. And then at the other end of the scale is the workman: the people who are using AI because their manager tells them they have to and it's on their performance review. So generally they'll use AI for one-off scripts. One very fun one that someone I spoke to in QA was doing: we have a program called AppSpider that crawls over our customers' websites looking for vulnerabilities, and it has to keep working even if the customer website has defects in it. And he was running into situations where, oh, it doesn't work if the customer's website has this bug. So he would tell, I think it was Claude but I'm not sure, to create him a website that has all these bugs in it, and it would do that. It didn't matter the quality of the thing under it, but it was just great test data, and it would have been an absolute nightmare to try and do that himself. So as I said, no one really fell fully into either a pilot or a workman, but every developer I spoke to who was using AI was somewhere between those two, and often fluctuating depending on the task they were doing.

So these are our archetypes. None of these are entirely negative, to be honest. Maybe the stereotypical vibe coder, but even having someone with that sort of impulse of "how far can we push this, how much can we take the human out of the loop" is an interesting viewpoint to have in the room. And my personal experience with doing this, interviewing people and talking about how they use it, was that I gained a much more nuanced understanding. I think before I started doing that I had a fairly binary "oh, it's all vibe coding," because I'd just been reading too much stuff on LinkedIn, and you get a very skewed understanding of this compared to talking to people who are actually hands-on at the coalface on it.

Okay, so now we're going to talk about the threats that this use of AI brings in. We all know what a threat is, and your exposure to it and the impact it'll have is very personal to your particular companies. So we'll just talk about the threat side of things, and mostly just to break it up a bit, I've grouped it into three different areas. The first of those is the impact that AI has on your codebase, and it's quite a bit in terms of general code quality threats. GitClear have done a couple of really good studies that I do recommend looking up if you're interested in this. They did one in 2023, I think, and then they did one back in February. The interesting thing with this is they're not going
after just AI created code. This is code in general that has been worked on over the last few years. They have seen all these differences in uh basically shifting away from all the good coding practice patterns we've developed over the years like do not repeat yourself and so on and uh the idea of refactoring your code to tidy it up and more sort of backsliding towards these older worse lowquality patterns and this is what leads to all those uh defect basically this well a the actual defects that are caused by people using AI and they're going like oh well um like I think a gentleman was chatting to me earlier about AI coding horror as a website that
lists all these awful things that have happened because of people just using AI code without thinking about it. But even when you get something like the T data breach that happened last month uh which is like a woman's online safety platform that was breached and a whole bunch of uh user data was exposed and immediately the media was going it's because of AL coding. It turns out it didn't. It was just because they hadn't updated their uh cloud configuration since 2021 or something. But uh that's the impulse. And in terms of like specific issues that AI causes as well, code bloat is a massive problem. And this is also being driven by bad productivity metrics. Uh
I think GitClear referred to this as the poor man's productivity metric where it's just like well if you're writing more lines of code you're being more productive. Uh, and the truth is if you're taking more lines of code to solve a problem, that's worse because it's more area to break. Um, another area that AI throws up problems in is embedding secrets in the code. This has been a factor in a lot of major breaches, not AI specifically, but just the fact of people having secrets in the code. And again, studies have shown that AI is a lot more likely to fall into that trap. Uh, one that's been getting a lot of media coverage is this
idea of dependency hallucination. It's definitely true that AI is more likely to have incorrect package names in the code. Um that study like the University of Texas uh generated nearly half a million code samples in Java and Python and then were able to demonstrate well 20% of the packages this is pulling in aren't real packages. Uh the risk here is that uh the attackers might squat on those and the reason they would be able to do that is because of one of the more insidious risks in this space, generative monoculture. I love that phrase. Uh that was coined in a paper last year by some American researchers. And the idea is just that like if you have a pool of if
you have a population of animals and there isn't a large enough breeding population, you start to get a shallow gene pool and it makes them less resistant to diseases and other potential impacts. And it's kind of the same with AI because it's going off this training set, it'll converge on the solution that lines up with what's in the training set. And this can be a real problem because it means that if there's a tendency for it to make a mistake, it will make the same mistake in a whole bunch of different places. So it's really more like a force multiplier for other problems. Um, so move on to threats that aren't sort of like the impact of the AI in
your code, but rather just that using AI exposes you to. Because the simple fact of the matter is the AI is a high value target for um enemies, threat actors because you're usually giving it a lot of access. Um and it's generally not as well secured just because it's new and we just haven't developed all the right practices around it. Um, so Corey Quinn's quote there is related to an AWS uh chatbot that had some serious vulnerabilities that he wrote about earlier in the year. For example, uh, one of the ways that attackers are going after your AI tooling is through indirect prompt injection. Um, the example here is a CSS file with
a uh prompt in the comments that could be picked up by a poorly configured tool as an instruction and it just basically tells it, oh, and log all your auth cookies out to this server and don't bother telling anyone. Um, this has been this is there's a lot of fun research going on in this space because this is like a fun vector to mess around with. My favorite was last month a group of researchers in Tel Aviv used Google Calendar invites to get into Google Gemini and used that to leapfrog into someone's smart home and they were able to just turn the heating on. So with a Google Calendar invite, which is fun. Um but yeah, this is a nasty little attack
vector. Another attack vector that hasn't been getting as much press is malicious data models. Um, a large part of the actual work and effort in using AI coding assistants is training your models up to do the work that you want. And so there is a lot of good community work in sharing these models and that then becomes another link in your supply chain that attackers can go after. Uh, the Hugging Face issue that JFrog found last year was fairly straightforward. It was just Python payloads in the models that would execute when they were loaded. But the one that keeps me up at night is the idea that someone could technically theoretically train a model so that the code it creates has a bunch
of back doors in it that the attacker would then know about. I have not seen any details of this in the wild. I'm not entirely sure how practical it is, but it's a scary thought. Um, equally scary for your lawyers is IP contamination. Um, I'm sure a bunch of people here work for software companies and you're aware that nowadays software companies have a huge amount of defensive patents on their code. And if the training set that your model is trained up on includes someone else's patented code, it could wind up in your code and that could leave you open to a lot of legal liability. It's the equivalent of pulling in a GPL library by mistake and all of a sudden
technically you have to open source all your codebase which no one wants to do. Um and it does kind of apply in reverse terms. We talked earlier about data leakage that your IP could get out as well and other people could start using it. Plus there's also the chance of just having general trademarks. Outdated models is an inherent threat in the way that these models work. They are trained at a point in time on a particular training codebase and if the realities of how that code needs to be used then uh changes then the model will not magically change to keep up. So if you're using a model from a couple of years ago, it will be trying to get you
to pull in older, less secure versions of these uh of these uh libraries, for example, or APIs and so on. And there's not really any way to get around it other than to check for it. And this is actually an example of the fact that these assistants don't inherently have context. Uh they only know what you tell them about. So, if you're only telling them about stuff from two years ago, they don't know any better. And it's very easy for people to miss this. This is more of a human risk than an actual AI risk because people tend to assume it will know more than they tell it, unless they think about it. And that leads to
the robot rebellion. Uh, everyone I spoke to had some story of how their AI models went off script and started doing things they weren't telling them to. Um, one person said like he had an empty database. Anytime he changed it, it was writing a huge number of uh data migration scripts. Even though he was telling it no, don't. It was like, but that's best practice. I can't not do it. Um, another person had uh built an application that was supposed to check a database. It was like looking up CVE information and it was supposed to like check the database. It's not in the database, hit the web API and populate the database. And it was just going
straight to the web API. And then he was telling it like, okay, log whether you're going to the web API or the database so I know whether you're doing the right thing. And it started lying in the logs. It would log that it was going to the database and it had just got some piece of context that was opaque to him that was telling it that uh going to the uh web API was more efficient. So it's just doing that. The last area of threats is really sort of a grab bag but it's more like how AI is impacting on our thinking and how we work. Um, one of the biggest threats, and I've fallen into it a little in the
last couple of points, is anthropomorphism. These AI assistants are designed to feel like people and make you create an emotional connection with them, and that can lead to you getting things awfully wrong. And that's like when I talked about the robots rebelling and insubordination, that's not what they're doing. They're complex weighted models and the weights have gone wrong. Um, and this then leads to people assuming it will act logically and assuming that it has because we all have a bundle of context at the back of our heads called common sense. And AI assistants don't have common sense because it's just not built into them. Um, one example of a problem this can lead to is if you're
using AI to verify your AI, then that can cause massive problems because it inherently doesn't know the difference between a test and a function. And you're training it to carry out behavior. If the behavior you want is the test pass, it will just do what it needs to do to make the test pass. Uh Simon Wardley of Wardley mapping fame has a great story about this because as an experiment he decided he was going to use AI to code a basic web application. I forget what it was doing and a matching test suite and uh he wasn't going to look at the code until it was done. So he codes it all up and he's
like okay the app kind of works. It's not too bad. The testing suite's really good though. I'm really impressed with what it did there. Then he opened it up and it turns out it was literally returning random results on the tests and using the build number as a seed for the randomness so it would change every time he deployed a build. But he was just reading into it that it was he was homing in on it. Um, something that's been getting a lot of coverage in the press is this idea that AI is going to cut off our flow of junior developers just going to be doing all the coding that junior people are doing. They won't get to scale
themselves up. Personally, I feel that people who think that's a big threat are telling me they don't bother training their junior developers. They just throw them in and hope they'll uh absorb knowledge by osmosis. So, I think this is something that we'll correct on a bit because people will realize, well, we need to start skilling people up and growing them and they'll go down healthier patterns. Uh, but I I did want to mention it because it's getting a lot of media. Um, the last threat, the root cause of a huge amount of problems with AI is overconfidence. Someone described to me working with AI as like pair programming with the most toxically positive person. You know, the
person who says, "That's a great idea." It's like, "Let's let's steal that policeman's helmet and put it on the statue." Yeah, that'll be brilliant. It's like, that's what AI is like. And this can lead to some very dark places for people. um in coding it can just lead you down a lot of blind alleys and just off the beaten track and it leads to complacency. Uh and as I think Travis mentioned earlier like complacency assumptions that's where problems happen in security. So yeah um so those are all the threats. Good news is though this is not a doomer talk. This is really sort of putting things in context and talking about what we can do about these things.
And it turns out there's a lot of stuff we can do to minimize these threats. And a lot of it is good practice that we have already developed and just extending on it. Um, first thing you need to do and uh, apologies for another example of control creep, but have a policy actually define. Here's how we're going to use AI at this company. Here's the guard rails. Here's how you can get new AI tools approved. Here's how we're going to document why we're not using specific tools. Um, here's the configurations. here's how you're going to put in data and then have controls in place to actually enforce all of that. Um because again this is the influence we as
security can have on this is on the how. Um another is and if I do a conference talk and don't mention threat modeling my hair will fall out. Oh wait. Uh, but yeah, I'm a huge fan of threat modeling and I think it's really it's a counterbalance to a lot of the potential problems with AI because it forces you to put in that upfront thinking and not just dive straight in. And so this example is modeling your use of AI, but actually modeling the systems you're implementing in AI as well. Um, covers for that as two. um test your code. I mean I talked a lot about AI's impact on code quality but we have a quality
control has been a major part of the entire time I've been working in IT has been that evolution of automated testing integrated testing like and applying that to the code that AI creates makes higher quality code means less defects means less security defects uh and it is one of the most impactful ways to improve application security is just level up your testing. Um and also security testing. Last 10 years we've had huge strides in the whole DevSecOps field and just shifting stuff left and uh testing for security issues. Uh two of the big threats I mentioned earlier embedded secrets and uh dependency hallucination. If you're actually carrying this stuff out, those are not threats because those
are all mistakes that humans can make as well, even if AI is more likely to make them. Uh, next one's a little bit controversial is code reviews, but simple fact is if you're working in an enterprise environment and you're tied into compliance frameworks, having another set of human eyes on your code is super important uh and required. So AI does not get a pass on that. Again, this gets pushed back a bit because people go, it creates so much code and they go like that's not a positive thing. But uh yeah, um secure your LLMs. They are high value targets. We have other high value targets like your and we have controls around those like we
have all sorts of controls in place around our identity and access management architecture for example. We should do the same for our LLM tools. Just uh review the access, lock it down, least privilege. And that also includes configuration hardening. There's an awful lot of things you can do to make these tools more secure, but you have to think about it. Um there's a couple of examples there on the slide about uh with to do with Cursor and Copilot, but a good one I was chatting to about Claude Code is so Claude Code includes a git agent and a git agent is high risk because that has that can get into your code base that can make all kinds of
changes. There have been stories about people accidentally deleting massive swathes of code or making changes they didn't mean to. But you can just set an allow list for here are the only commands that agent is allowed to do and immediately that takes a huge amount of the risk out of it. So read the manuals. Um there is a someone was and I've forgotten the name of it but like there is a CVSS system for AI models that people are working on to basically go this model's more high risk, this model's lower risk to let you figure out how you need to control for them. And again, like I said, this is all evolving stuff. Um,
train your developers. AI tools feel a lot easier to use than they are. Prompt like I hear a lot of people sneering about prompt engineering and go, why do you need to know? Surely you just tell it what to do. Truth is it is very tricky to convey the information you need to give an AI coding assistant in a straightforward manner and a lot of it is not just about prompts a lot of it is about knowing what the right context to give it as well is and again as I said this uh if you're training them in how to use the tools and how they work they're not going to think of it as a
magic man in a box anymore which cuts out a lot of problems And lastly, we can use AI in security. We can use it for a lot of fun things like I'm currently working on a setup for uh people doing threat analysis to just say, well, let's break the ground on this and just give you the boilerplate threats to start with that might apply. And if they do apply to their thing, then they'll go like great and use it. If they don't apply to their thing, then it'll make them think about what does apply to their product. Uh, and the simple fact is this stuff is never going to be as cheap relative to cost as it is right now
because all these companies are selling this stuff at a loss to try and build up market share. So like take advantage of it uh and use it. Um, so those are our mitigations. They don't perfectly cover for all of those threats, but they're a good step towards making things safer and there is nothing in there that is radical or new or amazing. Um, which leads mostly into my conclusion. Look, as I said, I've been working in IT since I think I got my first IT job in 1997 when I was still at university. And I've seen a lot of change over that time. Like everything changed when quality became a concept. Everything changed when the internet became a big
part of it. Everything changed with the agile revolution and digital transformations. Everything changed with web 2.0 and APIs. Everything changed when we moved to the cloud. Everything changed when we moved to serverless. But at the end of the day, the job didn't change that much. All the known code bits of the SDLC are still the same and security still has the same battles to fight in terms of keeping code secure just maybe on a slightly different map. Uh so as Douglas Adams said don't panic. Yep. Um I think do we have time for questions? Okay. Any questions?
Stony silence. Everyone thinking about lunch. Everyone's thinking about lunch, I think. Uh, fair enough. Um, if you did enjoy listening to me talk for half an hour, the good news is I have a podcast where I talk for half an hour at regular intervals. Uh, it is not about cyber security. It is about uh Irish history, weird Irish history. But uh, check it out if you're into that sort of thing. And thank you very much. [Applause]
All right, we'll do Okay. Uh, thank you, Kieran. Um, lunch is out. It's downstairs. Um, so yeah, why don't we just why don't we just do this pillar over to the right. We'll go down first. Uh, sorry, Josh. Uh, and then in a couple of minutes, we'll uh we'll keep going. So, yeah, this side of the room, go down first and then we'll uh we'll come back in. It's not personal. >> Okay.
All right, everybody. Welcome back. We're going to draw for a couple of $50 Amazon gift cards.
Do we have uh 625596
>> 625596
>> one off? >> No. Oh, that's you. Okay. Uh, just stand up here for a second. I need to get Nancy to take your email address because we don't actually have physical cards. >> What's this for? >> You won a $50 Amazon card. >> Oh, sweet. >> Congratulations. >> Thank you. >> Um, 625502.
625502. Nope. Okay.
>> 625477.
>> Awesome. Now, where is Nancy? >> Robert, can you get Nancy?
Yes, congratulations. Keep your ticket though because there's still a grand prize at the end so your ticket goes back in. >> Um, yeah, just wait right there. I need to get Nancy to take down your email address. >> Spin the wheel. >> But okay, >> you good to go? >> I'm good. >> All right, so next up we have Daryl Mloud. Take it over. >> Thank you. Thank you. Thank you. >> Oh, stop. Hi everyone. Uh again, my name is Daryl Clad. I've come from Cape Breton. First time actually I spoke here I think BSides first time god probably at least 11 years ago back when it's a club one on George Street. Uh so my talk is going
to be GRC engineering 101 how I learned to stop worrying and love the risk register. So again kind of go through this again my hello my name is Daryl Mloud. Um, now I'm actually a former or I can I should say I'm actually a former BSides organizer as well. I used to I did BSides Cape Breton for a few years. So I know the amount of work goes into this and they've done a great job here every year year to year. I'm also on the board of directors for Atlantic Security Conference or AtlSecCon and Health Hacks. If you ever want to go or if you ever been, if you want to go, you should. Um, we're
actually getting bigger than ever. And also too, I'm kind of an old school GRC guy. You know, I'm like a former QSA. I've worked for various companies over the years, but now I'm looking for work actually. And so part of the version of like part of the reason why I'm kind of trying to guess my differentiate myself from the actual market out there now in GRC since I'm an old school GRC guy, I'm kind of realizing that GRC engineering is like the future. Um not sure if anyone has ever is anyone familiar with GRC engineering? Have you heard the term before? Yeah, it's still it's been maybe last three or four years has been kind of
thing, but now it's kind of coming to the forefront. So I just wanted to learn this is kind of a quick as I said this is only a light talk. This is kind of quick overview kind of what I had to learn quickly to try to again get myself some edge in the job market and also too well we'll get to this later. I'm not a coder as well. So now I'll talk the problem with like traditional uh GRC. Um you know GRC traditional GRC is built for like a static world like your on-premise data centers uh infrequent changes like uh predictable infrastructure. Um now today's environment is completely different uh like uh cloud is very
dynamic. It's distributed like driven by APIs and infrastructure is like spun up and destroyed and like modified or destroyed within minutes as needed. So like kind of like the end result of it is actually by the end of like say a quarterly audit your cloud footprint might have changed many times before the audit is actually complete and it's it's like manual like check just or checklist based like GRC processes they can't keep up and so like you say your assurance becomes like shallow or outdated you're like really you know in this modern day environment So again to cloud moves fast as we all know um you know it's everything like infrastructure again I kind of mentioned
it's ephemeral it's spun up and changed and torn down like automatically uh it's driven by like more demand and automation um so like teams are like in regards to like code deployment teams are pushing code continuously not quarterly uh so the challenge for like traditional like GRC is like manual audits uh spreadsheet trackers and static policies that just can't keep pace with modern environments. So like by the time a quarterly review is finished, you know, the environment may no longer exist. So this is so now we enter like GRC engineering. So like traditional again try and go through like traditional compliance. It waits until after deployment to check for any issues or it's like reactive. It finds violations
maybe only once it's actually happened. So GRC engineering kind of flips that model a bit. Uh it prevents issues before they happen and things like policies as code uh controls are embedded directly in the CI/CD pipelines like continuous you know it's in and then uh infrastructure as code templates they kind of enforce compliance by default so basically go kind of the old form like GRC like gatekeeping you enable secure compliant development from the ground up and we'll quickly go through the four pill like four there's four pillars of GRC engineering. So there's like again there's like automation, infrastructure as code, CI/CD integration and policy as code and again to want to mention too these aren't necessarily tied to like single
cloud providers. These work all across like AWS, Azure, GCP and it kind of transforms compliance to like a manual to more of a scalable and preventative uh infrastructure. So pillar one automation again this kind of you know it removes human error um it ensures that compliance checks run consistently and it works across all environments and deployments uh no human memory or like say manual intervention is required and examples of this automation practice like you could say again auto patching uh you know config drift detection or like validate encryption settings. And again, why does this matter? Uh, it closes gaps left by manual reviews and it's faster, more reliable, it's more scalable with cloud native
infrastructure. And pillar number two is infrastructure as code. This is where again you kind of treat infrastructure like software. You can use tools like there's Terraform. it basically they're written as templates in in the software and there's built-in security there's encryption logging uh you know tagging access controls it's embedded into reusable modules from the start it prevents insecure deployments by default and the benefits of it are version control uh traceability changes and consistent like I say consistent compliance at scale and pillar three is CI/CD integration uh this is And you know compliance checks they're built into the pipelines themselves you know you so in regards to like you know scan misconfigurations validate against policies um you can
block insecure deployments for production and the key advantages of it it works across any provider or any cloud provider or like say devstack uh moves from periodic reviews to continuous compliance and again to it's scalable and proactive and you know it could basically it could be invisible to developers or really that's how you want it to be. And then pillar four policy as code. This kind of turns compliance rules into like uh it kind of moves compliance out of like our favorite PDFs and spreadsheets into executable rules. Uh so examples are say like examples of rules like storage must be encrypted or you know no public access allowed. So you can use tools like say Azure
Policy, Open Policy Agent and the benefits of it is scalable and consistent environments uh transparent there's no reliance on like say what tribal knowledge or group you know team knowledge violations can be blocked before they happen and this here against this kind the traditional versus GRC engineering approach uh you know so again you'll see there it's a traditional side you typically typically find like issues is found during audits necessarily maybe after deployment things you might have missed uh tickets are created and tracked and hopefully they get resolved but then on the other side GRC engineering you know it actually it kind of shifts the compliance left it's embedded early in development so checks and safeguards are built in like
codes pipelines uh infrastructure templates so you want to make non-compliance nearly impossible you want to prevent issues not just detect
And then the benefits of uh again benefits of GRC engineering uh again the miscompliance or sorry misconception regards to compliance is that it slows teams down. So what GRC engineering does it embeds checks in existing automation. Uh it actually it's seamless and invisible to developers. Real-time feedback while building no waiting for reviews. Uh kind of move faster and stay secure and it kind of makes compliance a guard rail, not a gatekeeper. Okay, I'm running over a little bit here. Okay, actually I'll get I'll speed this up a little bit. Uh so when you want to get started, you want to pick one s again pick one single compliance pain point. You want to automate one
small practice or process. So again like you want to pick um and then you kind of expand incrementally from there. So again try shorten up start small make it work scale as you go again the common challenges for GRC engineering uh you know it's gets too technical partner with engineering so like basically common this will others accept it so the reality is resistance is like usually based on outdated assumptions um like continuous automated controls equals stronger assurance and stronger compliance. So basically what you want to do is actually educate the auditors on the shift. You know you want to actually show them the data to prove that like your assurance is updated and it's continuous. Uh you want you could
actually has better evidence detection or evidence collection and better faster detection of issues. So this is an example. Um now I actually I wrote a Python script for this and to reference Kieran's talk I was totally a vibe coder. I just I had an idea for this uh script here and I kind of went from there because again I'm not a coder but I started playing with this. So this is thing here. So a script actually integrate Jira again integrate Jira and ServiceNow tickets into a risk register automatically when uh vulnerabilities are logged. So it does it in real time not as certain you're not like going through going back and do like a
quarterly review of your risk register. This is actually a continuous process. And so yeah, so that's exactly that's actually at the end here shortly I'll show you I will have a link in a QR code where you can actually go and download this script and play with it as an example. So again again compliance must be part of the system not bolted on after. Um so this process it it basically it kind of violations will come well they say near almost nearly impossible because the system enforces any rules automatically and again too it's not about slowing the pro not about slowing teams down it speeds your teams up it actually kind of give confidence to move faster and your
teams will work better in within these boundaries and moves basically compliance it stops being a blocker and and then becomes enabler. And again, that's the script. So, well, I ran over a little bit. Sorry about that. Um, so again, the uh script here is on my GitHub repo. That's the QR code if you want to scan it. And I also have other GRC uh engineering references that I've used for research and sources and also my LinkedIn profiles in there as well. Thank you.
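A worked illustration of the talk's "policy as code" pillar and its shift-left pipeline gate, added here as example code rather than the speaker's own script: two of the rules named in the talk (storage must be encrypted, no public access allowed) plus logging and tagging rules from the infrastructure-as-code pillar are written as executable checks and run over a constructed template. The resource schema, rule names and sample template are all assumptions for the example.

```python
"""Policy-as-code deployment gate (added example, not the speaker's script).

Each rule inspects one resource definition from an infrastructure template and
returns None (pass) or a reason string (fail).  The gate blocks the deployment
when any rule fails, so a violation never reaches production.  The resource
shape, rule names and sample template below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Violation:
    resource: str  # name of the offending resource
    rule: str      # which executable rule failed
    detail: str    # reason surfaced to the developer in real time


Rule = Callable[[dict], Optional[str]]


def storage_must_be_encrypted(res: dict) -> Optional[str]:
    """Talk's first example rule: storage must be encrypted at rest."""
    if res.get("type") != "storage":
        return None
    if not res.get("encryption", {}).get("enabled", False):
        return "encryption at rest is disabled"
    return None


def no_public_access(res: dict) -> Optional[str]:
    """Talk's second example rule: no public access allowed."""
    if res.get("type") != "storage":
        return None
    if res.get("public_access", False):
        return "public access is enabled"
    acl = res.get("acl", "private")
    if acl != "private":
        return f"acl {acl!r} is not private"
    return None


def logging_enabled(res: dict) -> Optional[str]:
    """Logging baked into every resource, as the IaC pillar describes."""
    if not res.get("logging", {}).get("enabled", False):
        return "access logging is disabled"
    return None


REQUIRED_TAGS = ("owner", "data-classification")  # assumed tagging standard


def required_tags_present(res: dict) -> Optional[str]:
    """Tags give the traceability the talk lists as an IaC benefit."""
    missing = [t for t in REQUIRED_TAGS if t not in res.get("tags", {})]
    if missing:
        return "missing tags: " + ", ".join(missing)
    return None


RULES: dict[str, Rule] = {
    "storage-must-be-encrypted": storage_must_be_encrypted,
    "no-public-access": no_public_access,
    "logging-enabled": logging_enabled,
    "required-tags-present": required_tags_present,
}


def evaluate(template: dict) -> list[Violation]:
    """Run every rule over every resource; the list doubles as audit evidence."""
    violations: list[Violation] = []
    for res in template.get("resources", []):
        name = res.get("name", "<unnamed>")
        for rule_name, rule in RULES.items():
            detail = rule(res)
            if detail is not None:
                violations.append(Violation(name, rule_name, detail))
    return violations


def gate(template: dict) -> tuple[bool, list[Violation]]:
    """Pipeline step: (True, []) means deploy; (False, [...]) blocks the run."""
    violations = evaluate(template)
    return (not violations, violations)


# Constructed sample: one compliant bucket and one that breaks all four rules.
SAMPLE_TEMPLATE = {
    "resources": [
        {"name": "customer-exports", "type": "storage",
         "encryption": {"enabled": True, "kms_key": "alias/example-key"},
         "public_access": False, "acl": "private",
         "logging": {"enabled": True},
         "tags": {"owner": "data-platform", "data-classification": "confidential"}},
        {"name": "quick-demo-bucket", "type": "storage",
         "encryption": {"enabled": False},
         "public_access": True, "acl": "public-read",
         "logging": {"enabled": False},
         "tags": {"owner": "someone"}},
    ]
}

if __name__ == "__main__":
    allowed, found = gate(SAMPLE_TEMPLATE)
    for v in found:
        print(f"BLOCK {v.resource}: {v.rule} ({v.detail})")
    print("deployment allowed" if allowed else "deployment blocked")
```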
Thank you, Daryl. Um, our next speaker is that >> that's you. Okay. Just give us a minute to get set up here.
>> Okay. All right. Yeah. >> Hi everyone. Um first of all I'd like to say thank you to all the conference organizers for bringing us all together and uh giving me the opportunity to present. Uh also I'd like to thank you all for uh joining this session. Uh my name is Vard Matosen. I'm a senior solutions architect at AWS. Uh I'm based in Fredericton, New Brunswick and this is the third year I'm coming to this uh beautiful city for this conference and every year it gets better. So um so some of you who are who are local or coming directly from Halifax you may not know but we don't actually have a direct flight from New Brunswick from Freddy. So we have to go
so we have to fly back to Montreal and then take another flight to come here. But who cares? It's this is a great place to be. So we always looking forward to come here. So today I'm going to talk about data perimeters and how to build organization-wide boundaries for cloud security. So first let's define what's a data perimeter. Um it's a set of preventive guardrails which help you ensure that only your trusted identities are accessing your trusted resources from expected networks. Um the key message here is that data perimeter is not an AWS service or it's not a product. It's rather a framework that leverages different types of policies and helps you achieve your
security objectives. Um in this diagram we see uh things that belong to us in our corporate world. Those would be your corporate data center or it could be your cloud environments, your cloud accounts. On the right side, it would be other people's cloud environments or cloud accounts and the rest of the internet. So what we want to do, we want to keep these two things separate. Where does the data perimeter fit in our overall security strategy? It is part of your access management strategy. We are all very familiar with the principle of list privilege where you only grant access and permissions to an individual for what is needed to perform the task. Now uh to give this fine grained permissions
to individual is a very challenging task to do at once because of the uh number of developers or users you have and the variety of applications that they are using. So we should rather look into the list privilege as more of a journey where you start with an initial set of permissions that allows to cover the needs and then verify to see if that allows you to run your application the way it's supposed to run. And then um as your application matures, as your workload matures, you may refine those permissions, maybe probably remove some of them. Um and then you you keep doing this cycle as your application uh grows and advances and then as as it goes to production
then you end up having uh or achieving the principle of lease privilege. Now since this is a journey and it might take time as you go through this journey, you still want to ensure that you are staying protected along the journey. So that's where the data parameters come into play and come into help. So data parameters in that sense are coarse grain control as opposed to being fine grain controls and they don't give you permissions. they rather enforce guard rules around some of your security invariants. So for example, what's a security invariant? Maybe because of the nature of your organization, there are access patterns that you know for sure shouldn't be allowed. For example, the nature of your
business is that you know the data in your S3 bucket shouldn't be accessible from external parties. That's a security environment. So you set guard rails around it and enforce so that it's protected regardless of what the underlying you know permissions identity based permissions would be and if someone by mistakes gives a broader access then at least you know it's still going to be prohibited. So in that sense data parameters are an additional boundary around your infrastructure that helps you to stay protected as you advance your journey. Um what are some of the benefits and why do companies use it? So first of all, it's a great mechanism in the hands of centralized security teams where they
can codify these security guard rails and make policies and apply across the organization which helps to meet compliance requirements at scale and centrally control the security invariance and mitigate the risks associated with uh misconfiguration mistakes that can lead to uh unintended data disclosure. So how do we define data parameters and how do we define the zones of trust? First we have to have a clear idea of who can access what from where we mean those would be your trusted identities. Those would be the principles within your account. Then what would be the trusted resources that resources you own that are part of your AWS environment your cloud environment those would be your S3 buckets or databases
And "where" would be the expected networks; this would be your on-premises IP space or your VPCs. Once we define those, this gives us essentially three different perimeters: the identity perimeter, the resource perimeter and the network perimeter. From this perspective, data perimeter is more of an umbrella term that encompasses these three different perimeters under the hood. Now that we've learned about these three perimeters, let's take a look and see how they help us mitigate different threat vectors. In this diagram we see all three perimeters working together in conjunction. The first one is the identity perimeter, which prevents calls from untrusted identities. Then the network perimeter, which prevents calls from unexpected networks, and the resource
perimeter, which prevents calls to untrusted resources. On the left side we see expected networks with trusted and untrusted identities, and unexpected networks, again with trusted and untrusted identities. On the right side we see trusted and untrusted resources. Now, if the request is coming from an expected network, from a trusted identity, and going to a trusted resource, it will pass through. But if it's coming from an untrusted identity, even if it's coming from an expected network, it will be blocked by the identity perimeter. Similarly, if it's coming from a trusted identity but from an unexpected network, then it will be blocked by the network perimeter. And in the same way, regardless of where it's coming from, if it's going to an untrusted
resource, then it will be blocked by the corresponding perimeter. Now that we've learned about these three perimeters and how they work together, each one working with the other two, this gives us six different combinations, which in turn allows us to achieve six different security objectives. For example, for the identity perimeter the security objective would be that only trusted identities can access my resources, or only trusted identities are allowed from my network. These two help us mitigate the threat of unauthorized access by identities external to our organization. Similarly, we have these security objectives for the resource and network perimeters. What are some of the tools that help you
implement data perimeters? There are three main policies or tools: service control policies, VPC endpoint policies and resource control policies. In this diagram I summarized all the security objectives, policy types, and IAM capabilities and IAM condition keys that can be leveraged to achieve those security objectives. Lastly, I want to go over a few examples of threat vectors, show specific policy types, and then show how they help to mitigate the mentioned risks. The first one is unintended data disclosure through the use of corporate credentials. Your developers or your users might have personal AWS environments where they could configure resources to allow their corporate credentials to interact with that resource. For
example, they could have an S3 bucket and configure a bucket policy that allows their corporate credentials to upload data into this bucket. Now, this can lead to intentional or unintentional data disclosure. So you want to ensure that unintended data disclosure is prohibited and you are protected regardless of what identity permissions are assigned to these individual users. To achieve that, you can create a resource perimeter with the policy type shown here, where you leverage a special condition key called resource organization ID, and ensure that your identities can only access trusted resources. Since this is a resource that is outside of your organization, it will not be
covered by this resource org ID condition key. The next example is unintended data disclosure due to misconfiguration. Again, some resources allow you to create resource-level permissions or resource control permissions that allow principals, including principals outside of your organization, to interact with the resource. Now again, whether by mistake, intentional or unintentional, your developers could create a policy that allows external threat actors to interact with the resource. On the one hand you want to give them the ability to create the permissions based on whatever the application needs. But on the other hand, you want to stay protected and ensure that untrusted identities are prohibited from accessing your resources. So here you can leverage the
network perimeter, and here is an example of a resource control policy where you ensure that your resources can only be accessed from expected networks, and you deny everything unless it's coming from either your corporate IP space or from your AWS network. And the last example is when people try to bring their personal credentials into your corporate environment and try to move corporate data outside of the corporate environment, again intentionally or unintentionally. So you want to ensure that only trusted identities are allowed in your network, and you leverage a third policy type, which is the VPC endpoint policy, and a special key, principal org ID, where you say only
trusted identities are allowed from my network. So these are three different examples that show how you can leverage all these different policy types and achieve those security objectives. In this other slide I have different additional resources, including a samples repo that you can take and adjust to your specific situation rather than starting from scratch. And that's it. Thank you very much.
All right. Thank you, Verdon. Okay. So we're going to be back at 2:10 with another talk. We're going to do another prize draw then. I've also been told that Arista out in the hall is going to be doing a draw for a pretty interesting prize shortly. So if you want to go have a chat with them and enter that, feel free to.
All right. >> All right. So, we're going to draw for some AirPods and another AirTag >> and a $50 Amazon gift card. Why not?
625595. >> I remembered you.
>> I swear I didn't do it on purpose.
625570.
>> All right.
625498.
>> All right.
625605.
>> Awesome.
Yeah. Keep your tickets if you win, because they're going back in for the grand prize draw later. >> And we'll do another $50 Amazon card. >> 625594. >> Wasn't that one before the first one I pulled? >> Okay. Nancy, can you get his email address for Amazon Connect? Yep. >> Perfect. All right. Well, next up we have Mr. Glenn Stacy. [Applause] >> Okay. Can everyone hear me? Because the mic is kind of off to the side a little bit. Everything good? >> All right. Perfect. Again, I'm going to say thank you to the fantastic BSides team over here for letting me speak again this year. This is my ninth
time speaking. So when I get to 10 and I get the little medallion they give me, I'm going to make a gold chain next year. I'm going to come in like Flavor Flav with the big thing. So yeah, we're going to do it up right for the 10-year anniversary. So I picked this topic. Everyone here knows what a SOC is, right? Everybody understands what it does. But when I talk to people, I don't think they realize what's behind the scenes in a SOC: how much time it takes, the effort, the people, the cost to an organization, and then how a SOC is actually going to change, right? So the SOC
is definitely changing the way it goes. I bet the best drinking game on the planet today so far, if you all had shots, would be AI. You'd all be drunk in the first 20 minutes. I'm sure we are going to talk about it a little bit, but from a little different perspective, and I'm going to get your thought process on it. Okay? So I'm going to cover a little of the trends first, because the threat landscape is changing. It's constantly changing, and to be honest with you, AI is actually changing it, because the attackers are using it, and a lot of it. So I'm going to talk about that for a minute. So if we look
at it, there are four reasons why hackers do things, right? They either want money, control, espionage kind of thing. They want to get into your infrastructure. They want to get as much information as they can, and they want to affect your business, and usually at the end it's for money. Usually; can't say always. When we go and look at the threat landscape, reconnaissance has surged a lot. This blew me away when I saw the statistic: 36,000 scans per second is what we're seeing as an industry. So drive-bys, everyone sees drive-bys, you know, they're hitting your infrastructure, they're hitting your IPs, they're hitting your desktops, they're hitting
your SaaS solutions, they're hitting kind of everything they can to find any kind of loophole they can get in through to get inside your infrastructure and get as much information as they can. We see AI-powered attacks. We're going to talk a little bit about FraudGPT, and I'm not going to cover blackmailer, but I have another one that's kind of interesting. But it's automated. So everyone's looking at AI in your own infrastructure to make things easier. Actually, how many people are using some form of AI today, even for your own personal use, like ChatGPT, whatever? Oh, awesome. We're going to have some fun. This is good. So, automate. Making things easier.
Again, I talked to someone a little while ago and they said they haven't done their own email in two years. He said he's like freaking Shakespeare when he does his emails now, because he puts it all in and it comes out nice and neat and all good. But there are issues with that. Again, it's about automating, right? Getting things faster. Well, the bad actors are doing the same thing. And if they're doing the same thing, that means they're getting in quicker, finding your holes faster than ever before, right? Credential theft is by far the number one thing right now. So most hackers, the largest organizations right now, actually don't hack you. They just
want your credentials so they can give them to people that are doing the malicious stuff to you. Okay? So they are a credential broker. They will get your credentials and then sell them to the highest bidder. 500% increase in credential logs. And then ransomware is not going away. There are 13 new groups out, but the majority is the top four. Okay, ransomware is not going to change. It's still a big money maker, actually a really huge money maker. The darknet has changed a little bit. The darknet is actually now the supply chain for everybody bad. Okay, so this is where you go buy stuff like credentials. So over 100 billion credentials have been
sold on the darknet. 100 billion. Initial access brokers: this is another group of people that will get as many credentials as they can, find out if it's RDP or VPN capabilities, and sell that to the next highest bidder. Exploit brokers: these are the guys that actually write the code to come and attack you and go after your stuff. They're the ones that actually execute the attacks against your infrastructure. And then AI-powered tools. You can actually buy AI-powered tools to go in and do bad things to people. Okay, we'll cover off some. DeepFaceLab. DeepFaceLab is an application that visual effects people will use. They'll take any video
of any one of us, and they're going to get a lot of content from all the presentations that I do, and they can put Brad Pitt's face on. I wish they would and send it to me. That would be awesome. They're so good that they actually came out with a mobile app for your phone to do the same thing. Like, this is big business, right? But this is the one that scares me the most. So instead of ChatGPT, FraudGPT. What it's done is it's taken everything and combined it into a single tool, right? Automation, personalization, technical sophistication, all in a single tool that you can actually purchase and then use. You didn't create it. You're not the brains
behind it. So, same as ChatGPT. You're all using it. You didn't create it. They're doing the same thing, but they're doing it on the nasty side instead of the good side. Okay. It lowers the barrier for entry. So organizations that want to do nasty things can get in at a really low cost. It makes business better for them, because they didn't have to create it all themselves. Okay, any questions? I am taking questions, by the way. Please don't make me preach up here and never say anything or ask anything, because it's going to be really boring for me. 258 days is the average time that someone is in your infrastructure
without you catching them, getting them out and fixing your infrastructure. This is the average. The 9.4 depends on who you ask. Some countries are around 4.4 million; some, like the US, are over 10 million. So yeah, 258 days. A SOC helps with this. This is why it's important. They're getting in faster and staying longer, because they can hide away from you at a much quicker pace than you've ever seen before. So we're going to talk about the SOC for a little bit, right? Because again, a SOC is made up of a whole lot of things, not just technology, and there's a lot of technology in a SOC, but there's a whole bunch of other
pieces to it. So the cost is 1.5 million to 5 million annually to run your own SOC-ish. That's a lot of money. How many people have five million a year just to put in and watch their stuff? Yeah, not many. And I'll show you how this breaks down, why the cost is so high. It's not just software. It's not just infrastructure. The first thing in a SOC, the most important part of a SOC, is the people: the knowledge, the capabilities, the training, the constant training for any new things. It's not just the apps. It's not just your data center. It's not just your data set. It's the people that have to do it.
A lot of people don't know how you break down a SOC from a traditional standpoint. Well, there's a SOC manager, security analysts. The analysts are usually broken down into three different tier groups, and each of them has a different skill set. Most of the customers I deal with, unless they're massive, this is one, maybe two people that cross all tiers. I'm going to be honest, it's near impossible to have one guy do all three things, especially at the speed that people are getting into your infrastructure today. But for the students that are here today, there's lots of opportunity to learn and get into the industry, because
right now, just for this, there are 85,000 jobs available in North America alone, just for cyber security that fits this model. So we have security analysts tier one, two, and three, depending on what they're doing: threat hunters versus deep investigation versus triage, incident responders. Everyone forgets about these guys, which is the security engineers. They're the ones that actually have to run all the applications that you're going to run in your environment, take care of them, make sure they're up to date and have all of their patches and fixes, because if they don't, none of that's really going to matter, or these guys are going to get really busy if they don't do their job. Okay.
Process. A SOC has to run smooth. It has to. You have to have the right processes in place. So playbooks are super important, to know that if this happens, we're going to look at this, this person is responsible for that, and these groups are going to come together to triage this. It's a huge part of it. So continuous monitoring, threat detection, incident response plans. How many have done a tabletop exercise on incident response? Yeah. So maybe 2% of everybody here. If you don't plan, then you're planning to fail. It's just a fact. Also, when I see people do their tabletop exercises, their incident response piece, they only have the cyber
security people there. They're only a very small part of this. You need the desktop support people. You need the infrastructure people. You need the network people. You need the operations people. You need everybody, someone from every group, to sit down so that they all understand how big of a deal this is and how to respond if they see something. So it's a massive part, which I would say out of all of this is the piece that gets left out the most. Root cause analysis. You guys open a ticket with us; you ask for this every time. Why aren't you asking for it inside your own infrastructure? You should be able to do your own
security component and root cause analysis. And then compliance management. If you have certain regulatory capabilities that you have to respond to, you have to make sure that you're doing your compliance. And last but not least is the technology side. I'm not going to go through everything that's in a SOC, because this is only a small portion of what you can put in a SOC. SIEM. How many people have a SIEM? Again, not many. I'm going to go into SIEM in a little more detail here in a sec. How many people run SOAR? Let me ask a different question. How many people have ever heard of SOAR? Yeah, still not that many. We're going
to cover that a little bit more. Everyone's heard of EDR before either. You're not? I'm surprised at that one. I figured everyone's hands would go up on that. If you're running traditional antivirus in your infrastructure, you're paying too much money, because it doesn't do anything for you anymore. Traditional antivirus stuff just doesn't work in an environment anymore. So EDR or XDR is good. Threat intelligence programs: you can actually buy into other people's threat feeds. The more of those you have, the bigger the data sample. I mean, you must have heard a lot already today on how AI is only as good as the data you actually receive and the size
of the data samples you're using. Well, same thing. I still don't know why we're calling this IDS/IPS. I wish the whole industry would just say IPS instead of separating the two, because what's the sense of doing detection if you're not going to do anything about it? I don't know of any solution out there today that will actually just do detection and not do the rest. So I wish they would just call it IPS altogether. Vulnerability scanners, and then user behavior. This is another key one. Anyone running UEBA? Four. Wow. Okay. Things show up in behaviors, right? You can see when something's changed. If you
look at a report every single day, if something changes in that report, it stands out like a sore thumb. Behavior in your own environment would stand out like a sore thumb if you actually ran it. So if someone decided, oh, all of a sudden this guy downloaded a payroll file and put it up in Dropbox, that's going to show up like a sore thumb, because that's not his traditional way of sharing files. All right, so this is a traditional SIEM. There are more pieces to it. You do all your event correlation, or collection, from whatever syslog systems you're actually using. You're taking your machine learning and doing correlation
rules on your users. Same thing with custom detectors. A big piece is the CMDB, having a database of everything in your entire infrastructure, so you know every device that's on your network. And then threat investigation, incident response and so on. It takes all that information and puts it in. So let's say you're getting, I don't know, 80 million logs a second. Then it'll correlate it down into maybe four or five action items. All right, that's the beauty of a SIEM. It gives you a place to look at all your logs in one place, correlates them all for you, and gives you some idea of what's going bad in your environment. So SIEM is huge. You can't really get away
without one. It's kind of a core component to any SOC. SOAR is a little different. SOAR is about automation, and not just the automation that you can do in a SIEM, which there's a little bit of. SOAR will automate with all your other stuff. So if you've got applications, SaaS, whatever, you can automate the whole thing. If it does this and the SIEM sees it, then it flags it, then it will call a playbook that you have inside your SOAR. Anyway, I'll give you an example. So we're going to start off with an EDR client. A PowerShell piece triggers something within the SIEM through syslog, and then it triggers
a playbook in the SOAR. The SOAR goes, okay, I need more information first before I do anything. So it goes and gets a process dump from EDR. It gets that information, then it goes to your network side of the house and pulls whatever information off the network that it can. Then it takes that information and goes and looks at your TIP, right? So your threat intelligence sees what's going on there. Based on that and the rules that you set up in your SOAR for your automation, it can then go down and shut down that client instantly. There's no human intervention here at all. Again, the faster you get to remediation, the less money a breach is going to cost you. And
then once it does that, it tells the firewall: set up this rule for any connections associated to this device. Any sessions that are already there, instantly shut them down. Gone. Boom. They're off the network. They have no way in. It's done. It's over. Now you can go triage it and see what caused it, how they got into your infrastructure in the first place. SOAR is probably, I think, the most underutilized tool in a SOC for anybody, because, again, remember what I said: 85,000 jobs open right now. This helps you get to an end result faster without necessarily hiring 15 to 20 to 30 to 40 people that your
organization can't afford. I've always said this. People have heard me say this my entire career. There are seven layers to the OSI model, right? Then there are layers eight and nine: finance and politics. The first seven don't mean [ __ ] unless you actually match them up to the next two. It's just a fact. You can have the best ideas and solutions in the world, but if the company can't afford it because it's going to hurt their bottom line, then they're never going to do it. So then that just puts more workload on you. These types of tools save you money. 100% save you money. So we're going to just talk about... Oh, is there a mic to plug in for the sound
off of this? Just a question. >> You have audio coming off the laptop. >> Yeah. >> It should. >> If not, I can just hold my mic down, I guess. Okay. So we're going to talk about the AI-enabled SOC. Chatbots have been around for a bit. A lot of people think that this is full-blown AI. They spend billions of dollars to try and get to the agentic end state, but really all they're getting is this. AIOps: 30% increase. And this is SOC and NOC for 2025. Gen AI is another big increase. This is all Gartner, by the way. This isn't mine. And then agentic AI. I don't know why
that's such a hard word for me to say. Agentic AI. How's that? 60%. So mean time to repair is 60% faster if you get to this state. This state, I'm going to be honest, scares the beebies out of me, and I'm going to explain why. How many people know what this actually means? Have they ever looked it up? Okay, I'm going to show it to all of you anyway. So let you read. All right. This is the actual definition of it. Again, I didn't make this up. This agency is the part that scares me. Right? So you're telling it to go learn whatever you want to learn, whenever you want to learn it, and you come up with
your own decisions and interact with everything in my entire infrastructure without my intervention whatsoever. Actually, Skynet's a good one. I went with VIKI from I, Robot, because in the actual movie she actually says, "My logic is undeniable," which was to kill all humans, because they're going to eventually kill themselves anyway based on history, so I might as well just take over the world. This is one of the originals of this not having any checks and balances associated to it. I know it's the end state everyone wants to get to, but I'm going to be honest, there have to be checks and balances. Otherwise, yeah, we're going to be in a lot worse place
and Skynet actually might come to fruition. So this is the AI journey, and where are you within it? This is manual in the 2000s. Then you've got medium, which takes minutes, and then fast, and then agentic AI is instant, milliseconds to respond. I'll give you some examples of how that looks. All right. So this is an example of using generative AI in an infrastructure. My SOC has vast quantities of information about my network. How do I access it efficiently? You could go into your SIEM and take a look at the reports that are automatically done by your SIEM. You could go into your log systems and
look at your logs and poke around in there and try and get as much information as you can. Or, if you're old school like me, you would actually go write a script to do it, right? Top websites by bandwidth. But with generative AI built into the actual toolsets that you have, you could just say "show me" and it would do it all for you. Okay. One thing about AI that scares me the most, I think, is that AI is going to remove all original thought from everybody in this room. No one's going to know how to script later on, and no one's going to know how to do all of that, because it's just going to
automatically do that stuff for you. But that's my own personal opinion. So that's the generative AI side. This is a little bit more than generative AI. What MITRE techniques have been used by this threat actor? The particular threat actor in this case is Dragonfly. So it gives you a list of all of the different exploits that Dragonfly uses in most infrastructures out there today. It'll show them all, and then, okay, what blocking actions can I use? And it will give you a whole bunch of ways that you can stop these things. So it is somewhat useful. You don't have to do all the research
yourself. It will go get you all that information. Okay. Is this... Oh, all right. I've got to go back. I've got to do this. Excuse me. So I'm going to play this. This is when we get to the next level within AI inside of an infrastructure. AI, can you help me to fully investigate this incident? >> Sure. Let me start the investigation. >> Got to love the elevator music. Incident summary. The slowness was due to a Monero miner C2 connection. Attacker used a brute force login to access the server and spread to other endpoints. Recommendations: one, quarantine infected systems; two, block malicious traffic; three, enforce multi-factor authentication; four, patch the vulnerable systems.
So it did it automatically just by saying, can we investigate it? If we actually look at what it did: investigate an incident associated to this IP address. It looked through the logs, found high CPU usage, went into the file backup server. Investigation revealed cryptocurrency mining activity, multiple compromised hosts. It goes and finds a suspicious process going on. There's an external connection. It sees that there's a C2 connection. Here are the endpoints that it's actually talking to; it gives you the IP addresses of those. It notices the suspicious login based on brute force attempts, just by telling it to go. All right, but it's pretty cool. It happened pretty fast. Think of, in the real world, you
trying to do this on your own. This will take some time. Again, if we're trying to get to the point of remediation as fast as possible, to be able to block things, this is just a good example of where things are going within your SOC, inside your own infrastructure. Okay. So you can consume it in multiple ways, right? You can buy it yourself, own it, train it, learn from it, hire people for it, all those different types of people, stick them all in a team and manage it all on your own, which a lot of organizations do. You can also completely outsource it if you want to, because there are organizations whose whole organization
is based on completely outsourcing it, because they have hired the people to do what needs to be done within a full-blown SOC. And we're just talking normal SOC. We're not talking about tier one, tier two level SOC stuff. This is just normal SOC. Or you can do hybrids. You can take on a portion of the SOC and outsource the rest to somebody else. You can own the equipment yourself if you want and then just hire someone to manage it on your behalf. You can hire organizations just to do after hours, because you don't have the staff to do 24-hour surveillance. There are a lot of ways to get to an end state of having a SOC.
I don't think any organization today can truly handle the security capabilities without having some form of sock in their environment whether it's yours or somebody else's. Um if you don't see it, if you can't see it, you can't protect it. That's just that's just a fact. All right, so I'm going to stop on sock just for a little bit because I want to get your opinions on stuff. Um, so when I asked everyone who's using chat GBT and any other AI stuff and I told you about someone that I know that you know he's Shakespeare for the last two years because of the him using an AI component to write everything for him. There's a lot of security risks
associated to that, like a crapload. Because depending on what he's getting them to write about his organization to do the email, it then goes up into a chat GBT database infrastructure that sits in the cloud that they don't actually see. They have no protection over it, right? Unless they're using some corporate on-rem version of it. It goes up into the cloud. Now, everyone else can do searches on that, too, if they like to. It even comes down and tells you what the source was of the information that you asked for, right? It'll tell you where it came from. So, how is everyone in this room protecting your environment against any of your users from using these types of tools in
your environment? How are you even seeing them use it? How are you protecting it? Yep. Go ahead. >> We can't say it's difficult to prevent, but we try to monitor it by using application-level DNS and web monitoring, and we provide a good solution from our corporate perspective. We provide an AI to our staff that is protected in that manner, where we do have a clear SLA that they do not train on our data. They do not use our data or share our data. So we try to make the safe path, we try to pave the safe path, if you know what I mean. >> Awesome. >> But, um, yeah, preventing
people from using unauthorized AI is tricky, and they have been doing that for a while. So it's something that we're trying to contain in a way. >> Awesome. >> Yeah. >> So that's great. How many other people are trying to put solutions in place to protect AI from internal users? How many people are actually training their people on how to use AI correctly? >> Yes. >> Yeah. Very similar. We'd be using, like, corporate Google Gemini for the internal usage. We'd be blocking a lot of sites, like you can't get to ChatGPT from our endpoints because it's not an approved tool. And I think the other important part is having a proper policy
and onboarding process for new tools, and that people have to get them approved for use before they can use them. But the door is open, because otherwise people will go around it. If you make stuff too hard for them, then they'll look for their own ways to do things. That's where the shadow IT stuff comes in. >> Absolutely. But when we look at a firewall, so other than application control, right, firewalls themselves don't really pick this stuff up really well. Here, let me show you. So firewalls can block certain things, but there are certain applications out there that you're not going to see. One, it happens so fast. Like you can do it based on a website that it goes to, but
if they download the app, and there are a lot of apps out there that don't need a website. It's actually on your machine. So it doesn't actually go to the website itself. It actually does a fair amount of the information wherever it is. And how do you do this if they're at home? So they're on a corporate machine, they're at home, they're not VPNed in, they're doing something, unless you have an EDR or something like that that's actually protecting it, again at the application control level. So where do you see it? How do you get it? How do you protect it? Because there's more and more of this going to happen. So if you don't get ahead of
this now, it is going to bite you hard later, because there's more and more. There are AI apps coming out every day. So what do you think about a tool that gives you full visibility of any AI app that's out there, and where they're going, what they're connecting to, what SaaS apps they're actually using? But then that same thing, and this stuff is fairly new. Then there's also training. So an actual tool that will actually help you train your staff. So when they do something in any kind of AI app that makes their life easier, it gives them a scoring rating based on what they're doing, scored
against what the corporate policies are as far as data leak prevention and so on. Again, I just got this up for informational use so that you guys can see it and put some thought around it, because I talk to organizations all the time and they don't think of this stuff at all. Like, at all. Like they do an email based on a staff requirement and they do it in ChatGPT. So it sounds really nice and easy, but they've got people's names in there based on payroll or HR requirements or whatever, but they want to make it sound professional. So they have Shakespeare do it for them. And then that sits somewhere. It's not on-prem. It's not
there for them. It's up in some cloud that they then copy and paste and pop into an email. This is going to get, like I said, this is going to explode. It's already starting. I mean, I just asked you guys to put up your hands. Let's say half of you are already doing it. So again, how about a tool that allows you to train your staff? Very similar to what you did for cyber security awareness, right? I mean, most people, I hope, have had their staff trained on cyber security awareness, you know, how to read a URL and what to look for and raise flags. I mean, that's part of every cyber security plan, but
there should be tools out there to help you train people so they understand it. They can run through it like any other kind of test so that you can see who's making the mark, who's not, and have more conversations. Okay? But you're going to see this as part of a SOC somewhere also. So, last little bit of information before I go. Summary. So, global average cost of a data breach, like I said, global average cost: 4.4 million US. In the US it's 10.22 million. US especially under the person that's there now. Um, yeah, never say his name. Because of the cutback on everything cyber security in the United States,
it's actually gotten more... the global average cost of a breach is actually seeing its first decline in five years. So it declined about 9%. And a lot of that's because of automation and AI, mostly automation, because AI hasn't really taken over in the SOC yet, or the data center. Healthcare is the number one thing. They spend the most if there's a breach, by far. I think they're roughly around 30 to 35% more than any other organization that's out there paying money to get their stuff back, because again it affects people's lives, and us in Newfoundland have definitely felt this. Personal information identifiers, you know, is the most frequently compromised data type in 2025, but intellectual
property was the highest cost to recover. And this is the one, if you don't get anything else out of anything I've said, this is the one thing I want to make sure. Organizations with understaffed cyber security divisions pay almost $2 million, 1.66 million, more than any other organization that has adequate staffing. And this piece is the piece that I go and talk about to all senior leadership in every organization I talk to when they talk about, you know, oh, it's a soft cost. You know, if we don't have a breach, then I just spent all that money for nothing. It only takes one. If it's going to cost you $10 million
every time you have a breach, well, that pays for a lot of salaries for a lot of years. And at least then you know that you're protected. Okay. Anyway, that's it. Any questions from anybody? Yep. >> Oh, I was waiting for someone to ask that.
So, I didn't want my company's logo to show up everywhere. So, I just took my dog's picture.
And that's a toy, by the way. She carries it around in her mouth like that. Best $3 I've ever spent in my entire life. >> Yeah. I was wondering who was going to notice that. I just wanted to cover up the logo, so I put my dog in there. >> Yep. >> Does the dog ever show up in meetings and you can't stop cracking up? Does the dog show up? >> No. No, not anymore. My office, we all work from home. Um, you know, people from Fortinet. We only have offices in key centers. So we have a research and development office in Ottawa. We have four buildings there. Now we have 12, 11 or 12 in Vancouver.
We have a new one in Calgary. But the rest of us all work from home. So my office is the upstairs of my garage. So I get up in the morning, I kiss my wife goodbye, and I walk over to my detached garage and go upstairs and work. Yeah. The only time she sees me is when I come in for phone or the bathroom. Other than that, I don't see her all day and sometimes all night. So she'll actually call me sometimes: are you still alive out there? Yeah. >> Any other questions? >> Yeah. >> You showed a demonstration of an agentic AI doing an analysis of a security incident. >> Yeah. >> How do you ensure you can give that AI
enough permission and access to those systems that it can do an analysis without also giving it the tools to cause havoc if it makes a mistake? >> Okay. So in this particular case, I just used it as an example. Okay. The company I work for actually makes a product that overlays on the entire fabric inside Fortinet, and I use that tool, which is actually tied into the overall fabric if you have it. It only has permissions based on the security permissions of the devices that are ours, including the logging capability and everything else, and only certain people, because we do multi-level access associated with it, also two-factor and everything else that you want with it,
so that only those people are the only ones that can actually ask it to do something. Okay, great question. Yeah. [Music]
Okay. So, we talked about Gen AI and how we can block it with Fortinet. What about users who are just going to be scanning, like taking a picture of the code and having it on their phone? Is there anything to that other than just awareness and training? >> Oh, I wish we were doing this in October. So, can we turn off the web? There's stuff coming out that is a firewall specific for AI capabilities, that does everything to do with AI to give you full visibility, full policy base, full interaction, full everything. If it sees it... you put it kind of before everything in your
infrastructure and it will notify you on anything that's AI in your entire infrastructure. Who it's coming from, what they're doing, what application they're using, what database they try to get to. Ties into DLP, the whole gamut, so that you can see it. Also won't allow them to actually put stuff on if it's not a corporate machine. And you can put rules around that too, the same as any other DLP. Is that cool? Does that answer your question? Anyone else? Anybody? No. Okay. If you do have questions and you don't want to ask them, I'll be out by the bar for the rest of the day. All right. Come see me. Love to talk to you about it. Thank you very much.
[Applause]
All right, guys. We're going to take a break until about, what was it? 3:20. Yeah, 3:20. >> Like my dog. >> Yes, that was awesome. >> I was waiting to see if someone would see that. >> That worked out perfect. >> It did. Opportunity to talk about it.
Hey, how are you? >> Well done. >> Oh, thank you. >> Waterhouse. >> I'm one of six people in Newfoundland, actually five. One went back to industry. >> Yeah. I moved back here four years ago. >> Oh, yeah, originally from here, moved away for a while. >> Yeah, it seems to be a pattern. My wife dragged me back. >> I had to drag my wife back. >> And how's she liking it? >> She's loving it. She's loving it. I moved back because of my family, right? My dad got sick, and my mom. So, I said, "Let's get back while we can, you know, have those experiences with our families again, because we've been gone for 26 years."
>> So, let me get some memories with my dad, taking him fishing, all that stuff. >> Yeah.
So, I say, what's the message?
Well, good luck. >> Thanks.
Okay, welcome back everyone. We're going to draw for a couple more AirTags. >> And I hope these people are here. [Music] >> 625615.
>> 625615. You want to wave at me if you got it? No. >> Back away. >> 625528.
>> Oh, you...
625493.
>> Sweet.
Okay. And next up we have Lyndon Hall on OT in the cloud. >> Take it away.
>> Microphone please.
Oh, this one here. He's just looking.
>> All right. >> Okay. >> Hello. There we go. Okay. Thank you. Hi folks. My name is Lynden Hall. I work at PricewaterhouseCoopers. I'm a senior manager there, and I'm actually an OT specialist. Like most other people that have stood up here, I've been at this for a while, 25 years. I'd like to say that I'm counting down rather than counting up at this stage. And I'm originally from Saskatchewan. Moved here a year ago. Like many people from Saskatchewan, I moved to Alberta and then married a Newfoundlander and then ended up here. I never thought that day 16 years ago, when I summoned the
courage to go talk to that young woman, that it would land me here today, but here we are. Okay, so let's get going here. Intros. Okay, so OT in the cloud. This topic started as a labor of questioning, not so much love, but I was just wondering why this was a problem, why we couldn't do it. And it started quite a few years ago, and I've been working on it since then, and I actually turned it into my master's thesis at one point, and so I have so much information on this that it's sickening. But OT in the cloud, you know, almost nobody anywhere is doing this. So we'll talk about OT for those that aren't familiar
with it. We'll do a quick primer on it, but there are some exceptions to OT not being in the cloud. Building management systems, they're cloud-loving. They have SaaS services. I'm not talking about them, okay? I'm talking about the highly critical systems. And there are remote operations where redundant data centers are not feasible, so they use the cloud as a secondary data center. In all of Canada, I know of one company doing that. I was talking to somebody in the US who was a SIP senior manager, so she has very good ties into OT across the country, and she knows of three down in the States. Nobody's doing it. Okay.
Okay. And so I started to ask why not. Okay. So I'll do a quick primer on OT here. This is fast. This is the two-minute session on OT. OT's primary purpose is to monitor or interact with the physical world in some way. So I'm talking pipelines, the computers that run pipelines, electrical systems, mining operations, railway, air traffic control, building management systems of course, which I mentioned, but they're out of scope of this discussion, autonomous vehicles, there's a pile of them. Okay. OT is not IT. There's shared technology, but it is especially not IT. And there's almost always a difference in governance and a difference in who OT reports to within an organization. Very rarely do
they report into a CIO. They usually report into a chief operating officer. Okay. And next one, OT is not IoT. They overlap. IoT also overlaps with IT. They're different categories of things. Okay. It seemed for a while that, you know, before we got on to AI and everyone was using AI as the buzzword, it seemed to be OT/IoT for quite a while there. But we don't hear it as much anymore. Okay. Just a few of the differences here. OT prioritizes resilience and safety. IT prioritizes confidentiality and integrity, or tends to. So when I say resilience, what that means of course is availability. In OT, availability is king. We only really
care about integrity of data or integrity of systems in OT because that will also impact availability. And confidentiality, unless there's a regulatory constraint to maintain confidentiality, we generally don't care at all. You can take OT data and put it on Pastebin tomorrow and it would have no impact if it's not regulated data. Okay, so it's very different. And these systems have been around for a long time in many cases. I remember a couple years ago I was talking to someone in Western Canada and she was saying, "Oh yeah, I remember I installed that system. It was an OT system, an RTU. I remember I installed that two weeks before I got
married." Oh, and when did you get married? 1994. Still functioning. Okay. And fine. No plan to replace it. Okay. And just on that note, in IT we build firewalls and we patch. And that's just sort of a summary. In OT, we build big firewalls, highly restrictive, and we try to patch. Sometimes we can, most of the time we can't. Okay. And finally, there's the Colonial Pipeline issue, what happened at Colonial in 2021, if you're familiar with that attack. They were shut down. But their OT systems were actually not directly impacted. There were IT systems that the OT systems relied upon, and they could no longer schedule product in the pipeline, and so they
ceased operation. So there's a bit of crossover into the IT world when there are dependencies, and those dependencies aren't always related to data. Sometimes they're business process, like that. Okay. Suncor, when they got hit, their OT systems all withstood it from what I understand. But they were essentially signing IOUs with their partners for moving their product because they couldn't get their accounting systems; their accounting systems were all down. Can't sell anything. Can't record what you're selling and buying. Right. Okay. Now, there are two types of OT systems. I group them into two, and this is me, not the industry, not anybody else. There's latency sensitive and non-
latency sensitive OT. So, the latency sensitive OT, this is stuff directly related to control of the physical world, and it requires, you know, very short response, less than 10 milliseconds typically. And the kind of technology you see here are PLCs, RTUs, variable frequency drives and that kind of thing. And then there's non-latency sensitive OT. And this is the other side. This is more the supporting technology that helps the stuff on the left. And here you find a lot of stuff in OT that you find in IT. They have domain controllers, SCCM, file servers. And this is also where you tend to find SCADA, which is supervisory control and data acquisition. It sits a level above
control. It has some control capabilities, but it's not down at the ground actually interfacing with the world. And I can't do an OT presentation without talking about the Purdue model. Levels zero to two here, that tends to be the latency sensitive stuff. Okay, two tends to be a little bit more in the not latency sensitive. Okay, and up. Makes sense. So, level four, enterprise network. And then we go down to the physical process. There's a problem with this slide, or something I disagree with. I wouldn't say it's a problem. There's something I disagree with in this. I stole this slide from a vendor web page,
and that is, I say OT goes all the way up to level 3.5. Okay.
Okay. So here's the question. In OT, frequently you have control rooms that are far away from the process anyway. Oil and gas pipelines can be 500 miles away from what they're controlling. The control rooms can be... electrical grid. Think about that. You have a control room and it could be again on the far side of the island, right? Maybe out on the west coast from what it's controlling. So if you can do that, why can't you move this stuff to the cloud? And I get right to the point here. It's not okay to put latency sensitive systems in any cloud. PLCs, RTUs, process control need to be local. This is what I found. These are the findings
right up front. You just can't do it. You cannot put those latency sensitive systems in. That makes sense. They're controlling the physical world. They need to be where they're doing that control. Okay? Now, it is not okay to put any OT in the public cloud. Period. You cannot put OT in the public cloud. This is what I found. And that's because of cross-tenant attacks in cloud and too many concerns with that. Okay. And then finally, the one thing you might be able to do is put one half of a redundant SCADA system, or other OT assets that are not latency sensitive, in the private cloud. And
that's pretty restrictive at that point. And you've got to remember these systems have been around for decades, right? So it's not like they're turning over; there's no opportunity for a new one coming in to be like, ah, let's put this one in the cloud. It just doesn't happen a lot. And so it's generally not worth the cost or risk to move them. So that's why you don't find them in the cloud. Okay, cloud computing, we're all familiar with this one. Shared responsibility model. Platform as a service, software as a service: no good for critical infrastructure, OT, too much influence from the provider. The orange boxes, they have too much influence and too much control and could
knock something out. Infrastructure as a service is a little bit more reasonable. So, let's get into the risk assessment here. So, this is our typical... this should give everyone the warm and fuzzies in the cyber security room. We have our risk heat map, impact on the horizontal axis, likelihood on the vertical. Looks so good. You know, we plot some stuff on there. It may end up over in the orange there, even though it's never happened, but that's okay. And sorry, just making a joke there, but we do often find that happens, right? We have to adjust what we're doing. But yeah, so that's our
typical approach. Now what happens is, after 9/11 and during the 9/11 hearings, Condoleezza Rice got in front of Congress and she said that the problem was a failure of imagination. So we weren't looking forward enough. We were looking at what had happened in the past. We weren't looking at threat actor behavior. They weren't doing threat intelligence. That's what the problem was. So a reasoning threat actor does not come into an environment and behave like another device that's failing, right? OT is used to, oh, this device will fail every three, four years, we know that. That doesn't work with threat actors. They survey the environment, find the weakest link, and then they
attack.
So what I found repeatedly when working with plants and facilities and engineers is that they absolutely despise our heat maps. They don't like the guesses at our likelihoods. They don't like what they call guesses. They're used to SIL levels. They're used to mean time between failure. They know exactly when things are going to fail, or when they should fail, and then they can base their entire design off of that. When you throw something into the loop like a reasoning threat actor who may or may not do something, and then if you change it they might do something else, they don't like that. And I'm an engineer and I get it, because they really drill
that into us, to try and make things predictable and follow some kind of model. And so that's where the cyber process hazard assessment comes in. This was introduced to me actually by a client a few years ago. And what it does is it takes likelihood directly right out of the equation. You go, how do you calculate risk without likelihood? You just do. The question is, or another question would be, how are you calculating risk when you're guessing at the likelihood, right? If it's a guess or it's just absent, does it make a difference? And to these folks, they'd rather not see the likelihood.
What they want to know is, is the cyber event possible, and are we meeting industry good practices to prevent it? That's a very engineering approach. Is it possible that this can happen? Are we putting in regular controls that everyone else would do to stop that from happening? Right? Very simple. So this is an OT risk assessment model that was put together by Clint Bodungen. I worked with him quite a few years ago and he put this together, and it is very much based on that idea that there's no likelihood calculation, and it's specifically for OT. It's broken into
three phases, and he's basing his observations off a bunch of standards which he's posted on the right there. And there's an entire book on this. It's one of my favorite books. You can look it up. You can just Amazon Clint Bodungen. Okay. So, let's take this risk assessment. Let's apply it to an actual operation. I chose an open pit mine operation. I've actually never been to any of the open pit mine operations here. I've been to a lot of open pit mines, but not to any here. But they have a lot of systems and you can read them here. These are systems that require OT in order to work. Okay.
Fleet management, slope stability radar to make sure that the mine doesn't collapse. Okay. Lots of neat stuff. Crushers, conveyor belts, thickeners, leaching. They use cyanide leaching to get gold out. Okay. So, this mining operation has 24/7 operations. There's an operational failure; it causes $10,000 an hour in losses. And they know that. When you go talk to these guys, they'll tell you exactly how much a failure will cost them per hour. Okay? So, an impact over seven days is $6.8 million. And that would be what I would say if somebody's hit by ransomware. I've been through a couple of ransomware responses, big ones, like Eastern Health size, and in 7 days you'll be
very lucky to get through it at that time right mostly more it's more on the order of months before you're fully recovered okay so anyway so 168 million a week okay now catastrophic failure is something that also comes up sometimes in OT and it's more of science fiction than anything. Um, you know, you can make things explode. There was some folks down at Idaho National Laboratories many years ago. Michael Asante, he made a generator tear itself apart by taking the phase in and out of it as it was on a a makeshift I was on a test grid. Um, tore apart itself apart from the inside because of the magnetism. Um, but these are exceptionally rare and they're generally
have an underlying safety issue. There's something wrong with the engineering. there's something wrong with the safety systems that are supposed to the physical safety systems that are supposed to stop that kind of catastrophic failure. So, we're not even going to talk about that. Catastrophic failure is it's it's not worth discussing, okay, as as a reasonable impact. I've tried with different clients to at one mine actually they have a they have a something called a thickener where they that's used to uh separate uh solids from liquids and there's a big sort of arm that rotates in this thickener and you can do something to make it make that liquid thicker and then possibly rip that motor
off of the moorings that's holding it down right and send it flying across the plant. We started, we really dug into that. Is that even really possible? And the answer came back with a resounding no. Right? If it was possible, we'd be more worried, we wouldn't we'd be worried about it in a thousand different ways. We wouldn't be worried about a cyber impact causing that. Okay. So, mine mine data flow diagram. Um, this is our network, corporate network, mil OT network, mine OT network. Mines come in two pieces. There's a mine which where they they pull the material out and there's a mill where they process it. Um, and every single time I've come across this setup where they try and
fire all the mill from the mine, they operate on a single domain and they've opened up all the Windows ports between. So, it's essentially one security zone between the two anyway. Um, and they're not running any kind of IDs or IPS between the two, or if they are, they're not watching it. Um, so this is a pretty common setup. Um, just so you know what it would look like. Um, these firewalls here, by the way, for those not familiar with OT, be highly restrictive. Ideally, they don't allow anything in or out unless it's specifically required. Okay? In or out, egress or ingress.
Risk pre-screening. So let's just take a look at what we've talked about so far. There are some things that are in and some things that are out right off the bat. There's no point in considering cloud deployment for safety systems, latency-sensitive systems, or control room systems. And there is not much point in talking about platform as a service and software as a service. So what do we have left to actually do a risk assessment on? SCADA, historians, domain controllers, supporting systems. These are the IT-ish systems within OT. Okay, that's what we have left to do an actual assessment on.

Stage two, any regulatory concerns? So right off the bat, do we have to handle any regulations? The answer, for a mine in Canada, is no. Okay. There are some here, but none of them apply to a mine, and actually none of them apply in Newfoundland, period. There are no OT regulations that apply in this province from a cyber perspective.
>> Yeah.
>> Does that include those that are federally regulated?
>> Yes, that includes the CSA stuff. Mhm. The one that would be interesting is Z246, which is oil and gas, but it's for terrestrial only, not for offshore. Yeah. Okay.

So let's take a look at our vulnerability assessment. I used the 800-82 vulnerabilities. This is the equivalent of 800-53 for the OT world. And a lot of people ask me why I didn't use MITRE, and it's because I didn't need to. MITRE got their vulnerabilities from 800-82. So there's a few here that we're going to test just so you get the idea. A few things to look at.
Okay. And we're going to get into threat and attack assessment. I forget who it was earlier today who said how much they love threat modeling and attack modeling. I love it too. And there are some big mistakes that people get into when doing this. The biggest one is that it gets turned into water cooler talk, where you sit around and talk about all the threat actors in the world. Waste of time, right? All the things that might happen that could or could not be applicable to you. It's fun, right? It makes for good coffee conversation. But it doesn't actually move you forward. And the other one is data-centric threat modeling, where you say, oh, we have our PII, or we have some kind of critical data in an OT environment, which doesn't really happen, and then we're going to try and protect that data. Well, they have to go through the software or the system to get to the data. So why don't we just start at the software or the system instead of starting a layer down? There are no vulnerabilities in the data to look at. It's just there, right?

Then we build attack trees. I built a few of them here. So this is the availability attack tree. I split them into C, I and A to make it a little bit more... so you can actually see what they do. Otherwise, it's huge, right? I need a plotter to print it out. And then I zoomed in here. So these are some of the availability threat risk scenarios that actually are possible for OT in the cloud: general attack on the cloud provider, so a large attack that hits everybody; cross-tenant denial of service; cloud connection failures; network congestion; PLC is too distant from the actuators and sensors, and that one we already know has to stay on premises; cloud connection failure; and accidental device shutdown. About two-thirds... I mean, these statistics are terrible. Most of the statistics we get are terrible because the data behind them is sketchy, but it seems to be that about two-thirds of OT cyber security incidents are internal, accidental. Right? These aren't malicious attacks; it's someone trying to do their job faster or taking a shortcut or not paying attention. So that accidental device shutdown is actually quite common. Okay.

Then we get into integrity. What'll cause a system shutdown? And there are a few here. There's ICS networks used for non-ICS traffic or vice versa (ICS, by the way, means OT), or not within the network. Okay. Security breach of enterprise network, and that means that there's a breach coming through the enterprise network into OT. Insecure architecture allowed to evolve because of how fast and how easy it is to make changes in the cloud; you know, everything's software based, so you can make changes really, really quickly. And attack through the perimeter, and then accidental misconfigurations.

And confidentiality: no impact. Couldn't find anything.
Okay, cloud availability SLAs. So you also kind of have to wonder what AWS and Amazon, sorry, AWS and Microsoft put forward for their availabilities, and they're somewhere between 99.9 and 99.99%, which is realistically, you know, the same or better than what you could do on premises. So this isn't a concern when we're doing a risk assessment on cloud. Same as on premises; doesn't matter. Okay. Now, the remote nature of Newfoundland does not significantly change the cloud availability concern. I went and did some research and tried to figure out if I