
Oops! … I did it again: Security Pitfalls and how to avoid them

BSides PDX · 2024 · 19:16 · 36 views · Published 2024-11
About this talk
Lea Snyder (LinkedIn)

Have you ever wondered why your security program, initiative, or even approach appears to fail? Having trouble meeting in the middle with the teams you support? Craving insights on why? Join me as I dissect the common pitfalls I've seen security teams make, as well as some ideas on how to tackle them. This session will walk through common pitfalls security teams fall into and spark ideas on the right tactics to get around them or, better yet, avoid them.

---

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript

All right, hey folks, thanks for coming. It's really warm in here, so sorry, so thanks for hanging out with me while it's... I think it's winter, but I'm not sure. All right, so I'm used to moving around a lot, so if you just see me bopping, that's 'cause I'm one of those people who can't actually stand still, so I apologize in advance. So who am I? I'm a principal security engineer. I work at a big cloud provider you've probably heard of. I actually used to work at a different cloud provider, so I just move around cloud providers, I've decided. That link is not super helpful, I'm realizing, but I did an interview with tl;dr sec about what it's like to be a principal engineer in security, so if that's your path, go check them out. There's maybe 10 or 12 of us who talked about our journeys. I like the security community, so I come out and talk with all you folks, and I actually help run security conferences. How many people are here from the Portland area? Okay, how many people are here from Seattle? All right, awesome, so hi Seattle folks. I'm also from Seattle. I'm one of the organizers of BSides Seattle, so feel free to come up. Seriously, we're just as cool, please come up, I'd love to see you.

So why this talk? I've worked at a lot of different companies. I've seen the same sort of bad behavior, if you will, and pitfalls that we all run into, and it's kind of funny 'cause you don't even realize you're in them until you're in them and you're like, wait a minute, this feels wildly familiar. So I thought I'd do this talk. Normal disclosure: these are my opinions, not my company's.

All right, so the first one: tech will solve all the things. I mean, how many people have been pretty excited by all this AI stuff, and do you think it's going to solve all the things? Right, okay. So my point is, we often say, oh, we have this problem, I'm just going to go get a tech solution. I actually saw a job posting the other day that had something in their preferred requirements like, the person solves problems with tech, not process, and I was like, oh wow, I wish them luck. So what does this ignore? It ignores the humans and the processes. I know that's not the sexy stuff. I know we're all really into tech; that's why we work in security, we like technology. But guess what, you've got to deal with the humans and you've got to deal with the processes. You ignore those, your tech solution is pretty fragile. So let's say you find yourself and you've launched some tool, or you're going to build some tool, like the XKCD, and you're like, oh no, this isn't working. It's an easy correction, right? Go and look and see, okay, well, how does this interact with the humans, how do they interact with the tool, and what's the process? But I would say, if you're going to avoid this, don't start with "what's the tool that will solve my problem?" Start with "what is my problem?" and do your actual root cause analysis. Root cause analysis is this amazing tool that we can use for everything, right? But if we actually use it for solving problems, we'll actually get the right solution versus just the easy solution.

Okay, does anybody know what I mean by NaaS? Anybody want to guess? So what I usually call it is "no as a service," and I think security pros are awesome at this. Dev team comes: we built this cool thing. And we look at them, we're like, no. And then they're like, okay, but why? And most of our response is just like, well, you did this wrong, you did this wrong, you did this wrong, you did this wrong, you didn't follow this checklist, you missed this policy, no no no no no. Okay, but here's the thing: it's a negotiation, right? You want the dev team to push something secure, at least I really hope you do. They want to push their feature, product, new whizbang thing; we just talked about AI. So how do you meet them in the middle? If you've ever studied negotiations, there's something called your best alternative to a negotiated agreement, otherwise known as your BATNA. Know that before you talk to the team. How do you get them to meet you in the middle? So we really can't do no as a service. I do it, it's my running joke, because I do think we're actually really good at it, by the way. But we can't do that, right? Security is a partnership. Unless you work... even if you work at a security company; I guess if you work at a security consulting firm and everybody else around you is just security pros, maybe you won't run into this, but I don't think that's the vast majority of us. The vast majority of us work with, you know, devs, product managers, program managers, marketing; there's so many other things that I'm blanking on at the moment. So just remember, this is a partnership, right? Go in with that. My biggest recommendation is, if you're about to say no, just say "no, but" and give them an alternative. Right? Like, no, you can't release that really awful product, you really can't have passwords in the clear, how about you do this instead? Give them a solution, right? Don't just say no, because we've got to shift our mindset away from this. And I do want to say that I do think the industry has a bit of a reputation, and a lot of people have a bit of a reputation, of being this way, so my call to action is, let's be a little better.

All right, so how many people have a security review process? Okay, how much of it is self-attested? How much does the dev team just go and do in a hole by themselves? How accurate do you think the thing you get back from them is? This is the problem with self-attestation and checklists: I just don't think they really do a lot of good. Right, they're easy, they're wildly easy, and to be honest, if that's all you've got because you're super scrappy and you're a team of two or three, start there. But don't stay there, because we're not going to get the data we need from the dev teams to help them be secure. So my correction, or my avoidance, is automation. It's actually really interesting; someone was presenting a new proposed program at work, and I was reading through it, reading through it, reading through it, and I was like, this is weird, where's the automation? There was no reference to it. It was just like, we're going to have these people fill out this checklist, and I was like, neat, might be helpful, might work, might get us somewhere, but I actually think a lot of it could be automated. And so I would start with what can you automate and what can't you automate, and that will really help you understand where you have telemetry gaps and where you need to go address those.

One of my favorites in security: everything is urgent. Nothing is urgent, by the way, if everything's urgent; it's just not possible. So I actually look at this as the struggle between reactive and proactive security. And so obviously, if you're in the middle of an incident, you know, focus on that: focus on containment, focus on your incident response. But for the most part, I think we tend to react versus try to prevent or protect. And I know in the industry we talk a lot about shifting left, right, we've got to shift left, which by the way, if I ever do a talk on expressions I don't like, that's definitely one of them. But I do think a lot of what we focus on is just reacting to these constant events. If you're in incident response, you're getting inundated, right? You're getting lots of detections, there's logging alerts, there's monitoring alerts, there's, you know, alarms going off. How do you actually get proactive? And that's why you need not just incident response; normally you actually need a whole team. But if you don't actually focus on prevention, you're just going to keep reacting, you're going to keep reacting, and you're just going to keep reacting.

The other thing I think is kind of tied to this is that security people like to focus on threats, vulnerabilities, and issues. It's kind of interesting, right? So what'd you find? You ask somebody, what interesting things did you find in the threat model? They'll tell you all the things. Okay, cool. What are the detections? Fine, and again they'll tell you all the things. If you have bug bounty, what did bug bounty find? Oh, all the things. But the business doesn't care that we found vulnerabilities and threats and misconfigurations. They care about risk. And so when we hyperfocus on the things we found versus the risk to the business, we're not actually showing the business why we should be in the room. So that's what I mean by what security cares about versus what the business cares about. I've come into a lot of security teams and I've seen that exact behavior over and over again: we're reactive and we talk about things that no one cares about. I mean, literally. That sounds terrible, but I don't actually think the business cares if you found 100 cross-site scripting vulnerabilities. They want to know what the impact to the business is, and if you can tell them that, whoa, totally different conversation. Last year I was here talking about shared language and understanding, and so I think this is where it gets really important, because again, we're all security pros, or we want to be security pros, because there might be some people in the audience that aren't in security yet, right? The business is not. They don't understand what you're talking about. I had a VP who once was like, can you guys stop with the inside baseball? I was like, inside baseball? And it took me a minute to figure out what he meant. But we're all talking, he's out there explaining what's going on, and he doesn't... you might as well speak in a foreign language, right? And so we've got to remember that for the most part, we're there to support the business, and so if we don't use language the business understands, they can't really understand the value we provide. They don't understand the value we provide, we can't get headcount, can't get budget, and so on and so forth.

So how do we get around the whole "everything is urgent, we're talking about the wrong stuff"? I do think this is a partnership with the business to understand scope, impact, and criticality. Right? So does anybody in this room actually do risk management? Okay, we got one person, yay. One of the classic things in risk management is we talk about likelihood, and you'll notice I don't have that. I just don't know what that does for you. There's a lot of incidents that, if we reflect back and we'd say what would we have rated the likelihood of this incident, I think a lot of us in this room would say not likely, and yet it still happens, right? And so that's why I think you need to understand things like scope and blast radius and impact, and be able to tell the business what that looks like. So how do you avoid all these fun shenanigans? I think my big thing is, be wary of recency bias. Shout out to the gentleman who does risk management: if you have a good risk management program and you say, here are your risks, don't change all of them because you just had an incident. Be very wary of recency bias. It might actually show you that you've got the right idea, or it might actually put you on the wrong path. And I would say build a risk management program, and this doesn't have to be, go buy a tool, go buy a bunch of humans. This could be super lightweight: just document the risks and share it with the business and see if they agree, and if they don't agree, keep having those conversations. Right? You want to make sure that you are aligned with the business.

Okay, does anybody know what I mean by OpSec? Yeah, you want to shout it out? No? Does anybody want to shout out what I think OpSec means? Security, yeah, but what does that mean? What you do for security day to day. Awesome, awesome, I wish I had a prize now, dang it. I actually have a friend who talks about bringing prizes to talks, and I'm always like, that's such a great idea, and then I totally forget about it because I have to drive distances and I always forget. Anyways, I will argue that OpSec is almost never what we focus on, which is wild to me. We're all security pros, but how many of us, you know, do all the proper marking of our emails to say "this is a confidential email"? I'm going to go with most of us don't. Or how many of us actually properly [mark] a document? So you wrote a document, it's got all the risks; who has access to it? The problem is it's really easy, I think, to do the wrong thing. It's wildly easy, right? So I think standards help here, even though I'm not a big fan of policy; that should also be in words I don't like. But I do think standards can help here. So if you have a tool that actually will mark this for you, go ahead and use the tool to mark the thing appropriately. If you don't, just tell people the expectation, right? When should you put something in email, when shouldn't you put something in email, when should you pick up the phone? We have to protect the business at the end of the day, and if we don't do this ourselves, the business isn't going to either.

So what are my key takeaways? I think you have to reframe how you think about security at the start, right? We shouldn't be reactive, we need to be proactive. We don't want to show up with no as a service. We want to understand what actually is critical and important to the business versus just what we think is. If you find yourself in one of these pitfalls or headed towards one, just stop. It's okay, take the foot off the gas pedal, or in my case off the battery pedal because there's no gas anymore, and correct. Right? You don't have to keep going down a bad path; you have the opportunity to make a correction. And then this might be obvious, but if it's not: security's iterative. Let's be clear, we're all going to fall into these pitfalls at one point or another. There is no way any of us are good enough to avoid it; there's just so much momentum in business that you're going to hit some of these. Be okay with that and just remember it's iterative, and we can keep going and we can correct. And that's all I got, folks, so thanks so much. [Applause]

I don't know if anyone has any questions. That was a very quick tour of all the... I have more pitfalls, I just, for 20 minutes, I just wanted to pick on the ones I thought were the worst. Yeah, go for it.

[Audience question not captured]

So yeah, if you can translate it into money, which is kind of what I meant by impact and blast radius, that tends to land well. So like, if we don't fix X, we'll have a total cloud compromise; if we have a total cloud compromise, this is how much business we forecast you would lose. And if you don't know how to forecast that, there's somebody who can help you on that risk management team, 'cause you explain, here's kind of the scope of what I think could happen, what would this cost us? And those folks are dynamite at that. And so that's been my approach, and it seems to work pretty well.

[Audience question not captured]

And it may not work. This is the one problem I will warn you about: we're always like, oh, we can just automate everything. There's going to be gaps, right? But I do think this is an important point. If you have the opportunity to turn on a policy that says you can't send an email unless you, you know, rank it, because there's all these rankings in email nowadays, which fascinates me, that makes it easier, right? Or you can't save a Word document or an Excel sheet or a PowerPoint or whatever your jam is without actually saying what is inside of it, why it matters. I would say, if you're going to automate everything, you probably need really good telemetry and really good alarming for something that looks anomalous, which is not easy. It's kind of the classic trade-off between security and convenience. And let's be clear, we're all security pros, so we're all here to solve hard problems, so I agree, it's a totally hard problem. So maybe you should do a talk on it in the future, hint hint, get up on stage. All right, anybody got anything else? If not, I'll let you go eat, if that's of interest. All right, thanks folks, really appreciate it.