
Rise of the Advisor

BSides RDU · 2018 · 50:59 · 15 views · Published 2018-10
Speaker: Neal Humphrey
Category: Career
Style: Talk

About this talk
Abstract

We have a problem in security today. We simply don't have enough people to cover all the needs. Colleges and technical schools are starting cyber-specific programs, but those are going to produce academic practitioners who will need time to season in the industry. Vendors are pushing out more and more tools or information on what is or isn't going wrong in customers' networks, not only from detection-based alerts but from vulnerability, risk and compliance standpoints. We are monitoring more and more of a user's presence on the network, but we are creating more and more noise for ourselves even while we have been trying to reduce and refine the noise. We need something new, or we need to recognize something that we used to have and bring it back to the front: we lost coordination at the tactical level across the security stack. The purpose of this talk is to draw from years of experience in the vendor world, look at customers' organization structures and make a case for what works and what doesn't work. It is based on architectural principles but not specific to a compliance version or to the plumbing of a security stack. Attendees will leave with a better understanding of how they can work with and influence their security teams positively, along with internally marketing for the recognition of a new role within the security organization.

About Neal

Neal Humphrey is currently a Threat Intelligence Engineer working for ThreatQuotient. He has been active and advising in the security industry for over 15 years and in technology for 20 plus. Previous to his current position he was a Technical Solution Architect for Cisco, and before that was a Principal Security Engineer for Sourcefire.
Transcript (English)

My chicken tastes like everything. Which character? I didn't get. Korea. Mouse. All that we are asking in return is your cooperation in bringing a known terrorist to justice. Yes, Agent Smith. Those two, easy. John, you got that? Do you need more coins? Okay, we'll do some more after.

All right, our next talk. What did they... the name of your talk? It's right there: Rise of the Advisor. Neal is currently a Threat Intelligence Engineer working for ThreatQuotient. He has been active and advising in the security industry for over 15 years and in technology for 20 plus years. Previous to his current position he was a Technical Solution Architect for Cisco, and before that he was a Principal Security Engineer at Sourcefire. Please welcome Neal Humphrey. [Applause]

Well, this is... well, oh, there we go. Okay, so apparently I'm supposed to use this for recording purposes, so I apologize. And there it goes again.

Maybe it doesn't want me to move. If I go this way... all right, see what... okay. Afternoon, all. And I do know that this is getting towards the end of the afternoon, so I'll move through this as quickly as I possibly can while covering some pieces that I think are fairly interesting or fairly relevant for us today. So this is obviously going to be a great talk. Like, we really hope that it works out that way. But first of all I want to set some ground rules, and if anyone's ever done any form of public speaking or any form of presentations, you know that things are going to go wrong. Shit's gonna happen, right? So we've established some ground rules on how to recover from those. We've also gone through and said that there are certain golden rules of PowerPoint presentations that everyone must follow. However, I choose to be a rebel, right? This will not happen, and you'll notice strange things that pop up across the entire thing, and I almost want you to call out when you see the picture. Call out the movie, if you don't mind. So this one... there we go.

Okay, so the agenda first off. And I do not have any... I thought... my company basically folded out of Sourcefire many years ago, so we have been starting to do squishy rhinos instead of squishy pigs from the Sourcefire side. I don't have any with me, but if you find me in the future I'll give you one. So what we're gonna talk about: first off, we've done the introduction, congratulations, we're done. And then we'll do mandatory fun to go through the problems, and then we'll talk about some other pieces. But again, as it's already been mentioned, who am I? Most of this is stuff... but the important part for you guys is I like to talk in analogies. Be ready for that; it will happen. And also I may or may not know what I'm talking about. That will be for you to decide at the end of the presentation. And I do sincerely hate boring presentations. I'm sick of PowerPoint. So the movie: Thomas Crown Affair. There we go.

All right, so quick question first off. The movie... so let me ask you a quick question. This is a little bit of get-to-know-you, so I get an idea on the crowd, and then I forget that there's another group of people up there. Anybody above? Y'all... I'll see a head, okay. Anybody who works in the SOC? Who's a SOC analyst? Anybody? Anyone in risk? Maybe, okay. Anyone in network security, meaning the security engineering, so the plumbing? A couple of people. Any CISOs, the men or women with the pocketbooks? No one, okay. Anyone in... I'm sorry, they won't admit it.

Good, smart people. Anyone in threat intelligence? Not really. Anybody in IR, incident response? Wow, cool. So the reason I'm asking these questions is I want to play a little bit of a game. First off, are you sure about that? You positive about that? Saw. I cheated. The first one is Saw, the second one is WarGames, and just because I love that little bastard, I'm doing that to my family over Christmas. So let's have a quick game... yeah, what's the movie? Quiz Show. All right, let me get my handy notepad out, since I couldn't do exactly what I wanted to do. We're gonna go low-tech. Okay, so here is my question for you guys, and yes, you are seeing some of the slides coming up, but we'll get into that.

So first off, which one do you want to start with: what is intelligence, or what isn't intelligence? We have two diametrically different voices at this. Let's do... is it... okay, so what isn't intelligence? Anyone have a guess? Start off with anybody. Anybody? Anybody? Raw logs, okay, we'll call that one, that's fine. Actually you've got number one on that one: large amounts of atomic indicators, lots of IP addresses, lots of domains, lots of noise that pops up, the same thing as your logs that you get in your SIEMs, right? All right, next guess: what is not intelligence? Activity observation, okay, we'll give you that one. External risk scores: I believe that this person has been hacked. Well, you've probably been hacked, so what do you have to say about that? Up next, next choice, anybody? I'll give you a hint: one of the vendors out front is gonna be fairly pissed off by this one. Though... cool. Sorry, no, nope. Adversarial cartoons, right: putting together that this is an adversary. Adversary profiling is hard. It is not truly threat intelligence, as the dossier that's put together by a particular group with a particular eye, opinion and a particular bias, and generally they try to talk about it based upon a cartoon associated to that. And it's gone again, and it's back.

So for... and this one will get me in hot water based on my current employer: sharing groups. Why would I pick on sharing groups? So the ISACs are some of the community's very good collections of information, but if you notice, I refer to them as Facebook: herd mentality, echo chamber, right? This is the only thing that's important to us because everyone else in our industry is saying that this is important. Yeah, you might want to take the blinders off, right? Fair statements? Am I gonna get fired for that one? There's a chance, hopefully not. So what is intelligence? Visibility. Let me check my notes. Okay, actually I'll give you that one, and that's actually two of them, but I had to

break them out. Let's start with this one. Everyone familiar with the term tribal knowledge, right? That's intelligence: what happened before, what happened yesterday, why does Betty in accounting continually open those damn PDFs, right? Because it's gonna happen. And I'll give you the other one, which is a little bit harder, but I think is part of this one; it's part of visibility. It is market understanding. Intelligence isn't internal or external, it's both, right? Being able to understand what may be happening external to your environment in the greater world or in the greater ecosystem versus what's actually happened or could happen or has happened in your past. Any other questions or any other guesses on one or on four? I'll give you a hint. I'm sorry.

Focused and timely external data, actionable information, and also, so that we can move on along, I'll go ahead and open this one because it's tangential. Everyone remember the CSI theme song? We had The Who referenced up there before: Who Are You, right? Hard evidence. Give me something that I can work off of. Make sure I understand what's going on, where did it come from, do I have multiple sources of attribution to it, or is it just some one person's opinion? So let's work off of that as we go through this.

So here's the problem, and again I'll come back to why we had the little game show in a second, but here's the problem that we're dealing with in the

market today. First and foremost, that's not a movie, sorry, but I thought it was great. But here's the problem: moving good people. My people, they understand this. We have a situation that revolves around organizations, and it's not that the organization is good or an organization is bad, but we'll go back to what we refer to as one form of intelligence, tribal knowledge, right? And in particular I want to focus in on, and we'll deal with this more, the CISO area in the bottom right-hand corner, right? The reason I asked who are you and what are you doing: are you in incident response, are you an admin, access, are you in risk management, or even threat intel, are you in SOC, are you in security engineering? Each one of these are separate groups that have different meanings, different reasons for being. They have a different goal in mind, which leads us to the effect of that problem, which is silos. And I am NOT going to beat silos to death. Everyone's heard that one on silos: this group has this, this group has that, everyone talks, no one ever communicates. But I do want to show a couple pictures of silos, because I think they're kind of cool, and in particular the one that no one expects, right? But what we end up with in general in talking about silos in the problem, and this is endemic: silos are inflexible. If they do flex or they do bend a little bit, they tend to do what that one on the side does, right, which is just flat-ass break, and that's not what we need to have from an organizational perspective.

The other problem, or the other piece of this problem that we'll talk about: people are people, right? And none of us have ever done this. Fletch. Good. Has anyone ever done this before? Come on, guys, someone's been around somebody drunk and you drew something on them. I mean, let's admit it, just go ahead, you're not going to be persecuted, right? But also none of us have ever done this, right, even to our spouses, to our families, to our friends, right? But the point is that we've become very much attenuated into those silos, where we're paying attention to what matters to me. I have metrics, I have deliverables, there are things that I have to do, these are my pieces of tribal knowledge, these are my victims, right? And this is not a problem with organizations; it is a people problem in the way that we address ourselves today, right? And the reason why, again, I call the sharing groups Facebook. All right, this is the situation that we have to deal with.

So now the other people problem. Not a movie, but Ross Perot, who... played by... there you go. So why do I have Ross Perot up here? Negative unemployment, the giant sucking

sound. All right, anyone remember that one from Ross Perot? This is the other people problem. We have an issue in organizations and in intelligence where we hire someone, they work for us for six months, nine months, a year and a half. Actually, let me ask this question. Again, this is not part of the presentation, but just for my own edification: who's been in their current role more than two years? Wow, that is different than I expected, right? By the way, you could go get another job fairly quickly, just so that you're aware, right? If you are a cybersecurity professional with any kind of skill set, you already have a job and multiple offers on the table. And someone mentioned CISOs are sitting down and hiding. This is the reason why, right? They're not getting more budget, but people are getting hired if I'm underneath them.

And then finally, from a company that I have questions about, and I want to focus in on this one: when businesses can't find people with cybersecurity experience, they make easy targets because they simply don't have the right solutions, policies or procedures in place. I think this is quite frankly the most interesting quote I have ever seen in cybersecurity. What's not on here? Detection mechanisms, the right EDR, the right this, the right that, right? It's policies, it's procedures and it's solutions.

Now, those of you that don't know me, which is basically everyone here: I love military history. I'm a military history guy, went to a military college, it's in my blood. So if you guys will let me entertain you for a little bit, I want to walk you through a quick case study that I think is applicable to what we're talking about. And I'm not even gonna ask if anyone recognizes this tank, but this is a World War Two relic that was specifically found and is now in a war museum outside of Dulles Airport... base, or airport base, airport, blah, right? It is specifically a Jumbo Sherman. Weighs 37 tons, got a V8 engine associated to it, it runs on gasoline, which may or may not be

a problem, but it's got a 75 millimeter cannon associated to that one. Why am I talking about that particular tank? We'll come back to it. Anyone familiar with that acronym in military history? Give you an idea of the timeframe we're talking about; the Shermans should be a hint. World War Two, Eisenhower, that is correct, which is what we have here. And in particular the story we're going to talk about revolves around the 21st Army Group as led by Omar Bradley, which we have... actually, I'm sorry, in this case this is from early September, where the First Army... this was the post-D-Day organization of the US Army in World War Two, and we're going to talk about the First Army under Bradley and how that moved.

So this is from September the 1st, 1944, and if you'll notice we have a completely different organization across the middle here. Omar Bradley transferred over; he's still head of, in this case, the 21st Army Group, but he is in charge of the central group of armies. If you notice on the left-hand side, actually on the right-hand side, I apologize, you have the northern group of armies as led by Bernard Montgomery. So this means that Omar Bradley was in charge of the central and southern campaigns against France, moving through the Ardennes, and in particular he had a little guy underneath this command by the name of General George S. Patton in the Third Army Group, also known as this guy, not this guy, right? But the story took a little twist for me. So a couple days ago I started... I was doing more prep work on this and was doing more digging into the history around this particular story, and I ran into something I thought was incredibly interesting and very, very poignant for this, which is this guy, and we'll talk more about him in the first place. But anyone recognize him? Chances are gonna be very, very slim. If you do, you know military history better than I do. Nope, good, you'll have to listen, because he gets bigger.

So walk this through very quickly. December 18th, 1944, we have the organization of the 12th Army Group, sorry, dyslexia, got it confused, 12th versus 21st, under Bradley. There's the Third Army, the First Army, the Ninth and the Fifteenth, and this is specifically talking... and that does not render very well at all, it's gonna be fun. December the 18th, 1944, anyone have any idea what in particular happened in late December 1944 that would involve these areas during World War Two? Battle of the Bulge, very good, makes this a lot easier. So we're going to talk about this. In the circle is Bastogne. Red line is the front line of the group, and the top red line across the north is the breakup between the 12th Army Group and the northern army group underneath Bernard Montgomery. Blue line is the dividing line, territorial, between the Third Army Group and their area of organization, what they had to do. And again, everything was pretty much under the Ninth Army... is where Bastogne was, which we can zoom in on here. I don't know why I did that, but it felt right at the time, right?

So why do I bring this up? It's actually for this. Everyone, you have a G organization and you have an S organization, G meaning general staff, S meaning staff, and each one is responsible for particular areas of expertise or areas of, effectively, organization. So in this case at this

point in time, General Patton's XO was the deputy chief of staff, which is General Gay, and he had, of course, a deputy chief of staff, which is Colonel, what's his name, Colonel Harkins. If you notice we have Colonel Campanole, who's in charge of plans. I've got Colonel Matthews, who's in charge of personnel, a Colonel Maddox in charge of operations and training, and then I have a Colonel Muller who's in charge of supply, construction, transportation, evacuation. One guy in particular is in charge of military intelligence, guys, now by the name of Colonel Koch, and I'm probably mispronouncing that. Now why do I talk about him? Well, on December 25th this was the current situation of what was going on: Bastogne and the 101st Airborne had been completely encircled. The Germans were running on steam in the Ardennes offensive in this area here. But then this guy knew something. So Koch knew that the purpose of intelligence was to assist the commander in accomplishing his mission and to protect the command from surprise. Why is he important, and why is this a good case study? Back on December the 9th in 1944 there was a 12th Army Group meeting, and actually it ended up going up to SHAEF, where there was lots of rumblings about the potential German invasion, or a German counter-offensive, that was going to occur through the Ardennes. And one guy in particular had done enough work on his own, of looking internally in planning and working with his G-3, but also externally in looking at aerial aircraft photos and captured signals and everything along those lines, to say: I really think something bad is going to happen, so I've already gone ahead and put together contingency plans that allow maneuvers and activities to occur in case the entire Third Army has to pivot, move off of its front line and move north. Which, surprisingly, is exactly what happened. On December 27th the encirclement at Bastogne is broken, in particular it's broken by this group right here, which is the 4th Armored Division associated with the Third Army Group underneath Patton, following the commands of Patton, but the tactical planning and the operations that Colonel, then later General, Koch had put in place and had ready to present to someone back on December the 9th. I can't come up with a better example of being prepared versus being reactive than in this particular scenario.

Now the other thing I want you to take from this is, again, the 4th Armored group, and in particular 4th Armored as it equates to the tank that may have gotten there first with the mostest. That tank was called, though it doesn't show it, I dropped that one, it's called Cobra King. This tank was actually damaged two or three weeks after the Battle of Bastogne, and it was crewed by Charles Boggess, a Corporal Milton Dickerman, and Privates James Murphy, Hubert Smith and Harold Hafner, who are all sitting on top of that tank right outside of Bastogne as soon as they got in. As I mentioned, it was damaged shortly thereafter and then recovered, repaired, put back into place, and then forgotten about until it ended up as a trophy or memorial in front of several US Army bases in Germany across the Cold War. Then it was brought back and put in place once it was identified as being the Cobra tank, or Cobra King tank, and was found and reconditioned. It was recently placed in that museum. I'll come back to the reason on that one. So

to go back to our problem one more time. Movie? Hey, it's all right. Here's our problem: it's our fault. This is all our fault. So in particular one thing I want to point out that I find personally hilarious, again, I work for a vendor, I'm allowed to call this out as this is all our fault, but my company is actually on this piece somewhere twice. Like, I'm in here and then I think we're like over here somehow or another, I don't know why, right? But the reason I bring this up, the reason I say this is our fault and how it applies into what we're talking about, is we've all been very, very reactive. We have not been anticipatory. And I'm not a big fan of talking about security in the vein of I'm gonna be reactive to something or I want to be anticipatory or I want to be ahead of the next major thing, because I don't really think that you can. Sorry, I don't like... that's my personal vendor stance. I think you can be prepared, but I don't think you can be anticipatory and be very, very specific in what's going on. Also part of the reason for this is because we're all asking and looking at our own phones and our own echo chambers. We're in our own silos: I need something that works for me. It's not working for the organization, it's not working for the greater security architecture, it's what will work for me. And that's how we end up with all these different things that do half of the same thing the other one does, kind of, sorta, maybe, and we all use the same words and no one knows why the world is actually spinning, right? That's my personal vindictive, or vendetta, against vendors. And I honestly don't remember the name of this movie. Anyone know the one I'm talking about? Is it The Interview, the one that was never actually released but was? All right.

So the symptoms of the problem. We have too much data, fairly simple to explain, no real questions. We don't have enough people, again very simple to explain, we've already talked about that. We don't have enough time. No one has enough time, never have. And we are in an analytical paralysis. If I hear my VP of Sales or someone else go through and say that I'm hunting for a needle in a pile of needles in another sales presentation again, I'm gonna discuss the concept of an electromagnet that's very powerful and just cleans, right? But the point is that we're all talking about this, and we are... well, this is my problem, this is their problem, and we have to figure out how we're going to analyze or deal with that particular thing. So every symptom has a diagnosis, right? Whether it's right or whether it's

wrong, it must be diagnosed. So why are we seeing these symptoms? Again, because people are being people. Teams are talking but they're not communicating. This is what's going on here, this is what's going on there. We don't have a lot of cross-team communication, or if we do, it's a little bit more forced than it really ought to be. This is the big one, and this will lead into the actual discussion of the topic, or the title of the presentation: CISOs are strategic. CISOs are Patton. They're not Colonel Koch, they're not the commander of the 4th Army, or 4th Armored, excuse me, right? They are... you can look at it and say Eisenhower is the CEO, whereas Omar Bradley was the CIO, if the CISO actually reports to them, but the CISO is Patton, and the CISO has a very strategic goal, which is to defend the network. That's it, that's their job, that's what they do. Team leads are team tactical, meaning if I have a team lead, or if I have a SOC level three analyst, or if I have someone who is my principal architect in security engineering, or whatever that may be, their job is to validate, from all those vendors we were just talking about, what makes the most sense and what works for the company based upon the best price that they can get. Not: is it going to do a better good across multiple teams, but only for the team that has the budget that's been assigned to them at that period of time. Analysts are keyboard tactical. What do I mean by that? Meaning that they're dealing with that alert, they're dealing with that event, they're dealing with that artifact, they're dealing with that malware file, they're dealing with this incident. They're not necessarily... and they do a good job usually of doing cross-keyboard, of helping the guy out beside them or the girl out beside them or the person in the next room, but they're not necessarily being able to overtly communicate what they're doing and why it was valuable or what they found interesting that day. Again, it's tribal knowledge, and it goes up in their head and maybe it'd be spread across a couple of keyboards in the near vicinity, usually due to them cursing, throwing something, or putting a post-it note up.

The treatment. We need to be able to execute and validate the strategic vision as set by the CISO across the teams, and the CISO's job is to make sure that we do that, but we can help them out a little bit. We need to provide cross-team tactical guidance and review; we need something that's able to bridge those silos, and not a technology, not another way of communicating, but we need a human, potentially, that may be able to walk across the teams, that is mutually respected and is able to understand what's going on. We also need to be able to do metrics. Again, it's a little military-based, but we want to be able to do AARs, or after-action reports: what did you do, what did you find, how did you find it, how did you mitigate it, did you not mitigate it, what tool did you use, how long did it take you to use the tool, right? We need to start gathering more detail in that manner. And quite frankly, we need a historian. Somebody needs to be able to be in charge of: you haven't sent that in, I need that piece of information, I need that data associated to that. And

then finally tribal knowledge. Well, and then we'll leave the other one for another joke, but someone, the historian, is actually in charge of capturing the tribal knowledge. And again, the reason why, and I'll go back to the history example: why would I even bring up Cobra King? Any guesses? How did they know that? Records, serial numbers. As much as we can bang on the military for whatever they want, they take copious notes, right? They write AARs, or after-action reports, on everything that happens. They were able to identify, on a Google search, very quickly, the actual crew members of the tank and what they did that day back on December 27th, 1944, beyond just simply saying here's a serial number of this particular tank. This was the story of that tank on that day, as written by notes and understood by the historians associated to that. Am I thinking that industries or our companies need to be able to do the same thing? No, right? We don't need all of that. But there's a level of information that is internal intelligence, that is internal, that is not being captured or not being processed. In other words, you need to know where the bodies are buried, right? This tool does not do what we thought it was going to do, so why am I dependent upon it? Or this other team knows that it's not doing what we wanted it to do, so I need to be able to try to fix that or figure out a mitigation around that.

So organizations good, organizations bad. We'll go back to the CISO again. I personally feel that something is missing, right? I have a team lead for each one of these silos, as we've talked about. I have a CISO who's in charge of their strategic vision, their budget, what they've been charged to do, and generally CISOs are inheriting an architecture that they may or may not understand, or that they may or may not want, and don't understand why it was put there in the first place. I've replaced a lot of vendors in my time working as a vendor because of that same reason: CISO comes in, doesn't understand what's going on, rip it out and replace it. Was it working? Don't know, don't care, don't trust it. Why? What's missing is a staff: someone who works for the CISO that is not beholden to a particular team, that is in charge of gathering metrics, being an advisor to a bunch of different people or a bunch of different teams, and understands the architecture and the impact at a tactical level.

So how do you do that? How do you become an advisor? I really, really hate this one, and I'm sorry, which is the reason why I figure most of you are doing this, right? But we do have to start taking good notes.

That's the way that you can start understanding and providing communication. Remembering that this person said that last week is great, but it doesn't communicate very well, because guess what, people leave. We don't want to let all their work go. Metrics move things. I don't like this. Why? It does not work with your kids, I'm gonna be very clear about that, right? You didn't like this last week? I don't care, I don't like it now. What I do... I did that one. Advise, don't do. I'm not asking you to walk in and take over someone's job. You don't want to do that. But what you can do is to help them understand what they're doing in the greater goal of things, help them work with the CISOs towards that strategic vision. But more importantly, and this is the most important thing you can get out of this talk: security suffers from an issue in perception. Security is a cost-basis technology. We don't make the company any money, ever. We cost the company money consistently. So we have to be able to start identifying and advertising ourselves on when we do something right and when we find something. So if I can do an advising and help people understand across teams how we've done something really well, guess what, metrics move things like budgets. Evidence counts. Again, an opinion held by one is an opinion; an opinion held by four or five could be construed as fact, depending upon how you want to look at that. Evaluate and record those investments. Again, metrics: understand what's going on. We made this investment, did it move the needle or did it not, but how also are you judging the needle being moved? Trending can be prophetic. Anybody in the Mega Millions drawing tonight? Buy tickets? One person in the room. Only one person wants to quit their job on Saturday? Are you out of your mind? All right, guess what, trending data says that we will both have to be at work on Monday, right? It's the way that it works.

And then finally, some tools to use for this one. I don't expect you to simply sit there and write this stuff down in a notebook. There are free versions of all of this software available, outside of maybe SharePoint, but you can find a pirated version of that somewhere, right? Elastic, Hadoop, even Google Docs if you have access to it. You want the forensic logs, you want the daily SOC logs, I want my IR case notes, I want to be able to collect all of the information I possibly can to understand how I can best use that. Again, to advise: being able to say, hey, why don't you look that up, this other team ran into it last week, is very, very different from, well, let me go pull the sample, let me send an email, let them search for it themselves, right? Be able to be tactical and reactive to the internal teams' needs, not doing this. And then once you start getting that down, you can start communicating effectively, because people are still looking at their phones, but they're looking at the same data source on those phones, again, whether it's any one of these technologies. And again, please just don't use email. Just don't, don't, don't, don't, right? Because subject lines, where it's rendered, can you really search it, how deep down into it do you need to go, right? Don't do that. But other things people can communicate effectively over, and they don't have to stare at each other to do so. Now everyone's familiar

with the Disney hand anyone not familiar with a Disney here don't do that a single pointed finger this is from presentation skills 101 implies blame so you have to use two that doesn't imply blame that is the Disney hand right so I honestly have fun take your kids to Disney World and see if you can get them to point at you with one finger and then they'll freak out it's kind of fun right but as I also like to call it speak softly and carry metrics right I don't like what you're doing why this is the reason why right not I don't really feel like you know what you're doing or you had like those things finally could you

just put the advisor in give us give him or her something to do but again more importantly let that person start to work amongst the teams and this is a job that you can grow for yourselves that's the most honestly out of everything I've said that's the most important thing on this all of us are experienced security people we all have a group that we came out of we're all really good something in this group there's nothing stopping us from taking that and saying I'm really good at this I've got this tribal knowledge let me reach out and build some form of communication across the different teams then all of a sudden my star goes up and I can start showing

that other teams are more effective and I can become more tactical and sit beside the seaso and start building a role for myself and oh by the way metrics move things speak softly carry metrics do you know who really cares about the metrics the board so if I can walk in and show how a decision that was made under my watch as a technical decision had a strategic impact guess what I get a lot more visibility and everyone up the chain looks good so advertise yourselves build metrics give yourself evidence but try to talk a little bit better amongst the different teams and somebody needs to become an advisor in this I'm out of time any

questions yeah actually sorry one more movie sorry no screw huge question I would like to believe that they could they have not proven themselves capable of that to me so far I'm sorry I don't disagree with you I just don't see it happening because everyone is still looking for something that's going to solve this problem especially in the US market we're we're very much Pavlo nyan right I ring the bell I see an alert I did something with the alert or I made that alert not have to happen we're responsive to that so it drives that that single point of focus rather than the consolidation that really is what we need to see yes in the back sure sure so it's a

difficult question to answer because the metrics going to be different everywhere else right but primarily what you're looking at is especially when you're doing almost like a tool validation if the tool says that part of the ROI is to reduce the number of events that you're going to see how many events did I see before I put it in versus how many events does see after I got it and more importantly not in you want to measure twice if not three times it's again speaking from the vendor perspective right I've made a lot of money walking in and saying I'm going to reduce this event flow easy done right and then as soon as I leave the people that are

using it or not as experienced as I am and the event rate goes back up so you want to measure it again right and then you want to give it a little while and you want to measure in a third time because you're going to hit peaks and valleys before you hit a steady-state so that's number one right just simple event rate also I are cases I would love to know the percentage of false positives that have been gathered off of I our cases how many in the hard part is there's a lot of people talk about measurements based on true positives I don't really know how you make that determination that metric myself I can

think about it some more but I really want to see a percentage of false positives versus cases that aren't right whether they're thrown out or whether they've been identified as true positives and move forward into the the case log simple soft daily information right it's not necessarily who handle and this is the fun part for me especially when we talk about analytics I'll beat on the target breach for a second everyone's familiar with the target breach feel like that's fairly old hat at this point in time right so we all look at technologies again from a metrics perspective and say okay it's gonna and this is talking out of both sides of my mouth but we look at

technologies and say that this reduced my alert rate or it's allowed me a little bit better visibility as it applies to risk or compliance great but if we look at the target perspective that would not have necessarily had saved them right they had the alerts the data was there just no one was able to actually understand how important that one particular event or one particular alert was right so when you start talking about your sock daily logs or your other pieces it's important not to get funneled directly down on who's closing the most cases or who's dealing with the most events or dealing with the most alerts it's almost that that middle curve of who's really

crunch spent a little bit more time and maybe communicating with other groups a little bit better so can we measure some of the cross communication can I look at it from a slack perspective or from a jive perspective or from some other archaic messaging capability right to say okay are these people talking across teams around this particular event or this particular indicator or file name or for the love of God it's Betty and accounting again right if it's because for example we may look at Betty and say she's continually opening up these PDFs and we put her through remedial Spearfish training I don't know how many times right so we'll automatically kind of tend to ignore any alerts that have

Betty's name associated to them it's the boy cries wolf scenario right but you have to try to focus in a little bit more on that and that's the fuzzy part of the metrics is can I train that or look for someone that spends a little bit more time on something just to try to make sure that they're not missing something in general is that fair yes sir

I can't believe I'm gonna say this awed it I mean yeah you know the the quite frankly the the group of people that are most used to walking in and understanding something very quickly and then being able to communicate or make references that are communal to other people very fast right that's the first group that I would look at risk and compliance is also a little bit ahead of cyber security as it equates on this stuff and I see a lot more movement of security intelligence I really don't like the term threat intelligence but Intel being moved or pushed more into risk assessment compliance and also just kind of the overall security health of an organization any other questions yes

so that's a good one and this is important so I got a new guy that just came on to my team he's a very good security guy he's very good architect he's still working on some of his sales stuff right ultimately we're all salespeople whether we want to admit it or not right we sold ourselves in relationships we sold ourselves to the job when we did our interview right we sell ourselves to the telemarketers when we tell them to hang up very quickly or we play with them for a little while and let them drone on and Nothingness right so where I'm going with that is security people need to work on their bedside manner and explain

things in simple ways right the metrics need to be fairly simple when you move them up the chain right it's not we've seen a motet 15 or 20 different times within my environment something I've dealt with with the customer the other week or that the black energy or not petia or VPN filter or anything that is when you start talking up the chain they don't get that they don't understand that right but if I can walk through and say that for example we didn't have to reimage 45 machines last week because we got in front of that particular piece that matters right if I can start talking about things in terms of FTEs and understanding man-hours right that helps

so that we have to sell those ideas sell those under things and communicate simply it's you know we don't want to get into the the layer different pieces we I don't want to talk about a layer one versus a layer seven versus a layer eight versus a layer three versus the pcap says this and I use this tool to do that that's great for us right but in communicating higher it doesn't matter yes let me say that one more time average to what average loss expectancy quite frankly I think things like VD I killed it and BYOD killed average loss expectancy right I mean we we write stuff off or we look at you know this

thing has been depreciated over X period of time and there's just a number that's affiliated to that one and it's a commercialized throwaway

sure but right and and and we as security is insurance when I was telling my this was a guy earlier on today security absolutely is insurance and I'm you know the to your point and I think to the point of the talk as well is okay if you wanted to say things based on an average loss great but come with metrics right with this happened last week and this is how many hours or what we had to do to get around that and this was the actual cost affiliated to that one now I can associate a baseline and as I move forward then I can say hey I was able to get in front of five of these guess what

you owe me seven hundred twenty five thousand dollars I mean it's ultimately what you're talking about is the communication strategy upwards so that it can be so that the board or the CMO or the CEO o can actually understand it at this point what I really want people to get out of this is just again start talking like those metrics and that understanding is exactly what where I want to see things go but first off we need to have a better understanding of being able to identify when that was this particular type of incident and we do want to capture those metrics and how do we get that data and then react tactically before we can start taking a

more strategic response and getting more of those budgets or chargebacks is the other fancy term for it any other questions yeah there's a big blaring light [Music]

so the for those that didn't I think everyone heard the question I don't need to repeat it good all right it's a good question I mean that the problem is is security tools security vendors are driven by the wall street piece where we have to try to drive numbers and we're looking to consistently replace someone based upon an it that's just the nature of the beast so I think your your best bet and this is a long-term play is again it's the metrics you know hey we did do that replacement and it did we save you know twenty thousand dollars when we actually go back and look at it can we try something different next time it's

there's no short-term numbers I can give you our metrics or ideas that would say I'm going to disrupt it that cycle but you can start building towards that and again trying to build some of that visibility and some of that information so you can become more tactical and more of a trusted adviser to the to the CSO and from there maybe be able to talk a little higher improve that we don't I don't need you to spend three-quarters of a million dollars on that next fancy new whiz-bang budget even though we have to show some form of improvement what if we did you know more of a process based work this year like let's let's take a

day off let's take a year off from buying something new let's say it's funny to me I constantly run into situations of you know the problem wasn't the tool it was the policy where it was the process or it was the procedure as anyone in here ever worked on a merger and acquisition with networks right how many times have you figured out that the network diagram didn't really reflect what the network actually looked like every single time right how many times have you seen something that that you were expected to see the alert and you didn't and it's because the route didn't actually go through the inspection device that you thought it was going to go through right

happen is all the time so trying to be able to prove some of those things potentially would help disrupt that buying cycle on buying the next of the level of whiz-bang won't solve the core problem that the network doesn't actually run through where it was going to go in the first place it's a level of visibility we have to get but it's a social and basically an architectural visibility not necessarily a packet or a risk or a patch or systems level visibility we've got plenty of those things right does that make sense or is that yeah I mean are we are we really going to fight in gfw right we throw ng in front of it and

all of a sudden - brand new we have to have it great they just but I think that's that that's the point right I mean it is the definition of insanity any other questions I think I am finished I might have run a little long I apologize thanks guys