
Naked Boulder Rolling

BSides Detroit · 53:10 · 282 views · Published 2012-06
About this talk
J. Wolfgang Goerlich talks to us about how to use business impact and risk management as a driving force for prioritizing security efforts, and does so in a funny light-hearted way.

Good morning. I'd like to introduce our next speaker, Wolf J. Goerlich. He'll be presenting "Naked Boulder Rolling." You heard it.

OK, thank you. Am I live on the mic? All right. All right, thank you very much, everyone, for coming. One other quick announcement I want to make is afterwards they're going to be doing the iPad drawing, so if you've got a business card you're going to throw in, throw it in after the talk. Don't leave now, and then they'll draw it out after we're done. Excellent, that's what I want. So today we're talking about information security management, but it will get more interesting than that, don't worry. My name is J. Wolfgang Goerlich. I am a security manager and a systems manager for a financial institution, an undisclosed financial institution. I love that word, undisclosed, right? Sort of like you're a superhero, you're flying around, you're like, no one recognizes me, because who could possibly figure out where I work if I say undisclosed? I think in this audience I'm pretty safe; no one could connect the dots. But yeah, I just want to state for the record that I'm here on my own behalf, not speaking for my employer, and do not, do not use naked boulder rolling for investment advice. Very important. I tweet on jdub g. us if you want to send me any questions or troll me, as I'm assuming some people have already started doing, and I also blog at jg. us on some of these topics we're going to be talking about today in much more depth.

And this is what a good friend of mine calls a NASCAR slide, all the things I'm involved with. Very pleased to be speaking here at BSides Detroit, and I'm one of the volunteers making this happen, so thank you all for participating, volunteering. I'm involved with the local Michigan security conference, the MiSec group. ISACA, ISSA, I attend those from time to time and am a member of those. Co-founder of OWASP Detroit, one of the lead developers on simti. I'm trying like all hell to get a CSA group in the area, so if anyone's interested in cloud security, tweet me, see me afterwards.

And before I joined this undisclosed financial institution I was a consultant. I loved being a consultant. Consulting was a lot of fun. You know, there's a problem, right? You parachute in, you solve it, they give you a check, you run away, you put your glasses back on, they can't recognize you. I loved being a consultant. A couple things consulting taught me about security, right, was that, hey, security is technology, it's the blinking box. I want to check my passwords? Sure. I'm concerned about data loss? I got a DLP system I put in your office, no problem. So I learned a lot about security being technology. I learned

security as practices, right? You do the best practices, the right things in the right way, and the boogeyman won't get you. We're safe. I love that. And security is also project based. As a consultant, what you do is you get a call: yeah, we've got the system, it's going live, make it secure for us because we've got to go live next week. No problem, we can do that. But of course this mindset doesn't really work well as I jump from being a consultant into managing security, and I think we've all seen throughout BSides Detroit there's been a lot of talk about people in... inside jobs, people doing information security, the burnout, the stress, what have you, because it can really pile up, right? I mean, if you're trying to maintain security, manage security as technology, practices and projects, it's a lot of work, a lot of effort, and you can really start to feel burned out.

And I also think it has to do with how we think about security, right? So I'm going to give you a couple sentences, and raise your hands if you agree with this. First one's pretty simple: it's not if a breach will occur but when a breach will occur. Are we all pretty good on that, right? You know, it's not if but when; the bad guy really will get us no matter how best your best practices are. Well, how about this one, though: we're all but one breach away from unemployment. Does everyone feel like that? Absolutely, absolutely. So it's not if but when the bad guy will get us, not if but when one will get thrown under the bus for it and then have what L calls an RGE, right, a resume generating event. So you have a resume generating event, you get breached, you don't want that to happen. You're in a new job, like I was when I joined this financial institution, you're like, I am not going to get breached, I'm not going to be a statistic, I'm going to be in this job five years from now. OK, so what am I going to do? I'm going to secure everything, right, because I know technology is security, I know practice is security, we've got projects, I can do projects, I was a consultant, I got this.

So you try and secure everything you have, and then it gets worse, right? Because wait a minute, security as practice, what does that really mean? It means being hands-on, right, being full in, full on, attending conferences like BSides Detroit, after the conference going back, digging in the material, knowing your systems very intimately, knowing them inside and out. It comes from training and research, right, like we're doing here. It comes from playing in the lab. It comes from building your sand castle in the lab and then kicking it over, and then taking

what you learned and building a stronger sand castle. And that's all fantastic stuff, and it worked great, I would imagine, if we had a mainframe that we're responsible for, or maybe a server, or maybe two servers and the firewall. We might get away with that, but it's just too much, there's too much today. And these stats come from the internet, and I was told as a manager the internet's always right, and they also come from my personal experience when I'm talking to a security professional, a full-time security professional. They're like, yeah, look, I got like 5,000 devices to support. OK, all right, that sounds like a lot. Well, how about employees? I got, you know, a thousand employees who are doing who knows what all the time, and I'm supposed to keep them all safe. And OK, so do you have any support on it? Well, not really, I got 20 IT people who are doing things, and that's great, but are they doing the right things? I don't really know. And I ask them to do the right things and they say, yeah, we'll do that, but it really does work better when everyone's administrator. So there's a lot going on.

If you do the math too, if you look at 5,000 devices, you say, I'm going to secure all systems, you know, I'm going to go all in, you say, I'm going to work 12 hours a day, I'm going to work 365 days a year, who needs a vacation? I'm in security, we don't take vacations; that's what our conferences are, and that counts as research, so that's OK. If you do that math, you've got 5,000 devices and you want to learn each one of those devices intimately. You do that math, it means you get about one hour a year to spend with that device and make sure it's really secure. So you get one hour. Sounds great, right? In January I spent an hour with that system, and in December that means it's still secure, right? Nothing changes. But we've got a lot going on, we've got a lot changing. These actually are good stats because they come from McAfee. Woo! 2011, they saw a thousand new malware forms appearing every single day. They saw 100 new vulnerabilities appearing every single day. OK, and the news articles, what's going on in the world, somewhere between 100 and a thousand things we need to read.

I did an experiment back in 2008 when I was starting to get stressed out, and I did an experiment. I took a vacation, which was great. No, the experiment wasn't the vacation. The experiment was, over a two-week vacation I let all my news feeds pile up, every single article, every single blog, every single email, let that all pile up, and I did a statistical analysis and said, OK, if I read so many words a minute, how long would it

take me to read all this? OK, cool, so two weeks of reading would take me about a month. But all right, that doesn't really tell me much, because what if I really wanted to understand it, you know, be full in, be hands-on, secure all systems? I don't just want to read the stuff, I actually want to play with that in the lab, make sure I understand what they're talking about. You know, I saw Jim Manico's talk and I thought that was awesome and I want to write some code to do that. Well, that takes a little bit longer. So I took two weeks and I spent day after day afterwards, you know, in between my normal duties, catching up and studying it and actually learning it, making sure I knew everything that happened. So, two-week snapshot, everything that happened, and I found on average it took me four days per day of new news. Oh my God, no wonder I'm stressed. Monday I'm four days behind, Tuesday I'm eight days behind... seven, OK, thank you, yeah, subtract the one, thank you. We flew in support from Chicago. And by Wednesday, OK, subtract the one, I'm several days behind, and that's when you get the call: yeah, secure the system because it's going into business right away. You just can't keep up, can't catch up.

And that's where I started thinking about information security as a Greek tragedy, right? If you think about a Greek tragedy, what do you got? You got three acts, OK? You got your... sister, so... I mean, no, you got your god who has brought in the hero who's going to do something, OK? So god's doing something, he's putting all his effort in... I'm sorry, the hero is doing something, he's putting all his effort in day in and day out, he's working his hardest. You know, it's not if but when: by the third act the bad guy's going to get him. He dies, he gouges out his eyes, whatever it may be. And that is security today. That's, I think, where a lot of people are, and that's where I felt like I was in 2008, eye-gouging... thank you... or Sisyphus, right, I'll gouge... or Sisyphus with the boulder. You know, the guy with the boulder: every morning he rolled the boulder up, and then the gods put it back in the valley, and then he did it again. Which wouldn't be too bad if you only had one boulder, but the reality is, as information security professionals we don't only have one system, we have hundreds of systems. Yeah, oh yeah, go ahead, I know you want to. So we got hundreds of systems that every day we're coming in, we're pushing up a mountain, right? Hundreds of systems that we come in, we get all our systems as secure as possible. When they're on top of the hill, nothing in the valley, if

if possible. Realistically it's a spread. And what happens overnight? A thousand new pieces of malware. What happens overnight? A hundred new vulnerabilities. What happens overnight? Your email box is full and your RSS feeds are full with a whole bunch of tips and tricks and things you've got to do because they found new ways to kick over your sand castle. You come in the next morning, the boulder's back in the bottom of the hill, and you start it again, and you do it again and again and again.

I first brought up this concept, I was thinking about security as a Greek tragedy, at GrrCON last year. At GrrCON some people trolled me, you know, maybe, maybe a little bit. I'm not going to name names or point anyone out; I don't think it'd be right to troll the trolls. It is possible you may be able to find them. Hi, hi. And of course Google's your friend if you want their personal information, and if you have any trouble with that, come see me. Yeah, right. So one of the things that caught my attention was, they're like, you know, in the business track over here at GrrCON, Wolf King's telling us all about naked boulder rolling, woohoo. Like, no, you guys don't get this, this is the Greek tragedy, right? You guys are the heroes and the bad guys are going to get you. It's not if but when. It's not naked boulder rolling, come on. And they kept at it, they kept at it, and a year later we're here and they're still keeping at it. But you know, at some point, call it Stockholm syndrome or whatever, I kind of gave in. I'm like, you know, I can kind of see that. OK, security is boulder rolling, I can get that, I can get that. And besides, you know, defense is the new sexy, we're all talking about hack naked, thanks to PaulDotCom.

So all right, let's talk about defending, and what can we learn from security as naked boulder rolling? If we take this approach of security being naked boulder rolling, what can that tell us about why we're stressed and how can we get out of the stress situation so we can do a better job? And of course naked boulder rolling really covers, if you're taking the project approach, if you're taking the technology approach, or if you're really focusing in on that from information security... it doesn't touch that other one which I was talking about earlier, which is as a consultant you get hired to say, hey, something needs to be secure, can you fix it? So in terms of projects, if you think about security as projects, well, when you're an internal guy, best case scenario, they call you and they say, this project's going in, and oh, you can take as long as you want to make

sure it's right, and if you find anything we'll kick it back to the vendor and they'll fix it, right, and then it goes in. That's like the best of the best case scenarios. Has anyone ever had that happen? No, no, I don't think so. Well, realistically what it is is, yeah, hi, security, it's Thursday, I know, but the system goes live on Friday. Oh, and yeah, they told the board, and the promotion material is going out Monday morning, so just do your security thing, just make it work, right? Yeah, just do your security thing, make it work. Even if you get the best of the best possible situations, you put the system in place, what happens? Well, I've put this project in place. I saw this those times as a consultant: I put it in place in January, they had me back out in September. Why am I back out in September? Well, because it's been breached. Why has it been breached? It was secure when I put it in, right? We have a time of check, time of use issue, right, TOCTOU, because you put it in securely, and then what happens? You got those 20 administrators going, yeah, we've got to enable this functionality and I can get it done if I make everyone administrator. And what do you mean, input validation? We just had to get this code written. So security as projects is too short, and it doesn't really fall under the naked boulder rolling.

So I started thinking about how could we explain that. Jeff Rich is the chief risk officer at ler Technologies, and Jeff Rich was on the White Rabbit podcast a while back. Real smart guy, and he said something I thought was pretty interesting, so I sort of stole his idea, but I am giving him credit. He said, look, you got a project, your business is full in on this project, they're putting in all the effort to make this project work. You got stakeholders, you got customers, you've got vendors, you got people whose careers... I don't even want to know what's on Twitter right now... you have people whose careers are, you know, tied to the success of this project. And right about the time the project is ready to launch, that's when they call you, security, and say, hey, yeah, hi, we got a project we're launching tomorrow and we're rolling the boulder off the cliff. Make sure that lands on the right spot, OK? Do your security thing. And that to me is security as projects, right? Security as projects is, not only are we rolling boulders, but they're flipping throwing them at us. We are boulder catching, and then we wonder why we're stressed.

So I started thinking, OK, if my mindset as a consultant is not working, what can I do to have a mindset

shift to be a little more effective in delivering security? What can I do to understand a little bit better, as an information security manager and hopefully one day as CISO, how to really do information security in a way that's making sense, that's having an impact, that means that I do get to take a couple vacations once in a while, I can break away from the office to come to conferences like this? What needs to change? What I found was three main mindsets. One is security business alignment, another is risk management, the last one is life cycle management. For about the next half hour I'm going to go into each one of these three at a very, very quick pace, and then afterwards I'm going to round out the hour, look at my project du jour and show you how this all comes together in a project I'm working on right now.

First one is security business alignment, right, because when you go to your CFO and you say, look, I just need more blinking boxes, they make that sucking noise that sounds like money. If you're doing naked boulder rolling, you've gotten really good at the boulders. If you're a security consultant or technologist, you've got really good at the technology, you know that technology inside and out. What may be missing is the hacking of layer eight, right, the carbon layer, PEBKAC. What's interesting is we don't even necessarily call them people anymore, but yeah, there's people at the end somewhere that are doing something. So what I thought was pretty cool was the concept of social engineering your organization for your organization's own good, and I don't necessarily mean lying to them. Of course it was kind of fun when we were doing the Rats and Rogues podcast, we had Dave Kennedy on and we're doing the pre-talk, and Rattis is a little bit of a troll himself. He's like, so, Kennedy, I hear, you know, we did a survey and social engineering is all about deception, right? ReL1K went on for about 10 minutes. It was great. Only 10 because I said, oh, we're almost out of time.

But so yeah, I'm talking about leveraging people skills. We had some great talks in social engineering, we got some more later on in the day if you want to catch them, but leveraging people skills to make things happen. But not only that, but, so OK, people skills are fine and good, but what are you going to do with those people skills? In terms of social engineering 101, I mean, this is what most people think of social engineering, right: there's no patch for human stupidity. But I think we need to get beyond that. I think we need to look a little bit up the ladder, what I call maybe a 200-level class, all right,

which is doing things like having a clear goal, speaking the language of the business, finding alignment, figuring out what your CFO wants, and now you can get him what he wants so you can get what you want. They're pretty simple things. There's a thing going on on Twitter, on LinkedIn, called SecBiz. Who here has been following SecBiz? Anyone? OK, a few people, great. There's actually a workshop, for the first time ever, I don't know if you guys knew this, but it was great: the first SecBiz workshop ever was at BSides Detroit yesterday, which was fantastic. We were pretty excited. Yes, thank you. And it actually started with our two keynotes, Dave Kennedy and Rafal Los, going at it over Memorial Day over Twitter, and of course it grew from there. But the concept here is how do we deal with the bifurcation, the growing bifurcation in information security, between aligning at the top with the people who are making management decisions and getting the buy-in and the sponsorship and the money and whatnot, so that when you do the technical controls you can do a good job.

So in terms of a mindset, SecBiz, you're talking about hacking people first, right? You're talking about going to your business, talking about security, not saying, look, I was at BSides Detroit and there's this really cool talk about an Apache vulnerability, we really should dig into that, can I have some money? I want to do some dev. You know, you're not going to get anywhere with that. One of the SecBiz concepts, again this comes from Rafal's podcast, the concept we talked about was the trucks, right? So if you're in a trucking company, you talk about the trucks. I'm in a financial services company, I talk about the funds. I very rarely say, look, there's this real scary thing, we got to do something, the Chinese are out to get us. It's usually more like, hey, how can we protect assets under management, how can we grow assets under management, and do that in an IT security function? And that gets to aligning at the top so we get that buy-in, and then aligning at the bottom.

The other thing that kind of tripped me up, and I think contributed to that whole, you know, secure all systems mindset, was as a security professional I came in and I'm like, this is great, I'm here, Superman, I will do everything. And then my IT guys are like, well, what are you touching our stuff for? And then pretty soon they're like, don't tell Wolf anything because he'll want to change it. So aligning at the bottom necessarily means, you know, the people who know the technology the best are the ones you want to engage, involved with the security process. Make them the advocates for the security team. A great conversation I had on that topic was

with one of my software analysts with a vendor. And OK, so if we're sending data, right, and you're a security manager and you say it needs to be encrypted, and they say, OK, no problem, we're going to use end-to-end SSL for our web services. That sounds pretty good, right? That sounds encrypted. So as a security manager, if you don't know the technology, you're on the phone going, uh-huh, that's great, yay, let's do it. My software analyst, again, aligning at the bottom, who's responsible for security? Everyone on my team has a security component. I've got development rolling up to me and IT rolling up to me. He soft pushed back, he's like, OK, that's great, you know, gold star for effort for web services, but you realize once we do that web services call, you're sending us a file over FTP with a clear text password? Oh, I didn't know that. He did, which was good. The vendor's like, yeah, OK, so we went back and forth, like, fine, we'll do SFTP. Great, my analyst was like, OK, that's good. They were not done. My analyst was going, well, what about PGP encrypting the file? No, wait a minute, we've got web services, we've got SSL, we've got SFTP now thanks to you, what do you mean PGP encrypt the file? What are you guys doing with that? He's like, I don't know what you're doing with it on your server, do you know what I'm doing with it on my server? Uh, OK, fine, we'll do that too. That sounds good.

And those are the types of things that he caught because he's in it, he's the one who intimately knows it, he's the one who's spending the time with the system. As a security manager I had no clue, no clue. I'm like, oh yay, SSL web services, sounds great. So by working with the team and getting them to do the work, it's much, much better. And that, in a very rapid clip of security business alignment, what is key about that is to begin building the reputation for someone who gets things done, begin building the reputation with your security or your IT team and your developers that their efforts are valued and they have a stake in it. You know, begin building everything you need for the next two things, the next one being risk management.

Risk management is all about keeping our jobs: protecting the organization's ability to perform its mission, not just the IT assets. I love that, that comes from NIST 800-30, right? So risk management is all about saying, OK, we've got all these blinking boxes, they're great, what do they really mean, and what is the organization trying to accomplish, what are its goals, and focusing on that. Of course the

problem with that is, that sounds great, right? All right, everyone go back and find out your tech stuff and just make sure it makes sense to the business. Go us. Wait a minute, wait, we got a thousand employees using hundreds of systems, right, running on 5,000 devices with 20 IT people doing who knows what, who knows when, who knows why, hopefully in a secure fashion, right, if you've started doing the alignment, more likely just because I got to get it done real quick. And it really begs the ultimate question at this point. If you're talking about prioritizing, the question is, what the hell is this stuff? I got this blinky box, it looks great, it's got connectivity, my backup guy says he's backing it up, I've got an asset assigned to it, yay. What does it really mean to the overall organization? That's really the question that we've got to answer.

So again, looking at social engineering for some guidance: having a clear goal. The clear goal, I think, needs to be asset identification, business process identification, having the business talk to you about what your goals are. What I thought was interesting was, in the SecBiz workshop some people, we had, we, you know, find out what your organization's goals are and how they map to IT. Some people are like, yeah, we asked and they told us that's none of our business. Oh, that hurts. So how do we get executive sponsorship to ask those questions, to get the business units to spend some time with us and get things done? And the way I was able to do this was by leveraging business continuity. In my organization, circa 2008, 2009, it was, well, OK, a fire can get us, that would be bad. Asteroids. If an asteroid strikes and levels our data center, it's a smoking crater, that would be bad. How do we keep in business? And don't tell me about all this hacker stuff, because every time you do that you want to buy a blinking box. But let's figure out... no, you know how this goes. Let's figure out what we can do to continue operating in the face of a natural disaster. So I'm like, great, I can do that, woohoo, let's do business continuity.

And business continuity is one of the 10 domains of information security, so for all the CISSPs we get a star on our forehead. It's something you never, ever hear at an information security conference, unless you get Rickrolled by looking at naked boulder rolling. I wonder what that's about. Oh, it's business continuity. But this is quick, I promise. One of the things I like about business continuity as a solution domain is it abstracts things very nicely, OK? In terms of rolling boulders, when I first started on this process I'm

like, look, no, no, really, it matters if it's a Dell, HP or an IBM server, and it matters if it's Windows or Linux, and if it's Linux it matters what kernel it is, and let's capture all that documentation. And then you get this big huge book and you're like, look, guys, we want to go through this with the business, and then no one attends your meetings anymore, which is bad. So I like that business continuity keeps it at a very high level: technology, application, connectivity. Here's an example from one of our maps. We got a couple servers, they're delivering a couple applications, they need a data center, those applications are being used by research and client services. OK, fantastic. What does client services mean to the business? What does research mean to the business? Rather than what does a blinking box mean. Because we can map everything up, and once we know that, once we've got that mapping, we can then begin to look at impact analysis, right?

So if things are actually down, if there is a smoking crater, what does it really mean? I use a very simple 4x3 matrix, which is app down, server down, site down, communication down; same day, short term, long term. I promise you I'd go through these quickly because I won't talk too much about business impact or business continuity. What is important is business impact, which is just to say, if you know what you have and you know what business function it's supporting, you can begin to ask the very simple question: what monetary value does the organization place on that, and what strategic value does the organization place on that? In terms of upside, right, are we making money with it, is it a lot of money or a little money? And in terms of downside, if it's down are we getting fines, or breaching our... things of that nature. So impact analysis is great because it begins to prioritize things. Anyone want to go through a... no, probably not. OK, sorry, you guys got to come to a MiSec meeting. Plus you're trolling me, I don't listen to you.

The key insight that I loved from business continuity, and it was like, you know, a mirage in the desert as I was lurching towards it, is this right here, which is: a disaster recovery budget must not exceed the value of that which it protects. Put differently, we shouldn't spend more time on things than what they really matter to the organization, through a business process to the overall company. And I love that concept. In the past, if you're trying to boulder roll, you don't know what anything means. All you know is you got to roll as many boulders up before you go home, go to sleep, and everything's back in the valley. But if you can start to say, OK, what does this stuff do, which

ones are important, you can start to make better decisions. Business continuity was a very easy way to do that. Of course business continuity is only acts of God, right? The tornado didn't purposely aim for you, the fire didn't purposely burn your building alone, the flood didn't just hit your server and leave the rest of the building. Unfortunately in security, as we know, that's almost never the case; there are usually people who are out to get you. So what happens when you do get breached, not if but when? What happens if you do get breached, how can you make sure when you get breached it's not... that the organization continues, and more importantly, to you personally, probably, that your career continues and that you don't get thrown under the bus as the security guy who let something bad happen.

So we started looking at risk management to do that. Risk management is similar to business continuity, but only instead of just looking at availability, we start looking at confidentiality, integrity. It's also one of the top 10 domains, two stars, CISSPs, we're stacking up the CPEs, it's so fantastic. And when you prioritize your assets it's not only, in terms of business continuity, about just what it's doing, but it's also things like, hey, what compliance issues may occur. I'm in financial services, that's a big one for me. What vulnerabilities may occur? If you listened to Derek Thomas's talk yesterday, you know about all the vulnerability management side of it. And, you know, what are your threat agents? Again, natural disasters aren't aiming for you, but the bad guys are, you know, your competition, your internal threat, your hacktivists. As a quick aside, why is it that hacktivists always want to go after Sony and financials? Leave Sony... well, you can keep hitting on Sony, but leave us alone. Ice cream places, great. If you're watching us on the stream, pet shops, no, you know, just pick some other one other than financials. What? All right, don't hurt the puppies, but any industry other than mine is good. Pick, roll the dice, get like one of those, you know, D&D dice. Are you naked doing that? You are, sir, and do not post pictures. Next year, naked dice rolling. Yeah, naked dice rolling, that's my next talk apparently, and it will include business continuity for you guys to warn.

So bad guys and bad things they can do to you, and of course your vulnerability management. Now earlier when I started I mentioned I was taking, you know, that security is technology, trying to touch everything and know everything inside and out, and it drove me nuts, and I'm not talking about that when I'm talking about vulnerability management. What I like about vulnerability assessments is it's something you could do in the afternoon. It's something that can point

you in the right direction. It does exactly what I need to do, which is tell me where my weak links are in the chain, right, tell me where my weak links are so I can focus my time on those. And then we can begin to determine, OK, those are my weak links, there's my assets, what do they really mean? And there's some great things to do about, to do that. For NIST 800-30 you're looking at things like what generates the most revenue or profit. I like that from an IT operations side, because I can say I enable the business. How? By spending your money on blinking boxes. That never goes over well with my CFO. I can say I enable the business because this technology that you're paying $100,000 for drove a million dollars in revenue last year. That is a great conversation to have, and you can do that with risk management. ISO 27005 looks at things like loss of customer confidence, your reputational impacts, and a lot of people are very concerned about that. Or FAIR, which looks at things like your lost productivity and whatnot. So you look at one or more of these domains, or a blend thereof, and you begin to figure out what really is important to the organization's mission, what's really important to the organization meeting its quarterly, annual goals. That technology is fine. Now, all those technologies, what really has got some known issues? OK, those are the boulders we want to focus on.

And again, the corollary to business continuity with risk management is the cost of security must not exceed the value of the assets it protects. Put differently, don't spend any more time on it than it really matters. I mean, if it's a small boulder down here, don't roll it all the way up the hill so you can feel good at the end of the day, which I've done. Don't do that. So, and then you can take a risk-based approach. I love a risk-based approach. When I'm in my organization and we're in a meeting with the higher-ups and they say, you know, I don't think we need to do all this work, we can take a risk-based approach, that's great. That's like, OK, my list went from 100 things down to 10. Score. Because what's interesting is, you know that whole Pareto chart, right, which is 20% of your stuff delivers 80% of your value. Most of your stuff doesn't really do much, I mean, it's a necessary evil. So if we can prioritize our efforts we can limit down the amount of stuff we need to worry about, and of course then we can begin to remediate.

From a security perspective, remediating after the fact is always painful, and I'll get to that when I start talking about naked boulder catching. But when we're boulder rolling, of course you remediate. What's that do? That breaks stuff, and now you've got to talk to your ops guy and say, yeah, I broke that. Or me, I'm a dual role, so I close the door and I yell at myself. Is that all you do? Yes, in this slide, yes. So is that all I do? Yeah, this is a tough crowd. So no, so you want to remediate. When you fix things with security controls, you're going to break things, and then you get back into that bad reputation of the security guy who breaks things, right? And if only we don't tell him about it, he won't break our stuff. So that's really the key thing is

to do lots of communication prepare people break it at the right time um Etc so that's a real rapid Pac look at risk management I think risk management is one of the key ways if you shift your mindset to be more effective in

security. "You just lost a CPE, mister, turn in your badge." I would argue that business continuity and risk management is the new peanut butter and jelly. Why? Because they go together well. There's a lot of complementary information there. If you're in a mixed role like me, you can perhaps leverage your business continuity efforts downstream. If you're not, you need to talk with your operations guy, because he probably has a lot of this information about what the stuff really means that you can use in your risk management program. In my case I called this the falling asteroids hack, because I leveraged the concern that, literally, they said, well, what if an asteroid hits

us? So, okay, it's a falling asteroid attack, let's talk about that. What was curious to me is that risk management is a whole new thing to financial companies. I did not know that. "Hey, we need to do risk management." "Why? We got a whole floor of PhDs who do that, and they're quants." Okay, so risk management did not go over well in terms of IT controls with my management team. Business continuity is something... so for me that was a way in. For you, there may be the same, or you may find your own way in. Again, it's all about leveraging social engineering. Once you do that, once you can get out of boulder rolling and see the

hill for the boulders, or the forest for the trees, what have you, you can again look at the overall security posture. Overall security posture is very simple. That says, look, I got my most important boulders at the top. Even if you got the same number of boulders, same number of systems, and if you got the same distribution between the ones that are pretty weak and ready to be popped off by activists and the ones that are tight and secure and, you know, rogue states would be needed to get into them, if you got the right distribution between what's important to your organization and what's not, you're not going to get hit by the bus, right? "Yeah,

we got hacked, and we caught that, and we remediated it, here's my report." It's a much better conversation. "Oh, and it meant nothing to your organization, just letting you know." It also means rolling fewer boulders farther. If you're trying to brute force all these systems and you only get an hour every year with them, you're not going to get very far in terms of securing them anyways. But if you can spend 20, 30 hours of your week focusing on the areas that mean the most to your organization, and then spend the rest of your week doing other things, you're going to be in a much better spot, and you can use that time for things such as

life cycle management, which we'll talk about next. So in terms of boulder rolling, right, your technology, your security technology or security practices, that's covered by risk management. In terms of boulder catching, right, they're throwing things at you: hey, it's Thursday, but the project's got to go live, like, right now. That's where life cycle management comes in. Life cycle management is all about baking security controls into the entire process, right? I did that intentionally, so we got to get hungry. Get more hungry. And wait, no, it gets worse. So if you imagine a bakery, okay, this bakery, and you got these great smells and you've got a thousand employees, I mean a thousand customers, right, who are depending on you,

and you've got 20 bakers who are all hard at work, right, and you got one security professional. Would it make any sense if you told that security guy, look, we're going to bake the bread and, like, five minutes before it's due to the customer, you add the flour? Yeah, that would taste real good. How? With flour? Disgusting. You would never, ever, ever add flour after the fact in the baking process. You just won't do it, it doesn't make sense. But for some reason we as an industry seem to think, oh, we just add security after the fact. And actually we had one of the people here at BSides, right, who had a tweet on this just

last week. They had a message from their project manager, like, "oh yeah, got a message from the project manager: we don't do security, your job is to add security when the project's done." Ouch. That's common, everyone knows that, we see that all the time. So what can we do to get out of that? Well, the way we do it in our team is we slice a project up this way: 20% of the time and the budget goes to preparation, design, training. That's analogous to your boulder rolling, right, you're really getting deep in the system, and instead of the security guy doing that it's the actual people doing the work doing that. And that's pretty key, because if you look at

Verizon's threat report, if you look at any of these threat reports that come out, people are not getting popped and people are not getting fired because of something scary that happened, you know, that they heard about at a BSides conference. It's usually, yeah, the IT guy put that on the DMZ and wanted people to get access to it, so he just dropped the firewall, you know, or gave everyone admin access. Things are great. These are usually typical configuration issues that, if people are responsible, educated, trained and measured in terms of performance on security, would not happen. So we have preparation up front. We spend 70% of the time implementing. Most businesses, when they think of a project, that's all they

think about, is implementation, right? We heard someone in, they did it, it's done. Well, there's prep work, there's work after. And then we have security: 10% of every project budget, 10% of every effort that we go through, minimum, is dedicated to security. But that's not after the fact, even though that's what it looks like in the slide; that's integrated, baked in throughout the entire process. I'll show you guys what that looks like in terms of workflow. This gets back to my assigned responsibility at the bottom, aligned deliverables at the top. The best quote I ever got, best compliment I personally think I ever got as a manager, came about a couple months back when I was

preparing for a DevOps interview. I'm like, well, what do you think has really changed from how you used to do work, when you had, you know, a different management structure, to how we do work today when you report to me? He said the number one thing that's changed, the number one thing that's different, is I now have the time, the resources and the support to do a good job. And I love that: to do a good job. And that's not just, yeah, I came in, I did a good job, yay me, but it's more about doing things in a rugged approach, right, so that if things get attacked, if something breaks, something goes wrong, there's bad inputs,

a user has done something amiss, that the system stays up and stays operational. To do that, of course, you got to have good alignment at the top. I know that goes all the way back to the beginning with social engineering: you have to make sure from the CEO on down that you got the support to implement this. This gets back to the Rugged Software Manifesto. Has anyone looked at this? Any? Oh, come on now, guys. No one, really? Serious? No? Oh, are you just being nice? You're drawing me... oh, okay, I never know with you. So I got the URL up there, check it out. Josh Corman is one of the lead guys on this, he's worked on this. What I

like about the rugged software approach: they've got a whole manifesto, and they're working on, like, I think a 60-page operation book for DevOps teams. So from a developer perspective, all the things we listened to with Jim Manico this morning at his keynote, it's like, well, how do you instill that in the developer so that when they're making code it's coming out the right way? And my team uses this Rugged Software Manifesto because it gets you, you know, "it's good what I do, I built stuff good, I built it rugged, it can withstand anything." From a social engineering perspective, what do we need to do to do life cycle management? Again, it's all about getting the sponsorship up top

to do this. It's all about making sure security is in scope. If you think about the project management triangle, right, scope, time, budget: if you got security in scope from the beginning, that means what? Time and budget for training for your team, your developers, yourself. Security's in scope, that means time and budget for internal security review. Have security in scope, that means time and budget is available for external review, for pen tests, for red teaming. So it's vital that we get that out of the gate. In terms of the SDLC: training. This is just a standard waterfall model. Training, as we already talked about, is 20%, doing it right. Requirements is all

about, from the time you did the business case on down, we're communicating with the business in a way that makes sense to them. Talk about the trusts, talk about the funds, so they know that security is going to be a component of the overall quality of the system. When you design it, it's baking in the security controls, doing your threat modeling, really. And I am skipping ahead really quickly. And when it's all done you put it in place, and you integrate it with what I talked about earlier, which is business continuity, business impact analysis, your risk management process, right? Maintaining the vulnerabilities and maintaining the configuration. The key here, in terms of security projects, in terms of naked

boulder catching, is to have a process that, when systems go in place, you've gotten way ahead of the boulder, so that you can do everything you can to make sure that it lands securely in the right spot in the hill. You're in a good position then to maintain it over time, and maintain that security as close to the desired state as possible. Put differently, that means, you know, boulders have a controlled landing, right? They go where we want them to go. Those are really the three main things that I had a mindset shift on, starting in 2008, and now I approach security entirely differently from a management perspective. One example, a case in point, is a system, a

project I'm working on right now. Before I go into this, I'm going to say: ask your doctor if SDL is right for you. Everyone likes to argue, especially some of the people up here in front, so go ahead, argue with me, that's fine. I oftentimes call these Coke or Pepsi questions, because they're like, oh, you know, I picture people with their Coke bottle coming up to me with their Pepsi bottle: you need to drink Coke, if only you had bought product X things would work great. So go ahead, argue with me, that's fine. Don't be surprised if I don't tell you you're right, because there's multiple ways of doing this. And it's funny too,

I put on Twitter, I'm like, you know, it's a Coke or Pepsi question. Instantly: "secure Julio? No, it's RCA, man, you've been doing it wrong." Ouch. Scott Thomas, follow him, he's got a good career ahead of him as an infosec pundit, I can tell. So my case in point, my case in point is a website. My website has this lovely nugget on it. Website says "site optimized for IE5 with 800 by 600 resolution." Excellent. Yes, most excellent. That's like a big sign saying, hey, activists, come get me, I'm a financial. I hope you all appreciate too the attention that I went through to actually find IE5 and screenshot this, but I do kind of like that,

because it makes me nostalgic, you know, for happier times, simpler times, when you didn't have all these web browsers I couldn't pronounce, people weren't carrying around, what's a tablet, I don't know. Back when you could tell your client, run this resolution, this browser. That's a great thing. But of course, what comes up must come down, and sometimes when it comes down it comes down hard, which always reminds me of the Six Million Dollar Man crash. There goes our website. But don't worry, we can rebuild it, we have the technology. So we started a project to rebuild the website. But if Steve Austin reported to my firm he would get, like, the bionic leg and the

walker. So do it, do it affordable. Okay, Wolf, all right, we can do that, we can do that... or a wooden peg. Yes, thank you, sir. So again, through the SDLC process and the requirements phase, we knew right away that we had to have this website secure. People are going to try and tear this poster down, right? So we had to have this website come in secure. So from the business case to the RFP to the final signed statement of work, we made sure that security was included. Why? So we have the time and the budget to do security. But we didn't do it by saying, look, guys, did you see Jim Manico's

talk? I can send you the link. There's some really scary stuff you can do with cross-site scripting. Which would have worked great for my developers, and they would go "yay, rugged," but it doesn't work well with my business unit. So we talked about the funds, we talked about protecting assets under management, we talked about growing assets under management, we talked about holding the vendor who's writing this code accountable. We're paying them an ungodly amount of money, they better be writing high quality code. Well, how do you know if it's high quality? Well, I'll tell you, we'll bring in a company, we'll test the quality of the code. Ah, okay, let's do it. We also got a letter of attestation as

part of the RFP process: under their SDLC, how are they running software secure development, are they following a secure development life cycle process? And if they're not, I don't want them working on my stuff. And we got, which is key, a letter saying we will build in controls to address the OWASP Top 10. We'll address the OWASP Top 10, and if it's not addressed, we've got to fix it, that's on us. Why? Because that's outside the scope, we didn't do something right. Which is fantastic. And we got a budget to bring in a third party to do code review and to do system testing. And we did that all up front, well before the boulder was even, you

know, a real boulder, while in the process of just writing the business case. Then we did the impact analysis: what's really going to happen to this system when it goes live? Obviously confidentiality, not so really important, as a public website. Availability, pretty important on a day-to-day basis, we need it up. If we're in a DR scenario, probably not so important, because it's not tied to a key business process. So it's important for the overall organization's, you know, six-month, 12-month mission, but overall it can be down a little bit without costing us too much money, which is good. So we found our DR tier, we found our confidentiality, then we got to integrity. With respect to asset

management, even though we got a website that's completely separate in every meaningful way from a trading system, if that thing got breached and popped by activists and there's a picture of a boat or whoever on it, the obvious question is going to be, wait, why, who am I investing with? These people, do I trust them? Why a boat? WikiBoat? Oh, Lulz, not WikiBoat, LulzSec, there you go. We get attacked. So we went and we made sure that we followed a very rugged process to make sure that we had a high degree of integrity. And one of the meetings we had, and I really enjoyed it, I had my software

developer and their software developer, and they're staring eye to eye, and I felt like I was sort of watching, like, some sort of, you know, Clint Eastwood movie, and I was like, oh, this is going to be bad. And their guy's like, look, we don't need to do input validation. What do you mean? Why not? Well, you're giving us the data, we trust you, that should be your responsibility, right? No. And my guy's like, look, we need to do this project right, and what's going to happen is, I don't know how, but sometime next year we're going to send you bad data. I don't know how, I don't know why, but it's a given that sometime next year

we're going to have an operational concern, we're going to have a security concern, we're going to have whatever it may be, and you're going to get bad data. On a good day, 364 days a year, you're going to get good data; that'll be tens of workflows that people will process through their normal efforts, which would be great, fantastic, no effort needed from IT. On that one bad day, you're talking about potentially thousands of workflows, each one of them needs to be manually checked, the normal process that the business is following needs to be put on hold, the IS team needs to be pulled off whatever teams they're on, and we're going to have one to two very long days, followed probably

by some unpleasant meetings. You absolutely, positively need to do input validation. And again, I go back to rugged DevOps. That's just the way now my team thinks, right: things are going to go wrong, so bake it in early on, so when things go wrong the business doesn't notice and I don't need to be up all night. And I think that's critical, critical. In the design phase, we also kicked the documents, the final design documents, over to a third party. We reviewed them internally, kicked them over to a third party to make sure we didn't miss anything. We actually did miss a couple things, so it was a very valuable exercise. Some of the controls they felt were pretty weak for the OWASP Top 10, so we

strengthened that before it went into production. On the app side, I am using Windows, so, like I said, Coke or Pepsi for me, but we're using hardened Windows. We have a true multi-tier infrastructure with different segments on the network, we're encrypting everything wherever possible, we got IPS on the uplinks. And once we got all that designed, again we reviewed it internally, meaning I reviewed it after my team designed it, and then I kicked it over to a third party and they reviewed it. So we have a high level of attestation on the app side. And then we started implementing. Okay, so in implementing we're using the Microsoft SDL process, which is free, we're downloading it, it's got a whole bunch

of templates, it helps us out. The spec includes the security controls, which is key, so they're building the controls in. Some of the things that Jim Manico talked about earlier today are in from the ground up, so they tell us, to make sure that it actually is. And we've got a third party again doing code review at 50%, 75% and then 100%. They do code review and then they attack it. And also I should state it's not just code review; as you know, separate from the business, it's part of the UAT and our RFP, so we do functional testing, we do security testing, and if it doesn't pass both, guess what, you're not getting paid, and

you're going back and finishing it. Which I think is critical, to hold your vendors accountable, to make sure they're actually producing high quality stuff. On the outside we're using an automated process, we've got System Center Configuration Manager to do that. I'm looking at using the PTES for the first time for a penetration test, which is all good and fun stuff. As a pro tip, when you get your penetration tester coming in, right, you really want someone with in-the-trenches knowledge. You want someone who's, you know, got that real-world experience, someone who's come up from the ranks, someone who walks in and your team is already scared, or they hear he's coming and they harden

the firewalls before they come in. So it's vital you get someone who really knows their stuff. It's fun, I actually put this on when I was working on my deck, and my storage guy walked in, he saw it on my monitor, he's like, hey, Wolf, I'd like to talk to you about... oh my God, he goes, who is that? I go, that's the guy who's going to be testing your stuff, you better do a good job. He goes, is he going to be that dirty when he comes? 50/50. 50/50. So, yeah, we're going to be testing. The infrastructure is set up now, we're going to be starting that in the next

couple weeks, and then TBD, because as I mentioned this project is in process. We're going to be integrating in with our ITGC pack. I'm using Service Manager from Microsoft to do that; there's as many ways to do it, but I found that one's pretty easy for me, and it saved me a bunch of money switching off the old ITGC system I was using. We're integrating it in with our Threat Management Gateway, so we got response alerts, everything we need, so that, again, it's not if but when, but when I get an alert I can respond very quickly, address the integrity of the site very quickly and move on. And eventually we'll be able

to retire this thing, hopefully before I get a slide that is as antiquated as IE5 with 800 by 600, hopefully. Otherwise I'll have another talk. And that's really an example of what I mean by security development life cycle means boulders have a controlled landing, right? Because from the start of the process, all the way till when that boulder is on the field and we're now maintaining it, rolling it up the hill, every single step of the way we are doing everything we possibly can to make sure it's tight, it's got the right controls, we've addressed the threats, we're doing it in a very high quality, rugged fashion. And that's also what I mean by risk

management means rolling fewer boulders farther. I'm not going to spend a ton of time looking at aspects of the system that aren't necessarily tied to the organization's mission and aren't necessarily going to impact the organization should they occur, and again, in this particular instance that's things like availability in a DR scenario. So that is your boulder rolling. And as a quick wrap-up, I'll wrap up real quick, I know we're just about, or actually we are, out of time. Quick: what I found, going from a security position, being hands-on as a consultant, to a security manager position, is that I was getting way worn out, right, because boulder rolling will wear you down. Every

morning you come in, you roll as many boulders up, next day they're all back down the hill, and you do it again and again and again. And while you're doing that, they're throwing new boulders at you, which makes it fun. So boulder catching will flatten you, because invariably you're going to get that call on Thursday: yeah, fix this by Friday, it's going live. You didn't fix it, it goes live, next week there's a security incident, now you're to blame. So you got to get out of, I feel we got to get out of, that type of mentality. I think it's better to focus in on the organization and its ability to perform its mission, which is

this real high level, lofty goal, which I feel that we can get to by using things like business continuity impact analysis. So we should be able to look at any blinking box in our environment. Actually, my team has knowledge sharing meetings where we talk about this: that blinking box means this to the business, which means this to our six-month, 12-month goals. Part of that is social engineering, using just good old-fashioned people hacking skills in a legitimate, ethical way, so that your team has what they need, so that you have what you need, so your team knows what they're doing, so they've got the resources to train, and so at the end of the day you can have a very

resilient, high quality system. It gets back to risk management and business continuity being the new peanut butter and jelly, SDLC being the new bread. Yes, it's lunchtime, get hungry. Impact analysis: smart boulder rolling. Life cycle: smarter boulder catching. That's really all I have. I want to thank everyone for coming out here, I hope you're having a great BSides Detroit. I also want to give a
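The input validation argument in the talk (a trusted partner will still send bad data on one bad day, and then every record received that day needs a manual check) is easier to see with a boundary validator in front of the receiving system. The following is an added example in Python, not code from the talk or from the speaker's project; the record fields, the account id format, the allowlisted currencies and the limits are constructed assumptions. Each record is accepted only if every field passes an allowlist rule; everything else is quarantined together with a reason, so on the bad day only the quarantined records need human review rather than all of them.

```python
"""Boundary validation for records received from an external system.

Added example (not from the talk). Field names, the account id format,
the allowed currencies and the limits below are constructed assumptions.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

ACCOUNT_RE = re.compile(r"^[A-Z]{2}[0-9]{8}$")  # assumed account id format
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}      # assumed allowlist
MAX_NOTE_LEN = 200
MAX_AMOUNT_CENTS = 1_000_000_000                # assumed per-record ceiling

REQUIRED_FIELDS = {"account", "amount_cents", "currency", "note"}


@dataclass
class ValidationResult:
    accepted: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)  # (record, reason) pairs


def check_record(rec) -> Optional[str]:
    """Return None if rec passes every rule, else a human-readable reason."""
    if not isinstance(rec, dict):
        return "record is not an object"
    missing = REQUIRED_FIELDS - set(rec)
    if missing:
        return f"missing fields: {sorted(missing)}"
    extra = set(rec) - REQUIRED_FIELDS
    if extra:
        return f"unexpected fields: {sorted(extra)}"
    account = rec["account"]
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        return "account id does not match expected format"
    amt = rec["amount_cents"]
    # bool is a subclass of int in Python, so reject it explicitly
    if isinstance(amt, bool) or not isinstance(amt, int):
        return "amount_cents must be an integer"
    if not 0 < amt <= MAX_AMOUNT_CENTS:
        return "amount_cents out of range"
    if rec["currency"] not in ALLOWED_CURRENCIES:
        return "currency not in allowlist"
    note = rec["note"]
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN:
        return "note must be a string of at most 200 characters"
    if any(ord(ch) < 32 for ch in note):
        return "note contains control characters"
    return None


def validate_feed(raw: str) -> ValidationResult:
    """Parse a JSON array of records and split them into accepted / quarantined.

    A feed that is not a JSON array is quarantined as a whole: nothing is accepted.
    """
    result = ValidationResult()
    try:
        records = json.loads(raw)
    except json.JSONDecodeError as exc:
        result.quarantined.append((raw, f"feed is not valid JSON: {exc.msg}"))
        return result
    if not isinstance(records, list):
        result.quarantined.append((raw, "feed is not a JSON array"))
        return result
    for rec in records:
        reason = check_record(rec)
        if reason is None:
            result.accepted.append(rec)
        else:
            result.quarantined.append((rec, reason))
    return result


# Constructed sample feed: four well-formed records and four that must be caught.
SAMPLE_FEED = json.dumps([
    {"account": "US12345678", "amount_cents": 150000, "currency": "USD", "note": "quarterly contribution"},
    {"account": "GB87654321", "amount_cents": 2500, "currency": "GBP", "note": ""},
    {"account": "US00000001", "amount_cents": 999, "currency": "EUR", "note": "ok"},
    {"account": "US22222222", "amount_cents": 1, "currency": "USD", "note": "min"},
    {"account": "US1234567", "amount_cents": 100, "currency": "USD", "note": "short id"},
    {"account": "US12345678", "amount_cents": "100", "currency": "USD", "note": "string amount"},
    {"account": "US12345678", "amount_cents": 100, "currency": "XXX", "note": "bad currency"},
    {"account": "US12345678", "amount_cents": 100, "currency": "USD", "note": "line1\nline2"},
])

if __name__ == "__main__":
    r = validate_feed(SAMPLE_FEED)
    print(f"accepted {len(r.accepted)}, quarantined {len(r.quarantined)}")
    for _, reason in r.quarantined:
        print(" -", reason)
```

The design choice worth noting is that the validator never tries to repair a record: a record either matches the allowlist exactly (no missing or extra fields, typed and bounded values, printable text) or it is set aside with a reason. That keeps the good-day path untouched and turns the bad day into a list of flagged records with explanations, which is the manual check the talk describes, scoped to the records that actually failed.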
