Keynote - Brian Kelly - BSides CT 2019 - 11/09/19

and Kelly how about now better everybody see me behind the podium we're good Adrienne's asked me not to wander around a little bit because I tend to do that so I'm gonna try to stay on camera so when they asked me to come in and Keynote this they said fifty seventy-five on average that's what we had before I think we tapped out over 300 for this conference so this is really incredible to be here for all of you to be here this is what the sixth year of besides Connecticut so quick show of hands how many been to more than one excellent show hands first one awesome welcome really important that you're here thank you for coming thank

you for the to the 'besides committee for inviting me and having me thanks to Central Connecticut State University for hosting I was the C so at Quinnipiac for number of years we hosted a couple of these and I know the effort that it takes to host something like this so this is a great venue and hope you guys have a good day so the talk the original site slide said what's your origin story but what we're going to talk about today is really a community story and how 'besides plays into our community so I'll talk a little bit about b-sides as a community I'll talk a little bit about why I'm here right part of that community why you're here right

joining in participating in a community and then we'll also talk about who else is here right so as you look around this room it's Roman was speaking you see some of the folks sitting next to you we'll talk about who else is here who's in our community and then lastly we'll sort of close with we're not alone and it's not an alien reference it's a we need to do this as a community and I don't have a clicker so I'm going to go through this the old way so blackhat so Romans wearing a hat right so that's how we find Roman today Romans got the black hat hat on right so black hat I was

gonna say is it the top hat that Jack Daniels is wearing but it's it's not just a hat right it's a conference and black hat was founded way back in 1997 so I was afraid at Central I was gonna have an audience that wasn't born in 1997 but it looks like it's it's fairly well mixed this morning so 1997 so that's a little bit of time ago and it really by 2009 black hat had become this really big head right it was it was the thing that started all those awkward conversations that we had with our bosses and our spouses when we said we had to go to Vegas for work right no no really it's work but what happened by

2009 was black out with such a big head it was such a the go to conference that there was speakers and talks that were getting rejected that weren't finding their way into that week-long conference right so it had grown beyond just sort of this national now it's an international brand they've got logo where they do training it's it's quite an incredible organization and out of that came folks like Mike Murray and Mike Don and Jennifer legio and Jack Daniel who started to think about what can we do with all of this sort of content that isn't making the cut for blackhat and out of that grew this concept of b-sides right the B side the

B side is sort of an homage back to an A and a B side of a seventy five a seventy eight forty five or thirty three and a half our p.m. photographic record it's this where I lose the crowd right because well vinyls coming back but for those of you that were raised in the 80s a cassette had an A and a B side right and typically the a side was what the artist wanted you to buy that's what you were paying for and the B side was either extra music or garbage music or a bonus right bonus music it was free music so before there was Napster and streaming and all these things there's

the free music was you bought the a side you got the B side and I think bonus for me is really indicative of what B sides is as a community right it's its bonus right the content that you guys are going to experience today will show a hands for track one or track two I think most of us would like to be in bolt right how do we how do we do both tracks simultaneously and thankfully it's being recorded so we can go and maybe be in both places at the same time later on so you know talk about getting old right so 2009 was ten years ago so the first b-sides was in July of

Denine so this past July was the tenth birthday or the tenth anniversary of b-sides and when we talk about these these founders these folks that's their names on a plaque names I mentioned like Jack Daniel and Mike Murray and jennifer twomey they're not just names on a plaque or names on the b-sides history site website these are people sitting next to you these are like both rock stars in our community and people that we can just talk to you or tweet to or interact with so that's I mean for us that is such an important part of the community and then what I hope these sides will mean to you is that it will become part of your origin story so for

those of you that raised your hand said hey this is my first time you're gonna meet people today you're gonna make friends even with the vendors you're gonna make friends and these are gonna be relationships that you'll have for a lifetime so talk a little bit about my origin story and I went ahead on that or the two automations did come in right so my origin story is I wanted to be a cop my father was a cop my grandfather was a cop I had lots of uncles they were war cops and you know even though that was sort of my path growing up I wasn't really sure what I wanted to be when I

grew up and there's some days where I'm still not really sure what I want to be when I grow up so after high school I worked for Amtrak for about a year that's a story for another talk if you've ever traveled or used Amtrak you you know that's just too long of a talk for this morning so after high school I went and I do I enrolled at Naugatuck Valley Community College in an associate's degree program in 1989 criminal justice right I was going to be a law enforcement officer in 92 I graduated with in associate's degree so those of you that are good with math or I know it's early on Saturday morning it

took me three years to complete a two-year associate's degree that happens for a lot of us once I got done I joined the Air Force which is a which we'll talk about in a little bit but in reality I've been at Naugatuck Valley for what feels like 30 years so 89 and 92 I was a student I left for a little bit was in the Air Force I came back to NACA tech Valley in 1999 as an adjunct instructor teaching networking and computer courses and really if never I feel like I've never left I feel like I've been part of that community for you know 30 30 years now so show of hands veterans folks that have

served our serving thank you so much for your service we're two days away from veterans today so now I ask that you don't answer this question so after I graduated with my associates degree I figured out I was trying to think about how I could differentiate myself how I could you know I wanted to be a police officer I was applying at every town know I could talk New Britain State Police Waterbury and ice trying to differentiate myself in my professional resume not like blue hair or tattoos but how do I build my professional resume so I decided to talk to an Air Force recruiter and in the joke for those of you that know the answer to this is how

do you know when your recruiter is lying to you when their lips are moving right so I went and I talked to an Air Force recruiter about a law enforcement or security forces position because that's what I you know that's what I wanted to do and I thought that would best help my resume my professional resume what happened was this recruiter said I don't have a law enforcement or security forces I have this thing called a computer systems operator and I went to what and he said no no this is you'll have a top-secret clearance so the government will trust you and so will every municipality in the United States so you know when you're ready to go back

to law enforcement this this will help you immensely your ASVAB scores were phenomenal you'll do you'll do great and I was sold like I believed him so I took it right and you know what it turned out that recruiter was was right right he was on to something I ended up really liking that computer stuff so I sort of dug in and I learned as much as I could now again sort of dating myself it's the mid-90s there was this really new cool operating system coming out called Windows 95 yeah so I was working on that and so my Air Force career ended in 2013 are retired from the Air National Guard that was a huge part of

community for me I miss it every day don't don't tell my wife she'll she'll be mad that's being recorded I'm screwed can we can we fix that and post-op post edit just take that out anyway so again it's the late 90s it's the early 2000s and I'm working for the Air Force full-time and a friend a mentor or colleague a gentleman but name of Brian Sheehan he says you know you got to go out and you got to talk to people and you got to get involved with groups and you got a few stuff and in real life right because there is no LinkedIn in 2000 so he introduces me to the information system security

association or Issa they had meetings in Harford that were monthly and what an opportunity to go there much like today but on a smaller scale right the meetings were designed for gathering people together for networking and for learning but you know for me what what really helped me out I think for many of us in our sort of our origin story in our community is was learning how to sort of interact with people when so today when folks company to say tell me what you're doing or what you're working on we tend to say what we're doing or what we're working on and those early Issa meetings sort of helped me learn to say things like what I'm currently doing

is I'm configuring firewalls for the Air Force well what's interesting is I think there's going to be an opportunity for Sigma or Aetna to do some of the things that I'm learning in what I'm doing for the Air Force so it helped me sort of mature the story of my origin and move me from one career to the next thing so I think as you have those conversations today think about not only what you're doing but where you want to go and especially for those little those of us that are students from is to say I was introduced to this group called the InfraGard which is a public-private partnership folks familiar with InfraGard probably some of it between

the FBI and in public and private industry and what that did for me was really it sort of appealed to my law enforcement background your interests and it appealed to sort of my military background and what a great group I was part of the founding group here in Connecticut were I think in the 20th year now of that organization there's probably 900 members in the state of Connecticut it's a national organization but there is Connecticut chapters not every meeting is cyber related sometimes they talk about shipping and you know electrical and power and water but it's a great group to be involved with and then lastly before I left at in the back in 2006 was as I was building this feels

like a really really long time ago I get introduced this organization called a high technology crime investigation Association HT CIA in what that was was as time there wasn't a lot of private forensics going on it was all law enforcement so again really sort of appealed the interest to my my law enforcement sorry if we could on the CTF hack this thermostat as like the first goal that would be really great really warm in here so HTC ia at the time was this group of largely law enforcement the state of Connecticut but helps me sort of understand how to build out this forensics lab at at none before I left and I was so engaged and so involved

with HTC a that they sort of elected me president and I was president of that organization for a very long time and if you're into forensics computer forensics if you've not found that community here HCC ia I highly recommend that you take a look at it and enjoy and that was my last slide there so I'm gonna be 49 and 11 day I feel really really old wait this slide this slides not about me it's about you so what I meant to say is that I'm not as young as I think I am or is not as young as I used to be and what's important for this right this is a very you know quick keynote to start the day

but as you think about today as you're sitting here just think about we all started somewhere so a number of you raised your hand and said this is your first time right everyone in this room whether it today is your first time or today is your sixth time we all started somewhere right we all started this journey together starting from nothing right so I want you to keep in mind that the smartest the coolest the best hacker that you'll meet today or that you'll see speak today was just once like you they were sitting here for the first time so keep in mind that we're all sort of be it started at the same beginning

and for those of you that are the cool kids like like Ryan that are really that you know the smart hackers and the folks that we come to see you know in the other tracks just remember how important it was when you were starting out when someone came up and talked to you right engaged with you how impactful that was for you both personally and professionally and I I just strongly encouraged the dialogue I saw some great conversations going on even before this started so me you know make sure you're engaging with one another and then I have curiosity right so will your story your origin story be one of curiosity right so curiosity might have brought you here today it

might have brought you into the this the course of study here it's essentially you're in you know we like as professionals we like to think about how things break rights many of us might have grown up taking things apart and some of us were better putting them back together than others sometimes we like to see how things our systems fail right how we can take something and make it do something to creator never intended to do right so that's part of curiosity I think that binds us brings us together and that's important for us to remember and I think there's a way to think about that and from a critical thinking or sort of question everything perspective

and I have paranoia up there right so security folks in general can be accused of being paranoid ryan's laughing at me is that an understatement right a paranoid should be right so in that in that vein we often see how things fail right we tend to see where there's there's gaps and that's what we're trained to look at right and that can be perceived as paranoia try to be sort of a healthy paranoia if that's possible and try to be not always sort of you know the the debbie downer I guess is the right rants and then also be optimistic right how many security folks do you know that are optimistic it's not it's things that one there thank you

yeah it's always one but typically we were not optimistic we're always sort of chasing perfection right we've got to be right a hundred percent of the time the bad guys have a series only got to be right once so you know try to be optimistic don't chase perfection focus on your successes I used to tell Alex a lot like there was so much that we weren't accomplishing but there was so much that we were doing and we always used to focus on what we didn't get done or we didn't finish so try to be optimistic I know it's really really hard we're in an academic setting my new role at EDUCAUSE is providing cyber security consultation and advice to

higher ed throughout the the country and back in the fall there was two universities that were impacted by ransomware Regis University near Denver and Stevens Institute of Technology in New Jersey and everybody in higher ed is freaking out about what happened how they how they were vulnerable you know how the threat propagated what happened and but educause serves over 4,000 colleges and universities so we're really concerned about two that got burned with ransomware but there's four thousand that are doing something right and I don't think they're just being lucky I think there's a good story to tell there so I try to think about how we can be optimistic and focus on where we're winning not only being in the news where

there's breeches and then sort of lastly I know if this is going to work anybody remove remember the movie The Sixth Sense all right so most of you that's good I was worried so in the movie that the kid Halle dill Joel Osment all he saw was dead people right so I've been accused of being like that kid except I don't see dead people all I see is problems right well you see his problems right so don't don't end up being an old curmudgeon don't don't just see problems see solutions and sort of that's where this community is so helpful because the conversations that you have around things that you see as problems or things you're struggling

with in your own environment somebody if somebody sitting next to you may have that answer and may be able to help you with that so as you look around the room right you know who's sitting next to you you know who's in front of you you know who's behind you some of you may be so I'm not gonna ask you to get up and introduce yourself it's way too early for that I know it's a Saturday morning so don't and I literally I have like two more slides so you can introduce yourself to each other on the way out as you talk about what a great keynote this was and you're so glad you came so you

know look around some of these speakers that are here yeah I look at the agenda and I look at who I want to go and see and generally and thankfully not this morning there's generally somebody on the agenda the same time I'm talking that I would rather go see than myself so think about who you came to see besides me of course who you want to meet how you want to interact with those those folks today I know many of us are introverts you know I don't want to stereotype the the geek and the security nerds and in the space but it happens and it's hard it's hard for us to as introverts interact with people go up

and have a conversation try to be purposeful about that today try to engage with folks if you see someone you know ask they're doing you asking what they're working on what they're interested in if you're not ready for that today you don't want to you know have social interaction today but later on you want to connect with me on LinkedIn and tell me what a great talk this was or it wasn't just say that you know when you reach out to somebody on LinkedIn whether it's me or if you're you know studying AI at Central and you find somebody on LinkedIn that's really a leader in that space reach out to them and say hey I'm in a cybersecurity

program at Central I see that you're a leader in this space I'd love to connect with you and learn from you I think those connections those communities are hugely important for all of us I was going to say you know if you're not on Twitter already you know the InfoSec cyber security hacker community on Twitter is phenomenal there's some really great you know I talked about Twitter and I worry it's gonna turn into a political conversation but specific to cybersecurity there's a great dialogue going on out there and then we are in an academic setting so I have to talk about reading right so I'm a geek and I like to read and I like history so I don't

fit me a they're nerdy geek or a geeky nerd tribe of hackers folk some of you might have read that already a great book it's got 70 profiles in it of folks in our community it sort of reads like a QA about how they got started what they think the future of cybersecurity is it's a great read I was also fortunate to be involved with the cybersecurity cannon project so hopefully you've heard of it if you haven't go ahead and google it Palo Alto sponsors it but it's really an independent sort of body of knowledge of books that we should all be reading while it was part of it I got to meet Kevin Paulson from Wired magazine and he

wrote kingpin so really I encourage you to read whether that's audiobooks or however you consume just go out and read as much as you can and this is my last slide so my professional commute my professional community began at Issa meeting and it really expanded through so many different organizations many of them are listed here right so I think for you just make sure that you're including as many of these organizations and there might be others that I'm missing because I'm an old guy so if there's things that you know about come up and talk to me and say hey Brian we should you should be talking about these organizations because that's what's coming I think you know way to talked about

we're not alone you can't learn alone we can't learn alone we can't succeed alone it's so important for us to be part of the community Connecticut is a really small state but there's so many vibrant communities I have some of them listed there and with that I'll close and saying you know introverts unite have a great day thank you for coming thank you for your attention and I'll see you around