
Hello, yep, thank you for attending the 11 o'clock session. My name is Puna and I'm going to be talking about starting a security program that thrills and spills. We are all here on a Sunday because we all want to do better at security. Some of us aspire to build that application security program, manage that product security program, build the security program for the company. Back in November 2015 I got that dream opportunity: the dream opportunity to build the security program for a healthcare company which had at that point no users, no product-market fit, and we didn't really have any customer pains for anything, but we wanted to start off foundationally with a solid security program.

While we are building those skills for that aspirational opportunity, we are thinking of technology skills, we are thinking policy frameworks, we are thinking trainings and certifications, we are preparing for project management skills, team leadership skills, hiring, firing and whatnot. In the past year or two what I learned was that all those skills are great; they got me the opportunity, that's why I got in the door. Once I got into that opportunity it was super thrilling to say, look, I'm going to be building this foundational security program, but the spills came in when I was unable to do so in certain areas, where it was for non-technical reasons. The skills give us the confidence to go do something, but then we are stuck on how to get that done. In this talk I'm discussing the scenario where I realized that the emotional intelligence piece, or emotional quotient, for somebody who has this responsibility is at least as important, if not more, than the skills themselves, because otherwise the skills that we build are marginalized if we are not able to run through the program with an even keel of mind.

By way of introduction, I have been building skills all along. I have a master's in computer security from UCSD. I was a software engineer for almost nine, ten years; if you used Netflix on Apple TV, Sony, any of those devices, I built that. Then I managed the product security and the application security team at Netflix, I built security products for Netflix, and was at the same time trying to build my own technology company. I gave it a shot for about three years, and in November 2015 when the Lyra Health opportunity showed up, that's when I pivoted to working on that one single focused effort. I became the first security engineer.

So at Lyra Health, what do we do? We provide a comprehensive behavioral healthcare solution for employees and family members of the companies that work with us. We have the entire gamut: from self-care apps that use computer-based cognitive behavioral therapy, CBT as it's known in the psychology world, so that people can help themselves, through, you know, how you deal with physical therapy, where you have a limited set of coaching sessions and then you self-serve; we have that for behavioral therapy. We have therapists who work on-site and near-site, we have clinics at the companies that we work with where the employees can just walk up to those clinics, and we also have psychotherapists on board who can prescribe medicine. So end-to-end behavioral healthcare, that's what Lyra Health has to present.

So this is where a wise man named Drake would say: started from the bottom, now we're here; started from the bottom, now my whole functioning team is here. So 2018: I'm just thrilled to be here, because in the first year of my joining the company we achieved HITRUST compliance, and HITRUST I'll talk more about later, but it was great because the entire company rallied to get there. We have a lot of customers who have stringent requirements; some of them are probably in the audience, some of them are potential customers in the audience, whose InfoSec team has assessed us and has helped us become stronger based on their feedback. The entire company rallies together when we have annual compliance work, disaster recovery exercises, external red team exercises; we are all currently pulling the company in the same direction, and the security techniques are used not just to defend but to creatively solve problems. I'll give more examples of that as well. And when they occur, security incidents are immediately reported, broadly discussed, and we do post-mortems and then prevent future recurrence in a without-blame-or-shame fashion. So it feels great to be there in 2018.

Back in 2015 I was starting at the bottom. I wasn't sure how to go about it. I knew, based on my skills telling me: am I going to start with a risk assessment and then a threat modeling exercise? Or should I start with a compliance program first? Take action with SDLC, a secure development lifecycle, figure out shift left and SecOps, you know, best practices like we have OWASP Top Ten, SANS 20; the FTC has the Start with Security program. All those skills were coming to me left and right, and then I realized that I'm one person, the number one security engineer. How much of this can I do by myself?

When you think about SDLC and, you know, implementing FindSecBugs and failing the build when your security issues show up: the engineers are not really incentivized to do that, because they are measured on "did you get that feature out in this sprint, did you get that experience working there", and they don't necessarily need to do my FindSecBugs. The product team is like, everything I ask them, like changing the password strength or anything, would be basically a thing that would create issues with their funnel, right: their registration funnels and their user experience funnels will get a drop when they implement security features. The data science team is always hungry for more data. I have my network segregation diagrams, I have my data classification, I have the whole "how we will manage all these different types of data", and the data science team is all about: the only privilege and access they want is all privilege, all access, so that they can run all their machine learning algorithms on as much data as they can to get to those insights. So the incentives are not aligned. The executive members are still trying to get that round of funding, or are doing their first customer pitches, or they are trying to get those customer success programs going; they don't really care about my "let's do that incident response tabletop exercise, whatever scenarios", because they're like, do you know how drastic this what-if scenario is? My company might not survive your what-if scenario of the tabletop exercises, let's prioritize, right. How do we rally company resources to work on penetration tests, and what would encourage employees to report issues? Because that's not what they're used to: if you report something where you did something wrong, you're going to get punished, that's the only thing they know.

So I had to do a lot of introspection. I had the exclusive privilege and responsibility to build this program, and I knew what I wanted to do because my skills taught me that; I was contemplating how. So the purpose, why did I take this, why am I doing this, was super important. Most of us take the role because either there's a title or a pay raise, or it improves our commute, gives us different experiences, like trails that we have in place. I had done product security and application security for Netflix, I had the ability to learn all the domains, and so that would be it. And the mission of the company itself: to me what it boiled down to was the mission of the company, transform behavioral healthcare via technology with a human touch. That was so appealing to me that the rest of it didn't matter, and I think that's where, being purposeful, I drew a lot of strength. I lost my fear of how I'm going to approach somebody to ask for help, and it became very powerful. Looking back, even two years later, I feel like if I hadn't had that sense of purpose I would have gotten burned out very quickly; if I wasn't creatively and passionately able to participate I would not be able to get Lyra Health to where we are.

So, like, I needed my purpose; the company needed a call to action, right? Why would the company do a bunch of small things? I needed a big banner: this is what we're going to get done, and this is when we're going to do it by. For that I got the business team and executive team excited about getting Lyra Health HITRUST certified in 2016. One year, we're going to spend time on that. HITRUST is a prescriptive program which basically allows your company to be NIST, ISO, HIPAA, COBIT; it aggregates all these compliance rules and then prescribes what you need to do. So that was great, because the executives and business team were excited because the sales would be very easy with HITRUST in there; there would be trust from the customers who would want to give their employee information to us so that we can provide them the care. With that the entire company was like, okay fine, let's get this done in 2016.

So I took over all the SaaS accounts we had, all the Google, [inaudible], GitHub and Salesforce, whatever you have: minimum required access and least privilege principles. I started doing, like, I didn't know anything about management of Macs using Jamf, but I took a training in Jamf and I went about taking everybody's machine and doing hard disk encryption, application firewall, turning on screensaver, password management; and then took over all the mobile devices that would ever want access to Lyra Health, like, if you install this Google MDM profile then you'll get access; set up, you know, password requirements, two-factor and all that stuff. And it's great because HITRUST gave us 19 domains on which we would execute these things, and it was like a playbook: we knew, and we would get it by, and everybody was rallying.

Again, this is only 90 percent of the time; there's less than 10% of the set of people or technologies or things that will not go your way, right. So there were some people in the employee population who would be like, going 100 percent to the cloud, in no healthcare company that I have worked at was that possible, it's not something we would recommend, we want our data under our noses and all that. So you have those arguments, like, why would I want to turn on this 8-character passcode on my mobile device, that's too much, I don't like it. You know, like, you either have access to Lyra Health data with all these security controls, which is like the passcode for your phone, no jailbroken devices and all that, or you don't, and you choose, right. So you have to have flexible policies, where you either opt in or opt out, but if you want access... Same thing for the devices: we say, we're going to give you these devices with the expectation that we will turn it around at the end of one year; we will give you a different device, so use this device as if it's on lease. If you store information that is fine, but it needs to be backed up to Google Drive; we have unlimited Google Drive storage space. If you are a coder, everything is backed up to GitHub, because at the end of the year we'll give you one month's notice and then we'll swap it out. It may not be a new device, but what this does is it gives us the disaster recovery and business continuity leverage, because there's nothing on the devices or data that will be lost if ever we are in a situation where we need to get their devices back. Similarly, you can store as much of your personal pictures on there, but know that if you lose the device I'm going to remotely wipe your device, because I'm responsible for it. I'm not going to stop you from storing your personal pictures, but in the scenario where we have to wipe the machine, Lyra Health's data is important for me; your pictures will be second. So with that, freedom and responsibility bars have been established. And my screensaver kicked in.

So having a purpose for myself was great, having a call to action for the company was great, and then as I started implementing this call to action, the emotional journey that I went through was very fruitful for me personally, because I needed to understand all my emotional triggers. There would be a lot of pushback from people who would be like, I don't know that I want... like, I don't want to swap out my machine at the end of the day, or I don't feel comfortable going a hundred percent to the cloud. How do I answer those things? Because I, as the first security engineer, don't just represent security engineering, I represent the security culture for the company. I needed to have an emotional balance. So we all have these, right: not all of these thinking traps apply to all of us, but most of these apply to most of us. We all have those "should" statements. I went in with, like, everything should be two-factor: if it has that option it has to be two-factor; you cannot have shared accounts. Well, a SurveyMonkey account costs 2500 bucks; if you don't have a shared account, how many individual accounts per person in your company are you going to have? So all those are context-based, right; it has to be taken with a grain of, like, it's not all black or white, it is gray, and that's the emotional maturity that I needed. So personally, I'm always on a performance improvement plan: if I miss this note here I'm going to be like, why did I miss that. My wife is on a performance improvement plan, my three-year-old daughter is on a PIP, every co-worker is on a PIP, the world is on a PIP in my opinion. So those are my thinking traps, right. Initially I started with "you are either with me or against me", and that is not going to go great if you are also representing how this company should operate in terms of security. So there was a lot of learning in there, but it was great, because I think my three-year-old is a three-year-old; she will grow up and mature, and so did I, in terms of understanding everybody has a perspective, and they are a product of their life's experience; if you explain it differently, things work out in the end. At the end of the day I'm running with the baton to implement HITRUST in 2016, so I did it.

So the first two things I talked about, which are purpose and self-awareness, are internal looking. The next one I'm going to talk about, communication, is external looking, and communication to others has to reinforce the security culture of the company. There are a lot of previous talks and articles about how to build great communication skills: you have to be concise and clear in your ask, sometimes you have to be assertive but other times you can be flexible based on the context, always resolve conflicts and prioritize things. All this is great, right, there's no argument against that. But what I found very useful was: if we wanted to have a shared responsibility, then we needed to communicate as a company with shared values. Two key values that I found useful for Lyra Health were framing every discussion in terms of user privacy and business value.

So the example of the product team not wanting to implement email validation: I had to frame it in user privacy. Their argument was, we don't want to implement email validation because that requires a click into somebody's email, and then they have to go from the app to their email, click on that link, come back into the app, and we lose, you know, there's a drop-off in the funnel. Like, that's fine, but in the case that they enter the wrong email, at best it bounces and at worst it goes to a legitimate other person, and we might be sending PHI, being a mental healthcare company, and when you send PHI to the wrong person that is disclosure. We have to do a breach response and talk to that user and talk to that customer whose employee's information was disclosed, and fess up to this incident, and that's a tall order. Would you want to do that? How much is that user privacy going to cost us in terms of business? So let's just implement email validation. So we did implement email validation. The example of picking HITRUST as the call to action was again business driven, because we are able to talk to our customers and give them the confidence that a third party has worked with us to make sure that we are HITRUST certified, and we qualify for all these third-party assessments.

Then some tactics in communication we learned: if you send an email out and they don't respond, that's not because they're ignoring you or they hate you; or if you file a JIRA ticket and nobody responds, or you send them a Slack message and they didn't respond. It's like some micro-cultures only look at certain things; some employees only look at certain communication channels. So the idea is to communicate broadly and make sure that you're communicating on all channels. The other thing was, security is only known, people only hear about security, when there is an incident, and so the idea was to communicate more when there were events. So for example, when the Google Docs phishing scam was happening, I sent out saying, you know, why we are not impacted by this: because of this configuration setting that prevents us from doing certain things. In other places, in these scenarios, it was great for us because we didn't get phished, we weren't impacted. Sometimes when you really want that security question asked, plant them; I plant them, I ask friends. I also do raffles on a Slack channel where I say, whoever gets this question in at the all-hands is going to get a Philz coffee, so there are so many people competing to ask security questions, it's great. And what really made me well up was when a member of the clinical team asked me, without any incentives, what Meltdown was and what we were doing to prevent it. I was like, we have achieved it: when a clinical team member is asking me security questions, I think we got there. And when I go back from conferences I take all the goodies, and, like, we are not a security company but there are all these security company stickers on our company laptops. It's amazing, because I feel like they are more aware.

So the last attribute I wanted to talk about was presence. We demonstrate presence in a way that we don't want to say the security team only found out later; we want to demonstrate presence in a way that the security team is just a part of every function of the company. This might be a little controversial: working remotely in security, especially if you're a first security engineer, may or may not work. There's the concept, like, it'll work for "oh, Comcast is doing my internet at the new building, I need to go be there for four hours", or "I'm going to work from home one day a week", but if you're not there it's like out of sight, out of mind. People want to approach you and have those impromptu conversations where they want to ask those questions; if we are not available they will either do the wrong thing or they will not do anything, and if they do the wrong thing that's bad for security, that's bad for the company; otherwise it's bad for us. So what I tended to do was sit by the coffee station, sit by the lunch table, and have people come in and have those random questions answered, or just chat, because you learn so much about other products, other things that other functions in the company are working on. That was my window into what they were doing; every day lots of decisions are being made and I felt like I was being a part of it by being present physically.

The next aspect of it is participating. Again, this might not be scalable as you grow bigger, and the thrill of what I'm doing was that it's a small company, 60 people with all the teams included, so I'm able to participate in the product planning meeting, I'm able to participate in engineering sprint meetings; even when we onboard any vendor I'm involved right from day one. When the company goals are being formed, for every month we have like top five goals, we get in a couple of security goals. For example, when we have the third-party pen test, we say our monthly goal for this month is: we're going to go through the code again, make sure we have run FindSecBugs, all that stuff, make sure we have no credentials in there; I go to the customer call support team and say, let's go through your scripts and make sure that there are no social engineering attacks possible, and then practice those scripts; and then we do our third-party pen test, a red team test where every function is pretty much exposed to an attack. So that was one monthly goal. We had another goal that was driven by the SLA for the company: we have a 99.9% SLA, which means at most one minute 26 seconds of downtime a day, or, you know, 43 minutes for the month. So we went ahead and did a disaster recovery exercise where we said, here are all the dependency graphs, let's test every function that exists in our system, let's go through a light flavor of the chaos engineering that Netflix does, where we take down a function and see what gets impacted and what the downtime is. The output of this exercise for that month was we got all our disaster recovery automated, all the alerts and monitoring is in place, but at the same time, if we were to take our entire infrastructure and relaunch it in another region, we have all those dependencies, all those intricate calls, mapped out, and it works in a completely different region because we automated that. So the whole infrastructure as code, we implemented that because we had a monthly goal on meeting the SLA. So, keyword: business value drives security initiatives.

Then quarterly goals, right. We are a mental health company, so there's a lot of stigma associated. When our customer asks us, can you implement SSO with our enterprise SSO vendor, we were like, that might work in other scenarios, but for a mental health company we would enable other things like sign-in with Google or optional MFA within our profile, because the employees potentially don't want to log in with their company's work email into our offering, because they may feel like, oh, I don't know if my employer will find out about what I'm going through, right. So, clever ways of getting the security features implemented: like single sign-on via Google, which many people have a Gmail account, so they would be more open to that personal Gmail account versus a company account; enabling optional MFA so that we give the end user the confidence that, hey, their user privacy is going to be taken care of to a quantity that they feel comfortable with. It was great.

Similarly, contribute, right: presence also means contribute. So, you know, code; if we don't code and contribute, why would anybody listen to our suggestions? So, going back to my "started at the bottom": I fixed two classes of FindSecBugs issues, and went through and told the engineering team, here's how I did it, can you please take it over, and they were happy because they knew what to do, it was bounded, and they were like, let us start it in this sprint, and they went ahead and implemented FindSecBugs and failed the build. At the end of, you know, in a sprint they got all the other warnings and errors. Similarly, I wanted to do application-layer encryption per customer so that we reduce the risk: so imagine if our company got attacked and all the data got taken over; we wanted to do this by really encrypting each customer's information with a separate key and having that application-layer protection. I was looking for an opportune moment, and it turns out there was one important health plan that we wanted to integrate with, and they said, we want a hosted environment that is dedicated to us. We were scrambling to figure out, that's too much of an ask, because we are SaaS, we don't want to necessarily create an entire environment for this company. So we said, can we do application-layer encryption with a customer-specific key for you guys, so you have the virtual value of as if you had your own environment, and your data doesn't commingle with anybody else's? And they were like, you know what, we'll just work with us, and they got the approval for us, and then I got to do my project, and the engineering team was super happy because they got a prototype built.
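The per-customer application-layer encryption just described, as an added example that is not part of the original talk or of Lyra Health's code: a small Go vault that mints one AES-256-GCM key per customer, binds each ciphertext to its customer and record IDs so a blob cannot be re-attributed to another tenant or record, and crypto-shreds a customer by discarding their key. It assumes keys held in memory for the demo (a real deployment would wrap them with a KMS key) and constructed customer and record IDs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// TenantVault keeps one 256-bit data-encryption key per customer, created on
// first use. Assumption: keys live in memory here; production would wrap each with a KMS key.
type TenantVault struct {
	keys map[string]cipher.AEAD // customerID -> AES-256-GCM under that customer's key
}

func NewTenantVault() *TenantVault {
	return &TenantVault{keys: map[string]cipher.AEAD{}}
}

// keyFor returns the customer's AEAD, minting a fresh random key only when create
// is set: a decrypt for an unknown or shredded customer must fail, not mint a key.
func (v *TenantVault) keyFor(customerID string, create bool) (cipher.AEAD, error) {
	if aead, ok := v.keys[customerID]; ok {
		return aead, nil
	}
	if !create {
		return nil, fmt.Errorf("no key for customer %q (never provisioned or shredded)", customerID)
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	v.keys[customerID] = aead
	return aead, nil
}

// recordAAD binds a ciphertext to its owner and record: a blob copied into
// another customer's or record's row fails authentication on decrypt.
func recordAAD(customerID, recordID string) []byte {
	return []byte(customerID + "/" + recordID)
}

// Encrypt returns nonce || AES-GCM ciphertext, storable as a single column.
func (v *TenantVault) Encrypt(customerID, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := v.keyFor(customerID, true)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, recordAAD(customerID, recordID)), nil
}

// Decrypt succeeds only with the owning customer's key and the original IDs.
func (v *TenantVault) Decrypt(customerID, recordID string, blob []byte) ([]byte, error) {
	aead, err := v.keyFor(customerID, false)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], recordAAD(customerID, recordID))
}

// Shred discards a customer's key (crypto-shredding): their records become
// unrecoverable even where ciphertext lingers in backups.
func (v *TenantVault) Shred(customerID string) {
	delete(v.keys, customerID)
}

func main() {
	v := NewTenantVault()
	ct, _ := v.Encrypt("acme", "rec-1", []byte("constructed session note")) // constructed IDs and data
	pt, err := v.Decrypt("acme", "rec-1", ct)
	fmt.Printf("acme/rec-1 -> %q (err=%v)\n", pt, err)
}
```

After Shred, the same ciphertext no longer decrypts even though it still exists, and a later Encrypt for that customer silently starts from a new key.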
So again, when I coded it and gave it to the engineering team, the data science team asked us for code reviews, not because I have a process in place where they have to go through my approval, but because they feel like I add value to their work. So that's again a win, a thrill for me. Similarly, the hack days: participate. You don't have to just sit in a corner looking at our alerts and monitoring. On one of the hack days I learned from the business team that we used to pay our providers with checks every so often, and we would mail them, for the therapies that they had conducted. So I sat down with an engineer and the business team member and we mapped out the processes, we integrated Stripe, we built the initial prototype where payments happen the same day. And you know what, the providers, all the providers that work with Lyra Health, they loved Lyra Health; the 95 percent like rate is higher than anything else that's out there, because they get paid the same day or the next day. If you are doing work and you're getting paid the same day or next day, it's very important for them, and we happened to have built that hack. So the security team is viewed as a partner in all the functions, and that's again a win, and it's possible right now again because we are small and I'm able to participate, but you get the drift.

Own projects, so that I'm partaking in everything. Thanks to the folks at Yelp, they built out ElastAlert; I integrated ElastAlert into our infrastructure, and I own all auditing, logging and monitoring. What that gets me is that for every critical action that happens on the product or any of our services, I have who did what and when, and what classified data did it touch, right, and we have that at a level because I own that infrastructure and everybody uses that to integrate with their product. So again, another place where my presence, and I don't mean physical presence but being able to contribute, makes everybody see security as a partner, and I'm present in their workflows.

The clinical team was working on, like, they really wanted to get this software for longitudinal care, so that when a care seeker calls us or chats with us, they have this one view of all the interactions that had happened. They really liked this vendor and they wanted it onboarded, but that vendor did not have any third-party attestations, or, like, they have a security white paper, which most vendors are... And the clinical team was like, please, please, please, please don't fail them, we want them to be approved. And I was like, I am your partner, I want them to succeed as well. Luckily for us, one of our partner companies, one of our customers, had demonstrated how they valued us when we didn't have any of those certifications: they paid for a pen test, they did a dynamic assessment of us, and they waited for us to fix all those issues for three months back in the day, and helped us become a company that can work with them. So I learned from them and I paid it forward with this company: I went there, I introduced them to the people that they need to talk to for kicking off their third-party assessments and all that; I went ahead and said, let me look at your data diagrams, let me see how you can make your security controls better, and basically did what I would do at our own company. I did it for them just so that they can be a vendor with us, right, and the clinical team is eternally thankful. So anything that happens, they see me as a partner and talk to me about that.

So, bringing it home: our skills are absolutely table stakes, there's no denying that. My thesis is that security cannot be enforced. We can build as many paved roads as we want, we can build as many guardrails as we want, we can make it as easy as possible to be secure by default, but at the end of the day security is a shared responsibility, and for anybody to share our responsibility we need to work on shared values, and we need to work on belief in the same purpose, constantly be self-aware, and communicate in terms of what we all believe will take the company to the next level. So for me it has been an exhilarating experience having gone through this, exercising my skills and at the same time emotionally growing up to be able to run this. Thank you for allowing me to share my story.

[Applause]