
Up next we have Scott, Frank and Lucas, and they're going to tell us about how automation is hard but it is definitely worth it, and I tend to agree wholeheartedly. Their talk is called RMF in a DevOps World. Let's give them a nice round of applause. [Applause]
So there's free beer out there and you guys still stayed in here; I don't know what that says about you. Well, while we get set up... it's going to come up, it's looking for a password. Yeah, that's a big password there. So the three of us come from a company called Concurrent Technologies Corporation near Johnstown, Pennsylvania, so not too far from here. CTC is an independent high-tech research and development firm, mainly working with the Department of Defense and the intelligence community; we do a lot of this sort of work. And so you would think that, you know, our government is as efficient as they are, right? It's all about efficiency with the government, you know. So you would think that automation and DevOps would play right into, you know, the accreditation process that they use.

So I'm Scott; I've been at CTC for quite a while, the principal cyber security engineer. I'm Frank, a sysadmin at CTC; I've worked a lot with Scott on our external clients and with Lucas on our internal corporate network. I'm Lucas, a security engineer, also at CTC. So real quick, about two weeks ago Lucas was promoted to a manager. [crosstalk] Okay, we'll move on. He was giving me a hard time, he's been calling me a manager, and now... yeah. So he's non-technical now; this is like his going-away party, I guess.

So, show of hands: who in the room works with the Risk Management Framework? Quite a few. How about DevOps, or trying to integrate DevOps or automation into that? So the Risk Management Framework is something that's been around within the United States government for not that long. It was where they moved from a prescriptive security approach, a check-the-box mentality if you will, to more of applying the appropriate levels of controls. I'll talk a bit about that; I probably don't want to jump ahead too far. But the big idea behind our talk is how DevOps and the continuous deployment pipeline, set up right, done right with the automation, really support the RMF process, or the compliance, or the system security plans. Okay, next slide.

So, okay, we did that already. And there are a couple of memes in here, because you never want to show up meme-less for a presentation. Not as many as I'd like, because that's really the important part of the talk, right, getting the memes right; it takes so long that you often spend a lot of time there, but it's worth it. So we're going to talk quickly about DevOps, give some background on what DevOps is, or what we think DevOps is; it's kind of one of those buzzword bingo things everyone likes to talk about. And also the background there, and why we think some of the pre-RMF stuff was really terrible and set us up for some bad habits, especially on the government side, and then how we can bring those two things together, RMF and DevOps, to experience some efficiencies, or synergies, as we managers like to talk about. Synergy. A paradigm.

So one of the things I want to caution about, I guess, is you hear people talk about these things like they'll save the world, and really, even automation is really hard. Implementing it at an organizational level especially is difficult, because it's a mindset change in how we address things and how we do things. People think you're trying to take their job away by scripting out those things they do. So it's something that takes time, and it's going to be difficult. So although I think there's a lot of value in it, it's certainly something you have to consider, and at what cost, before jumping into it.

So DevOps: applying development principles to infrastructure and trying to do those releases and things rapidly, getting things out there quickly. So prior to DevOps, I think this is where my next slide is, right here: this is what we did before that, which was not as fun or as good. But then you have RMF, which is the Risk Management Framework, which the DoD introduced as a way to try to bring the value of what you're securing, or the impact if it goes down, into the process of securing it. Because a lot of times you have $10,000 in security for 50 cents worth of asset, because the process doesn't support anything less. So we don't want to do that.

So prior to the RMF process, the government for many years, and you probably see this in other regulated environments or compliance environments, had more of a prescriptive approach to security, where the security controls don't really take into account the risk levels or the categorization of the data. For many, many years the government did this painful, painful thing called DIACAP, and I don't know who comes up with the acronyms, but the idea was that there was no continuous monitoring of the security posture of the application or the system. You would do it at a point in time: you would build this really thick system security plan, and if you guys do that often, right, a lot of paperwork, throw it over the fence, and a couple of years later you come back and try to look at it and figure out what's changed. So what we're excited about, what we're happy to see with the Risk Management Framework, is they're applying the right level of security for the data, right, not applying a million dollars worth of security to ten dollars worth of data. So, importantly, right.

And then in the development world you have the pre-DevOps environments, in which we developers go away; we have some, probably not even technical, people go talk to clients, because we don't like talking to clients; they bring some requirements back to us; we all squirrel away in a basement somewhere with a bunch of energy drinks and stuff; and we're going to give you something in like five years, sometimes ten, sometimes never. Right, there was this idea of throwing products over the fence, and of course it doesn't end up well. In the history of software I think we've seen over and over again that that just doesn't work: it doesn't allow us to schedule, it doesn't allow us to give customers, clients, whatever, what they need at the end, because they're so long, and the speed of change is now drastically different than it was when we were even considering those types of technologies. So who here has seen The Other Guys, the movie? Yeah, so if you know what this is... yeah, the PLC reference. As I said,
RMF attempts to address that old DIACAP mentality of hey, we're going to throw it over the fence in three years and you guys get to deal with it. I worked on an engagement one time when we were trying to help a system achieve accreditation, and the system was in a nuclear fallout shelter; it was also air-gapped, right. But the week we stepped into this, we walked in with okay, let's see what the update posture for the system is. So the system itself hadn't been touched in almost three years. Exactly; three years before that was the last time they applied patches, updated antivirus signatures, I mean anything besides something to keep it running. Nobody had touched anything security-wise, because it was difficult, they didn't care because no one was checking them on it, and they didn't have to care, I guess.

You know, one of those things about standards and compliance: don't we all love compliance? Isn't it awesome? Compliance is wonderful, right; you want to get up in the morning and go do compliance things. Really, it's terrible. We hate it when someone says you're insecure because you didn't meet this requirement in this standard, which may or may not be a security thing. But because of problems like this, because no one's checking what people are doing and implementing security-wise, compliance has become something that we're going to have to deal with as long as there's a threat. And as long as there are developers like we should be, who only do what we're supposed to do or are told to do, right, then compliance, holding our feet to the fire with some type of standard and assessment, is going to be important.

So the Risk Management Framework attempts to kind of take that away by saying okay, you know what, we're going to try to stop this thing. First of all, we're going to evaluate you based on risk: so what's the impact level of your system? And if you have an RMF background you're familiar with that; it's probably already triggered in your head, like the FIPS 199 what's-your-impact stuff. And even those categories are really broad; it's hard to figure out what the heck the risk is, like low, moderate, high; there's a lot of latitude in between those low, moderate, high system things; it's hard to quantify. But the drastic shift was: we're going to stop the once-and-done thing. We're going to say okay, we're going to have periodic reassessments, but also you're required to build in this monitoring of your security as part of the cycle, part of the software cycle or the accreditation, whatever part of that, whether it's at the system or application level; that has to be built in. And then additionally, when you get to authorization, you have to have a strategy for how you're going to do that; there has to be some way you demonstrate how you're going to take that security state now and maintain it going forward.

Yeah, I want to say too, so that's kind of the segue from DIACAP, from the prescriptive, not really looking at the system or level-setting what the system does, to RMF. Even though you maybe don't have to follow that compliance or follow RMF,
our hypothesis is that RMF is a solid thing, right, especially if you're looking to move to DevOps; following this process, the six-step process that we're going to go over today, is a positive thing.

Give me stuff faster, right. You guys have seen that Dilbert where the boss comes in and he's like, I saw this thing I was reading on Agile, and it says that I can do so much code with like one programmer and we can get rid of all of you guys. Isn't that what people hear with DevOps? I can deploy in like 30 seconds; I type a line of code and it's pushed to production automatically. But as an aside to that, often what gets left out of the discussion is the security of the deployment pipeline. And to be honest, working on the security side, I think when developers hear this, in terms of developing code in a DevOps environment, they think: I can build insecure stuff faster, right? I can get it out really fast now. I mean, sure, we can fix things fast, but often, by not considering security in the first place, we're just getting to production insecurely faster. I saw a lot of headshakes when you said that.

So once again, to the manager-speak, right: there are plenty of synergies here, we're giving them out today. There are a lot of synergies between the RMF and the DevOps cycle, or the continuous delivery pipeline. And in this graphic here you can see the white text is the DevOps pipeline, and the black text is the RMF process, which is a six-step process starting with categorization of the data, the selection of controls, the implementation of controls, assessment, authorization, and monitoring. I'll let you read the other ones. I don't know if this one or the RMF meme is probably the one... I mean, I don't like "synergies", but go back to work and tell them we talked about the synergies we're going to provide. Really what we're trying to map out or portray is at which phases of the process you can map this to automation. And we tried to kind of talk about: okay, if you're a DevOps shop and you were looking for a security standard, you're like, okay, we want to build security into our development process, what would that look like if we wanted to use RMF for that? It's kind of hard to try to dual-purpose it, but I think there is some value there. And I think, if you're looking for a standard of compliance that is kind of ubiquitous across many different regulation standards or compliance regimes, that would be a good one. But I think the priority that we're hoping to bring forward is that for a government environment, or for someone implementing according to that standard, DevOps provides you a lot of latitude in the management of efficiencies.

Just real quick, the thought too about DIACAP, maybe what we should talk about too, is that the entire process, if you have ever been involved in it, is such a painful thing, where literally you could add 50 to 75 percent to the bottom line of what the code and the infrastructure should cost to get it an ATO under DIACAP, right. And the idea with RMF is it should be cheaper.

So the first phase of an RMF environment is categorization, and that's that idea of: hey, just how important is this system or application to my organization? And one of the problems here that's going to jump out, at least it jumped out to me right away, is when you start talking to people about okay, we need to secure our critical information: where the heck is the critical information? Does anyone know? You start asking around: okay, where is the proprietary data, if you're in the private sector, where is the financial data, the health data, where is the classified data? Like, they say there's a sensitive data hole and you can put it all in there, so you can just pull it out and secure it in one spot, but it's not like that, right; it's all over your network, and it's usually not segmented correctly in terms of protection. But that's one of the hard parts of this initial process: figuring out where the heck the stuff is, so you can even attempt to secure it.

Now, if you're looking at it from an application level, the first thing you want to figure out is: okay, if you're coming at this blind or blank-slate-wise from automation, and you're saying okay, we don't have any automation, then to get there you're going to want to start trying to figure out what the heck your automation is going to look like in this space. From the RMF perspective, from that process, you're just saying: hey, is this worth it, what's the impact, let's move on from that and start looking at what controls we want to apply to it. But if you're actually trying to automate stuff, you want to say okay, how can I start building these automation baselines, or how can I figure out where automation applies and how it best applies, early on in the process.

So over the past I don't know how many years, we've done a lot of assessments of third parties, government agencies, small to medium-sized businesses, and one of the first questions when you go in is: how's your network set up, have you categorized your data, do you know where your data is at? And I can't say 100%, but I would say well over 95% of the organizations really can't answer this. Hopefully, by implementing this process, this categorization phase will be something that would be a no-brainer. And obviously, you know, if you didn't have users this would probably be easier as well.

And of course the key takeaway, because I know it's hard to get anything out of listening to someone talk at you like this, so we'll identify a key takeaway from each step. The key takeaway here, when you're building something new or trying to get something accredited, or just out to production, because in the private sector that's kind of what it is, right, is: think about what the impact of the data is, and then how that relates to how it needs to be secured. Because that's the real question we want to ask ourselves, with all the other fluff aside; that's really what the key is: okay, what's it going to do if it goes down? Even if it's from a non-malicious cause, the developer accidentally shuts off the web service, it's still down, right. So how does it impact you?

And so part of that design phase, where you can really set yourself up for success on the later phases where you're going to do some heavy automation, is figuring out what the key changes are. So in the government you have approvals; it's like an approval-palooza, right: everybody has to approve this, this has to be approved and signed off on. So identify those areas or things in your process where someone has to approve it, so you can build automation to meet those goals. Like, if there needs to be an approval process, and this is something that Frank and I worked on not too long ago, the idea was that we want to make sure that before code goes into another environment, someone making a decision, who may not have intimate development knowledge of what's going on, gets the information they need to make a yes or no decision on whether that gets propagated or pushed to the next phase or into production. So, thinking about these ideas: okay, what are the critical areas of this, what needs to be decided on, and how do I give them that information?
And then we had a recent experience where we were working in an RMF environment for the government; this goes back to the government always being efficient, right. We needed to get a laptop accredited at a secret level. So we went through the process; I mean, the hardening things are not that difficult, so that's some of the things we volunteered to do. But the cost of accrediting a single laptop, which was about $800, like an i5 with six gigs of RAM, just standard stuff, was seventy-five thousand dollars of labor. That's a true story. You're not going to believe this, but $75,000 for a $700 or $800 laptop, or maybe a thousand dollars because the government bought it, I don't know. And you wonder why there's the two-thousand-dollar hammer. So not only was it 75K, it would have taken six months, yeah, to get a laptop approved.

So, selection: okay, I know what the impact of this data is; so then what does that mean in terms of the security I'm going to implement? And a lot of times in government sectors that's already decided for you: if you're at this impact level, these controls are going to apply, and you have to either show how you've done them, how you've implemented them, or tell us why you didn't do that, right. But in both government and the private sector there's a lot of specialization after that. So say I want to put a Windows host on the network; sometimes the requirements will just be "any Windows box on the network", okay. But there are a lot of things beyond that that really have an impact on what the security profile of that device looks like: is it a DC, is it a web server, is it something that's supporting automation? There are a lot of things that can really drastically affect what that thing should be allowed to do, how you would harden it, and things like that. So a quick way to shortcut some of that, and once again drive your automation, is deciding early on: okay, what are the types of things we have? And then you can start at the lowest level, very easy: Linux, Windows; that's two baselines, right. Linux, Windows... is it Macs too? Hmm, no. Put Macs in; Macs help us with some business, right. Why do we have them? So we can keep those people out. Anyway, sorry. So you have two baselines, or three if you have Macs; you get three baselines; that's the place you can start with.

That's maybe where the business questions come in that affect the security, or the functionality, which is what your users and your developers care about: the functionality of that host. And in this situation, the data impact, the second question there, goes from, you know, if there's a breach or disclosure of information, whether it would significantly impact the organization or agency, where moderate may have some significant impact, loss of money, and then, depending on the industry that you're in, high would be something along the lines of loss of data could be loss of life, right. These are the NIST standard, right; if you follow the NIST stuff, these are the NIST definitions, but you could come up with your own if you don't use these. So the key here, once again the takeaway, is having an idea for yourself as an organization, whether it's RMF or whether it's 800-171, which is really a boiled-down version of those massive 800-53 standards, figuring out what you want to do as an organization to define what looks good from a security perspective. Okay, I have a DMZ e-commerce application; you might say, you know what, I'm losing money every second that thing has a problem, therefore that's a high system to me, right. Military or DoD, they don't care about that. But once again, it really comes down to defining at an organizational level: okay, how are we going to secure things, and then how do we want to standardize that across the board. Now you can do that and build all that yourself, but there are a lot of frameworks out there; you could probably just pull one in, pick and choose a little bit, and start from something like that. I think the key takeaway, once again, is just defining something at an organizational level that says okay, this is how we're going to define security, low, moderate, high, whether it's by payment processing, where the data is, or the classification of what it processes.

Now one of the cool things as we were working on this, well, not that it's a cool thing, but as a geek it seemed like a cool thing: the SSP, the system security plan. Aren't they a blast, right? Isn't it great, just updating Word documents? And Scott was telling a story about the consultants: yeah, they got paid by the pound, right; the more paperwork there was, the more pay. That's a true story: they would think that if they filled up
the system security plan, you know, just like when you were in high school, with that thick thing nobody would even read, it had to be secure when it's that thick. Yeah, okay, paid by the pound: it's a thousand pages, it's got to be good.

Okay, so the key here, and I'm going to read my slide, sorry, back to the SSP part: treating compliance and security activities as another part of the development process. So instead of having, okay, the security guys over here doing some security stuff, and then you've got your dev guys over here working on the important stuff, right, and then, as we're seeing sometimes, especially in the private sector, "what, are you going to turn off my money-making machine or slow it down so that I can put security in?" Anyway, put it all in the same bucket. And then, based on your common controls, okay, we need to implement this, we need to do this: when you do that, establish user stories or backlog items or tasks, however you track them internally, in the same bucket as the development effort. So you say okay, I'm developing on this product; here are my security tasks, here are my development tasks; they're in the same bucket, they have to be prioritized along with all the other work, so you can kind of see where things are.

Now here's the cool thing about it, or why I think it's cool: if you make your security controls tasks or stories, then as you implement those things and check things in against those tasks and stories, you have a couple of things. First of all, to an auditor, and we all have auditors, just like compliance, right, you have a trail from what you've done compliance-wise, and you've tied it directly back to code and work changes that have been checked in or done in support of that task. And going back to the SSP: what you have now, if you log into your task tracking tool and say, hey, what's my security status, pull out the security-related items, what is the completion status on all of those, you can get a very quick assessment of where you're at, as part of the product development lifecycle, or even later on after it's been fielded, where you're at compliance-wise. You can see what's been checked in and what remains to be done because of sub-stories and tasks. And then, finally, exporting that out is a thing called an SSP, because you have what you said you're going to do, what you've done, and the check-ins. And hopefully the developers, because all of us developers write really great check-in comments, right, so if you have good comments there, then you have what you've done technically also in the same thing, which, when you export it, creates an SSP, because you outlined those tasks as part of the security controls.

Oh, and the tailoring, going back to the questionnaire, sorry, I kind of flew through that: some way of saying okay, what do we do that's a little different? Because everyone does something a little bit different industry-wise, or organization-wise, or maybe you yourself do something a little bit different, but you want to be able to figure that out and then make it a process you can actually automate. Automation is key.
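The controls-as-backlog-items idea just described, carried through as an added example; this is not the talk's or CTC's code. It assumes a task-tracker export where each work item is tagged with the NIST SP 800-53 control ids it implements and lists the commits checked in against it; the items, commit hashes and the selected control set are constructed sample data.

```python
"""Trace security controls to backlog items and export an SSP-style status table.

Added example, not from the talk or CTC. It assumes a task-tracker export in which each
work item carries the NIST SP 800-53 control ids it implements and the commits checked in
for it. Every item, hash and control selection below is constructed sample data.
"""
from collections import defaultdict

# Constructed baseline: the controls selected for a hypothetical system.
SELECTED_CONTROLS = {
    "AC-2": "Account Management",
    "AC-7": "Unsuccessful Logon Attempts",
    "AU-2": "Event Logging",
    "CM-6": "Configuration Settings",
    "SI-4": "System Monitoring",
}

# Constructed tracker export: security work sits in the same backlog as feature work,
# tagged with the control(s) it satisfies and the commits checked in against it.
BACKLOG = [
    {"id": "PROJ-101", "title": "Lock account after 5 failed logins", "controls": ["AC-7"],
     "status": "done", "commits": ["a1b2c3d"]},
    {"id": "PROJ-102", "title": "Ship auth logs to SIEM", "controls": ["AU-2", "SI-4"],
     "status": "done", "commits": ["e4f5a6b", "c7d8e9f"]},
    {"id": "PROJ-103", "title": "Alert on failed-login threshold", "controls": ["SI-4"],
     "status": "in_progress", "commits": ["0a1b2c3"]},
    {"id": "PROJ-104", "title": "Puppet baseline for web role", "controls": ["CM-6"],
     "status": "todo", "commits": []},
    {"id": "PROJ-105", "title": "Add dark mode", "controls": [], "status": "done",
     "commits": ["deadbee"]},
]


def control_status(backlog, selected):
    """Roll the backlog up to one status per selected control.

    'implemented': every item tagged with the control is done.
    'planned':     only todo items exist for it.
    'partial':     any other mix of done / in-progress / todo.
    'gap':         nothing in the backlog claims the control at all.
    Each entry also carries the item ids and commits that form the audit trail.
    """
    by_control = defaultdict(list)
    for item in backlog:
        for cid in item["controls"]:
            by_control[cid].append(item)
    report = {}
    for cid in selected:
        items = by_control.get(cid, [])
        if not items:
            report[cid] = {"status": "gap", "items": [], "commits": []}
            continue
        statuses = {i["status"] for i in items}
        if statuses == {"done"}:
            status = "implemented"
        elif statuses == {"todo"}:
            status = "planned"
        else:
            status = "partial"
        report[cid] = {
            "status": status,
            "items": [i["id"] for i in items],
            "commits": [c for i in items for c in i["commits"]],
        }
    return report


def untagged_work(backlog):
    """Items with no control tag. Fine for features, but worth a glance in review so
    security-relevant work does not land without its trace back to a control."""
    return [i["id"] for i in backlog if not i["controls"]]


def export_ssp(report, selected):
    """Render the roll-up as the implementation table an SSP would carry."""
    lines = ["Control | Title | Status | Evidence (items / commits)"]
    for cid, title in selected.items():
        r = report[cid]
        evidence = ", ".join(r["items"]) or "none"
        if r["commits"]:
            evidence += " / " + ", ".join(r["commits"])
        lines.append(f"{cid} | {title} | {r['status']} | {evidence}")
    return "\n".join(lines)


if __name__ == "__main__":
    rep = control_status(BACKLOG, SELECTED_CONTROLS)
    print(export_ssp(rep, SELECTED_CONTROLS))
    gaps = [c for c, r in rep.items() if r["status"] == "gap"]
    print("\nControls with no backlog item:", gaps or "none")
```

The "gap" status is the part worth watching: a selected control with no item behind it is exactly what an assessor will ask about first.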
Implementation: this is the hard part. So you've got a common set of controls, right, you've been working hard, you've talked to your managers, they forced all those developers to do these things for security, or to agree to do these things for security, you've got an idea of the impact of all of this to your system, and now you're ready to say okay, let's start writing stuff. So this is really the hard part, it really is, because especially if you don't have an automation background or support, it's going to be difficult; you're starting from ground zero, square one, pick your metaphor. But you really have to figure out: okay, how are we going to automatically make all these things work? So you're going to heavily rely on your development staff and your IT support staff, and they love security, they love getting security tasking; it's much further down their list than their projects. But anyway, it's a big change; it's really going to be finding a tool, picking what's right for your organization in terms of automation, and then getting to work.

So one of the critical things here that we've discussed several times is that this also helps with keeping scope, image scope, right: you're able to control the things that go out, and hopefully hide the security from the developers, so before it gets to the developer things are built in, and your dev VMs or whatever are the same as what you're flowing into operations. And then just picking those items of security, hopefully by priority, of what you've identified as problems or security controls you're going to meet, picking those off of that backlog or story list, or the JIRA issue, whatever it is, and then moving forward with them. Trying to prioritize that by criticality is important, especially when trying to keep up with the speed we're hoping you're going for in development and operations.

So once again, a good question to ask here is: what's the goal of the control? Because a lot of times that's what gets lost in compliance versus real security, right: they want to do what it says on the paper without understanding the reasoning behind it, or sometimes the paper is just a stupid idea. I mean, it's not like there were Martians that came in and dropped off these perfect compliance standards, right; people develop these and sometimes they're not very well written, they don't really reflect real-world security very well. So the key, though, especially on the private side, if you're not defined by compliance as we all are in the government, is you want to make sure that you're developing controls with the goal in mind. So, automating notifications, like, what questions about what is the right way this should look? For example: website up, right? Can I ping it? Good. How many times have we had sites go down and no one knows it went down? It wasn't even malfeasance by anyone; it wasn't the Russians, it was people from West Virginia. Yeah, I joked, I said I think I'm here... I had to wear my farewell West Virginia shirt. I really tried to think of Pitt jokes but I wasn't sure. Yeah, he couldn't think of any Pitt jokes, but if you want a Mountaineer joke, I have my teeth left; I'm at the end, yeah.

Okay, so then once again, just making sure that you're thinking about the security aspect from what the purpose of the thing is, because the goal here is not to get to compliance, right; the goal is to maintain compliance, to maintain a secure state throughout the lifecycle, until you turn that server off. You want to know what's going on and when it goes wrong, whether it's a security problem or whether it's, like I said, when it's down, it's down. It doesn't matter what caused it to be down, it doesn't matter what caused the DDoS, whether it's your application that's got screwed-up request frequency or whether it's someone actually DDoSing it, right. Down is down. So the key out of the implementation phase is making sure that you have a desired good state, whether it's Puppet baselines or any of the other automation tools. I keep saying Puppet because we use Puppet, so I try to make it agnostic, but I'm sorry. [crosstalk] Yeah, yes. So just a desired good state: what's good? If you know what's good from a technical perspective at the end of this phase, you're on the right track. Hey, I'm agnostic, yeah, about other automation tools; I'm trying to prove that I'm not Puppet-only, I'm agnostic. What happened to your meme game here? Sorry.
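The "desired good state, and tell me when it's wrong" idea from the implementation step, carried through for one control as an added example that is not the talk's or CTC's code: it evaluates constructed sshd-style auth log lines against a failed-login threshold, the same kind of check the talk brings up again in the assessment step. The threshold, the time window and the log lines are assumptions.

```python
"""Threshold alert for failed logins: one automated "tell me when it's wrong" check.

Added example, not code from the talk or CTC. It parses constructed sshd-style auth log
lines and raises one alert per source address whose failed logins reach THRESHOLD within
WINDOW seconds. Threshold, window and the log lines are assumptions, not the talk's numbers.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy values; an organization would take these from its own baseline.
THRESHOLD = 5            # failed attempts that trigger an alert
WINDOW = 300             # seconds

# Constructed sample log (syslog-style; sshd omits the year, so parse_failures supplies one).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 4120 ssh2
Mar  3 10:00:04 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 4121 ssh2
Mar  3 10:00:09 web1 sshd[2203]: Failed password for root from 203.0.113.9 port 4122 ssh2
Mar  3 10:00:15 web1 sshd[2205]: Accepted publickey for deploy from 192.0.2.10 port 5001 ssh2
Mar  3 10:00:20 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 4123 ssh2
Mar  3 10:01:02 web1 sshd[2209]: Failed password for root from 203.0.113.9 port 4124 ssh2
Mar  3 10:02:30 web1 sshd[2211]: Failed password for alice from 198.51.100.7 port 6001 ssh2
Mar  3 10:30:00 web1 sshd[2213]: Failed password for alice from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(text, year=2024):
    """Yield (timestamp, user, source) for each failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["src"]


def threshold_alerts(text, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failures per source address.

    Returns a list of (source, attempts_in_window, accounts_tried) for every source that
    reaches the threshold inside the window. One alert per source, raised on the attempt
    that crosses the line, so a sustained brute force does not produce an alert per line.
    """
    recent = defaultdict(deque)        # src -> timestamps of failures still inside the window
    users = defaultdict(set)           # src -> account names tried from that source
    alerted = set()
    alerts = []
    for ts, user, src in parse_failures(text):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(q), sorted(users[src])))
    return alerts


if __name__ == "__main__":
    for src, n, tried in threshold_alerts(SAMPLE_LOG):
        print(f"ALERT: {n} failed logins from {src} within {WINDOW}s "
              f"(accounts tried: {', '.join(tried)})")
```

In the sample data only 203.0.113.9 crosses the line; the two failures from 198.51.100.7 are 27 minutes apart and never accumulate inside the window, which is the case a naive total count would get wrong.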
I'm sorry so then the assessment part and this is where the bang for the buck comes in because if you've done your if you die all these other steps right if you built the automation correctly to say ok what's the correct state tell me when it's wrong I mean the assessment portion is looking what you've got I mean it tells you when there's something wrong now the evidence there is you may need there are some things you may need to go look at it say okay I'm gonna check this because the auto wants to see config file off of something but the state of your application if you're going with baselines if you've tailored them
correctly to the functions of the server's if you're look if you've done that with the goal of these in mind the goal of security in mind and the goal of the control saying okay what's the object of this okay what's my good state okay how do I meet that good state is this the side up yes down I want to know if send me an email is am I getting fat logins had to reached my regulation to find threshold send me an email and through this you can then how do you said that work yeah get the Dynamis eyes I ever saw the famous eyes yeah my isms yeah okay so you know how to make some pride you some really great
stuff in, because we all like going out and running the same manual web application scan or whatever it is against applications when they come through the pipeline, right? No. So something that, the goal would be to have these things assessed as much as possible as part of the, I'll call it the continuous integration pipeline. So the goal is to have, so when code is checked in, have a scan run against it and then produce the results of that scan as part of the merge request or ticket or whatever you're going to use to get to the next level, so that you have the information you need to make the decision. You have the trail,
the information linkage to the check-in, and then you also have the security data that, once again, you wouldn't have had, because even when you run manual scans, what you have to do, they're gonna be stored somewhere where you can get to them, often within your sent items, and then your organization's archive policies are like one year long, and then who knew, like two years later, somebody's like, OK, this thing broke, did you scan that for that? Sorry. So assessment is really based on how well you've done in categorizing, setting up those controls and then implementing them in an automated fashion. Authorization: this is where you realize all the work that you
put in, or you realize all the work that you haven't put in, especially on automation, because what happens when you're ready to go and you have to prove compliance? What we immediately do: oh crap, I gotta go dig up all this stuff, I gotta figure out what the heck we did to meet all these security requirements that I knew were coming, I just didn't have them in the design phase. So now I gotta figure out how the heck I'm gonna get from, OK, I know I did this, I'm pretty sure I configured it this way, and then you spend a long time. I don't know how long, a long time. Sometimes
it's like six months. Smaller applications, maybe. I mean, spending all that time getting ready or preparing these authorization packages, and people make careers out of authorization packages. Yeah, I think it's what, white-collar welfare. The power of saying no, people just love it when you come through with like some of your documents, their summary documents, not. And I think there's a joy in just wrecking people's world because they get good at it, they can't... Yes, very fun, very fun stuff. So what's acceptable? That would be the point. So once again, not tailoring this to an RMF government audience, like what is acceptable to you in your organization for deployment? OK, so then build that first, in step
one, and then just maintain it until you're ready to deploy. Because I mean, how many, now you've done this, like once again the panic mode before you deploy, it's like, oh crap, we have all these things we haven't done, because, in fact, they're not on the development list, they're not on your burndown chart, not any of that, because, I mean, we don't really care about security because it's a negative thing. I understand that, it doesn't provide that, it just gives you the ability to market things. But so build those things in the beginning, and then that part, instead of this massive overhead and scary now... So just a few months ago we were working
with a client, a large client, who went through the process of building out their continuous deployment pipeline through AWS. So they built their, be it something like Terraform or whatever they used, they were building out their AMIs, and they were working with the ops folks so that the dev and ops were together, and they put months of work into it, put in a beautiful identity and access management system, and it went to deploy with the security folks, and the security folks said, you know, you have all of this wrong. So they actually spent, I don't know, hundreds of thousands of dollars, because security was not involved in the authorization, right? So,
yeah, I mean, a more recent example of another project I worked on, once again true stories, sadly, but three years of development and there was no authentication, knowing they're gonna be on a network, they put it on a cloud. Three years of development and no authentication, because they hadn't needed it up to that point. I mean, this is 2018, I don't know. I mean, sometimes you have to wonder, right? But that's something, without thinking about the idea of what it's going to be used for, you sometimes do lose sight of that. Get something out there, a functional prototype, was it a POC or get out, right? Get something out there.
Continuous monitoring. This is it, this is the fun part. So, defining green. What is good? I mean, stuff's up, no one's stealing my stuff, that's good. That's the happy place that we all like to be in. Now, often we're in a happy place and we just don't know that everything's red. We're just, as my dad would say, fat, dumb and happy, no idea that the world is burning around us because we have no visibility. So the goal is figuring out what that good state is and then verifying the state. So you can say green is no alerts or no messages, but if you have no alerting or logging set up, then you can
be just as happy as you can be and you have no idea that you're getting [inaudible], right? But something to remember here, though, also, is on the other end of the spectrum: continuous monitoring doesn't mean that you're checking things every millisecond or something like that, because that's a great way to DoS your own environment, or to give Splunk like a billion dollars for all the logs that you generate, right? But it does need to be at some interval you decided. Hey, how long was this down before it matters? Or how long, for someone having root access or getting added to a privileged group, how long was that a problem? OK, how soon would
you want to know about it? And then starting to define that, and once again verifying it in an automated way. There are a lot of things that sysadmins, and I mean we've done over the years, that just because we don't have time, I mean, you want to go back and check, you want to just sit down and be like, hey, I should run through some logs, see if I see anything suspicious. I mean, right, we hit that goal, it's like I'm sitting there like, hey, you know what, I haven't checked Reddit in like 10 minutes, so I should check that out for the rest of the day, right? Yeah. Well, you go with
your mind like this, this is what I want to do when I want to provide security to my organization, but often it gets lost because there are so many other things competing for your time, attention and resources. That's what kind of job, oh yeah, I wasted one of my [inaudible], I'm sorry. So yeah, so here's the deal with this. Continuous monitoring just means if the application changed, whether your peers did it or whether bad guys did it or whether someone unplugged a Cat cable or power cord somewhere, like how would you know, or what do you want to know about, right? So the things you want to know about, just effectively communicate them to you, to the people
who need to approve those changes, to your team, to management. He said he was gonna say, tell you, I can already lie, he looks like a manager. Yeah. So I already talked about the nuclear fallout thing. That just blew my mind, that was one of, I was like, wow, is this... It was one of my earlier engagements with the government, and it's like, this is really how the government works? Like, you come in, and I think we spent like eight weeks trying to prep this site, a full team of like five people, because it's air-gapped, then you gotta, like, mainly bring updates through a very secure process, right? Have enough that
anything in three years, we're gonna make it very hard for you to update it in the amount of time we need to do it. But I mean, to me that was just the epitome of the old DIACAP process of, hey, we're gonna make this thing secure, we're gonna check you very well right now, we're not gonna talk to you again for three years, and then we're gonna check you then, right? Interesting. And also the idea of a cost to secure being greater than the asset you're securing. It does not blow, and sometimes that's our fault as security people, we're like, hey, you got to do all this stuff, you can't do that, you can't do this, you
guys think it's just like, I have like 10 cents of data on here, and it's not even, if it gets this close, it's 10 cents of data, because sometimes we think, well hey, it's just one social security number, that's all I'm talking about. Yeah, usually that happens when you try to bolt things on at the end, almost always, right? So if you're in from the beginning, obviously, you guys, preaching to the choir, but yeah, the cost is always greater, I think, it always takes longer if you try to bolt it on at the end, and it's usually unsuccessful. They're usually unsuccessful. So the easy button. The easy button would be this, to
me, walking into an authorization meeting having spent like maybe three days or two days gathering the data, the tremendous amounts of information you have from your automation, to prepare your deploy to production or to prepare your authorization package. That, to me, is the easy button, because we've done all this work up front, we've gotten the automation in place, we've identified critical impact areas, we've said, OK, this is what we want to monitor, this is the bad state, this is what we want to know when it goes south, right? That's automated and sent to me. This is how we approve changes throughout our pipeline, where we say, OK,
you, mister government official, don't know a single thing about development, but you do care whether or not you have a CAT I vulnerability in this latest release. So I'm gonna put that in the merge ticket, because I can automate the scan of the software and I can give you the results in the merge request or approval, web approval processes, so you have the information you need to make an informed decision. That decision can be approved and pushed to production. That's a very minimal amount of interaction, but I mean, there's a lot behind it. But coming up on that authorization process, the same thing applies, where you've put in the work to identify the critical
areas of your environment, which parts should be more secure than others, and it's the tailoring process. It's sometimes kind of funny to me because, knowing how I work, so I'm gonna call myself lazy, but like, you know, when they make controls optional, what do you do? Not doing that, right? So the tailoring sometimes, I think, is a little hard to make people do, because it really is like, OK, what's the compliant standard, that's what I'm doing, I'm not doing anything else. But there's a lot of optional stuff where you can make yourself much more secure. It's kind of like multi-factor authentication, I mean, we've done it for
years, but multi-factor authentication, just do it. It's not difficult, there have been products out there for it for two decades. I mean, it seems like two decades, probably not two decades, a long time. Yeah. [inaudible] But if you put in the work and you can come to these, like an assessment thing, an assessment should be only a blip on your radar, but often we have 12, I don't want to say 12, people working in the security department very heavily to prepare for assessments, because we haven't done the work before, because now it's time, well, we got to do the assessment thing again. Whereas
it should be figuring out, OK, we're just gonna gather the information that I already have, maybe pull stuff out of our user stories, out of our task management, export it. I'd love to see, it'd be great, just like click export, so you have your compliance, your controls, the export of that from your user tasks, and you have at least the start of your SSP, probably a good chunk. It's good if you can convince developers to document things. Sorry, I shouldn't laugh at that. We try to document things well but we don't always succeed. Sorry. Any questions? This is great. Like, that means we answered all the questions. Yeah, well, thank you. Yes, thank you.
[Applause]
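The merge-request gate the speakers describe, where an automated scan runs on check-in and the approver only needs to see whether a CAT I finding exists, as an added example that is not from the talk or from CTC. The JSON shape of the scan output, the sample findings, the commit id and the CAT II threshold are all constructed for illustration.

```python
# Added example (not from the talk): turn automated scan output into an
# approve/block decision plus a plain-language summary for the merge request,
# so the approver gets the security data linked to the check-in without
# running anything by hand.  Findings use DISA-style CAT I/II/III severities.
import json
from collections import Counter

# Policy (illustrative): any CAT I blocks the merge; more than MAX_CAT2 open
# CAT II findings also blocks; CAT III findings are reported only.
BLOCKING_CATS = {"CAT I"}
MAX_CAT2 = 5

SAMPLE_SCAN = json.dumps({  # constructed scan output, not a real tool's format
    "commit": "0000000-placeholder",
    "findings": [
        {"id": "F-1", "cat": "CAT I", "title": "Admin interface has no authentication"},
        {"id": "F-2", "cat": "CAT II", "title": "Weak TLS cipher suite enabled"},
        {"id": "F-3", "cat": "CAT III", "title": "Server banner reveals version"},
    ],
})


def evaluate(scan_json: str) -> dict:
    """Return the gate decision, per-category counts and the blocking findings."""
    scan = json.loads(scan_json)
    counts = Counter(f["cat"] for f in scan["findings"])
    blockers = [f for f in scan["findings"] if f["cat"] in BLOCKING_CATS]
    too_many_cat2 = counts["CAT II"] > MAX_CAT2
    return {
        "commit": scan["commit"],
        "approved": not blockers and not too_many_cat2,
        "counts": dict(counts),
        "blockers": blockers,
    }


def mr_comment(result: dict) -> str:
    """Text to post on the merge request alongside the link to the check-in."""
    verdict = "APPROVED" if result["approved"] else "BLOCKED"
    lines = [f"Security scan for commit {result['commit']}: {verdict}"]
    for cat in ("CAT I", "CAT II", "CAT III"):
        lines.append(f"  {cat}: {result['counts'].get(cat, 0)}")
    for f in result["blockers"]:
        lines.append(f"  must fix before merge: {f['id']} - {f['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(mr_comment(evaluate(SAMPLE_SCAN)))
```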