
Hey, my name is Ben Johnson. Super excited to be here today at B-Sides Columbus. Thanks for inviting me to be the keynote speaker. I only wish that I could be there with you all; I was really looking forward to, you know, the after-talk conversations, the networking, maybe happy hours or other things. So unfortunate, but that's the year we have, and 2020 is both forgettable and unforgettable at the same time. But I would love to connect with as many of you as I can on LinkedIn, email, a follow-up call, what have you. And thanks to Mitch and the entire team for all the logistics and
planning and everything else. So thank you, and I hope you have a great day today of talks. If anyone wants these slides, or again follow-up conversations or something, please reach out. You can get me at chicagoben, Obsidian Sec, or bjohnson at obsidiansecurity.com.

So with that, let's just dive in. I wanted to, I think, present a bunch of information today that's useful from a high level, or if you're slightly more on the business side of the house or totally on the business side, or if you're a very technical, hardcore security engineer, hardcore SOC, hardcore incident response. I'm hoping there's material for everyone, and that's kind of the challenge with
keynotes, right? You kind of want to present to everybody and give some maybe interesting thoughts and philosophies, maybe some technical information, all blended. So hopefully I can do that for you today: really talking about how you can think about your overall environment, how you can approach security, how you can hopefully just get better, because let's face it, we're not winning as well as we should be in the cyber war.

So with that, who am I? Co-founder and CTO of Obsidian Security. If any of you ever figure out what a CTO actually does for a living, please let me know.
I feel like I put a new hat on every hour of the day. It could be a deep dive into code with the engineers, it could be talking to a reporter or a Gartner analyst or a security practitioner, thinking about strategy, roadmaps, all the other stuff, right? So just a lot that goes on, but the cool thing is I get to think about security with all of that. We're thinking about SaaS security, cloud security. Previously I co-founded and was CTO of Carbon Black, so I had the fortunate opportunity there to see something go from nothing to about 800 people when I left, and I got to think about malware and
host-based recording, endpoint recording, EDR, and that kind of thing. So really just how do we think about detection and response, how do we think about suspicious behavior from a device or an endpoint perspective, and now I get to do it more from the user or the SaaS application perspective with Obsidian. Prior to all that, I started at NSA. I spent seven years, from 2000 to 2007, in the intelligence community, working with a bunch of different agencies and Defense Department components and different offices and parts of the DoD, that kind of thing. It was awesome. I would have done it for free, but they paid us,
so I guess I won twice, and it was great. Then I got the itch to do something more on the commercial side, which is where Carbon Black spawned from, and now I'm still doing it with Obsidian. But I missed the national security world, so I am fortunate that I got picked to be a technical advisor to the U.S. FISA court. I get to work with judges and legal advisors and a bunch of interesting people on very interesting cases as a kind of technical interpreter. I also love startups, so I'm involved with multiple startups, probably way more than this in terms of informal
discussions and anything I can do to offer advice or opinions or whatever. And, fortunately, in my Carbon Black and Obsidian roles I've gotten to speak to hundreds and hundreds and hundreds of security teams. It could be the best of the best in maybe Silicon Valley, maybe Columbus, maybe New York City, different places that have interesting teams, interesting environments. I've gotten to go all over the world. I'd leave my house for a couple of weeks and go all over Asia trying to sell product to, I don't know, MSSPs or security teams in Thailand or wherever. It's kind of different than doing it here, right? But I get to learn a lot, I get to
absorb a lot. So having said all that, there's going to be a lot of material in this presentation, so I hope some of it resonates with you.

And with that, what's the goal? I typically tend to have a slide, maybe even this exact slide, in every presentation I do. Today's goals: it's really just one goal, which is I hope you walk away with a feeling that your time was well spent. But if we break it down a little bit, I want you to have some reflection. I want you to sit here and get some forced reflection time. Now,
typically it's a little bit different because you're in a conference or at a summit or something like that, so it's like, hey, shut out the email, forget about all the fires, all the other stuff, get some reflection time. I know it's a little different, you're probably sitting at home, but still, can you get some reflection, forced reflection? And then can you think, can you ponder, can you contemplate? Hopefully some of this stuff leads to that. And then finally, what good is any of that if you don't actually remember some stuff, right? So hopefully you walk away with some things to remember. And again, if you want to get these slides or have follow-up conversations,
would love to have that. So having said all that, I haven't even started and I'm already like six minutes in. What are the challenges? Now, we have a lot of challenges. We start on the inside first, sort of the internal view. Your surface area, what you're defending, is exploding, is expanding, especially in 2020, right? I mean, we're already on this cloud migration journey, really as a globe, but certainly most organizations, and then the rapid acceleration and adoption of new technology from the work-from-home, work-from-anywhere type policies and realities just means your surface area today looks quite different, probably, than it did a year ago. Maybe not, but
either way there's more stuff to defend, right? But we're good, right? Like, we should be good. Look at all this stuff we're doing. We're doing architecture reviews, we're writing RFPs, we're going to meetings, we're troubleshooting, we're doing help desk, we're doing HR work sometimes, like, "go get me all the events that this person that's being terminated did before they walked out the door." Now, I'm not saying any of that is bad, but what I'm saying is look at all the stuff we're doing, and somewhere in the middle here is strategy or operations or that kind of thing. So I know we have a lot on our plates as security teams, and then if you go beyond that there are
some challenges, some real challenges. I've been reusing some of these slides for years and I think they're still relevant, still accurate, because things just don't get better that fast. First and foremost, a skills gap, whether it's a lack of talent in the talent pool, or maybe it's poor recruiting, or misalignment between the available skill sets and the requirements, right? Everyone likes to joke that you need 20 years of Kubernetes experience or some of these other things that are only a couple of years old, and yet you see job descriptions saying you need a lot of years of experience of something that doesn't make sense. Either way there's a gap. Like, I see so
many teams that are trying to hire, trying to find people, and that kind of thing. Secondly, this notion of deploy and decay: over time our environments, our tooling, our detections are actually getting worse rather than getting better. Sort of by default they're moving into decay, so we need to come in and correct those. And then you have attacker successes, whether it's someone getting into your environment, ransomware, just run-of-the-mill malware, maybe a more sophisticated breach, maybe you just see it on the news. It's tough, because you just see that there are a lot of people kind of against you, or at least not with you, and so that's not
necessarily a pro, it's more of a con here, right? It's hard. And then there's a ton of data. Like, you click a button these days and it transfers a terabyte of data from one part of the country to another part of the country, or even out of the country. So there's a huge amount of data. What I've seen is this often adds up to a lack of cyber self-esteem, or just sort of, "hey man, what can we do when the odds are kind of stacked against us?" And we kind of need that Sesame Street after-school special to say yes, we can do it, we can make
positive change or an impact on risk reduction or whatever you want to measure yourselves by. So maybe that's what this talk is, the after-school special. But we have a lot of challenges, right? And then you start to think about things like cloud and this migration to cloud, and often I hear that executives or the business side of the house don't realize that you all, or we all, are still responsible for security in the cloud, even if AWS or Microsoft or whomever is responsible for security of the cloud. So just because you outsource maybe more of the IT or compute side of the house doesn't mean you're necessarily getting rid of
your security obligations. And then you multiply this now that clouds talk to clouds, apps integrate with apps, and so you might lock down OneDrive and yet someone integrates with Slack, and Slack isn't as locked down, and now you have quite a vulnerable situation, or just an opportunity for data leaks and such. So things are moving fast, business is moving fast. That's kind of the whole point, that's what we want: to enable innovation and that kind of thing. But it doesn't necessarily make our lives easier. And then when we think about what real teams are actually saying, and I'm guessing you all have stories like this,
these are just quotes that I'm hearing, like "IT is going from zero to 100 into the cloud and leaving us in the dust," or "we're blind to these new accounts," or "50% of our engagements are now cloud" from an IR firm, or "you have a whole bunch of accounts and no governance," that kind of thing. So there's just a lot going on, and this is all just internal. I haven't even talked about the adversaries too much yet, right? So I get it, and hopefully we all are here together to help discuss and share tips and techniques and knowledge and referrals and everything else, because there's a lot that the businesses are
doing that isn't necessarily making our lives better, and that's part of the talk today: how do we maybe influence that a little bit, right?

So what would a talk be without maybe a threat landscape slide, right? And someone somewhere is probably drinking every time you show a slide like this. I know those games. But if we think about it, breaches are accelerating, and you can see I haven't even necessarily updated the slide in a few years because it doesn't really need to be updated. There's just a lot, and we've kind of passed the point of no return where there's enough adversarial success, or
nation-state attacks or whatever, that we're not really going back. They're having enough success making money or stealing IP or whatever. So this is reality: the internet is now a war zone, so we have to think about that, right? And if you even think about the headlines from last year, there's just a lot, right? A lot of stuff going on. We probably have breach fatigue, headline fatigue, pick your buzzword, but we're seeing a lot of stuff and we're sort of desensitized to it. Recently there was the Twitter breach, and I think Garmin just paid, what, 10 million bucks for ransomware because it basically
halted a lot of their operations and such. So this is literally just in the past month, so there's a lot. And so when we think about who our adversaries are, I wanted to put a slide in like this because I do think we need to think about who we're up against and what they're after, what's their motive, right? You can break this up in different ways yourself, or figure out how you want to best do risk modeling or threat modeling or these other things. But first and foremost, you have to worry that there are people out there that literally don't care who you are. They just want access to maybe your data,
maybe your compute, maybe your identity to send out spam as you or do business email compromise or whatever. But they're just trying to make money, and money, as you know, is quite a motivator, especially when a little bit of cyber attack work maybe makes you more money from that attack than working a legitimate job would in a year, something like that, right? Especially in some of these other countries. So you have these opportunistic cyber criminals, and then you have kind of opportunistic but a bit more targeted hacktivists, who maybe don't agree with you, don't agree with your positions, your stances, your political donations, whatever it is. You have to worry about people who aren't necessarily there
to steal, they're just there more to disrupt, right? So you have to think a little bit more about, hey, this isn't necessarily just about loss of information or data or exploitation of compute; it might actually be denial of service or degradation of service of whatever you're trying to do, right? Slow you down in terms of productivity or the service you offer. And then you have the nation states, which quite frankly are doing everything. They're actually even making money sometimes to try to fund military and such, but they're probably more likely after IP, or lists of users; maybe some of their citizens are in your database
for whatever reason and they're trying to figure out some information. So you've got to think about that. And finally, insiders. The reason I put this whole slide together, really, is because of insiders. The first three, criminals, hacktivists, nation states, what are they trying to become? They're trying to get insider-like access or employee-like access. So maybe you trust everyone, maybe you vet your employees very well and treat them well and have very low risk when it comes to a malicious, true employee insider, but what can their credentials do, what can their access do if someone just gets them with a phishing attack or whatever, but then, instead of
sending spam or whatever, uses that to pivot into other credentials, find some SSH keys on their box, log into the server? What can they do, right? So you have to look at everyone in your environment not necessarily as Joe or Bob or Mary or whomever, who are maybe amazing people, but what can their access, what can their credentials do? And don't feel bad thinking that way, because it's truly like: disconnect the human from their access. You've got to think about what the insider access can do, but you also have to think about your people and making sure you're not creating a lot of insiders as well. And by the way, insider attacks
do seem to be a bit on the rise this year, with lots of layoffs and uncertainty and the anxiety of 2020 and all the other stuff that's going on in the global climate. So please be careful there as well.

So we just talked a lot about the human factor, but when we think about some of these challenges, one of the things I like to call out is that defenders are often defending infrastructure, but attackers are attacking humans. Like, the attacker is trying to get into the CEO's laptop, the CFO's financial spreadsheets or whatever, but the defender is thinking about IP addresses and subnets and other stuff. It's a little bit misaligned, so I think
we've just got to think about how we align a little bit better there. And then there are mistakes, and we just talked a bit about insider threat. One thing I'll throw out there is that a lot of times, if you can just log in rather than use some cyber super weapon or zero day or non-public exploit or whatever it is, you're going to try to go the access route, because you're just logging in; you're not potentially throwing away this 10 million dollar tool or whatever. So think about access and logins, and then maybe think about zero days and stuff, because
why do this crazy operation if you can just walk through the front door or try password123 or whatever, right? So we've got to think about that. The other thing, and then I promise I'll actually get to more of the meat, this is just setting us up, so hopefully you're still with me: I saw this in a TED talk about health, actually, but I thought this applies so well to security and IT: the absence of disease does not mean health. Talk to your team, talk to your board, talk to your executives, whomever, business leaders: just because you're not on the front page of the news does not mean you're healthy, does not
mean you have good information security. So you have to take that step back, like, are you doing the equivalent of healthy eating and exercise and getting your checkups and all the other stuff? Because if you're not, you know that there's stuff brewing down there. There's tech debt, there's risk, there are holes that are not being patched. So just think about that: the absence of disease does not mean health, right? And maybe you can pass that along to your team.

Approaching security. How do we start to take all of this stuff that we need to combat (we've mostly just talked about things we need to combat), how do we go
about even trying to tackle this stuff, right? Well, first and foremost, I'm telling you we can do better. Maybe again I'm on the Sesame Street special, but we can do better. In some ways we are doing better, like, things have gotten better, but the adversaries have also advanced too, right? So we're not done. It's not enough. In some ways it could get worse: this explosion of devices, explosion of data, right? Talking about all the vaccine research and everything, and clouds, and people trying to hack each other and take out hospitals and stuff. So this is not going away. You all are going to have jobs, and we need to do the best we can, and
we need to raise the bar, right? And we can do it. Of all the teams I've talked to, and this might even be a higher number now, like 800 companies all over the world, I try to boil it down, and maybe you all have a better way of describing the difference, but to me it's a kind of simple difference: do you try to hire a team, do you try to build a team, that is more "I'm going to plug you in with a tool and you're going to look at reports and alerts and be an analyst in the pure sense of the word," or am I going to take my resources, take
my technology, take my data feeds, and step back almost like, excuse me, a product manager or service provider and say, how am I going to build, how am I going to engineer the optimum way to reduce risk, especially information security risk, in my environment? The teams I see that are better, and quite frankly a lot of times it starts with just having software engineering skills on the team, but the teams that I've seen do better, and it's not a zero or one proposition, there are good teams on both sides, but in general, if I walk into an environment and the mindset is much more of
"how can we build and take the output of this and shove it into this and enrich it with this and tie in this threat feed and this open source intelligence and all this other stuff," that's a better team, just in general. So if you're not doing that, that's okay, but maybe you can do more of that, and if you are doing that, again, how can you maybe do more of that? How can you stitch things together and have that engineering mindset?

Now, speaking of mindset, I want us to shift our mindset. I want you to shift your mindset if it's not already shifted. Now, what often happens in security, right,
is we're supposed to be, I don't know, maybe the offensive line in football, and the ball is hiked and we drop back and we're just trying to take what's coming at us, right? Maybe in the actual corporate world we're a little bit more passive: we just have to react to whatever the business deploys or IT deploys. We think about the environment as if we only have read-only access and events sort of happen to us, right? That's what I see a lot. But can we shift it? Can we be more aggressive, like the defensive line, right? We go after what we want to go after. And you think about the corporate environment, it's
like, can we think we actually have a say here, we actually have a seat at the table to sort of mold or give our opinion and have write access to what's going on? Can we help shape the environment? That's what we need to do, and that's really what this talk is about: how we think about what we can do in the environment to have an impact. And I'm a huge book nerd and my favorite book is Essentialism. I'll put an actual slide at the end for some book recommendations, but it's Essentialism. It's about making the wisest possible investment of your time and energy in order to have the highest point of
contribution, basically how do you focus on the vital few versus the trivial many. Often in security we focus on the trivial many: "oh, I'm just going to get through as many alerts as I can." It's like, did that really make an impact? Or can you tune it a little, or create something more upstream so you don't need all these alerts, and that one thing would have much more impact than just resolving 20 or 50 or 100 alerts? So anyways, where's the best ROI of our time? I want you to think about that as we keep going, right? And again, I'm throwing a lot at you. There's going to be a lot more
stuff. I hope just some of it sticks: contemplation, forced reflection, right? And you can come back and hopefully review if there's anything of interest here.

So what we did as a cybersecurity or information security culture or community is we said we need to slow attackers down. So for the longest time we focused on blocking or locking down what could be done, what's capable of being done against these systems, and that's great. We need to keep doing that. So like, what can I block, what can I prevent? You need to have that, right? You don't want to just say everyone come on in. You need to have
some blocking, some locking down, et cetera. You need to slow attackers down. But we all know, or we should know if we don't, that blocking is not enough, and so really over the last 10 years there's been more investment, more resources shifted to detection and response, because you cannot stop 100% of attacks and threats, right? And so we said, you know what, something somewhere, or the insider or whatever, is going to get through, so we must find things quicker, react, clean up, remediate, et cetera, faster, more efficiently, more effectively. So we said that, right? And so then we did things like orchestration, which grew into this whole market of SOAR and automation, but instead of just an alert
going to a human (and some of this grew out of corporate security teams that had software engineers; they built tools like FIDO from Netflix and some of these others), you get an alert and you say, okay, what device is this, is this the CFO or the intern, do I have any reputational information from my threat feeds? Then all of that data, automatically pulled together and correlated, goes to a human, right? Then the human has a much better opportunity to make a decision, use critical thought, rationale, etc. And then if they want to take remediation action, you have technology that can block, kill, preserve evidence,
reset credentials, etc. But you figure out where it's best for a machine to do it and where it's best for a human to do it. I think that was really a good step forward for cybersecurity. And then also that's not enough to be complete, so then this whole notion of threat hunting evolved, which is: look, regardless of all of my detection capabilities, I'm not going to detect 100% of the unwanted actions in my environment. It could be a mistake, it could be malicious activity, but somewhere there's going to be something that all of my detection rules and tooling do not detect. So that gap between that and the entire totality of
threats and unwanted behavior is the gap that hunting fills: putting a human mind on it, having a thesis or a hypothesis, going after it and seeing, is that correct, is there anything unexpected or interesting, and then if so, is it an actual compromise or threat, and then tuning detections to hopefully get better and better and better. So threat hunting really evolved. We did all this stuff really because what we're trying to do is speed defenders up, right? So we've done a bunch of stuff beyond blocking. So are we good, right? We're good because we did all that? No. We still have employees, contractors, guests, executives. It's not just about the
external attacker, it's also about the insider threat, internal actor, etc., right? And mistakes and all that fun stuff that we all live with probably every day. So what else did we start doing? We started discouraging bad behavior. Now, this isn't all exclusive to either speeding up defenders or slowing down attackers or discouraging bad behavior, but in this case it's less focused on the adversary and less focused on our information security team; it's more focused on the entire user population. You start saying, hey, don't click, be paranoid, don't circumvent us, don't install that. So we start forcing training, we start preaching. We all know how well that goes, right?
That's the stick, not the carrot. Sometimes it's necessary, sometimes it's absolutely effective, but a lot of times it's not enough, and not necessarily acceptable with some of the cultures of the corporate environment, where you don't want to be the person always saying no. And so what we've seen now is this shift of CSOs and security leaders, security engineers, etc., to be more collaborative, more constructive: go to the business unit and say, hey, you know what, I'm still accountable for security. I know you're installing this marketing thing, but I'm accountable, so we need to work together. And so "no" has become "yes, but": yes, you can do
this, but here's the review I need to conduct, or here are the controls I need, or the data I need, the logs, etc. And what seems to be the case out there, and I've seen this and I've heard other CSOs talk about this, is that you have to appeal to the heart. You have to make it more of an emotional thing. So yeah, if someone clicks that dumb phishing link, often it's not that they didn't know not to click it, it's that they had apathy. They didn't care. They're like, yeah, I'm tired, whatever, I'm going home soon, I'll just click this thing because it might be something, even though in their mind it's kind of telling
them this is not right, but they have apathy. So if you can appeal to the heart and get them to care more about why this is making your co-workers safer and better and the company more resilient, that's when you get some change, right? And so what we're really talking about is encouraging good decisions. You need to get upstream, get earlier into the process, improve the SDLC, the software life cycle, procurement, et cetera. So you need to be a partner with the rest of your business, so you enable security risk assessments early. Things are easier and cheaper to correct before deployment. I'm probably preaching to the choir here in a lot of this, but I want to call it
out: we need to be thinking about this stuff. And so if you start to put these pieces together, what we're really saying is, first you want to slow attackers down, because if you don't do that it's going to be chaos. Then you want to speed defenders up, make sure you and your team can do the most with the limited amount of time you have. But then it's like you need the National Guard, you need your company helping, and how they do that is through the discouragement of bad behaviors and the encouragement of good behavior or good decisions, right? And so if you flip this around a
little bit, it's really: slow attackers down, speed defenders up, and in the middle is your user population. It's really about how they can think about security as a default piece of the puzzle, like, how do I have configurations and deployments and that kind of thing be more secure by default? That's really what I mean here. And hopefully you can use something like this, because it's quite easy to explain to the business. It's like, hey, yeah, we're doing this because it's going to slow attackers down, or we're doing this because it's going to speed defenders up, or we're doing this because by default we want a more secure deployment, or a more resilient configuration, or access that
goes away faster so that you don't leak stuff. It's just a good way to think about things, and I think it puts it in a quite simple way of thinking about things.

So, thinking about this framework now, hope you're still with me. I'm on the West Coast, so I started at 6 a.m. But how do we think about this? Well, first of all, you've got to be able to communicate all this, which is kind of the slide I was just talking about: how do you communicate what you're doing, where you're investing, how you're reducing risk, how you're enabling the business while still keeping it more safe, or
safer, and that kind of thing, right? So you've got to think about communication and sort of teamwork. But then if we move on to some of those things we just talked about, slowing attackers down. I think slowing attackers down is often quite easy to wrap your head around if you step back and think about it, right? And again, some of these are quite simplistic, but, you know, single sign-on: can you force all the logins, all the authentications, through a choke point, through a single point? Because then you have a much better place to monitor, to make sure it's configured properly, to see who's logging in, right? Look for anomalies and things like that.
So single sign-on. The more single sign-on we see in our world, me from Obsidian, usually the fewer compromises we see. Then, if you've forced everyone through a single sign-on point, multi-factor authentication is much more obtainable, because you're just basically turning it on for one account, the single sign-on account. And then you need to disable legacy authentication or weak authentication, because some of these systems do allow for methods to get into mailboxes or other things that bypass the need for something like MFA or single sign-on as well. Like, make sure there aren't some backdoor accounts into these systems. And then think about things like anti-phishing or some of the
common attack vectors; the more you can do there, the more you're slowing attackers down, making it harder, raising the bar, right? So create fewer entry points, make it harder to compromise, and then really it's about limiting other attack vectors and reducing the blast radius, right? Like, what could be used once someone's in. And so OAuth application scrutiny, or sort of third-party applications, we see that a lot too. It's actually becoming quite a hot attack vector, because people have gotten better at multi-factor authentication, but if I just send you a link and say, hey, you've been invited to join the brand new Google Drive app, click here, you click there, it
says, hey, do you authorize this to have basically full access to Google Drive? You say yep. You should probably ask yourself why you need to authorize that if it's already in Google, but whatever, maybe that happens, and then they're in. They don't need to log in as you ever, they don't need to get your MFA. They have the token, the token has whatever scopes you granted to it, and they can pull data, read documents from your entire domain or whatever. So you've got to think about that. And things like PowerShell: can you just disable PowerShell? I've been saying this for like six years. Disable it, or just say, hey, look, on Sunday night between 11 p.m. and 12
midnight is the only time PowerShell will run. All of our IT jobs will run then, and then it'll shut off across the fleet for the rest of the six days and 23 hours. Can you just do something like that? I know it's easier said than done, but hopefully you're thinking, hopefully there are thoughts going, right? Like, maybe, yeah, maybe I could at least reduce it to one day a week or something. Same with local admin and stuff like that. Or can you do allow lists, where only certain things are allowed to run, right? I mean, the iPad is kind of the classic example, or an iPhone basically. Yeah, it's not perfect, but it's pretty hard to get
malware into the App Store, and then that's really the only thing that can deliver software, so you basically have a trusted software repository. So it's quite hard to get malware onto an iPhone or an iPad, that kind of thing. So how do you slow attackers down? I want you to think about that: how am I slowing attackers down now?

So that's slowing attackers down; now let's think about speeding defenders up. That really starts with visibility, right? Because by speeding defenders up, what we really mean is they need access to information to be able to investigate, to be able to triage, hunt, that kind of thing. And so I think what you've seen is the
entire industry shifted away from this sort of method of scanning and sweeps and looking for IOCs or binaries or whatever, to continuous recording, whether it's endpoint, cloud, network, other places in the environment. Continuous recording has become quite common and sort of ubiquitous here. But then can you take it steps further? So can you add threat intelligence or reputation information? So, like, yeah, I have a whole bunch of data points or information, but I know some are marked as known bad, maybe I start there, and some are marked as known good, maybe I can ignore that for a bit, maybe ever
and then focus on the middle once i'm once i'm done with those um and then you know maybe prevalence or frequency like hey if something's kind of known bad but happens all over the time all the time maybe i'm really screwed or i have bad thread intel but either way i have more information i can make better better decisions and then finally relationships really help help drive this to a better place where you know is this the ceo or the intern that ran svc host late at night on christmas you know in a strange user context maybe i'm jumping out of bed for the ceo maybe not for the intern maybe still but i have more information
is this just powershell running from a script or is this powershell running that was spawned from word spawned from outlook pretty pretty common attack vector right so if you start having these relationships and such that's where you really start to to get power and start to understand what's you know kind of what's normal and what's not um and you know one thing that that kind of works against us though is this is our it environment so is your it environment is your you know kind of just just overall corporate environment more like the left or the right is are people using gold images you know re-imaging and installing clean you know clean boxes have good hygiene
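The parent-chain "relationships" described above, as an added example that is not part of the talk: a small triage pass over constructed process events that flags a script host descended from an Office app and a service binary running outside its usual user context, while a scheduled SYSTEM PowerShell job scores nothing. Event fields, image names and the scoring weights are all assumptions for this example.

```python
# Added example (not from the talk): triage process events by their parent-chain
# relationships. Event fields, image names and weights are constructed assumptions.
from datetime import datetime

# Constructed sample telemetry: (pid, ppid, image, user, timestamp).
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "corp\\alice", "2020-10-13T09:02:00"),
    (200, 100, "outlook.exe", "corp\\alice", "2020-10-13T09:05:00"),
    (300, 200, "winword.exe", "corp\\alice", "2020-10-13T09:06:00"),
    (400, 300, "powershell.exe", "corp\\alice", "2020-10-13T09:06:10"),
    (600, 1, "svchost.exe", "NT AUTHORITY\\SYSTEM", "2020-12-25T02:00:05"),
    (700, 100, "svchost.exe", "corp\\intern", "2020-12-25T02:14:00"),
    (800, 1, "taskeng.exe", "NT AUTHORITY\\SYSTEM", "2020-10-18T23:10:00"),
    (900, 800, "powershell.exe", "NT AUTHORITY\\SYSTEM", "2020-10-18T23:10:01"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SYSTEM_ONLY = {"svchost.exe"}  # expected to run as SYSTEM, not as a logged-in user


def build_tree(events):
    """Index events by pid so ancestry can be walked."""
    return {pid: (ppid, image, user, ts) for pid, ppid, image, user, ts in events}


def ancestry(tree, pid):
    """Image names from the process up to its root, e.g. [powershell, winword, ...]."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        pid, image = tree[pid][:2]  # step to the parent, record this image
        chain.append(image)
    return chain


def score_event(tree, pid):
    """Return (score, reasons) for one process, judged by its relationships."""
    _, image, user, ts = tree[pid]
    chain = ancestry(tree, pid)
    is_system = user.upper().startswith("NT AUTHORITY")
    score, reasons = 0, []
    if image in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in chain[1:]):
        score += 50
        reasons.append("script host descended from Office: " + " <- ".join(chain))
    if image in SYSTEM_ONLY and not is_system:
        score += 40
        reasons.append(f"{image} running as {user} rather than SYSTEM")
    hour = datetime.fromisoformat(ts).hour
    if (hour >= 22 or hour < 6) and not is_system:
        score += 10  # odd-hour activity by a person is context, not an alert on its own
        reasons.append(f"user {user} active at {hour:02d}:00")
    return score, reasons


def triage(events, threshold=30):
    """Events worth a look, highest score first, as (score, pid, image, reasons)."""
    tree = build_tree(events)
    hits = []
    for pid in tree:
        score, reasons = score_event(tree, pid)
        if score >= threshold:
            hits.append((score, pid, tree[pid][1], reasons))
    return sorted(hits, key=lambda h: h[0], reverse=True)
```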
Can everyone use, like, Spotify and any other app they want, and it clogs up all your logs, all these random processes that are not really trusted or allowed, but it's not really frowned upon in your policy or your culture? You know, I've sat in the traffic on the left on some of my trips, and I don't know who's sort of breaking the law or who's sort of got right of way or whatever. On the right, though, it's quite easy, you know, in a figurative sense: if you see a strange truck or a person or someone going perpendicular, you know, in your environment, when everything's going a certain way, it's much easier to spot, either for a human or, you know, technology and detection rules. So we've got to think about that.

And another thing I want to bring up is, and I'm a multi-time vendor so I can say this: push on your vendors. Ask for features, ask for integrations, ask for training. You know, it doesn't mean they're going to give you everything you ask for, but, like, push on them. You know, just one simple thing is, like, you bought a product a year ago, it's coming up on renewal, has it advanced in that year? If it hasn't, now maybe there's reasons why you need to keep it or whatever, but if it hasn't, ask your vendor why not. What are they investing in? How is it getting better? Is it shifting? Your needs are shifting, the environment's shifting, the adversaries are, you know, advancing. Your defenses need to be advancing too. So push on your vendors, ask for more, and tell them I told you to do that, and they can yell at me.

So thinking about this, I just talked about a bunch of stuff. We're talking about speeding defenders up, so really what we're talking about is, like, you need to give your defenders telemetry, you know, visibility into what's going on in different parts of the tech stack, the environment. They need access. I've talked to security teams where they have to put in a help desk ticket to get access to O365 logs during an IR, and sometimes it takes a week for it to give them the logs. This is during an incident response. It's, like, mind-blowing, but it's reality. So can you make sure you have the right access ahead of time, so when you're investigating, triaging, correlating, doing a full-blown, you know, evidence collection and forensics situation, you have the access you need, or at least you've built those relationships and you've communicated why you need access, or, hey, I might come to you someday and need this, so please quickly grant it to me. You know, leverage the hell out of your tools. You know, push on your vendors, talked about that. Like, we all have tools. You're not using your tools completely, I guarantee it. There's more value in your tools than you are using today. Get more value out of them. Push on your vendors. And then write code, write code, write code. Pretty much every product out there now has APIs or ways you can, like, stitch together information, pull information out, shove it into, you know, just throw up an Elasticsearch instance if you need to, or whatever. But, like, do some engineering work. And then do retrospectives and things like that, where, you know, you're sharing lessons that you learned this week, maybe across companies. Like, it doesn't have to be internally. Tell another team how you operate. It's not just about, like, IP addresses and IOCs when we talk about sharing. It's about, like, best practices, or I hired someone really great, this is how I did it, or I constructed a really great security program that actually enabled my entire company to become my National Guard. Share that. Give a talk at something like this, talk to each other, whatever, but share that stuff. And then can you tune? You know, that constant deploy and decay, we've got to fight it. So are you tuning things, right? So I'm preaching a bit here, but have you added, like, an updated rule or tuned something this week? Got to do it.

Okay, now the other piece I want to talk about, which is, like, the default security. Can you enlist other people in your organization to attend security boot camps, and make it a perk? It's a perfect way to offer, like, a perk: I'm going to teach you how to secure your home router and your kid's Gmail address, and make sure when they play, you know, Minecraft online or whatever, they're not going to bad YouTube sites or whatever, right? We're not talking earth-shattering education here, but we're talking good concepts that help reinforce corporate security concepts that you want them to learn. So can you do stuff like that? And of course teach them about internal things, targeting, what might be going on with your environment, that kind of thing. But get them involved. And, you know, I was talking to a really awesome team in one of the best, most well-known brands in the world, and they said the best thing they've done is they roll in a DevOps person, and then basically they're a full-time security person for, could be a couple weeks, could be even a couple months, and then they roll them back. Now they have a much better understanding of how security works, how to better deploy their own stuff in a secure way, or a way that helps speed up defenders or, again, slow down attackers. And they're, you know, just more of an ambassador. You've built those relationships, that kind of thing. So can you do stuff like that, where you roll in an engineer, or someone from, you know, kind of the other side of it, into security for a bit, and then roll them back out, right? Immersion. That's going to be a great way to do it.

Another thing is access. How often do we give someone access, and then that's it? I gave you access, and by default access never goes away. So this is what I'm talking about when I talk about driving default security: can you flip it, so by default, if you do nothing else, eventually access goes away? It itself has a decay, right? It itself has a half-life, and it starts to go away, right? Because what we typically set ourselves up for is we have to go out of our way to be better at security, rather than having the default path forward just make us more secure, right? So can you counter this, like, identity creep, or, you know, everyone's having too much access, too much surface area they don't really need? So can access have a half-life? You see stuff like, like Slack is pretty good: when you add a guest, you can right away add an end date, and then you can extend it. But that means I had to go out of my way to explicitly extend their access. Otherwise, if I do nothing, if I go on vacation for three months, their access goes away. I'm in a more secure place, at least, you know, in theory. So thinking about that. And then, you know, when you think about, like, other aspects of security in the business, you know, can you establish sort of pre-procurement review? I know people sign up for SaaS quite quickly and quite often. Can you establish a pre-procurement review? Can you create an access review process? Can you have sponsorship internally for guests and contractors, right? Like, how many times have you looked at an account, especially if it's, like, a contractor or guest, and you have no idea who the internal, you know, employee at your company was that asked for them to join?
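The decaying access described above, together with the internal sponsor the speaker asks for on guest and contractor accounts, as an added example that is not part of the talk: every grant gets an end date by default, only the recorded sponsor can push it out, and an access review lists what has already lapsed and what the sponsor must act on. The grant kinds, TTLs and names are constructed for this example.

```python
# Added example (not from the talk): access that decays by default, with a
# sponsor who must act to keep it. Grant kinds, TTLs and names are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Default half-life per kind of principal; doing nothing lets the access lapse.
DEFAULT_TTL = {"employee": timedelta(days=365),
               "contractor": timedelta(days=90),
               "guest": timedelta(days=30)}
REVIEW_DAY = date(2020, 12, 1)  # constructed "today" for the sample review


@dataclass
class Grant:
    principal: str
    resource: str
    kind: str                # employee / contractor / guest
    sponsor: str             # internal employee accountable for this access
    granted_on: date
    expires_on: date = None  # filled in __post_init__ so the default is a decay
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.kind not in DEFAULT_TTL:
            raise ValueError(f"unknown grant kind: {self.kind}")
        if not self.sponsor:
            raise ValueError("every grant needs an internal sponsor")
        if self.expires_on is None:
            self.expires_on = self.granted_on + DEFAULT_TTL[self.kind]

    def extend(self, by, on, days=30):
        """Only the sponsor can push the end date out, and each extension is logged."""
        if by != self.sponsor:
            raise PermissionError(f"{by} is not the sponsor of this grant")
        self.expires_on = max(self.expires_on, on) + timedelta(days=days)
        self.history.append((on, by, days))

    def active(self, today):
        return today < self.expires_on


def access_review(grants, today, warn_days=14):
    """Split grants into expired (remove), expiring soon (sponsor must act), active."""
    expired, expiring, active = [], [], []
    for g in grants:
        if not g.active(today):
            expired.append(g)
        elif g.expires_on - today <= timedelta(days=warn_days):
            expiring.append(g)
        else:
            active.append(g)
    return expired, expiring, active


def sample_grants():
    """Constructed grants: a guest whose sponsor went on vacation, a contractor
    near the end of a 90-day window, and a regular employee."""
    return [
        Grant("guest-vendor", "slack:#proj", "guest", "bob", date(2020, 9, 1)),
        Grant("con-jane", "github:org", "contractor", "bob", date(2020, 9, 15)),
        Grant("alice", "okta:app", "employee", "carol", date(2020, 1, 1)),
    ]
```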
Yeah, maybe there's a ticket in some other system somewhere or whatever, but, like, it's hard to track that down or keep track of it, right? Can you do that? And then, you know, things like single sign-on, that we already talked about, but, like, can each new system just integrate with your single sign-on system? So by default, you know, okay, at least I'm going to see people, like, logging in, because I'm looking at Okta or, you know, Microsoft or whatever, so I can see this new tool, and let's see who's logging in, who's using it. And then things like, we all share files all the time, right, all over the place. Do they have a password? Can you default them to having an expiration date? So by default all those, you know, files that people are sharing, eventually you can't access them, and you don't have to worry about those links leaking out, or stuff like that. And things like mail forwarding: just shut it off. Why the hell do people need mail forwarding? Shut it off, right? So, sorry to get aggressive there, but some things you can do to hopefully just make your systems more secure by default, right?

That's more on the SaaS side of the house. And then the infrastructure-as-a-service side of the house, like, default to, you know, just no public shares, networks, buckets. Like, can you just, like, lock everything down more by default, and someone has to explicitly open it up, right? Because in the past it was more explicitly open, or more implicitly open, and you had to explicitly close it down. Centralized access to something like Amazon, right? Like, for us, you have to go through your G Suite account and impersonate a role, and that kind of thing. You have, you know, certain groups and stuff. So no one should be actually logging in directly through AWS. They should be logging in through our IdP and into, you know, their accounts and things like that. Can you automate scans, static or dynamic scans, if you're building software, so that by default at least there's more checking before it ever hits production? And then educate on that shared responsibility model we talked about, where you are still responsible for security.

Okay, I hope you're still with me. It's been about 45 minutes. Let's wrap up here. So it's all about people. I said a whole bunch of stuff. I hope you go back and look at it. I hope you've taken something with you so far. But really what we need is aggression. We need leaders. We need aggression. We can influence the battlefield we play in, right, that we have to monitor. It's all people problems. You've got to go build those relationships with other parts of the business, with the board, you know. All progress is people, all problems are people, at least that's what I like to say. So how can you go get more buy-in from business leaders? Or how can you work more with IT? How can you influence the mindset of your whole company? So really what I'm talking about when I say drive default security is: make it so people have to go out of their way to be insecure. Don't make it where they have to go out of their way to do the right thing. Make it where they have to go out of their way to do the wrong thing, because if they just go forward, they do the right thing. And really what we're talking about here is culture, right? Culture eats strategy for breakfast, famous quote by Drucker. But, you know, it's true. Like, just build an environment where people are excited. We give out, you know, military challenge coins when people report a security or privacy issue. I've seen people give out stormtrooper helmets or gift cards, or, you know, there's all sorts of other things. Create that culture where people are excited to defend the business, right? Because we are on different teams, but we have the same mission. I was fortunate, the guy in the bottom right, James Wetherbee, an astronaut, to be at a couple events where he spoke, and I got to spend time with him, and he talked about how he would go and meet all these people working on the space shuttle and such, and really understand the motivations and stuff, but also make sure they understood that he was a person, that they weren't just building something to a schematic, that they were actually shoving humans into this rocket and sending it into space, and just creating that sort of emotional connection and that communication. So, you know, you might need to do the same thing. Like, hey man, I'm not trying to say no, I just need your help, right? We need to work together. Excuse me.

And then there's lots out there, right? There's a lot of different tools out there. Can you use some of these tools, blend them with maybe the commercial tools you already have, and, you know, build a better environment? And, like, to give you an example, I have credit cards. Why are credit cards on there? I've seen teams buy some cheap prepaid credit cards and just sprinkle the credit card numbers throughout their environment in little text files, and if there's ever a charge on it, boom, someone is doing something wrong. And it probably cost them a thousand dollars total to buy, like, ten $100 cards. So, like, can you think about these interesting things of how would I detect, how would I, you know, again, slow attackers down, speed defenders up, drive default security? And you're probably sick of seeing slides like this. Maybe you're sick of giving a slide like this, because often we say the attacker only has to be successful once, but you're like a soccer goalie who has to stop 100% of the, you know, penalty kicks or whatever. But I guess a lot of what we're saying too is, once they land, the minute they land in your environment, it flips. They should have to be a hundred percent perfect. Now, I know that's a little bit of a dream, but how close to that can you get? Like, as soon as their behavior looks a little bit suspicious, or they hit the wrong box or whatever, they're caught.

So remember: slow attackers down, speed defenders, or yourselves, up, and then how can you drive default security through your environment, right? Discourage bad behavior, enable good decisions. So think about that. I hope this helps. And the final slide, and then I'll take questions, is my book recommendations. I have tons. Happy to recommend all sorts of books; tell me the topic, I'll probably have a book, because, again, huge book nerd. But Essentialism: how do you focus on the vital few versus the trivial many? Extreme Ownership is basically, like, we can always do more ourselves, so have those retrospectives, but, like, how could you have better communicated or prepped or whatever? And then Team of Teams. You know, we're always working in environments where there's teams of teams, and McChrystal talks about fighting al-Qaeda in Iraq as the commander of Joint Special Operations Command. So you had these amazing special forces actually losing to al-Qaeda in Iraq until they made some changes, and a lot of it just dealt with information flow, horizontal information flow, getting people the information much more quickly, less bureaucratic, that kind of thing. But all phenomenal reads, and I highly recommend them.

So with that, I will stop and take questions. But I thank you so much for listening to me, and I hope we can connect after this through email or a Zoom call or on LinkedIn or something like that. So thank you very much.