
I've got a loud voice, so real quick, just a couple of notes. If you are planning on playing the Neon Temple CTF today, after the keynotes meet in the room. There are going to be some instructions for some of the challenges that are a little bit unique, so if you want the full details and to know how to play those challenges, meet us in the room after the keynotes and John here will do a rundown of what you need to know. Sound good? Got it. Okay, sweet.

Good morning, everybody. Will Santiago here, speaker liaison, going to be introducing some fantastic speakers. Super excited to get into it with our first keynote speaker, Bryson. Before I do that, I am going to play some hype music really fast and we're going to get squared away. Don't tell my attorneys.

All right, so can we get some noise going for Bryson? I'm going to introduce him really quick. Bryson is the founder of SCYTHE, a startup building a next-generation threat emulation platform, and GRIMM, a cybersecurity consultancy, and actually I've got a secret: Grimm might be a name that Bryson might go by. He's co-founder of ICS Village, a nonprofit advancing awareness of industrial control system security. He's a senior fellow at the National Security Institute, adjunct senior technical adviser for the Institute for Security and Technology, and an advisor to the Army Cyber Institute. As a US Army officer he served as a battle captain and brigade engineer in support of Operation Iraqi Freedom before leaving the Army as a captain. He was recognized as one of the top 50 in cyber by Business Insider, a Security Executive of the Year finalist by SC Media, and a Tech Titan in Washington, DC. With that being said, Bryson, we'd love to welcome you on stage.

Is this off? Yeah, we go. No, this is not off. Right, it's a hacker conference; if we didn't have technical difficulties we're not doing our job. Good morning, BSides Tampa. From this side we need some work, okay, so this is take two. So for those of you who have seen me speak before, you know that there's kind of two ways this goes, right: you work with me, or I make you work with me. And you're thinking that's nonsense because he's up on that stage. I'll come down; you're not safe. So good morning, BSides Tampa. I really like dad jokes, and you might have noticed the previous dad jokes left you feeling a little flat. Part of that is because it's the same thing as what the triangle said to the circle: it was pointless. But that's not my favorite dad joke. Kayen, would you like to know what my favorite dad joke is? No? You're getting it anyway. You didn't follow the instructions at the beginning; I told you just press that, right, hold it. Let this be a lesson, Kayen. Oh, I already got one: what is a pirate's favorite letter? I, I, I. Okay, I haven't heard that one before. That's not bad, that's not bad. Coach, since you have to talk: what is a pirate's favorite letter? I know my favorite letter is Bryson, but a pirate's favorite letter is R. Nay, it is the C they love.

All right, one last joke before we do get this going, or lesson of wisdom. So you know my bit, right? I do the unicorn, and we're going to be doing "from me to we." We have an aphorism in the US Army that says no plan survives first contact, and the first is that, well, this is kind of warm, so I brought a summer unicorn. I promise there's content somewhere at some point. Let's go. So they already did my introduction, but if you were wondering about why the unicorns with the beard: during COVID I did not cut my hair or cut my beard. If there was an Olympic sport in the world for growing hair, I'd be like gold or silver. That's me, that's Cyber Gandalf, that's actually me, that's my actual hair.

Okay, so From Me to We: The Way of the Unicorn. This is going to be something to speak to all of you, because we are in this together. First point: we're going to go through some rules of the road. You don't have to be this tall to get on the ride. Who's a student? Theoretically; I'm assuming you might change your mind after this keynote, which might also be the closing keynote, apparently. You want to work in cybersecurity? Yes? Yeah. And it feels daunting, doesn't it? Like, who's going to hire me, who's going to let me get that chance? So the first part about this is you're already doing the right thing by showing up here today, so give yourself a round of applause for that. Your task for today is to learn. Learning is playing the CTF even though you don't know what that is and are scared of it. It is meeting somebody. It is asking for help. These Neon Temple clowns right here, seriously, they will help you. USF has its own cybersecurity group as well. Get involved, learn.

There's two aspects to this. There's the technical competency, which is where we all start: how do I become the best individual contributor that I can be, also known as how can I be the smartest person in the room. We're going to talk about where that will get you in trouble, but for now that's your goal. But here's the thing: it's not just the technical that makes it work. I mean, I haven't been replaced by artificial intelligence yet. Keynotes are still human, BSides are still put on by people, hiring managers are the ones that hire you. And yeah, is monster.com still a thing? Yes? Okay. They're not a sponsor, right? That would be really awkward. You can do the cold resume, or you can do the "oh yeah, that's Jill, that's John, that's Jose, I know them." Once you're in, you're going to be spending a number of years becoming, like I said, the smartest person in the room, AKA an engineer, because we are the smartest people everywhere, are we not? And then we fork it at some point, because there is a limitation to being an individual contributor. It's teamwork: not how fast you can pull the ore, not being the fastest unicorn in the herd, but being able to pull together as a team. And that first opportunity is going to be to be a team leader: how can I make this team more than the sum of its parts? And that's where the fork is going to happen: do I continue down being more of a team leader on the technical side, or do I cross over to the dark side, management?

Now here, who's a hiring manager? Okay, keep your hands up. Students just got laser-pointed. This is my appeal to the hiring manager. You've all seen the statistics: we need like three kajillion people in cybersecurity. I don't know whether that's true or not, but I do know that this is one of the fastest-growing fields in the entire world, and we need more people, period. The problem that you feel is we don't seem to need as many of the beginners. That onus is on the hiring manager. When we hire folks, we need to hire them with the scaffolding already there to support them. So this is where I push this to the hiring managers: your part of the Unicorn Way is saying, I recognize I'm going to hire somebody that doesn't have the cert, doesn't have the education on the box. Basically, don't let Human Resources lead you around by the neck. Take control and say I'm going to hire this person because I believe in them, I see that they can do it, and I'm going to invest the three, the six months, the 12 months in getting them where we want to get them, to be a part of the team. You saw them raise their hands; they agreed. Do it.

There are two kinds of leadership in the world. This is important to understand, because how often have we gotten frustrated that we don't get the budget, the resources, the attention from the business? All the time, all of the time. Thank you, J. Or I'm practicing my... What two kinds of leadership? I just missed you, man, I got thrown off. Look at you in your eyes again. Sorry, coaches, there was one before you. There are a lot of unicorns on these shorts. So there's two kinds of leadership, right? Just think about in your daily life. You are professionals in this space, and you do not wake up, other than with your job, and think about cybersecurity for your daily life. You're like, how do I get out of bed, am I getting out of bed on time, where's the coffee, where's my... there's all of these other things that occupy it. And that is the challenge for society as a whole. We expect everybody to understand and take this as seriously as we do because we're here and we care. We like the paycheck too, it's pretty good, but we're here because we care about what we're doing. Not everybody necessarily gets that. So my recommendation as you go out into the world is you're going to see two kinds of leaders in these companies: those that care about security, and those that don't. Another way to look at that: security versus compliance.

So compliance is not a nasty word. I was actually going to pivot to help here. Compliance is an existential requirement. We see you, you're beautiful, thank you. Without compliance the business does not exist, not at all. But it's not security. A checkbox is not security. So this is where I was going to pivot to this before you helped me there; I appreciate that, you get a high five too. You notice how I got permission as I went in for the hug, by the way? That's one of those important things, Human Resources. Yeah, there's two things in life that are going to really hurt as you get into the workforce, younger folks: one is HR, the second is what is this compliance thing. Compliance is anything from the regulatory and legal frameworks that govern how your business works to somebody in the business being important enough to say "thou shalt," and it becomes a checkbox. That's not a bad thing. Again, we want to be in compliance with the law, yes. Really wasn't a trick question, or rhetorical-wise. We want to be in compliance because that's what allows us to operate. Just don't conflate it with security, because security is the investment I make after I've done the checklist.

Hey, you always have a vote. Who here is burned out? I would offer our industry has a higher level of burnout than average. Let's kind of peel back some general stereotypes of us. We are curious people. We really like things to be black and white because we're engineers. We don't like long pauses; that's where I mess with the introverts in the room, which most of you are, right? Burnout is your responsibility to start with. You can't help others if you can't help yourself. Going back to the previous rule on there's two kinds of leadership: if you are beating your head against the wall trying to make something happen when leadership isn't giving it, you're going to burn out. Don't. The second part: who works incident response? Your closest and easiest... yeah, we're going to do that physical bit. So what is incident response? I'm not sitting in your lap, don't worry. It's kind of like starting to move it along. I'm like, okay, so incident response: what is the feeling, and I'm probably going to start to feel it as I'm doing it, that you get in your chest and your stomach as the three-day weekend approaches? Little pressure, little pressure. Why? Because there's a lot of off time that something can go wrong. That's one, if you even get the off time. We have this pervading sense of existential dread, the anxiety of "I think we're doing security" until 4:55 p.m. on Friday. Here's the thing: one, you're not alone, you all feel that. Has anybody solved security? Seeking attention only gets you budget; budget gets you security; budget gets you more budget; budget gets you... all right.

Security is not a measurable thing in a finite way. There are different aspects, kind of like that metaphor where we talk about people looking at different parts of the elephant, right? This feels like a tree, this feels like a hose. Nobody has solved security. Nobody. I joke there are no experts, there's just folks who have a lot of experience; they usually have white beards and lots of dark patches and a drinking problem. Don't do that. Nobody has figured this out. So that dread that you have, you're not alone feeling it, and there's not much more that you can do about it. So like anything in life, accept it and just sort of put it to the side. When that three-day weekend happens that you don't get, yeah, that sucks, but there's nothing else you could have done.

Okay, we don't have to be perfect, right? Going into that existential dread: you don't have to get everything right. Has anyone heard that defenders need to always be right, and an attacker only needs to be right once? It's not true. You have more control than you realize. When an attacker gets into your network, and they will if they want it badly enough, what's the largest risk surface area in any organization? People. And how many of those technical solutions written by nerds for nerds solve that one? So you're over here scrambling to try to be perfect when there's just people over here. Expect it. You don't have to be perfect. So when an attacker gets in, they are going to be on your assets. I mean, this isn't James Bond; they're not bringing their own super sophisticated thing to the table. When they talk, they're talking on your wires. Even more limited: they're talking on your wires with the protocols that you use in your environment. What is the most common command and control protocol? HTTPS. Why? You don't stop it; it's probably most of your traffic, and it's encrypted. Did I have to roll my own encryption to do something super fancy? Nope. Thank you for the encryption, and thank you for letting me blend right in. Hackers are lazy. Why do more work than you have to? We'll take what you've already got. So you don't have to be perfect, but start to realize you do have more control than you thought.

Okay, security, as we discussed, is a hard problem. Why would we turn anyone away from it? So the starting point is diversity. I really believe that the more diverse opinion you have looking at a problem, the better that solution is going to be. We need people that think differently and challenge, because groupthink is what's getting us here. There's a talk about that at noon. What's the name of the talk? Thank you, retired Colonel JC Vega. You think I planted these people? I did not, actually; I didn't even recognize them at first until I heard them. So the diversity of bringing those folks around the table is going to be where we push the imagination and make security better. But that's not enough. Inclusion is the key aspect. Bringing different folks around the table doesn't work if they don't feel safe to be able to contribute. If my opinion is constantly pushed down, I'm going to check out; why would I bother? So one, there are a lot of you hiring managers in particular, but every single one of us can be an ally. Allies help create that safe space, right? The Way of the Unicorn is a we, is a herd. We need to feel that all together we are all responsible for every one of us feeling safe and feeling like they can give something back. Management can be there to help set those things, but it is all of us that do that together. And when you see somebody that you know is being marginalized, that is your responsibility too, to help them, to reach out. And let me be honest: being an ally is not always easy. It takes courage to be able to step up on behalf of somebody. It takes courage to reach out to somebody who looks different, who talks differently than you do, and try to understand them so that you can help. And this has nothing to do with politics; this is what's best for us as a community, because we need the help. And special shout-out just because of the timing: yesterday was the Trans Day of Visibility, so we see you and we love you too.

One more click. Most users are not the problem. We have a challenge in this community where we are seen as a culture of no. Yeah, no, but yes, thank you, it's good. We are seen as blockers. We complain: why weren't we brought up to the front, why weren't we included on the front? So the first recommendation I would have here is, if you're in management leadership, look into the idea of security champions. You don't have to do this alone in security. Go and get folks from other villages to be a part of what you are doing, naturally, organically; don't try to force it. Second, if a user clicking on a bad link can bring your company to its knees: one, the user is just using the computer the way it was designed; two, what is your security, actually, then? Most users are not the problem. These people exist, you know them. They don't necessarily need to have all of the privileges. There can be computers that we sort of let sit over here, and they can just literally burn from all the malware that is causing that CPU to overclock. So what, right? Reduce the impact. Again, most users are not the problem.

Okay, who remembers Crown Sterling, or has heard of Crown Sterling? See, I'm trainable, getting better. Oh, you're just like, "yes, I remember it, but don't call on me." Okay. Nice Ferrari shirt, by the way. Thank you. Too bad they suck; they did terrible today. So if I recall, it was Black Hat, and this company came with like an innovative new way of solving security with a bunch of math that didn't actually add up, using very big words like AI and quantum and blah blah blah, if I recall. That's what I remember. That is a very accurate representation, and I think there were sponsors, and actual people went and bought into it until they... well, yeah, we don't need to go down that way, but yes, it was not the best day for the Black Hat conference. So Jake Williams and I got our hands on the original publication. We're going to probably find some museum to put this in; I don't know if the NSA Cryptologic Museum would be interested. So first thing here: they snowballed us with all of these crazy big words. I've been doing this a long time, and I have learned that when I don't understand something, it's usually not me. And this is hard when you're a student, because you're like, oh my gosh, this sounds so sophisticated, and what's really going on? It's their fault, it's not your fault. I mean, it's your fault if you don't ask the question, like, well, what does that five-syllable word mean? But after they come back with a six-syllable word, you know it's their fault. The burden is on us as speakers, instructors, teachers and leaders to make things into plain English. If we can't put it into plain English, we don't deserve it. And again, particularly for the students here who get all the noise: it's not your fault. There are Crown Sterlings throughout industry, so they're really a metaphor, although they did actually exist.

The other thing we get all the time is, sort of from a student perspective, what tools should I learn, and from an enterprise perspective, what tools should I buy. And I get asked this all the time with the consulting work I do: well, Bryson, which of the EDRs should I get, or this or that. So starting with what tool to learn: pick something that matters to you. Click again. Or make one. Build a passion project. Learn to code. I'm not doing the coding thing as gatekeeping, "you must learn to code," but you're going to find yourself with a lot more power over time in your career if you know how to code. Then follows the "what language should I learn to code in?" Whatever you want, just pick something. It's more the idea, the thought, you putting passion into learning something, and eventually maybe you even get to the point where you share it with the community, and now you've got your own talk at BSides, right after the diversity talk with Colonel JC Vega. I hate Cody. There are some of us who... I started in combat arms too, with armor, but then I moved into, you know, being able to breathe without thinking, in the Signal Corps. JC, on the other hand, was aviation. So hey, JC, how can I tell if you're an aviator? Good looking. And they're humble, the most humble.

So talking to the enterprise is about buying. Look, it starts with trust: do I trust this vendor? Because most salespeople are actually not trying to get one over on you. It's not that they don't exist, but your reality is going to be a little bit different than the really slick demo and PowerPoint you got, and the question is, will they be there when I need them, when I need to pick up the phone at 4:55 on Friday? Will they be there? The second, and this goes back to the two kinds of leadership, and again where you can bang your head on the wall: how many of you have had a tool thrown at you, right? Did you even have a say in it? Yep. This is why they advertise in those magazines in the back of first class in airplanes, because your C-suite is going to buy the tool, and now it's your problem. The missing piece here is that second part: after trust, what am I going to invest in to make this tool mine? 75% of tools bought today: a quarter of them are never installed, right; they're there next to the Windows NT discs that are sitting on top of the server room. A quarter of them are installed with default configuration; hackers love that, admin/admin. And then another fourth of them are installed improperly. Maybe 25% of the tools we have in our organization work for us, and that's what you get to deal with. This is part of why the job is so hard, and where we feel led by the tool rather than us getting to invest and drive it to make it ours. That is a commitment that needs to come up front. This is part of where we can get leadership that cares about security to understand: hey, the problem is not solved by going and buying the AI/ML post-quantum exchange silver bullet. There are no silver bullets, right? Security is not solved; it's us investing to make it ours. That's what's going to solve this, that's what's going to give us the confidence, that's going to be where the tools work for us, that's going to be where we're not going to stop the zero-day that got them in, but we're going to reduce that dwell time for being able to detect them, and the ransomware doesn't get further than here.

A lot of folks, so students: who wants to go into offense? Why do you want to go into offense? I'm not going to throw the mic at you; you're a nerd, you're probably like, you know, coordination, and I'm a nerd, so it'd probably go over there anyway. So cool tricks and gaining access, right? The summary is it's cool. Offense is cool, offense is the coolest. I mean, in our space that's a relative thing. I mean, you go to a normal human being and they're just kind of like, okay, I'm going to go to the sportsball game, I love that sportsball, are they going to score a touchdown in the third period? It's cool, we all think it's cool. It has this mystique; there are only a few of us who get to do it, so it's seen as like this elite thing. First, the rules of any organization anywhere on the planet, because it all comes down to money. There's a slight stigma about where the line starts, but the largest budget in any organization is for what the organization's purpose is. If I make cookies, it's for making cookies. Then some percentage of that is for information technology; I cannot scale a modern organization without it. Now we're getting to security, one step over, and another fraction. So we start seeing these fractions. Security is just the basics of can I have security operations; offense is that little niche that comes here. I would assert there are maybe 5,000 organizations in the entire world that actually have offense capabilities. You ever want to know how to take a hacker down to size? Just tell them they're quality assurance. Tell me I'm wrong. We've put the idea of this cool offense as the pinnacle. It's not the pinnacle; it's there to assure everything everybody else is doing. Being a cool hacker is not "have I figured out how to do vulnerability research, have I figured out how to weaponize and exploit, do I know how to get creds," like red team operations. Those are all functions where if I cannot do that to support the business and communicate that, it has no meaning. It's not the pinnacle; it's what's there to assure the business on the confidentiality, integrity and availability (did I get my CPE credits?) of whatever the purpose of that business is.

The fish tank. My Neon Temple folks left. So who knows the story of the fish tank in 2014? You really were in the Navy, come on; the training is slow. They hacked a device that managed the fish tank, and then they used that to get into the casino, to hack the casino. So Sheldon Adelson, who is a billionaire, in 2013 I believe it was, said some things that the Iranians got a little upset about, and the Iranian Guard in 2014 was like, we're going to get him back. Now, as you can imagine, the Sands Hotel and Casino has pretty good security as far as security goes; it's a hard target. Well, that hard target had a multi-million dollar fish tank. It's very nice to look at, and I mean, I don't own any fish tanks, but I'm guessing a multi-million dollar fish tank has very expensive fish that probably cost as much as a Ferrari, and since I'm spending that amount of money on my fish tank and my Ferrari fish, I probably want to make sure that they don't die. So I need to be checking the water in all of its different ways, and while I could probably have, you know, the 18-year-old high school pool manager sitting there with the dipstick doing it non-stop like at your local pool, probably better that I hire some professionals that can remotely monitor this, right? This sounds a lot like what happened in Oldsmar in 2021, huh? Wonder... yeah, we'll get to that. So I'm able to remotely monitor this. Now, do you think the fish people, who I'm guessing are probably like two or three guys, are trained in cybersecurity? Nope. So the Iranians found them, came in through the remote monitoring system into the sensors in the fish tank. Now here's where it goes wrong, because it never occurred to them that perhaps those sensors should not be able to talk to the network. The estimate from this attack was about $40 million in recovery, with three-quarters of their servers and workstations going down, through a fish tank. IoT: IoT is computing, cheap computing, in as many places as we can put it, all interconnected. The S in IoT stands for security.

I bring up this example because I have a number of examples, and I'm sure Bo has a number of examples from his experiences; you're talking later too, right? Right after me. Stay tuned for a better talk. Every environment, besides the "most users" comment, has some equivalent of the fish tank. Going back to why diversity and inclusion are so important: we need that imagination and that courage to be able to call out where we see fish tanks in our environment, because we have them. This is why supply chain risk has become such a big thing in the last few years, right? SolarWinds, Log4j, Kaseya; you all have like a litany of them, right? Or, I mean, anybody who has Microsoft Office or Windows, you pretty much have that too. Why PowerShell is so much fun. You have fish tanks. It's going to take your creativity to understand where they are, and again, that's something we can only do together.

So it can feel like we're in this alone. It's existential again, that we feel at 4:55 on every Friday, or every day we have to go into work, or even when we're just at home and hoping we don't get the phone call. But you're not in this alone; we're in this together. And so, covering managerial, human and technical pieces of what I've learned from my career, I hope that helps you get to the final rule of how to be a we in the Unicorn Way, which is being in this together, because it doesn't matter if you work at a random company: the shadow internet has us all connected together. Your supply chain, which nobody knows how long their supply chain actually is; you know the first vendors that you have worked with, you know the software there, but that's why Log4j, for example, was so confusing. We still to this day do not know everywhere Log4j is in our environments. That's not for lack of trying; it's because that's how hard it is. And so whatever random company you work at, you're a part of this, and we're in this together.

I co-founded a nonprofit with Tom Van Norman called the ICS Village. A number of you have probably seen us at DEF CON; we're also at RSA. We have our own conference May 10th and 11th in McLean, Virginia, called Hack the Capitol. I picked that name six years ago, before January 6th, so please don't bring that up. It is available virtually for free to join. But this is where this comes together, right: critical infrastructure. You are all a part of critical infrastructure. You depend on this city; your office, your house depends on the water and the electricity that allows you to do these things, right? CISA's 16 different sectors of critical infrastructure are what underpin modern life. The second we lose some of them, we go to the Stone Age instantaneously. I mean, how long... just look at your teenagers when you take away a phone from them. You're the same way when we take away electricity and water. This is more than just a city, this is more than just a country; this is us as humanity all together in this basket. So while we wear the flag of the United States proudly, this is a problem that's bigger than us and bigger than the Five Eyes. This is us as humanity all depending on how we can solve some of these things together, because why? We have bad actors that are out there: Russia, Iran, China, North Korea, right? I can tell you the motives of each one of them, right? Russia, prior to Ukraine, was trying to establish relevance on the global stage, and the best way to do that was to be a forcing factor, and they need ransomware to establish hard currency for operations. China: in our lifetime, I believe China is going to overtake us as the key economy in this world. Iran is a regional player and, as we've seen, likes to fight back. And then North Korea: Dear Leader cannot buy Ferraris and expensive whiskey with whatever their currency is, hence all the... in fact, Mandiant, that was what they just came out with, and I've been saying this for years, not that I knew something more than Mandiant, because those guys are brilliant, but that a lot of their actions were generating, again, hard currency, not for as much covert as what we were seeing with the Russians, but again, Dear Leader needs Western goods, and the only way you can do that is with Western currency. But the civilians in those spaces are kept hostage by those systems, and that is where we share our heart and our space with them. So at the end of the day we're all on this blue marble together, and the more ways that we can find to work with this together, from the individual contributor level to the managerial level to industry to communities like this and broader, is my challenge to you, and