
We are ready for our next speaker. Please allow me to introduce you to Mary Galloway, the CEO of the Women's Society of Cyberjutsu. That's going to be good. Mary is the CEO and a founding board member of the Women's Society of Cyberjutsu (WSC), one of the fastest growing 501(c)(3) non-profit cyber security communities dedicated to bringing more women and girls to cyber. WSC provides its members with the resources and support required to enter and advance as cyber security professionals. Mary began her cyber career with Accenture, where she excelled as a network engineer. Mary is also the inaugural ISC2 Diversity Award winner for 2019. With over 12 years of information technology, 10 of which are in cyber security, her expertise spans network design and security architecture, risk assessments, vulnerability management, incident response and policy development across governmental and commercial industries. So please welcome Mary Galloway with the locknote. [Applause]

All right, can you guys hear me? Yeah, I can hear myself. So I know it's the end of the day, it's on a Friday and we're all exhausted and tired, so I'm going to try to get through this quickly so that we can all go and enjoy ourselves after this event. So if you had fun today, please clap your hands. Yes, there we go, good, good, good. And I also have a book to give away that Miss Corollado Carlota was an author in, plus a number of other Cyberjutsu members were authors in, so stick around, you might be able to win this. If you decide to fall asleep, please don't snore, because I will call you out. We don't like snoring in here.

So today I'm going to talk about automating the BS, the boring stuff, the [ __ ], whatever you want to call it, and what you need to know about doing that. So this is kind of what we're going to go through: who am I (she kind of already told you who I am, but I'll tell you a little bit more), we'll talk about the difference between orchestration and automation, sort of a history of it, some stats and myths, because a lot of folks don't understand automation and the importance of it, and then we'll talk about how to get started, so basically on Monday when you go back to work you can start thinking about some of these things and start looking at how you can automate in your organization.

So that's me: 12 years, cyber ninja. If you're on LinkedIn, find me, it's open, it's free, my tagline has "cyber ninja" in it. I'm the founder, one of the founders, and the CEO of Cyberjutsu. Like she said, we help train women and girls to get into this space. Marcelle Lee, if you took her workshop yesterday, she's one of our board members. Carlota is also a member, and hopefully all of you will become members of the organization at some point. I also work for a major cyber security vendor in this space doing automation and helping customers understand where we can implement automation in their organization, and basically doing the technical side of things. I won't say who, but if you want to know I can tell you later. I'm also a professor, a board member and a volunteer on everything. So in my role as CEO I am a volunteer, I don't get paid to do that, but I like to help people and give back. And then I'm a winemaker in Las Vegas, so if you're ever in Las Vegas and want to learn how to make wine, let me know, I'll take you to Grape Expectations, where we make our wine every year. A Lego builder: so here on this photo, that is the front half of the Titanic Lego set that I'm working on right now. It's about 9,000 pieces, and that's important because as security professionals we like to solve challenges and solve problems, and I like to build Lego stuff. If you're familiar with Star Wars, I also have the Millennium Falcon built at the house; that took about a week to do. This took about six hours to do; there's three parts, so there's two more parts for that. And I'm a crafter, so yarn craft, needlework, all that kind of stuff, kind of the boring things.

So, automation versus orchestration. Do you guys all know what automation and orchestration mean? And if you don't, let me know. So, thank you. Automation is basically taking tasks and removing the human from doing that work. So think about phishing emails: we get phishing emails all day every day, and it takes analysts sometimes four days to analyze, pull out indicators, start to pull some of that information to see what's really going on, and then we have to go and figure out, was anybody else affected by this particular phishing email? That takes a lot of time. Automation helps you reduce that amount of time so that you can have your analysts doing other stuff. It improves reliability and efficiency, because we all know, as humans, as we're doing these repetitive tasks all the time, we might forget something, we might miss something, we'll make errors, and so things can happen, right? Automation also reduces the repetitive tasks. Orchestration, on the other hand, is taking those automated tasks that you've done and starting to put the pieces together to build this big picture, basically an orchestra. So each instrument inside of an orchestra is a task, but when it comes together you have this huge big picture; it makes sense, it does things. It optimizes your workflows that you currently have, if you have them in place. If you don't have workflows in place, I suggest you put them in place. And it also improves scalability, so if you want to grow your organization,
if you want to grow your revenue, implementing automation and orchestration can help you do that.

So a little bit of history. That first orange bubble, automation: we start to see that with the Mayans and the Greeks with aqueducts bringing water from the oceans into their cities so that they can live their lives and do their stuff, right? We start to move into the Industrial Revolution with steam engines, and that helps to move cranes and trains and things across the countries, and across the United States, and even here, okay? Then in the 1900s, 1946 to be exact, you start to hear automation in the automobile industry. So with Ford, if you guys are familiar with Ford, they started to build out assembly lines to help make cars faster, get them out into the environment faster. There's still some human interaction, because you want to make sure you're checking what's going on, but now we have these robots that are doing work 24x7x365. That next bubble here at the bottom, that's where computers and stuff come in, so you start to see microprocessors coming in, the advancement of personal computers, and we're starting to get more into the handheld stuff when it comes to automation. Finally, where we're at now, as they call it the Fourth Industrial Revolution, this is where AI and machine learning come into play. So if you have, you know, Nests in your house and you have like Vivint and Google Voice and those different types of tools that help you with home automation, that's where we're at right now, and that's kind of the future of where we're going, where machine learning is learning about what's happening in your environment and helping you make decisions on what you should and shouldn't do when it comes to triaging alerts and making decisions to help keep your organization protected.

Interesting stats. So y'all don't have to read all of this, but one of the things: who has incident response in-house, and like incident response teams? Three people, four, four. So everybody else has no incident response teams in their organization? Oh, you guys are already underwater. So if you've heard anybody talk about incident response today, you need to call them and get them in your environment ASAP. Which is weird, because 90% of organizations that were surveyed by Palo Alto, Forbes and WorkMarket say that they have incident response in-house, but most people don't. So if something happens, you don't have a team to help you identify the root cause, to help you figure out, okay, what systems were affected, who was affected, how did they get in? That's a problem, okay? So one in six organizations with ten thousand plus employees have one to three IR team members. So the folks that have an IR team, how many people are on your team? I think you've raised your hand; how many people on your team? Okay. What about you? What about you? So there you go, that's the person that has one to three. If something happens, what do you do? If you have an incident every single day, what are you supposed to do? So this is how automation can help identify those issues and fix those and resolve those issues.

Who does threat intel management, or who does threat management? Anybody? Does your organization have a threat management platform or program? Nothing? Okay, one person. [Laughter] So if you're trying to do threat management and threat intel, you're doing it manually, which means you're looking through logs, you're looking through alerts, trying to find the bad stuff. With automation that can help you: you can implement machine learning and AI to kind of look for that stuff for you, and then you as the human can look at the results later. The other big thing that I think is really important here is that 74% of incidents that analysts are triaging a day are going to be phishing. Like I said, we get phishing stuff; I think I just looked at one this morning and I was just like, really, this is not even a good phishing email. We see that all the time. The next is malware with 56%, and then endpoint, so your phones, your computers, your end user devices; alerts on those are always happening, especially if you don't have tools in place, processes in place, to keep your employees from doing stuff they shouldn't be doing. They shouldn't be on Twitter at work, but you know they probably are, who knows. So this is really important, because with automation you're able to reduce the number of alerts that your analysts are triaging, and you're able to free up some time for them to do other, more complex things like the threat intel and the threat hunting and managing that part of the system. And I thought this was really cool: that companies with heavy automation are six times more likely to have an increase in revenue, right? 15 percent increase, actually, because they're automating those things that are super boring, that are super redundant, that are super repetitive, and they're able to have their analysts do other stuff. So if you don't have automation, if you don't have threat intel, if you don't have threat management, looking at automation is probably really going to be important for you, and it doesn't matter what size your organization is. It can be small, it can be large, it can be medium sized, it doesn't matter.

So let's talk about myths. So I want you guys to participate. What have you heard about automation, besides reading what's on the screen? Doesn't matter, just shout it out, and if you shout it out you might be entered to win this book. Anybody? Okay, okay. Any other? That's a good one. Any other stuff that you've heard that you think? Okay, okay, good. So those are all really good things to think about. Yes, it can be expensive, right, but it's only at the very beginning if you're putting in tools. But over time your company could save four million dollars with automation, depending on the size of your organization, because you're automating those redundant tasks that your analysts are doing daily, and once you start to automate those things it takes them into somewhere else, and your systems are able to find things that you probably wouldn't have found as the human, as the person looking for this stuff. Most folks think that once you implement some kind of SOAR automation platform you just set it and forget it. That's not the case; you can't do that. You have to actively be in there tuning and making sure things are going right, continuously monitoring it to make sure that it's pulling the information that it's supposed to. A lot of folks think that jobs are at risk. Not really, right? Your focus just changes. You're no longer doing those mundane, routine tasks that are super boring, causing turnover, right? You're letting your analysts be analysts and actually analyze the data that's coming in. Automation solves all your problems: definitely not true. So there's a lot of stuff that automation won't solve. Exactly. [Laughter] It can solve a lot of your problems, but it's not going to solve all of them. You're still going to need some human interactions when you're dealing with automation and thinking about how to best fit this into your organization. I've had customers at the company that I work for, they're like, oh, it's difficult to put this into our environment because we've got all these different separate locations and network segmentation. And it's like, well, actually, automation might actually help you, because now you're able to communicate with all of those different areas in your organization and see what's going on and put remediations in place to protect those spaces. And typically complex infrastructure is like the ICS, or the industrial control systems, that are super legacy, super old, and like, oh, we can't. But you have to change your expectations and change what you're looking for in there and figure out how can we put this into our environment and pull some value out of it. Too expensive: I mentioned this already, but yes, tools are expensive, but a lot of you probably already have tools in-house that you can start automation with, right? We'll talk about that a little bit at the very end. In the beginning it's expensive, but at the end of the day it saves you a lot of money. And then it causes friction. So if you have to communicate with the network department or with another business unit, you know, there's always that friction, because nobody likes security, nobody wants to have automation, nobody wants to lose control of their domain or what they're doing. And I think that automation actually promotes collaboration, because now you have to talk to these other units to figure out, okay, what processes are you doing, how can you interact with us, how can we work together to make this better and make our organization secure.

So a quick example. And Carlota posted, she has an ROI calculator that you guys can use; Palo also has a calculator you can use as well. But this is an example of a made-up organization, it's not a real organization, but typically you'll have incidents, you'll have about 16 incidents a year, or a month, and the response time per incident is about 415 minutes, or six to seven hours of response time, right? So if you have 16 of those every single month, you're spending forty-eight hundred dollars, give or take, depending on how much it costs for your analysts. That can be reduced with automation. This average salary is just a bunch of numbers from like Indeed and different job sites to say what the average salary is for an analyst doing this type of work, and that's the cost per incident based on how long it takes them to do it. So if you start to look at automation, you're able to start saving on average 110 hours per month per incident per analyst, okay? Over time, over the cost of a year, or the course of a year, you're almost at sixty thousand dollars. So if your analysts make more than 43 dollars and you start to add in automation to give them time to do what they need to do, you're saving way more than fifty-eight thousand dollars, and in some places that's somebody's salary. Now you're able to use that money to help with training your employees, with getting them to conferences like BSides, to helping them do other things inside of your organization. So that's really important. This number will change for managers, for leadership, for other folks in your organization, but the fact that you can save almost 60 grand with automation is super important.

So how do we get started? I always like to do the who, what, where, when, why and how. So I don't know if you guys are familiar with Nickelodeon, but there used to be a show called the Five, I think it was like the Five W's or something; it was like a news show for kids, and they went through all of these different pieces of each topic they were talking about. So when I think of automation, when I talk to my customers, I want them to go through this process.

So step one, or step zero: is it time to automate? So how do you know when it's time to automate? Recent breach: so if you've been breached recently, it's probably time you start some sort of automation, whether that's automated threat hunting, whether that's automated triaging of alerts, whether that's automating pushing indicators to firewalls or other tools in your environment. Your SOC response times are slipping: if you're managing your SOC response times, if you're looking at that, if you're tracking that, and you notice that, you know, yesterday it took an analyst four days to complete a task and now it's taking them six days, it might be time to look at automating some of that stuff. Threats are missed: this is a big one. I don't know if you've ever looked at traffic on endpoints in an environment, but a lot of the stuff that's really important gets missed because it's informational or low severity. We tend to focus on the high severity and the critical things, but there's a lot of information in those low incidents. And I have this Target breach on here because Target was breached a few years ago, and the incident was right in their face, it was right in the traffic, but they weren't seeing it because they weren't looking for it; they were looking at the high stuff. With automation, automation can help you see those things. False positive overload: if you're getting a million alerts a day, you don't know what's a false positive, what's a real positive, okay? And so with adding automation in, you can figure those things out quickly and start to filter that stuff out before you even have to worry about looking at it. And if your SOC has no organization, it might be time to look at automation. I also added the Sands logo on here because I used to work for this casino, and they had gotten breached in 2014 through their industrial control systems from their Pennsylvania location that they just sold. They managed to get through their Pennsylvania location to the location in Vegas and bring the systems down and cause the casino to lose millions of dollars every single day until they could get it back up. Automation probably could have helped identify that issue happening, and they could have helped stop it.

So step one: who. Who should be involved in this? Definitely your analyst. I've seen too many organizations that have left the analyst out, left the engineer out, and these are the folks that do the work on the ground. They need to be involved in this conversation, because they're the ones that are doing this, they're the ones that know what needs to happen and what's going on. Your program manager: that's the person that's going to oversee this program, because at first it's going to be a program, a project, but then eventually it's going to move into just a regular part of your security operations. Your executive sponsor: the executive sponsor is going to be the person that's going to go to bat for you. They're going to be that influencer, they're going to be the vision, the voice of reason, to help you get this project over the finish line. And then business unit leaders: so when we think of automation, a lot of folks think of it as simply a security tool, but you can use automation in every part of your organization. I like when customers use it for onboarding and off-boarding employees, right? There's a lot of different things that have to happen when you onboard somebody, so let's automate that process. We get them an email address, then we start to provision them in all the tools that they need, we don't have to worry about anything. It also helps when you're off-boarding them, because now you know where they're supposed to be, where they were, and you can take all of their accesses away from them, and you can do that automatically without having to interact with it as a human.

Step two, the what. So what needs, what can be automated? If you have run books or playbooks already built out, or workflows already built out, you can start to look at, okay, maybe we can automate this, maybe this task is a little bit simpler and we can start to figure out what that looks like. Again, look outside of security for use cases: onboarding and off-boarding of employees, you know, there's a bunch of different things that you can do with that particular thing. What are your critical assets? Do you know what those are, and do we need to be aware of that, and what do we need to protect in that space? So some questions to consider. What processes do you currently have? If you have a process for phishing, if you have a process for malware analysis, let's look at that and see, are those things time sucks, do they take a lot of time for our people to do? What can we do quickly? So this is the other part of it, where folks want to automate some hard stuff very quickly, and it's like, yeah, you're not going to get an ROI from that because you're not going to do it successfully. So let's look at the stuff that we can do easily. A lot of the automation tools that are out there will have built-in playbooks for phishing, for malware analysis, for incident response in general, and you can start to look at that as an option for what to do first. Again, which processes are taking up a lot of time? This is where the analyst comes in and can tell you, well, this process over here is taking more time than this process over here, so let's start to look at this over here and automate it. And then, are you bound by any regulatory requirements? So if you're in the States, we have HIPAA for medical, we've got PCI DSS for the credit cards. Do those things govern what it is we're trying to do, and do we need to put some automation in place to meet those requirements?

The next is where. So where does your stuff lie? Where is your data, where's your applications, where are your tools, where are your people? Are they remote, are they on site? Do you have identified who the important players are, what the crown jewels are? This is really important when it comes to orchestration, because you can automate a bunch of stuff, but now if I pull out indicators from a phishing email, I want to send that to my EDL and put it in a firewall so we can start blocking it. I want to go and search my entire environment and see if anybody else has interacted with that particular indicator of compromise. I want to go and destroy those emails in those inboxes. That's where the orchestration comes from, and understanding where your stuff lies, where your data is lying, helps you build that program. So some of the tools that are recommended here: network diagrams. If you don't have them, get them; very important. It doesn't matter if it's in the cloud or if it's on-prem, you need to have it. Asset inventories: do you have an asset inventory system? If you don't, you need to get one. If you have other asset tools, look at that data in there. And then brain power: some of these organizations, people have been there for years and years and years, they have a lot of knowledge in their head. Pull that information out of them, document it, get it on paper, and that'll start to help you figure out, okay, where do we need to put these tools to do what we need to do.

When: when do we manually do stuff and when do we automate stuff? So yes, we can fully automate processes, but sometimes, you know, when you have an indicator that you want to push through a firewall and block, you may not actually want to block it right away. You may want somebody to come and look at it and make sure it should be blocked, and then do that blocking manually. So identifying where that process takes place is really important. And then how often should these processes run? With a lot of tools you can start to fetch indicators and you can fetch alerts regularly, you know, every hour, every day, every month. What does that look like for you, and what do you guys need? How often are you interacting with those systems that have the alerts, and what does that look like for you? And then what's your budget, right? If you're an analyst, you may not know what the budget is, but that's fine; talk to your management team and say, hey, what's our budget for putting something like this in, and when can we start to do this process?

And then the why. So check step zero. So remember, there's those things that said there was a breach, there was something else that happened; that's the first part of it. But then why are you wanting to automate processes in your organization? Have you been mandated to do it? Does your boss want to move into the future because he knows that, you know, we're going to get hit with all of these different alerts and all these different attacks coming in the future? Do the benefits outweigh the cost? In most cases they do, depending on how you go about starting the automation process. What's the ROI? Your management team can help you figure that out, and that's a part of that why. And what's the end goal? Do you want to be able to give your analysts more abilities and more time to learn and to dig into some of those threat intel types of things, or not? And then maybe your overall security plan is important; you know what that is. Okay, cool, automation helps us get to what our end goal is for our security organization.

Step six: start small. This is the how. So how do you do this? Start small. Most customers that I've seen, they want to start with the most complex thing in their environment and then get frustrated when four months later they have not automated anything; they see no return on value. So start small. Start with things like phishing, like threats, what is it, threat intel management: bringing indicators in and doing attribution on them and pulling that information into your environment. Build a plan. You've got to have a plan to do this kind of thing. What does this look like, what do the timelines look like, are we going to bring in other tools that may be useful for us to be successful? If you don't know what assets you have, identify them, and assets are people, processes and technology, because they're all important when it comes to developing automation and doing automation. If you don't have run books or playbooks or workflows built, you need to get them done now. So if you're an analyst or an engineer doing stuff, write it down. I can't tell you how valuable that part is. When a customer comes to me and says, hey, we have all of these run books already, it's like, cool, this is going to be easy, because you already have the process ready. And then you have to monitor it. You know, like I said, you can't set it and forget it; you have to monitor what's going on, because sometimes things will change, sometimes your requirements will change, sometimes what you're looking for will change, so you have to continually monitor what it is that you're trying to do. And then have fun. Nothing in security is really, I mean, it's fun, but it's not fun when you're getting started, but you have to have fun with it, right? Because at the end of the day, what you're going to do is save your company money, give your analysts back time to do other fun stuff and more complex stuff, and you're going to be happier in the long run as well.

So this is just a quick, like, if you're thinking about automation and where to start: if you already have some of these tools in your environment, you don't have to necessarily buy a platform. You can use PowerShell if you have people that can program and that like to program, you can use your firewall data and start to analyze that information, you can use all of your tools that you currently have. But I highly recommend looking at platforms that help you figure out how to do this automation and kind of build that machine learning in to learn what's going on as you continue to get those emails and those alerts into your environment. That's one of the cool things too about automation, is that as we move through the future, we see things with AI and machine learning, and it's learning what's bad, what's good in your environment based on what's coming in. That's my last one. That was quick. Any questions? I have a heckler. Moving. Yeah, any questions? Yes.
Let's let Carlota take that one, because I work with major, big companies; I don't know for small companies. Okay, that's fun.

Small companies: you're going to look more at what you've got in-house, right? You're looking at your email productivity suite, you're automating what you can on the email side, you're looking at scheduling more than anything, right? You're not getting a lot of automation, you're getting a lot of reminders. So if you're using Jira or something, you can kick off a lot of things through that. There are things like BetterCloud, AllCloud, that will push tasks between different cloud services. So if you're not invested heavily in on-premise stuff, AllCloud, BetterCloud, those can have some very affordable options, especially for automating HR tasks: onboarding, off-boarding, turning off access to different services. I really recommend looking at those sorts of things. I think it's really going to depend on what's important to your business, where you feel like... I feel like for a small business, automating asset capture, both on your laptops (you can do that through an MDM, for example) but also automating digital assets if you're in GCP or AWS. A lot of my clients are just figuring out, just running, turning on some of those native AWS tools that will give you an idea of what's in there for assets, asset inventory. That becomes really... you're really focused on how can I improve basic hygiene, right? That's been my experience at least.

Good question. Any other questions? So on Monday you all should be able to go to work and talk to your bosses about, hey, how do we start looking at automation, and what do we need to do to make this happen? And then you call me or Carlota and say, okay, we're ready to start. [Laughter] Any other questions? Yes.

While they're thinking about automation, or after they have automated what they want to automate? It depends on where they're at in the process. Obviously you want to start with automation first, sort of to figure out what those processes look like, what can we start to do. We'll have a lot of customers that will start to... they'll do some parts of the automation piece of it, but they won't necessarily go towards blocking things just yet, only because they want to make sure that nothing is broken when they do that. So you can definitely start to think about it, but that's where that network segmentation comes into play, and like understanding where your assets lie and how we can interact with those from the platform. Let's start with the individual tasks first, get the ROI on it, and then start to do the other pieces of it. I think he has a question right here in the front. No? Okay. Any other questions? [Laughter] Well, if you need a consultant, let me know. Are you here locally? I'll come back. [Laughter] And you guys can ask any question about anything, to be honest, if you have anything. Okay, cool. Do we have any students in the audience? Okay. What about first time security conference goers? Okay, one, two, three. Okay, shoot. All right, did you bring more? Okay. Right, your name? Okay, that works. Last question: what's the answer to the world? Oh geez, you guys know stuff. Okay, so this book, Reinventing Cybersecurity: Carlota was a contributing author in here, like she mentioned. It's a really good book; I wrote a quote in it as well. They also will be at CyberjutsuCon in June in the Maryland/DC area doing a book signing, so if you're in that area at that time, come hang out with us. It's actually really good, like one of the better cyber security books that I've read. So who do you want to give it to? The lady in the white with the mask on. Oh, happy birthday! [Applause] So, lady in the white, you get an autographed copy of Reinventing Cybersecurity. So here you go. If you guys have any... yes. Crap, I don't think she has any more books. We've got some whiskey for you. She's going to sign it for you right over there. Again, if you have any... I know this was quick and fast, but if you have any questions, by all means feel free to ask.

I'm not trying to sell you anything, for one; this is not my region, my region is in the Pacific Northwest of the United States, but I can definitely talk to you guys about different tools and things that you can utilize to help with, you know, threat hunting, automation, all that stuff. And that's it. [Applause]
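As an added example, not code from the talk or from any vendor's platform, the following Python sketch walks through the phishing orchestration Mary describes in the "where" and "when" steps: pull indicators out of a reported email, search proxy logs for anyone else who reached them, list the inboxes that still hold the message, and hold the EDL/firewall block behind an analyst's approval rather than blocking straight away. The email, the proxy log lines, the mailbox index and every hostname are constructed for the example and use reserved .example domains.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# --- Constructed sample data (not real messages, logs or hosts) ---------------
SAMPLE_EMAIL = """\
From: payroll@invoice-update.example
To: alice@corp.example
Subject: Updated payroll portal
Content-Type: text/plain

Please sign in at http://login.invoice-update.example/portal to confirm.
Backup copy: https://cdn.docs-share.example/file.pdf
"""

# Constructed proxy log lines: timestamp user dest_host url action
SAMPLE_PROXY_LOGS = [
    "2024-05-03T09:12:01 bob login.invoice-update.example http://login.invoice-update.example/portal ALLOWED",
    "2024-05-03T09:14:37 carol cdn.docs-share.example https://cdn.docs-share.example/file.pdf BLOCKED",
    "2024-05-03T09:15:02 dave intranet.corp.example https://intranet.corp.example/ ALLOWED",
]

# Constructed mailbox index: mailbox -> list of (sender, subject) it currently holds
SAMPLE_MAILBOXES = {
    "alice@corp.example": [("payroll@invoice-update.example", "Updated payroll portal")],
    "bob@corp.example": [("payroll@invoice-update.example", "Updated payroll portal"),
                         ("hr@corp.example", "Benefits reminder")],
    "dave@corp.example": [("hr@corp.example", "Benefits reminder")],
}

URL_RE = re.compile(r'https?://[^\s<>"]+')


def extract_indicators(raw_email):
    """Step 1: pull URLs, their hosts and the sender domain out of a reported email."""
    msg = message_from_string(raw_email)
    urls = sorted(set(URL_RE.findall(msg.get_payload())))
    hosts = sorted({urlparse(u).hostname for u in urls})
    sender_domain = msg["From"].rsplit("@", 1)[-1].strip()
    return {"urls": urls, "hosts": hosts, "sender_domain": sender_domain}


def find_contacts(proxy_logs, hosts):
    """Step 2: search proxy logs for anyone else who reached an indicator host."""
    contacts = []
    for line in proxy_logs:
        _ts, user, host, _url, action = line.split()
        if host in hosts:
            contacts.append((user, host, action))
    return contacts


def mailboxes_to_purge(mailbox_index, sender_domain):
    """Step 3: list inboxes still holding mail from the phishing sender's domain."""
    return sorted(
        box for box, items in mailbox_index.items()
        if any(sender.rsplit("@", 1)[-1] == sender_domain for sender, _subj in items)
    )


class BlockQueue:
    """Proposed EDL/firewall entries held until an analyst approves them (the manual gate)."""

    def __init__(self):
        self.pending = {}   # host -> reason it was proposed
        self.edl = []       # approved hosts, in approval order
        self.audit = []     # (host, decision, analyst) for later review

    def propose(self, host, reason):
        self.pending.setdefault(host, reason)

    def approve(self, host, analyst):
        if host not in self.pending:
            return False
        del self.pending[host]
        self.edl.append(host)
        self.audit.append((host, "approved", analyst))
        return True

    def reject(self, host, analyst):
        if host not in self.pending:
            return False
        del self.pending[host]
        self.audit.append((host, "rejected", analyst))
        return True


def run_playbook(raw_email, proxy_logs, mailbox_index):
    """Run the automated steps and hand the analyst everything needed to decide on blocking."""
    ind = extract_indicators(raw_email)
    queue = BlockQueue()
    for host in ind["hosts"]:
        queue.propose(host, "host from URL in reported phishing email")
    contacts = find_contacts(proxy_logs, ind["hosts"])
    return {
        "indicators": ind,
        "queue": queue,
        "contacts": contacts,
        "exposed_users": sorted({u for u, _h, a in contacts if a == "ALLOWED"}),
        "purge": mailboxes_to_purge(mailbox_index, ind["sender_domain"]),
    }


if __name__ == "__main__":
    result = run_playbook(SAMPLE_EMAIL, SAMPLE_PROXY_LOGS, SAMPLE_MAILBOXES)
    print("indicators:", result["indicators"])
    print("awaiting approval:", sorted(result["queue"].pending))
    print("users who reached an indicator:", result["exposed_users"])
    print("mailboxes to purge:", result["purge"])
    result["queue"].approve("login.invoice-update.example", "analyst-1")
    print("EDL now:", result["queue"].edl)
```

The split between `run_playbook` and `BlockQueue.approve` is the point of the example: everything up to the proposed block list runs unattended, while the firewall change waits for a named analyst, which is what the talk recommends before trusting a new automation to block on its own. The `audit` list keeps the who-decided-what record that a SOC needs when tuning the playbook later.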