
Keynote

BSides Augusta · 2013 · 29:24 · 204 views · Published 2013-09 · Video on YouTube
Speakers
Tags
Category: Technical
Team: Blue
Style: Keynote
About this talk
Video from BSidesAugusta 2013.
Transcript [en]

Good morning, BSides Augusta! [Music] I said, good morning, BSides Augusta!

Awesome. It is so amazing to see you all here. We have been working on BSides Augusta for so many months now; we've been preparing, working hard, and it's so great to have you all here today. Thank you all for coming. I'm Doug Burks. I'm the president of the Greater Augusta ISSA and co-founder of BSides Augusta, so that's me. Who are you guys? How many visitors do we have from out of town? That's a lot of hands, very good. What cities are you from? Columbia. Columbia, I'm here. Columbia, Charleston, Greenville, Atlanta, Williamsburg, Williamsburg, Manassas, nice. What else? Spartanburg, represent, nice. Any other cities? Fort Mill, awesome. Huntsville. Welcome to Augusta.

Very cool. You are our honored guests; we thank you for being here. We'd also like to thank our sponsors. We have some amazing sponsors. First and foremost, Georgia Regents University and the Hull College of Business: they have been an amazing partner of ours. They're providing the seats that you're sitting in right now, the rooms that we're going to be in later today, the tents that we have set up for lunch. They've done so much, so thank you to Georgia Regents University, thank you to the Hull College of Business, thank you to Ms. Joanne Sexton, who's sitting back there (she's a computer science professor here), and thank you to Ms. Crystal Vincent, who works in the Hull College of Business and who has done some amazing work for us as well, so thank you very much for that. Gold sponsors: we have CSR Group, we have the Greater Augusta ISSA, we have SANS, we have EDTS, Mandiant and Core Security, so thank you to our gold sponsors. Silver sponsors: we have Raytheon. Mr. Bob Damon, is he here today? Bob Damon, anybody? Raytheon and Open Security are our silver sponsors.

So, staff. I mentioned before we've been working on BSides. We probably started back in March talking about BSides. Mark Baggett and myself have been talking for years; we've been threatening to do a security conference in Augusta, so about February or March we finally said okay, this is the year we're going to make it happen. So myself, Mark Baggett, Mike McDark, Phil Planavira, Joanne Sexton, Ron Martin and, last but not least, I want to especially recognize Mr. Lawrence Abrams. He's been the driving force behind BSides Augusta. He's been getting stuff done, he's been taking care of business, so thank you. [Applause] I also need to recognize Mr. Jack Blanchard. Jack, are you here? Is Jack down here today? Plumber Jack designed our logo, this thing right here. Mr. Jack Blanchard designed that, so if you know Jack, if you see Jack, give him a high five. We have over 20 volunteers here today. We have the 255 Sierra group from Fort Gordon, we have a bunch of other volunteers, so a round of applause for our volunteers.

Is there anybody else that I need to thank? Mark, am I missing anybody? Lawrence, am I missing anybody? All right, well, thank you to everybody who has made this event a success so far. So now let's talk logistics. We did have to make some schedule changes yesterday. We had two speaker cancellations, so please make sure that you pay attention to the schedule, as it has changed. The printed schedule that you have should be correct, but just be aware that things have changed if you looked at the schedule earlier. We have two tracks today: we have a blue team track and we have a red team track. If you're not familiar with those terms, blue team typically means defense, red team typically means offense. So if you want to see computer security attacks, you want to go see a red team talk; if you want to see how to defend against those attacks, you want to see a blue team talk. Blue team, yeah, that's right. So speaking of that, who are my blue teamers? Make some noise! Yeah, I'm blue team and I'm proud. [Laughter] No booing. Tim, get out of here. So Mark and I... I'm a hardcore blue teamer, Mark Baggett is a hardcore red teamer. We've had this ongoing debate for years, and we have this one relationship where we pick at each other, so I want to continue that today. I want the blue teamers to be picking on the red teamers, I want the red teamers to be picking on the blue team, so Tim, keep that up, that's awesome.

So blue teamers, we've got some awesome blue team talks for you today. I'm very excited for all the blue team talks we have. I want to say this about the blue team: am I the only one who's sick of the blue team being looked down upon? Thank you, yeah. Am I the only one who's sick of losing the battle to the bad guys? Okay, thank you. Today we change all that, okay? We're going to do it better today. We've got some of the world's best blue teamers here today; we're going to teach you how to do it better, okay? Let me hear it for blue team! Yeah, all right. Red team! [Laughter] Notice I didn't boo you, but I didn't stop them from booing you. Red teamers, we've got some of the world's best red teamers here today. I'm very excited about the red team talks. If you want to learn how to break into stuff, red team is the way to go. But let me say this, red teamers: I want you guys to not just be stuck in your red team tunnel vision. I want you to attend some blue team talks, and likewise for the blue teamers, I want you to attend some red team talks. Why? Cross-pollination. Offense informs defense, right? We can only be better defenders if we truly understand offense, and you red teamers, you can do a better job if you understand some of the cutting-edge defense techniques that we're going to show you today. So make sure you get a good mix and match of events that you attend. Now, since we do have two tracks going on at the same time, you can't attend every single talk that we have. We understand that; that's why we're recording them, right? So if you are torn between a red team and a blue team talk, fret no more: you can attend one and watch the other one later. So thank you for recording our talks, thank you to GRU for setting that up, that's awesome.

So we talked about blue team, we talked about red team. If for some reason both blue team and red team talks are filled, if you can't find a seat, we still have things for you to do. We have a lock pick village provided by FALE. That's going to be right outside the rooms there in the Science Hall, so you can go learn how to pick locks, that's pretty awesome. We're going to have a couple of talks this morning and then we're going to have lunch at the big tents there. Lunch is free: if you registered and you got in, then you get free lunch, that's awesome, so thank you to our sponsors for helping pay for lunch. We're going to have giveaways today. We had about two thousand dollars' worth of money that we just went and bought toys with, right? So we've got some awesome toys; you can probably see them at the registration table. We've got a little Netgate firewall, we've got a Dualcomm tap, we've got copies of Richard Bejtlich's book, we've got a drone, we've got a Nexus tablet, all kinds of cool stuff. How are we doing that? In the talks, each talk will give away like one gift. There'll be trivia questions, so if you're the first person answering the trivia question, you get that gift. So pay attention during the talks; you might get a free giveaway. Some of the other giveaways are going to be done during lunch, and so, Phil, correct me if I'm wrong, they have to have their tickets. You have to have a ticket for the giveaways at lunch. Your ticket's going to be pulled, and you have to present your ticket to get your giveaway. If you did not get a ticket, go back to registration and they will give you one. If attendees check in, they're automatically entered, but you must be present to win; that's very important. All right, any other administrivia, did I miss anything? Oh, live tweeting, thank you, Lawrence. So please, everybody, right now unholster your smartphone, start live tweeting, please use hashtag BSidesAugusta. One of the points of today is we are trying to show the world the kind of infosec community we have built up right here in little bitty Augusta, Georgia, and how we can compete with the biggest and best cities in the world when it comes to security talent. So let's show them that by live tweeting. And again, I'd like to say thank you to you all for being here. I'm very excited about today, I hope you are. So again, let me hear blue team! Red team, make some noise! That was pretty even. Let's see who's actually better. Blue team, make some noise! Red team, can you make some noise? Blue team probably won that one. Let's try it one more time; we'll give you red teamers one more chance. Blue team, make some noise! Yeah. Red team! Yeah. Sorry, it's sad but true. All right, any other administrivia, anything I forgot? What's the hashtag? BSidesAugusta, all one word, no hyphenation, just BSidesAugusta. All right, well, that's enough of my droning on and on. I'm very excited now to welcome our keynote speaker for today.

You can read his bio in the program, and I'm sure many of you are already familiar with him, but I do want to say this. Richard Bejtlich has been a huge hero of mine for a long, long time. He's truly a brilliant man. He truly understands technology, he truly understands history, and he truly understands the adversary and how to defend against the adversary. But his brilliance goes even beyond that, because he can take all of that insanely detailed technical knowledge and he can boil it down and present it in such a way that anybody can understand it. So when we were talking about putting together BSides and we were considering a keynote speaker, our first option, the man that immediately sprang to mind, was Mr. Bejtlich. So I said, hey Richard, would you be available to come and speak at our little BSides Augusta thing? He said, well, I would love to, but I already have plans that day. So I started crying, and I cried myself to sleep for many weeks and months, and then finally one day I got an email from Richard. He said, hey, that event that I had got canceled, so I went ahead and signed up for BSides Augusta, I'm going to be there. He didn't say anything at all about the keynote; he just wanted to come and hang out and see all of our cool blue team and red team talks. So that told me that we did a pretty good job of putting together this schedule, and we got some pretty awesome talent put together to talk about security. So without further ado, please join me in welcoming Mr. Richard Bejtlich.

Thank you, sir.

Thanks a lot, Doug. What he doesn't mention, after saying the word "brilliant" three times or so, is that I'm his boss, and we're coming into the end-of-year period where we have to do assessments of performance and such, and salary planning and raises and all that. So I guess I'll have to keep all that in mind and somehow discount that introduction appropriately. But I appreciate the very kind words, I appreciate the opportunity to be here. I have to say this is the most interesting place I've ever spoken. I feel like we should have a moat here and maybe gladiators or something nearby. It's pretty awesome to be speaking in an amphitheater like this.

Something else Doug didn't mention was the reason I initially told them I couldn't make the talk: I was supposed to be teaching for Black Hat in Istanbul, but you may have seen that there were riots and Islamist conflicts going on, so they decided to cancel that event. So I guess you can thank religious and political strife in the Middle East for my ability to be here today, which is very interesting. I have just a few remarks to share with you all. This is a keynote, and it's supposed to get you out of the mindset of the other talks; in other words, I'm not supposed to be here to talk about what field is in what header of which packet or anything like that, so I'm not going to do that sort of thing today.

First, I just wanted to talk briefly about BSides itself. I find it very interesting that there is such a thing as BSides. This BSides here in Augusta very much has the personality of the two track leaders, Doug and Mark, which is the reason why I was so interested in attending it, because you can go to other BSides and they take on the persona of their leaders as well. You go to Vegas, and the BSides there tend to be just sort of out of control, and speakers get canceled because they're talking about really crazy things. I don't know if any of you know what I'm talking about, but it's not something I'm going to mention in polite company here. But this one seemed very much aligned with the things I'm interested in, not just on the blue side but even on the red side as well. So I think it's very good that there can be such a construct that allows this. I think for a while people were getting tired of the sort of same old conference, and now that there's this idea of BSides, it takes on the mantle of the people who organize it. I think that's really great.

The second thing I wanted to talk about was what I think is one of the reasons why red teams are always just pounding blue teams, and then I'll finish with some ways that maybe we can reverse that. I think one of the reasons is that no one is learning the lessons of what the red teams are doing, whether they're your own red team or whether it's somebody else's red team, like a real red team, you know, "red is their national color" type team, if you know what I'm talking about. So why is that happening? I think we're in a period now where people are starting to realize that we need to do something different, and thankfully it's not taken that long to figure it out, unlike some other examples. I want to give you an example of a time when that's... cool, got a plane taking off. I have to tell you, this is the most interesting place I've ever spoken at, this is really cool.

So, many of you know I sort of keep up with what our friends in China are doing, and I want you to know, though, I'm not simply Mr. China; I study other things. We were talking about Greek hoplite warfare this morning with some of my friends from Mandiant, and I'm looking at some other things as well. But one of the stories I came across recently had to do with the transition from one dynasty to another in China, so I'm going to tell you a little short story about that. The third sort of main dynasty in China was called the Zhou Dynasty; that's spelled Z-H-O-U. The Zhou Dynasty came about in about the 11th century BC, and they had overthrown the dynasty before them, which was called the Shang. So the Zhou Dynasty created essentially an empire, and they were ruling fairly well for about three centuries, but they started to lose control of their empire and they let competing states emerge on their territory. At one point there were about 250 of these competing states, and that was called the Spring and Autumn period, and then eventually they went into this time called the Warring States period. So essentially this empire that they had just collapsed; it totally fragmented into all these different warring states, and things were really bad at the time. Now, that took hundreds and hundreds of years to happen, but at the tail end of that period you had two different philosophers stand up and say, what's going on, what's wrong with our civilization, why are we just collapsing like this? And they came up with ways to think about the world to try to address this. One of them was Kong Fuzi (Fuzi means Master), who's known in the West as Confucius, and the other one was Laozi, which translates to Old Master. People aren't really sure if it was a real person, but that was his point of view. So Confucius invented his point of view, which involved order among different relations: you had the five relationships among, you know, father to son, ruler to ruled, and so forth. And on the other side you had Laozi, who came up with essentially Taoism, which is, hey, just go with the flow; you can't come up with a prescriptive way to solve problems because of unintended consequences and so forth.

Well, what's the point of all this? The point is these people went through this very traumatic period where their civilization was falling apart, and they decided to step back and try to figure out what the problem was and then come up with some prescriptions. There were two very different prescriptions, and the interesting thing is that to this day they still influence the way that that culture works. Well, I feel like we're finally getting to that point in information security. We've been getting hammered now for probably not three centuries but more like three decades, and there are very few people who are sort of stepping back and saying, why is this? Why is it that red teams always win, blue teams always lose? And there are some very simple yet really wrong prescriptions, such as, well, the blue team really doesn't know what's going on, or if the blue team just used the right technology then it would be fine. And it turns out that's all false thinking. I think one of the problems is that we don't have a strategy; in other words, we don't really know what we're doing. And I can prove this, because I repeatedly go to different large customers, and when I meet with them they don't know what they're doing. This isn't an insult; it's reflected in the questions they ask. For example, just this week I was at a big bank up in New York City, and we walk in there and they say, so, Mandiant, what should we be doing? And I said, what do you mean? And they say, well, you know, you see lots of failure, you see lots of other banks like us, what should we be doing? And so I just stopped and said, well, what's your point of view? What goal are you trying to achieve? They couldn't answer that. I said, do you have any metrics? And they laughed at me. They said, we have 250 pages of metrics we produce every month. So I said, okay, what's the time from when an intruder gets into a system to when you contain it? Silence. So they had 250 pages of metrics, which are probably things like anti-virus, patching, all that, but as far as a performance-based metric, they had nothing. And this same pattern is repeated over and over again: very, very basic questions, and it turns out people can't answer them.

So I wanted to provide two things. One was a way to think about this, and then secondly, a prescription around blue teams versus red teams. The strategy part is this. How many of you are thinking in terms of, you set a goal, like what's actually the goal of my security program, what are we here for? Are we going to accept risk, are we going to transfer risk, are we going to mitigate it, are we going to try to avoid it? Whatever choice you make, that's your goal. You know, some people say we're going to avoid Internet-based risk, we disconnect from the network; you hear that sometimes. It's funny, I was in the Air Force, but sometimes it'd be nice to set up a no-fly zone over a speaking area, I guess. So you have to figure out what is the goal that you're trying to achieve. I've seen this in large organizations before, and obviously in small organizations as well, where you ask, say, the CIO or even the CEO what's the goal of the security program, and you're berated: just keep this secure, what's wrong with you, don't you know that's what you're supposed to be doing here? Well, okay, thank you. That's like me telling you your goal is just to make money. Great, you know, that was really enlightening. It's like telling you, what's your strategy for stocks? Buy low, sell high. I mean, that gives you no prescription whatsoever. So first you set the goal: what is the goal that we're going to have? Then secondly you come up with a strategy, and there can be a whole set of strategies that you could implement. For example, maybe your strategy is we eliminate all vulnerabilities such that no one can break into our system. No one's laughing, right? So I hope you recognize that that's not true; you cannot do that. I think history has borne that out, but yet that's still something you'll hear from some leaders who say, well, you know, we just get rid of all vulnerabilities. Or else you say, well, we perfectly patch everything and we run antivirus everywhere, and again that's not even really a strategy, but it's still along this idea of you prevent all intrusions. A strategy in contrast that we pursue at Mandiant is fast detection, fast response, fast containment, and comprehensive detection, response and containment, so you don't just get one box that's affected, you get all boxes that are affected at the same time, or applications or users or whatever the case is. All right, so you pick your strategy. Once you have your strategy, you set out to run some campaigns, and those campaigns are the operational way that you are implementing that strategy. Now, we see this on the adversary side: the adversaries run campaigns against us. They have their goals that they're trying to meet, they have strategies which involve penetrating, to them, foreign computers, and then they run campaigns against these various targets. We need to have defensive campaigns along the same manner. And then finally, at the bottom, the tactics: what are the tactics that you create that implement your operations, that support your strategy, that fulfill your goal? So the tactics could be things like, you're going to make a decision about whether you watch a system when it's compromised or whether you're going to cut it off from the network. There's a whole set of these things, but the idea is that at the end of the day you've got tactics that support all the way back up to whatever your goal was. And if you want to throw technology in there, technology is at the bottom; technology is the thing that you use to run a tactic.

All right, now my final comment, in the spirit of blue teams and red teams. We like to think on the blue side, when we're trying to defend, that it's really the toughest job in the world. Why is it so tough? The common idea is that the defender has to be perfect everywhere, and the intruder only has to find one weakness in order to get into the network. And I think that that's very true. Any time in sort of history where you have a focused adversary who's attacking a single point and can master the single point, and you've got a defender who has to spread their defenses across the entire battlefield, that decisive point is going to win. So that's why the intruders win. So okay, that seems pretty bad for the blue team, but it turns out the intruder has the same problem. The intruder has to be perfect in all of his or her activities once they're inside the network. Well, what do I mean by that? Well, if the intruder leaves any artifact behind or gives any hint that they're live in the network, and you have defenders who are paying attention, you can find them. And once you find them, now they have to defend themselves; essentially the intruder has to defend himself as you kick him out of the network. So I've heard people like Marcus Ranum say packets don't hold ground. He's clearly never been in any Internet-based battle, right? I mean, you can hold ground; it's just computers that you're holding, and holding means I own this computer and I can tell you who can log in and who can log out or whatever. Many of you have probably been in the same situation, where you're fighting battles against intruders, and at one point you own the computer and you can decide what happens to it, and then you lose control; someone else now has administrative or root access, and so forth. So I leave you with that, because this idea that, you know, blue teams, we're just sort of helpless: you're not helpless, because when the intruder gets into the network they have to be perfect in order to be persistent on the network. And if you're out there, if you're looking for them, if you're hunting through... first of all, if you're correctly instrumented so you have data, and then you're always going out and looking through it, you're going to make life difficult for the adversaries. And I think that's the final key, is that for too long the adversary has had free rein on all these networks. At Mandiant, when we do an incident response, for the last year it's been about eight months of time that we've recorded that's elapsed between when an adversary has gone into the network and when the defender has called for help. And eight months is too long; anybody can do anything over an eight-month period. Just two quick case studies: both the New York Times and actually the South Carolina Department of Revenue, sorry, this may hit home first for some of you all, but that was a case study that was released by your governor, which I think was a great idea. In both of those cases, the point at which the intruder broke in and then the time that elapsed between when they broke in and when they took something, when they stole data, when they got access to something sensitive: four weeks elapsed. Essentially a month passed from when they got in to when they did something. If at any point during that month a defender had noticed and kicked them out, then the victim would have been successful; you would have avoided a serious incident. Now, that's not the case with every adversary. There are some adversaries who can accomplish their goal in minutes or even seconds, depending on the nature of the compromise. So that's my final comment, is that if you're active as a defender, just as the intruders are active, you have a chance to win against them. And red team guys, I know you don't need any guidance about what you need to do to do better, but I would warn you that we're out there, we're looking for you. So hopefully that sort of creative tension is the same sort of process that can lead to improvement, and then it won't take us 300 years to figure out why we're getting our lunch handed to us every day; we can just take the lessons over the last 30 years or so and figure out what we need to do. And if you're at all interested in sort of the history of this digital conflict that's been going on, a really great book was released by a friend of mine named Jason Healey. It's called A Fierce Domain: Conflict in Cyberspace, 1986 to 2012, and he goes through the history mainly from a military perspective, but there is a little bit of commercial stuff in there, and I'd encourage you to take a look at that book. It's basically the first, you know, digital security history book, where he goes through famous case studies that people should know about and what we can learn from them. So thank you again for the opportunity to be with you today. I couldn't have thought of a better day, better weather, and better organizers. You guys are doing a wonderful job, and I enjoy the conference today.