
You categorize data sensitivity. So what that means is that you really have to decide what's really important, what's kind of important, what's not important, and what is totally okay to go. And you have to make your decisions accordingly: confidential versus do-not-distribute versus top secret versus photos of puppies. And then after you take your policies and you check all this, you really need to look at your defined policies for these different areas. We really focused on trusted versus untrusted and on-network versus off-network. And then recently, because of cloud, because everybody's going to the cloud, right, we have two different kinds of cloud. And we don't really consider, you know, we know it's not all cloud, but anything off-network that is trusted, we cover with things like a CASB. And a lot of it is untrusted: things like Dropbox, Snapchat, TikTok, all that. So we have to take a look at where our trust is.

And this last one is the most important thing you can do if you ever deploy DLP somewhere: create a system to fix your problems. You have to build an exception system, a system where people can lodge a complaint, lodge an exception, and, for us, it goes through legal, IT, and the business unit before it goes back into play. It's effective. And most people will just say, well, it's not important enough for legal, but some people do. And that way, there are a lot of people making decisions on what's going on. You shouldn't be making decisions on what's.

When you manage your project, this is super, super, super important: make sure the C-suite wants it. In some cases, you might have them use it first, which we try to do as much as possible. That way, when a mid-level manager complains about it, they go, "Well, the CEO's been using this for six months." Just like software development, you need to write your tests and make everything dependent on that, because that's the criteria. Milestones: for us, we use Kanban like crazy, but figure out what system works for you, and indicate that. That's garbage.

So, building amenity. This is kind of a weird one. So when we first rolled out DLP, we actually ended up rolling out DLP right at the end of October. And at the end of October, I don't know if you guys are aware, but apparently people do a lot of shopping around the end of October. You know, middle of November. I'm sorry, it was the middle of November when we deployed, and right at the end of November is when everyone does a lot of shopping. So the first thing we built was a blocking mechanism. On a non-HTTPS field on any website, if you put in your social security number or credit card, it tells you, hey, this field's not secure. Are you sure you want to do this? And we let them do it, though. And we immediately got calls from people saying, thank you for this cool thing. Like, what does that mean? It's like, well, you were about to send your credit card number to somebody on a non-secure field. And we built the mentality day one. Before we started putting any controls in place, people started seeing it as something they wanted in their house.

And recruiting your confederates. Take your most painful, worst, pain-in-the-ass users. I'm sorry, most challenging, most vocal. Tune with what the business needs, and, you know, what the people in the ivory tower need. Recruit them. Have them test your product. Get feedback from them. But it's not always going to work. This is the fun part. Sometimes the product fails. We had a product we loved. We were testing it for months. Fantastic! And then suddenly it started crashing browsers. And it's really a lot of fun when you get calls from senior managing directors, the CEO, the CFO, saying, "Why can't I open Name Your Browser?" So, a lot of fun.

So, POC versus bake-off versus RFC. Obviously, proof of concept is the most involved. It's going to take a lot of your time. You have to have a product that you really like. Bake-offs are okay, but you really can't focus on it. And then RFCs are garbage. If you buy something without testing it... I mean, how many of us buy a car without testing it first? Same thing.

And then culture fail. You're always going to have a situation where people just hate it. And if they hate it and don't want it and management agrees, then you just have to give it up. You can't love it so much that you can't give it up. And then really, this one is the one I probably should have put first: communication. For the projects we had, every project is available at all times, so that anybody involved can see the milestones, what's going on, the trouble tickets associated with the project, and their own trouble ticket. So they can see if their trouble ticket is important or not, and they can see the pool of trouble tickets that are there. So they go, oh, well, I lodged this thing two months ago, but they've got other bigger issues, so I'm not even going to bother. So, kind of nice.

And then mobs versus bosses. This goes back to the whole buy-in from the top. If the bosses are using it, then the mobs don't really get much of a say. But the problem is, no matter what, DLP still sucks. It's going to suck. It's going to be hard to do. It's going to be hard to deploy. And it's going to be hard to manage. But if you keep your goals in mind and you focus on the basics, and you really think about your users and how much they're going to deal with it, it's a lot easier to use. I do sit down on a regular basis and say, "I'm sorry, guys, we have to use this." Then you have to do all this other documentation. You show them what documentation they have to do if they don't want to use DLP. It's required by the EU or the UK or California or New York, Illinois. They take a look at it and they go, "I don't want to deal with that." They go, "Well, then here's your solution." The other thing is I always tell everybody, "If you can find a better solution, I want to hear it, because I hate this too."
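An added example, not code from the talk or from any DLP product it mentions, showing the two mechanisms the talk describes: the credit card and social security number detection behind the non-HTTPS field warning, and the rule tuning against false positives plus the low/medium/high/critical severity thresholds discussed in the Q&A that follows. The loose 16-digit rule, the Luhn and SSN structural checks, the threshold cut-offs and the sample events are all constructed for this illustration; a real deployment sets its own thresholds.

```python
from __future__ import annotations

import re
from collections import Counter

# A "loose" vendor-style rule: any 16-digit run is treated as a card number.
# Rules like this fire on order IDs, serial numbers and photo metadata.
NAIVE_CARD = re.compile(r"\b\d{16}\b")

# Tuned rules: 13 to 19 digits with optional single space or dash separators,
# validated by luhn_ok() below; dashed US SSN, validated by ssn_ok().
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real payment card number satisfies it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Card candidates that pass length, Luhn and not-all-one-digit checks."""
    hits = []
    for m in CARD.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(digits)
    return hits


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area is never 000, 666 or
    900-999; group is never 00; serial is never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    return [m.group() for m in SSN.finditer(text) if ssn_ok(*m.groups())]


# Severity ladder keyed on validated hits per user in the review window.
# These cut-offs are an assumption for the example; the talk's point is that
# you choose them yourself and only act on medium and above.
THRESHOLDS = [(50, "critical"), (10, "high"), (3, "medium"), (1, "low")]
ACTIONABLE = {"medium", "high", "critical"}


def severity(hit_count: int) -> str:
    for floor, level in THRESHOLDS:
        if hit_count >= floor:
            return level
    return "none"


def naive_card_count(events: list[tuple[str, str]]) -> int:
    """How often the loose rule fires over the same events, for comparison."""
    return sum(len(NAIVE_CARD.findall(text)) for _, text in events)


def triage(events: list[tuple[str, str]]) -> dict[str, tuple[int, str]]:
    """Count validated hits per user and assign a severity. Lows are logged
    only; ACTIONABLE levels are the ones a human looks at."""
    counts: Counter[str] = Counter()
    for user, text in events:
        counts[user] += len(find_cards(text)) + len(find_ssns(text))
    return {user: (n, severity(n)) for user, n in counts.items()}


def to_alert(events: list[tuple[str, str]]) -> list[str]:
    return sorted(u for u, (_, sev) in triage(events).items() if sev in ACTIONABLE)


# Constructed sample events (user, content), not real data.
SAMPLE_EVENTS = [
    # Photo metadata and an order reference: both trip the loose rule, neither is a card.
    ("alice", "IMG_2041.jpg company picnic 2019; order ref 1234567890123456"),
    ("alice", "exposure 1/250 f/5.6 camera serial 0000000000000000"),
    # A Luhn-valid test card number typed into a web form.
    ("bob", "card 4111 1111 1111 1111 exp 12/24"),
    # A pasted customer list: three structurally valid SSNs and one impossible one.
    ("carol", "123-45-6789, 219-09-9999, 078-05-1120, 000-12-3456"),
]

if __name__ == "__main__":
    print("loose rule hits:", naive_card_count(SAMPLE_EVENTS))
    for user, (n, sev) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{user}: {n} validated hit(s) -> {sev}")
    print("alert on:", to_alert(SAMPLE_EVENTS))
```

Over the constructed events the loose rule fires twice, both on non-card data, and misses the real card because of the spaces; the tuned detectors find one card and three SSNs, put alice at "none", bob at "low" (logged only) and carol at "medium", so only carol reaches a human. The all-zero serial passes Luhn, which is why the not-all-one-digit check is there.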
I want to thank Financial. They were actually pretty excited for me to come on here today. They did want me to say at the very beginning, which I totally forgot, that I am giving this presentation solely as an individual; my review and commentary are in no way reflective of the beliefs and commentary of Mezzofinancial, Mezzofinancial Holdings, Mezzofinancial UK, Mezzofinancial Europe, or any other subsidiary or entity thereof. So if I missed anybody... I would like to thank the DLP products of several vendors whose products I have now broken. GDPR, NYCR, CCPA: if you don't know what these mean, you should. They're very boring, very painful, but they are the privacy regulations that are really pushing GDPR forward. And they're really there to help you as individuals. So, and basically screw your companies. Hopefully, Wikipedia is notable, assuming. Hopefully not. And, of course, I'd like to thank all of you. I was expecting like three people to come in and basically drink all my booze and leave. So this is freaking me out. So if you want to get a hold of me, Beer Bites Bacon is my Twitter handle, and I'll be around all day. Feel free, hang out. I will not make you drink Malort unless you really don't want to be my friend. And the Tesla DLP fail: it's Gizmodo. It's really kind of an interesting read, because there's a lot of future content in there. So if anybody has any questions, I'd be happy to talk to them.

- My experience is that the process behind the management of incidents, so basically false positives, is the most cumbersome, or most of the effort lies in there, because you can't just give it to a help desk team; you have to have legal or compliance people, you have to have business-savvy people to analyze what the case is about, and you have to have the security people on board. So that makes it a very expensive team that you could bother with a lot of false positives. At least that's the experience I have. I'm from Switzerland, so Europe, so maybe we have tighter requirements for privacy laws.
- So, yeah, and I'm really glad you brought that up: the false positives, because really, that is the huge, huge, huge pain in the ass for IT staff and security staff, the false positives. And if you don't know what false positives are: DLP is usually pretty terrible, because the DLP vendors don't want to get involved in accidentally letting information out, so they make these rules so loose that they stop everything. Everything. Everything. So what you get is metadata that it thinks is a Swiss passport number. It has nothing to do with anything, so you really have to go through and really nail down your profiles and your rules. If you know how to use regex, you're going to be really, really, really in a good place to work on DLP. There are so many terrible things about the false positives that you get, and you don't want alert fatigue, because that's what we all get right now: suddenly your email box just blew up overnight because somebody sent out just a photo. So what you need to do is scale those back. We log all of these false positives; we don't do anything about them. What we do is, when we have a behavior that shows more and more data, that raises the level of the severity of the incident from low to medium, high, or critical. So we only take action on mediums and highs and criticals. Lows, which are just a few things here and there, we just avoid. And we use that as a discovery mechanism: if we do find out somebody stole data later on, then we go back. And we do periodically go through and take a look at somebody's logs and make sure that we're not letting things slip through the cracks. But really, you need to figure out what your thresholds are for medium and high and only work on those.
- Are you blocking USB or just monitoring?
- We do block USB for most employees. The traffic leaving the system... because, I told you not to use endpoint agents, we're using endpoint agents. So the endpoint agent actually monitors all the traffic leaving the system through a USB port. There's a full log of that, and that full log every week goes to our compliance department, who then will go through it. But if we do see something that's obvious, somebody exporting a lot of data, we do throw a flare up, and we do get alerts. But for 99% of the company, they're not allowed to use USB at all. But for those few that are, and I think it's like 10 people, those people, everything they do is monitored. So I think we have time for one more.
- So how do you respond to a DLP alert? Like, do you have a process? Do you have a process looking at that, or signals? Like, what's the process here?
- Right now, I see you're looking at the person who manages most of the DLP for the... We don't really have a whole lot of human resources to throw at the problem. Which, if you do, if you have a lot of bodies, that's great. But if you don't, then you have to be smart about it. So what I have is a daily report that I get that shows everything that happened yesterday. And I go through that and clear that queue every day. I've gotten it down to the point that I only spend 20 minutes. So it's not bad. If there's something huge that happens, though, I get an email alert immediately, and I have to take care of that immediately. We do have an automated system. We do forward problems to the SIEM, but the SIEM is just there. I mean, I have false positives as well. So somebody else does that as well every day. But that's less than five minutes a day of his time. OK, so I think we're done. If anybody has any more questions or wants to chat afterwards, again, I'll be hanging around. I'm the only person in this building that does not work here wearing a suit. So I should probably be really easy to find. So, oh, I'm sorry.
- We have a list of credit card numbers that all pay, they all trigger DLP.
- Test two, test two.
- Sure.
- And then therefore that credit card number will not--
- Never show.
- Never show. Yeah, no, and there's nothing you can do about it. It's not going to stop real attackers. It stops the exfils. But, you know, we've discovered that most of our, most companies', exfils happen by accident. It's usually employees. So we actually, so we have rules and rules within the department. So we have temporary employees and, but for most people...
- We log a disgusting amount of data. Because the idea is that if somebody does do a workflow and we get a call from the FBI six months later, we would, more importantly, be able to go back to the moment at that point and say, "Who did it and how did they do it?" Radio signal.
- Easy to... that's why this, this is basically a burner laptop. Yeah. Yeah.
- I don't want to touch their stuff.
All right. Yeah.
So we're using some of the UEBA features on our DLP and they're terrible. So we're actually going to buy a different product that just does that, because there's not. There's not. And we're looking at it. I dare you.
- So, well, here, I can't make him do it alone.
- Oh, I'm not doing it alone.
- You want to be in on this one? Yeah, it's not entirely unlike gasoline. No, I mean, you know, we want Darktrace, but we're not going to build something else. So at my old company, I built a system that did a lot of things, built a series of thresholds, and just kept an eye on the data flows that individuals are doing. But I have the time and ability to do that, and the visibility to do that. You know, that's not for everybody. And we're looking for a tool. We've seen so many different user behavior systems that just fall apart. Sure. Well, hey, thanks a lot. Yeah. Okay.

So Digital Guardian, we actually tried their product, and the latency that it introduced in our system was brutal. But I hear they have a cloud-based system, which is much better. Well, the good news is I'm using it, and we're basically spending all the technology. We currently use Symantec DLP, and only because, only because, God, I love these glasses. Only because they do everything. They don't do anything well, but they do everything poorly. And I can deal with that, though. I can live with that. So we're using super, super, super highly customized policy sets to manage the data, because when you install it, it's going to suddenly say everyone is non-compliant, you're fucked, you know, like, Rome is burning, and then you're going to look at it and go, this was... last year's picnic report, you know, photos from the company outing. Like, this is not PII. This is just metadata that we're sending to, you know, Google about, you know, the location, date, or whatever, you know, the fourth of photos taken. So it will pick up a lot of stuff. Run it in monitor-only mode for a while, roll it out slowly, one rule at a time. We have beta rules, test rules, and then production rules. Production rules, loans, and then production. The test rules are actually the rules that we have that are in production that are keyword-based, to make sure that the functionality is working, because your DLP will break a lot. And so I've written a series of automated scripts and tests that we go through and test all these things on a monthly basis, so that I know if my browser broke or if Outlook suddenly decided to not start scanning data anymore. So my name is Matt. I'm a developer online. Great. Please do. Yeah. Do you think you can share a lot of the projects that you're obviously doing? Yeah, I mean, I actually had a nice long chat with our general counsel. Wow.
- That's exactly right. I'm just looking at my schedule.
So there was a very obvious solution to the "how do you get a file onto a highly untrusted computer." No, it was basically a URL-shortened link to a Google Doc. So here are the scripts that I encourage you to read, go through, start jotting things down. We don't have our buzzers. What's that? If you can do that, that's awesome. If you can actually do a wolf whistle, I bet you Nicola Bryson can do it. I think a wolf whistle is walking back and forth to the hotel today. You did get the... you got a little catcall? Yeah. How did the meeting go? It went pretty well. I started out by reading the email I sent to the company yesterday. Yes. That it smacked of the chilling effect, as EFF called it. Yes. And that censorship is illegal, in other words. And that all research took place in the Netherlands. So it worked out pretty well. They mentioned NDAs, and I was like, I don't really like those. Yep, that seems... Is that an air horn? No, it's a shirt. You're going to be impressed. I'm like... I can go find something. That'll wake him up. Not permanent NDAs. Nothing should last forever. That's what I thought. Eventually the... This is not ideal, but it'll be OK. Now, last year we were sort of in the center. This is a little awkward, but... Do you want... I don't think... it's going to require... we have a power. So potentially get a lot of... if you wanted to just take chairs and do a semi-circle. I think with the scripts, the table's probably better.
I don't want to be able to make eye contact, but I also don't want to be in the way. So I think all this is here. You guys can all see me. So we'll do it this way. There's two labs. Sorry. Yeah, so you want me on this side? Oh, I can make eye contact. Yeah, let's do... So that's true. Make sure that has one super long thin hairstyle. Like... So yeah, that'll work. And then I can just roll over here for the couple times that I actually need to change the slides. You guys review script. Start thinking of what you're going to say for the various things. Let's do this. I might be the straight person in
this because I'm not as humorous as everyone. But you are. You're selling yourself short. I said it.
Yes. I can't quite get myself ready for-- Well, not the USB-- the USB 1-y thing, right? It's the single port, so you can't use your computer without-- like the iPad Pro, I think you need a $100 adapter before you can use two things at once. Right. Give me one second. I just want to finish reading through this. You can turn this on and see what I'm watching.
So let's see. That looks great, man. That looks just so great. I love it. I so love it. Anybody who asks a stupid question, you should be Arizona. There was a switch on the side that I did not turn on. Oh, there we go. Yeah. Nice. Perfect. This works. Thank you. Oh, did you make them? Oh, yeah. Awesome. I'm going to make a new entry in that thing. Oh, that sounds amazing.
the speaker ready room and get myself a Red Bull before we get ready to go live. - That's a knee. - Oh, here, I'm gonna move over. - Oh, no, no, you're fine. It's more just me. I tend to have embarrassing things like that happen. - Oh, I bruise myself all the time. You can brush up against me and I've got a massive bruise. It's amazing. - And one of my rear end cheeks where I'm like, "What the eff did I do?" - Where did that come from? - And I have no doubt, I just backed into something, blah, blah, blah, like something. - Yeah. I still don't know where these ones came from. And then I got
one here, and then one here. I'm like, wait, wait, wait. Yeah. I don't need help with this. No. I mean, do I want to get like a... Yeah, that's what I was doing. And I was trying to see, do you know if anybody has a highlighter as their swag stuff? Do you know if anybody has a highlighter as their swag stuff? I used to carry one of those highlighter-y pen things. But then it dried up. In the past, I've actually had... So towards the end of the show we'll have a better rhythm but at the same time... And you'll have a roving mic for me? You'll have a handheld roving mic? I know, yeah yeah
yeah. Yes. Marty Blushen. Yeah.
Oh, remind me to ask you after this some advice. University wants me to be part of their PhD program. I'm getting heavily recruited by them nowadays. I wanted to do the John McAfee one because he threatened to sue me. Okay. Yeah, he's an interesting man. That's all I can say. I thought it was hilarious. I think he was high, which is all the time.
I think John McAfee is hot. High. Oh yes. Yeah, yeah, yeah. All the time. All the time. He told me, "I looked you up and you're not even a real lady." I was looking at myself like, "Huh. I didn't know that. I think he's a lady." No, you're right. I'm a freak in the sheets. Man, I wish you had been there. Damn it.
Check one, two, three, four, five, six, seven, eight, nine, ten, eleven, twelve. Yeah, these levels are check, check, test one, two. I'm actually seeing at the front that the right side's fine, but the left side's a little low, but it's fine. It's because I'm on that. If I walked this way, check one, two. You know how I check this? I walk out. Can you stand right here and give me a thumbs up when I cut out? Or a thumbs down when I cut out? Yeah. Check 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13. I'm still good? Wow. See, look, this wasn't like this before. So we're, you know, we're fine. Yeah, so
let's just check the, sorry. I was trying to find a good song to beat the noise. A little switch at the bottom that says on off? Yep. The closer you are to the microphone, the better you are. Be careful. You're not going to use a lavalier, are you? I'll be back in four minutes.
Check one two. Holy moly. Look at that. That signal is great. Check one two. Three four five six seven eight nine ten. Check one two. Three four five six seven eight nine ten. Yeah. Look at those. See those orange bars right there on that third thing down? Yeah, those are the frequency. But yeah. So here's this. This is good. No issues. Check, check, one, two. Maybe a little ringy. The lowest, ooh. Capital One. Who's in your wallet? Yeah, I like that. I like that. Objection. Nope. Sorry. Thank you. Here's a baby chain. If you had like four lines, you'd point out that this one is a one-time thing.
No, go on that. Yeah. We have Antaz and we have video turn six on it. Do you have any ideas, questions, thoughts? Do you want to seize in or seize on? I just keep reading it over and over again. Capital One Data Breach. Who's in your wallet? No, really. Who? Who's, man? I mean, I can technically... I mean, when I introduce you, you can stand up and... Oh, yeah, you can. Actually, the fun joke is each of you... I mean, it'll hunt. That dog will hunt. I was trying to think if somebody had stress balls I could put on the end or something. Oh, yeah. I mean, yeah, they're not even properly notched. I'm telling you,
give me a theme. I'll run with it. Or a costume. I'm telling you. No worries. 15 minutes long. I'll see if I can do something with this for you at the discretion.
I'll see you in a bit, okay? Cool, bye. Bugger it. What happened? I have a friend who's a putz. Got a badge for you. And then he didn't show up today. That's what happens every time. Somebody did that today as well. I guess we're back in black. Does anyone want from the speaker's room? Bad idea. If they have... Oh, I'll walk with. Do you mind? I'm just rereading. Thank you for reviewing, yes. Got some caffeine. Yourself a carbonated beverage before you mic'd up. And then...
I put on my onesie because it's actually kind of cold in here. It's going to be so hot. I'm sorry. At least I feel like there's good air conditioning in here. Yeah. And some other places it's not so great. I just want to know, like, when you got the Batman onesie, did you say, you know what, I'm going to wear this, like, quasi non-ironically someday? Yes, right? So I was planning to, if Jeff had come out, We had had security guards at Amsterdam. We're gonna go out and do a pub crawl in Amsterdam. Wearing our pajamas, our themed pajamas. A bunch of us. Yeah, but it's Amsterdam. So you can kind of, you know, go G-string while you rollerblade around. I
need to go visit. Yeah! See you later. That's a good one too. Yep, I like that one. I'm gonna look that's when somebody will call me. You love it.
I'm just impressed at how you're able to, with the skirt, I would have laughed. Well, I figured I'd wear like a softer skirt, you know, because then I could just put it on and then it wouldn't wrinkle because of the print. That's fine. I plan ahead. I try to have plan B's and C's. I was asking some friends, hey, what kind of costume should I get? One of them suggested, I don't know why, a clean one. I'm like, that's a compliment. It is? Sure. She's made millions of dollars. That's true. And she's appreciated, like, for her curves. And so if someone's telling you you've got smoking curves, that's how I take it. At least I didn't say
Kardashian. Oh, Jesus Christ, don't lie. No. No, I would die. Oh, my God, I would kill them. No. Yeah, that's what I mean, like, we're not friends. Wait, we've just stopped this conversation? Uh-huh. And I don't want to speak too good. Uh-huh. Uh-huh.
little dog and he's like oh surely I have saved this picture I mean the ears the ears are a get me it's a little dog okay all right so Bryson is a professional what time do we start painting I did yeah I think I painted him
Okay, so The chaos, should we fear the anarchists? Who did you want going where? - That is a great question, thank you. That is question eight. - Since I brought up Capital One in the beginning, should I be Capital One again or does someone else wanna play with Capital One? - No, I think that's great. If you like Capital One, then you should play with it. And then Bryson for the lulls and Chris, do you wanna back clean up, which is anarchists are kind of pathetic. Or tell me what floats your boat. Do you want to talk about Capital One? I don't like Capital One. You do Capital One. You are Capital One. What is in your wallet? Exactly. Who is in
your wallet? Who is in your wallet? Because these days... I like it. He must be changing into his costume. What's that? I mean, those are girls. So did you guys get that? Did you see the patch? Yeah, yeah. So the... Yep, exactly. Well, you know, he has the dark past port, right? So you never know. And so the question I'm going to ask you as you introduce it is, you know, I'll say, is, you know, tell us how that informs your ability to comment today. Or why do you think you will win? But essentially... Because I like to use technology to kill people, so I always win. A little more of the bio stuff, so
like, it's a way of having a self-introduction, so I'm not just reading, I'll give the... Self-introduction? No. I numbered them. Squirrels. We forgot squirrels. Number five, we should have squirrels. That's a very strange... So, you guys know the basic rules of improv. It's yes and. So, if someone's giving an answer and you want to add to it, you can call this in your shelf. It's even a non-descript. What pleasant sound do you want? It depends on the mood. They can change. Someone last will do
If you can keep it in the meat, I think that's wonderful. I'm just going to keep hitting play, so we'll see. And if it doesn't work, it will work. That's okay. Anybody need, like, minty things? Keep your... You know, actually, it's funny. It's been a while, but it's still in my hotel room. I got these Fisherman's... Fisherman's Friend. Fisherman's Friend, not Fisherman's Work. Yeah, there you go. I'm going to spend on 19 litigation first. Nobody wants to be told their baby's ugly.
This is a pretty cool driver box. And, turns out I could have rolled with Fuji A as well. You don't think he's in the speaker room? What's that? Do you think he's in the... No, he's just in the same room. Right. Did you follow up with him? On number one, do you want A or B?
I think B coming from Bryson would be the funniest. Chris, did I show you for question number one what the graphic is? I like it. I like it. Number five. Are you marking things for Bryson? Yeah. Oh, that's so nice. Accident. I wonder if some of the rest we should be focusing on. Accidental. Accidental. I'm going to say squirrels. Ah! I already got it. Ah! Clean squirrels. Nice. That one will be open.
Okay. Yeah, they keep going back and forth. And we don't have bottles of water. Do we have any? I can get you bottles of water. Thank you so much. So this is what we do. Obviously, you don't have to use the powder exactly. It's basically, it's just like, it's cell phones, cell phones, microphone, sponsors go. Explain the microphone. If you're going to ask a question. Oh, yeah. Good. All right. Yeah, for Q&A, I can come over here. And then we can use the past mic. Yeah, we'll do that. Thank you. I didn't pick any of those yet. I mean, I would say yes or of course or duh. Yeah, I mean, I'd say all of those. All of those.
I'm not going to say duh. I'm going to say duh. I just put the Price is Right theme song in my head now. I think that's a great start. I think yes because I'm more of a straight person. I think I'm channeling your serious. Don't forget to stay your New Year's. Yeah, there you go.
Sorry, 19. My therapy attacks, but they are... Oh, we were just randomly, so... I'll say B. Then I was just going to add fear of litigation. Nobody wants to be told their baby's ugly. Attribution agency. Smart cities. So, are you going to have like a... When you've volunteered as tribute for something, you're very good. May the emphasis of Oz be ever in your favor. Well, we're waiting for one more panel. Just in time to leave. Okay, on 17. Yes. Do we have... An extra piece of...do we want to... An extra... Sorry, I was going to do something... And someone's coming to bring you bottles of water. Oh, excellent. We were prepared. I was going to say, typically... And also,
this might be a good time to make a pre-panel contribution if you are so inclined. Except you're in a onesie, so it's going to be difficult. If you just take a bio break, this would be a good time. Oh, I already did that. We met in the bathroom. Nice. It's funny, it's also where Liz and I met. It happens. Yeah, like I turned around and there was this woman with a bow and arrow. And I was like, that's what we heard. Well, it's like the old song goes, it happened one loo. Oh, okay. 17. So can we convince countries not to attack? How can the good guys stave off the bad guys? And by the
way, yeah, for a question to, or any of the other ones, if you have more funny answers to offer, chime in. That's what we have the buzzer for. So you grab my attention and claim the stick. What is the Drake equation?
I have favorite equations. I'm definitely warmer now. We get to pick three of our sponsors. We'd like to thank our sponsors, Critical Stack and Madeline, and our stellar sponsors, Robin Hood and Paranoids, and of course, the National Security Agency. Hey, I like it. You're going to give the NSA some of your sponsorship? Well, they're sponsoring part of the conference here. They have a booth, so I'm going to... Of course, our friends at the NSA... Exactly. They're always our friends. Right? Excellent. Thank you so much. Mine. It's the price of... It probably gets money from women all the time. Yeah. Nope.
I don't know what's up. I guess I don't know what's up. 14 minutes. I hate being late for things. I always like to be over prepared with Plan B's and C's. 13. Maybe that was Barsons. I don't know what it is. Cause he looked at the script last night. And he was emailing. Yeah. Your phone was dinging. Your phone was dinging. Or something was dinging. That's not your phone. Oh, this is the... This is their stuff, right?
That's not me. Okay. Okay. No, I just, I just, I'm very, my wife made that graphic and I'm very happy with it. And so. That's very, very nice. I do like it. I'm good. So we did, we did make contact? Okay. What's that? No, I couldn't make contact. It just rang through. Excellent. Let me DM Bryson. Oh, where are we meeting? Oh, hang on a second. Are you fucking kidding me? Driving over in a minute, have to pick a badge first. Where are we meeting? I'm waiting for Bryson. He should be coming. Jesus. I mean, I need like someone to bring Bryson in past the crowd. Well, past the crowd, but also he won't have time to pick
up his badge. I've got an extra badge on me. Do you want me to get him? Because I got a bat, an extra bat in my purse. And hang on a second, let me text the music. Driving over in a fucking minute? Oh, come on. Thank you. That is super Swan Beach. Nice of you. Nice to meet you, my lady. What's the closest entrance? Is it the casino entrance? Yes. I'm Cheryl. Do you know what he looks like? He may be wearing a military uniform. Oh, he's driving his own car. He's still going to park. Valet. There should be valet up front. Valet in front of the casino entrance, we think? Yeah, the casino entrance has valet.
At this point, yeah. I already felt late when it was like... These jokes are things that you do? You guys know the jokes. Well, a certain stuff with members pages. No, you were a super sponsor. Yeah, I was a super sponsor. I'm going to tell the door to open. So, at a certain point...
Exactly. Exactly. Of course he will be. Yeah, he is funny. It is going to be. I mean, any of the three of you should do this as a talk. This was just a way to get... This is my excuse to wear a shiny jacket and hang out with my friends. Oh man, I should have worn the gold shiny top I wore to Pride. Oh, yeah. Okay, bye. I'm judging you for nothing. I know, right? We were like super shiny together. Shiny. Shiny. That's, uh... I've tried to do that song in karaoke. It's hard. Is it? Yeah, so... From Moana, "Shiny." Because, like, the lyrics for Moana... Lin-Manuel Miranda, so it's hip-hop, like it's packed in
there tight and it's really hard to actually get them on beat. There's a what? Okay. Oh yeah. So Katie Moe has decided that our song for karaoke is a duet. "Love the Way You Lie," in a duet. Oh my. Which is, her part is gorgeous. And fairly simple. And my part is an increasingly aggressive descent into mental madness and domestic violence. It is one of the most draining performances I can do. It's like, one, it's fucking Eminem. And two, if she ever tries to leave again, it ends with, uh... Speaking of silencing phones, we should make sure that we're doing it. Yeah, this is going to be the story that we tell about
him for a while. Yes. Yes. Absolutely. Uh oh. Maybe I shouldn't be giving them no money. I'm starting to get warm. Can I ask a favor? Yeah, could you change that graphic and put a picture of the three of us in front of that screen? Now I've got that song stuck in my head. Make a sad face. Yeah, we'll be on one side. You want to make sad faces? No, we're just going to Photoshop Bryson. Bryson Leach. Yes, bright and past, dark past time. Well, thank you. We try to look good for you. What's that? They're very huge fans. That's true. Yes. I don't think we can do it. Oh, from there? Very. You look awesome.
Everyone is wearing a sexy dress underneath. Sorry. Hey! Well, you don't have to behave. Yes. Chris, you have one of the most enthusiastic crowd of Twitter fans. I love my fans. No, it's as well you should. Are they retweeting everything around? Alright, cool. You know, I know people. Just a few. Just a few. So I'll tell you what, this is not made of natural fabric. It doesn't have what you call breathability. Yeah. I'm just glad I wore like deodorant. How you doing? This is like a car seat material. It's not. No. So this is my plan B. I always have a backup. I always have a plan B. I think it's from the military. You always gotta have a plan B. Yes!
Absolutely. We should do like a pub crawl in like onesie pajamas, right? Yeah! Yeah, yeah, yeah, yeah. Let's do that. I'm just trying to think which onesie I would want to go get. Or when I'm in D.C. in October. You want to do two minutes more? Two minutes more? Two minutes more.
Yes that's a really great idea. I like that. I think he's dinging you. Pulling off. All right. He's pulling up now. So it's going to be three minutes. I'll start with the intro, and we'll introduce you, and then he'll come in. Thank you for the great introduction.
All right, well, thank you everyone for joining us for this afternoon's B-Sides 10th anniversary programming brought to you live from our Common Ground studio here in Tuscany, Las Vegas. We'd like to remind you that these talks are streaming, so please turn off your cell phones. And if you'd like to ask a question, raise your hand and I will bring you a microphone. B-Sides 10th anniversary is brought to you today by our Inner Circle sponsors, Critical Stack and Valomare. Our stellar sponsors Microsoft, Cylance, and our friends at the National Security Agency, as well as viewers like you. We kick off this afternoon's programming with "Where in the World are Carmen's $Adjective Cyberattacks?" So please welcome
our host, Alan Friedman. Thank you, thank you. And by the way, there's applause. Thank you. We are so excited. We have a great show for you this afternoon. There's been a lot of discussion about how we make things better. This afternoon, we're going to wonder why on earth things aren't actually worse. Cyber attacks come from all points, all sorts of approaches, but most of what we're worried about are, similar to why we rob banks, where the money's at. So today we're going to look at the attacks that aren't financially motivated and say, why aren't more of them? Why aren't there more of them? We have a great panel for you. Now a lesser panel would have just been ordinary talking heads having a standard policy panel. But our panel
today is going to give you a fantastic and fun game show where there are great prizes and the points don't mean anything. And we all wonder when we're going to die in a giant cyber refirer. So I'm going to introduce our panel and I have a request which is when one of our panelists shows up at a dead run I would like everyone to stand up and give him a standing ovation as he comes. I think that is the appropriate call out for someone who is coming late. But the folks who actually made it here on time, we have a truly stellar panel for you today. Our panel kicks off with Liz Wharton, who is
the VP of Ops and Strategy. She has over a decade of experience
as a lawyer working with hackers, and she is someone who you should not trifle with, either in a dark alley or in a competition based on where your next meal is coming from. So, Liz, you've been doing a lot of work in security in this. How are you informed? How has your work informed you to wonder when we're all going to die in a cybery fire? Well, considering half the time I'm trying to keep the people from causing the fire, and then the other half the time, I'm hoping that the folks that I work with are the ones that haven't burned my stuff down just for the lulz. I'd say over a decade, keeping these
folks out of trouble and working with policymakers, that's how I'm qualified. Fantastic. Thank you. And our second panelist today is Chris Kubecka, who's the CEO and founder of HypaSec. Hi. She's a cyber conflict expert and consultant, which she thinks of as a slightly more lucrative career than her past gig as a carny. That's true, actually. Ask her to do some stunts for you later. Just not all of them are currently legal in Nevada, so be careful. Chris, you've thought a lot about cyber conflict. Why are you here today? I like to discuss how to use technology to kill people. It's one of my favorite topics, and that's why I'm here. Excellent. So, true to form with our game
shows, our buzzers have not arrived in time. So we're going to be asking each panelist to make their own buzzing noise. So, for at least the beginning of the game, Chris is going to sound like, and Liz is going to sound like, oh no no hey, hey, we talked about this, no threats of bodily harm. You're wrong. Our last panelist, and a man who only showed up late because he really wanted to make a flashy entrance, is Bryson Bort. Bryson is the CEO and founder of GRIMM and SCYTHE and has a mysterious dark past that he occasionally alludes to and also makes one hell of a cocktail. So Bryson, how has your work both in the secret squirrel world and in the private sector informed your understanding
of attacks that aren't profit motivated? Well, just like everybody else, I don't know anything but I pretend I do. Technically, that's my job. I thought we had this conversation. All right. So we're going to start off today with a key question. In the abstract, we use the analogy of the Drake equation. And your first question, contestants, what is the Drake equation? Liz. Yes. I'm not sure, but the solution is the numbers to my cell phone. I don't think that my cell phone is the right answer. Do we have another answer? What is the Drake equation? - Buzz, buzz, buzz. - Bryson. - A calculation needed for the optimal ships to raid the Spanish Main and defeat the Spanish Armada.
I was not expecting a 16th century military strategic reference, but that's what you get from a West Point guy. Well, we can add Clausewitz, too. It's a Clausewitzian equation. It's a Clausewitzian? Okay. I'm sorry, that's still not correct. Does anyone have the correct answer? So it's the probability of life depending on certain circumstances and conditions and depending on certain types of technology. And I'm going to ask the panel to move the mics just a little closer to themselves. So you start off with a bunch of very small probabilities, but if you multiply them all times a very large number, say the number of stars in the sky for intelligent life, or the number of
people on the planet, it still means that there should be a non-zero risk of either intelligent life or not so intelligent cyber life. Your next question, we're going to play a game I like to call, if this is the answer, what is the question? So panel, if the answer is more than 16,500, what is the question? The number of times I expect to be propositioned by furries in this onesie. It is, that is a real risk. Liz? Yes, that's the number of arrows I would need to take down a wide area network. That I would... feel like we should actually measure that. I think you might even be able to make it in fewer than that, but that's impressive. That's not... Do we
have another answer? What is it? Bryson. The number of new entries in the national vulnerability database. So there are lots and lots of vulnerabilities out there. So let's talk about a couple of them. Panel, what do you think... was the most important security news from last week. Yes? - John McAfee. - Yeah, that's true, he's no longer in jail. I think that's-- - He's no longer in jail? - I think that's important security news, but I was looking for something else. Yes, the better question is who's in your wallet? Because apparently hundreds of millions of credit card numbers have lots of people now in their wallet, Capital One. I think that certainly dominated the headlines, but I'm going to disagree. I think there was one
more story that from a cyber security perspective was even more important. Does anyone know what it is? Buzz. Bryson. The 11 vulnerabilities announced in Wind River's VxWorks real-time operating system. That is true. I strongly believe that. If you're not familiar with this, VxWorks is a real-time operating system made by the company Wind River. It was a disclosure of 11 serious vulnerabilities, many of which will be there forever. Not everyone knows exactly what their real-time operating system is. This is technology that is used in satellite uplinks, in digital controllers in factories, in medical devices all over the world, and not all of it is easily patchable. So this is a real concern. It's a shame that the headlines were dominated by the Capital One or the John
McAfee. So here's a chance to redeem yourselves, because still the points are, well, they're made up, so I'm not going to read the score yet. For the muggles in the audience: do you each have a favorite vulnerability that you really like to talk about to frighten people? Liz. Printers, because just as soon as you get the sucker working, you find out someone's using it to steal all your data and information. That's a scary one. Chris. Well, I think Java related. It's in over three billion devices and that really scares me actually. It's everywhere. It is and it's always asking for an update too, which probably means there's some bad stuff. Always asking. It's in cars. All right, Bryson, what is
your favorite vulnerability to scare people with? If you have a computer, we can find you. All right, I'm now terrified. All right, so as we've talked about, the majority of attacks that we see today whether they're targeted against companies, whether they're ransomware, whether they're going after little old ladies' computers, they're financially motivated. It's the classic line, why do you go after banks? It's where the money is. But there's a lot more risk outside of just the cyber crime world. So we're gonna play lightning round. I'd like the panel to go down the list and please, whoever can give us the most risks that we should be focusing on that aren't built around direct profit. So let's start. Liz. Oops, my bad. Accidental risk.
Accidental risk is key. Squirrels. Squirrels still affect the electric grid in the United States more than any other type of attack. Bryson? Insider threats. Ooh. So we just had one out in the news today. There was a Pakistani man who was arrested for using $1 million to bribe AT&T officials. For the record, no one bribes Commerce Department officials. That's because we look for results. All right. So for these sort of non-financial related attacks, what are some of the threat actors that we should be worried about? Well, hackers, right? We're always a threat. The good news is I don't see anyone with a hoodie on or an old-timey mask. So I think these are good hackers. Absolutely.
Are there any other threat actors that you think we should be trying to worry about? Well, you have to break it down. You have to look at the criminals, those just looking to cause chaos. And then again, the oops, my bad, the clueless who don't realize what they're doing and the effect it will have. Whether they're a panda or a kitten or whatever bullshit name we're going to come up with because we're running out of animals. The latest one on the horizon is now Vietnam. Vietnam has started to actively hack everything in their country. So just following the rules the way the rest of us do it. So that gets us to a question of thinking about motive. So is it easy to tell the
motive of, you know, for someone who wants money, pretty easy, they want the money. For these other types of attacks, is this something that's easy to figure out? Well, sometimes people want you to know why they did it. If they're doing it for chaos or the lulz, they'll tell you whether they're lying. Another story. That's true. Sometimes people claim credit for things they haven't done. As a white man, I'm very familiar with that phenomenon. Sorry, I'm implying that I do it, not that I'm a fake. That was awkward. No, but I think your point, which is that there are lots of times that we want people to know that we did it. I drink your
milkshake. Do we always have that? Not always. I like to say anytime the Israelis are on your system because they're so good, you never know their motivation. Well, that's the question. Is it an Israeli vendor or is it the Israeli government?
So, Liz, you talked about chaos. Should we fear the anarchists, the people who just want to break stuff? Well, going back to Capital One, I mean, doing it because you can, according to court documents, and exposing that kind of a risk, I would have to say yes. I'll take that answer for 100 points. That's true. Unfortunately, your points have been ransomwared. So... Yeah, sorry about that. But yes, according to the court documents, the suspect told another Twitter user, I basically strapped myself with a bomb vest, effing dropped Capital One's docs, and admitting it, which is not a great thing to be on the record for the FBI talking about it. Are there other sort of anarchists saying that was a,
well, we said that wasn't the most important thing. It was a big deal. Are there other reasons why we might want to worry about the people who just want to break stuff? Well, from my experience, they tend not to do as much harm. They tend to get the low-hanging fruit, but there's still a lot of low-hanging fruit out there. All right. So now it's time to take a quick break and get a quick note from our sponsors. In addition to the lovely B-side sponsors, today's game show is brought to you by Bolt-on Security. Bolt-on Security. Because sometimes you don't want to be asked to actually build it properly yourself. Bolt-on Security. Why worry about it now when you can worry about it later? We
are also brought to you by the miracle hangover cure, hydration. Hydration. It's what's going to keep your pee clear while you're in Las Vegas. Hydration. So, meanwhile, back here. We are, after all, a game show that is nominally themed after Carmen Sandiego. So I'll have a Carmen Sandiego question. Carmen Sandiego is known for using henchmen and henchwomen. So, for the panel, your question is, what does henching involve? Liz? A TPS report filed in triplicate with the top copy printed on yellow paper. Oh my, okay. That sounds frightening. Do we have another guess from the panel? To be honest, the lady doesn't really describe it in flight company. A little too much. Is there perhaps an even better answer
for what henching involves? Zzz. Yes, Bryson. So it is related to the Old English hengest, or stallion. It's true. A henchman was a term for the person who looked after your horse. And so it was a groom in the days of yore when your knights had lots of people to help them. And so your henchman was sort of the person who did the dirty work while you got to ride off into glory. Similarly why I get to wear this fancy jacket while the henchmen on the panel and henchwomen on the panel do all of the work for this panel. So, let's talk politics. Everyone loves politics, it's always great in this conversation. People do crazy stuff over political disagreements. There's discussion about parties, people, countries.
Is politically motivated hacking, is that still something that we need to be thinking about? Yes, Chris. Yes, so basically any time a Soviet hero statue is moved, there is a whole bunch of very interesting Russian patriotic hackers, I've been told. It turns out that, yes, moving statues has caused a little problem. Panels, any other answer? Buzz. Dang it. You beat me to it. Bryson, I think you're... Well, there used to be a lot more in the U.S., but then they all grew up and had kids, and now they just do real things at DEF CON. Yeah. Except for the few that got rolled up in the Anon crackdown. But yeah, that's I think a really important point that you can now get paid to do a lot
of that stuff. And I think that has soaked up some of the market in the US. Liz. Yes, well, for as much as cities and other folks are getting held by ransomware to say it's politically motivated is probably not as much the case. More likely than not, a lot of it is just purely accidental or realizing that you're following the lowest hanging fruit, the weakest link. That's a fun answer. So is hacktivism gone? Are there any regions where we still see lots of hacktivism in the world? Well, India and Pakistan, when even cricket is not sacred. I mean, cricket might be sacred. I certainly don't understand it, so I think it's ineffable. Yeah. Yes, but did you hack
an entire school's website because people were celebrating their team's win? That's a cool story. Are there any other areas there we should be concerned about? I've seen a lot in Eastern Europe, particularly Bulgaria and Romania, because they're pulled apart by Western Europe, Russia, and Turkey. When you're at the nexus of not just two powers but three powers, things get a little sloppy. Anything else that we're seeing today? Bryson? So, of course, I'm going to pick on China. I'd also throw Russia in there as well. I mean, there's this fine line between what they are independently doing versus what is state-sponsored, but I guess if you follow their party line, then it counts as hacktivism.
All right. No, I like it. And we're going to get to the state stuff in just a minute, but I want to ask, before we dive in there, we're slowly ramping up the scary. So we've talked about people doing things for the lulz. We've talked about some political stuff. Now... I want to talk about cyberterrorism. Is that a real thing? Who's got the right answer here? Yes. Yes, I'd like to take the first shot because, well, chaos, clueless, can cause almost as much damage as a cyberterrorist. Knowing the motivation helps. Whether it's a real threat, the end result may be the same. Anyone have a firmer answer, yes or no? Bryson. Absolutely not. Second shot, fire. So...
Short of defacing websites, most of these groups don't actually have the capabilities. So when we're looking at these kinds of things, it's now a group effort. It turns out defense actually did get better. Go I Am The Cavalry. You're supposed to wave back at me, Josh. You don't have to pretend you don't know who I am. It's too late. And so when they're looking around it, we have now more of a group effort where 20 years ago, an individual hacker could get really far. Now it's more of a team-based thing. And it's a lot harder to organize that way. And a lot of these folks aren't going to be taking the contract. All right. So
we have a maybe. We have a hard no. So... Tomorrow I'm going to be doing a talk on cyberterrorism because an insider hacked the Saudi Arabian embassy and was very friendly with ISIS and another nation state and held hostage the entire city of The Hague in 2014. So if you'd like to know more, come to my talk at 10 a.m. tomorrow morning right here and about their lovely $50 million extortion attempt or they would kill over 400 dignitaries. I would watch that movie, by the way. I don't know about the rest of you. I think that sounds... So in addition to your talk, we're looking forward to the screenplay as well. And we've talked about terror, so let's break this down. Single actors. Is this the sort of
thing? How easy is it for one person, a lone wolf, maybe they're not part of the Broadway, how is it easy for one person to do some real damage? I like the fact that we get to listen to that every time Liz answers a question. Well, from having worked for the world's busiest airport as the technology attorney, I can tell you that with the latest Mirai variant attacking LG screens in almost every airport in the world, not just in the U.S., using some form of LG screen as their signage, that one misplaced thing and suddenly nobody has signs, you've created the chaos. But then you also look at the fact that one company, AeroData, does the load balancing software for all of the major airlines
and is prone to glitches. And one glitch back in April shut down seven different airlines in one fell swoop for several hours. So knowing where to go, one person can just have a bad software update, be it a person or a squirrel. All right. So we've got the case that yes, one can. Panel, any other answers? Wait, there are playbooks? I'm just mediocre without the playbook. All right, so any other answers on can one person make a difference in this world by breaking things? Buzz. So unless you're Brian Krebs, nobody's fucking with your website. Is that because things have gotten better or because the actors have changed? I don't know. It doesn't say anything about that in the script. Fantastic. So, it's time
now to play another game of if this is the answer, what is the question? The answer is three. What's the question? Chris. The number of furry propositions I might accept. Okay. I mean, that's a pretty good defense rate from 16,000 to three. Buzz. Yes, Bryson. My actual emotional maturity age. Can confirm.
Liz? The number of Bitcoins that some city somewhere has refused to pay to unlock their systems. And do we applaud that, or do we think that is the wrong decision? It depends. You know, it's really hard to get this. Fair point. And a profit-motivated attack. Do we have another answer for what three might be? Chris? The net? So the number of people that were killed in a German steel mill attack, it was the first known instance of cyber used to kill people in 2013. Do we know anything else about that incident today? The German BND will not release any other information other than one paragraph about it. Just that. Does the audience have other known mechanisms of a cyber attack leading
directly to death? I'm going to take the mic to you. Hi, J.M. Porup, CSO Online. I had a very reliable source tell me in 1998 that in the mid-90s, a New Zealand hacker hacked a test nuclear reactor in Pakistan, causing a mini-meltdown and the death of 80 engineers. I've never been able to prove it. I am glad that we have put that unsupported allegation on the Internet. That is a fascinating story. And hopefully, hopefully we've inspired someone to do a little more digging. I think that's fascinating. Hey, we stand behind our Five Eyes partners, okay? But that leads to the real question here, like the big actors now, which is nation states. Do countries currently have the capability to, and let's see if I'm pronouncing
this technical term right, F things up? Panel. Yes. Absolutely. Absolutely. Any other answer? - Yeah. - Right, close the door. All right, now we're a SCIF. - Yes. - Liz, do you have an alternate answer? - Yeah, really? Just by asking the question, I think we're gonna deduct some of your points. - Thank you, thank you. Trying to win the audience back over to my side. All right, well, if we know this is happening, let's actually dive into some of the really scary stuff. Are we seeing attacks against critical infrastructure?
Liz. Exactly. But you wouldn't have been able to listen to that if you were living in the Ukraine on December 23rd, 2015, where 30 substations, 230,000 people, pause, 230,000 people were without power for one to six hours. That sounds pretty scary. Do we have other examples of, you know, people getting all up in the cyber and breaking things in a way that would make us not sleep that well? So in the summer of 2014, there was a raft of production ICS-related attacks all across the country of Germany. It affected the pharmaceutical industry, the steel industry, the lumber industry, every type of industry. And it nearly shut down their production. That sounds pretty frightening. Bryson, you're
the scariest person in the room, mainly just because Ming left. Who's going to be here for DEF CON? Who's coming to my talk where I'm going to be breaking down all the critical infrastructure attacks we saw in 2018 in detail? Put up your fucking hands. See, you think that you can't be educational, entertaining, and self-promotional all at once, but this panel has really demonstrated it. Well, so let's talk about what we can do about this then. So if countries and maybe even the occasional individual or well-resourced group can do something really bad... What options do we have? Can we, you know, try to stave them off? Can we convince the bad guys not to attack us? - Buzz. - Bryson.
- There are two kinds of influence in the world. There's the one where I put a gun in your face, hi Tyrone, and you do what I say as long as it's there. The second is where I put a bullet in your head and you permanently do it. - Well that got grim. - You should have put that up for my nickname. So one approach is just we have lots and lots of force on the other side. So if someone comes and attacks us, we make it clear that we're going to do this. Do we have those red lines today? Well, so red lines, I think, are more of a policy and academic thing. Sounds
like the kind of thing Department of Commerce would coordinate with NIST about. We just take action. And then we think about it. I like that. Are there other things that we know about how to deter organizations or countries? Chris? Well, after some of the EU-NATO cyber warfare exercises in Brussels and convincing perhaps influencing unduly my group of countries to use the nuclear option to create an EMP over the attacking country. We've now been building a diplomatic toolkit so that they can actually talk to each other before they launch a weapon. You see, Bryson, not everything involves guns. Smash. Chris. Sorry, Liz. I was going to say, look at someone else's butt. But it's the interdependence, creating the
interdependence where if you break our system, you've also broken yours. If you break our travel, that you will inevitably take out some of your own citizens or disrupt your own industry and your own systems. I think that helps as well. I like that. So see, again, sometimes we can get newer and fancier guns that we all have to use together. I like that one. They were made in China. Yes. I don't like that part. - Well, so let's continue talking about sort of some of this new and emerging tech. So, a lot of us are engineers. We like new and shiny things. Is the evolution, as things evolve, is that gonna make things better or worse for these attacks that aren't just crime, that are these attacks
that are meant to hurt? Is AI going to save us? Is IoT? And by the way, if anyone mentions blockchains, you lose. - Can I leave the panel if I do? You've already ransomware-ed my points anyway, so I've got nothing to lose. Well, now I'm going to actually make you tell a story about how blockchain can help. Oh, fudge. Okay, if not blockchain, what are some of the other emerging techs that we should pay attention to?
Chris. There's a few different types of emerging techs. I'm currently advising the EU Parliament on how to use different types of artificial intelligence for warfare, but also we're concerned at the University of Oxford and De Montfort University with quantum computing and how that will actually affect the current encryption and what it will look like hacking in a post-quantum world. I like it. Can we get a contract for that too? Maybe.
Well, if I've already been ransomwared, I might as well talk about that place I worked that part of it avoided the ransomware. And at the airport, being able to use the smart city or the IoT connected technology, but also unmanned systems. And as long as you weren't using a certain Chinese manufacturer's aircraft, in which case you knew your data was going to be exploited and taken somewhere else, et cetera, et cetera. But being able to then take that technology and that interconnectivity and get better data on a runway inspection, for example, than you could without unmanned systems. You can get it in 20 minutes, 30 minutes of flight, shutting down the runway for what would previously take hours,
with much less clear data that couldn't get to the granular level that the unmanned systems and the different sensors on those could. No, I think the rise of unmanned systems is both scary but also potentially useful. Potentially. And also if you're trying to get supplies into war torn areas where someone may not want to be able to go, you can do humanitarian air drops and stuff. You hear that Bryson? Things coming from aircraft that are nice? I don't know what humanitarian is. The ones you didn't shoot down. Oh, nation building. Wow. I mean, we're liberating them. So I got one. Buzz, please. So it goes both ways. All too often we look at technology as the savior to overcome the fact that it turns out people
do things. People use computers. The greatest surface area in any organization is technology. People, regular people, not IT professionals, not folks who are like, "I actually know what a computer is." These are the folks that think the CD-ROM 10 years ago was where you put your coffee. These are the folks that were still learning, "If I turn it off and on again, it works." And so as we add additional complexity, that's called from an offensive side, increased surface area. You've now given me more of a target to go for. Defensive products are a target just like anything else. The more defense you have, also the larger your surface area for me to attack. Alright, no, I think, so basically we should have smaller organizations and less tech. Yeah, I
think we should just go back a few, you know, decades, centuries, just let's keep it simple. Well, you know. I call it my trebuchet plan. So, one possible explanation as to why we haven't seen more people exploiting all of these vulnerabilities that we talked about at the beginning of the game is that they are, but maybe they're not telling anyone about it. So what's the possible motivation there? Buzz. Bryce. Nobody likes to look weak. Well, I mean, with Chris around with her guns, the rest of the panel, well, I've never had an arrow brandished at me before. You don't know the right people then. Are there other reasons we may want to not actually disclose successful or potential attacks? Chris. Litigation
fears is one of them because I face that a lot, like this morning. Nobody really wants to be told that their baby's ugly. Some of us still get told we're ugly. It's still not pleasant. I tell a lot of companies that their babies are ugly. And attribution ain't easy. I mean, if someone's going to take credit for it or if you're going to point the finger at another country, nation, state, actor, you better make sure that you are correct and that they haven't perhaps fabricated evidence to the contrary. No, I think that's a great point. Hard to attribute. So, audience. Have our contestants, who are currently all tied, have they successfully answered your concerns about why we're not
all being pwned left and right by arbitrary bad actors? Does anyone have any questions? This is the time for audience participation. You can also participate forcefully. You made eye contact. Do you have a question? Yeah, you. No, that doesn't... Blocking eye contact doesn't stop it. What's your question? Unless you're talking about a retinal scanner, in which case that may work temporarily but you still won't get in the door. My cybernetics aren't that advanced yet. Yes. Do you foresee anything worse happening in the near future? Yes. Most definitely yes. So I'm going to disagree. I think that, I don't think we're gonna see the digital Pearl Harbor. I think instead what we're gonna have is the death by a thousand paper cuts. And we're
gonna continue to see little slices of things as our adversaries, 'cause it's not just about cyber, right? This is not a game where it's just computers and that's the only part of the playing field. It turns out we have other assets that are helping protect us. And those are very much part of the equation of any other nation state that's doing something to us. Which is why we haven't seen anything say in critical infrastructure crossing that proverbial red line because they know the result is not gonna be that we're gonna deface their website. We're gonna come and bum the fuck out of you. - I feel that should also have been your nickname as well.
Yes. You also have to look at, too, what's the motivation? Because if you completely cripple something, someone, they become useless. And if you're just trying to cause chaos and disruption, then you can do almost as much damage as one criminal attack or one clueless attack. I mean, it's what are you trying to accomplish? What is your motivation and the outcome? Yeah, if I can tag onto that. That's one of the big challenges we have in critical infrastructure, particularly things like election systems. I don't have to technically compromise an election system to undermine the public trust in the democratic process. And so a lot of these things really are looking at the human psychology of what's the impact of what it looks like I'm doing or the
perception of what I'm doing, which still has the end result. Question there and then there. - Okay, hi, Chrissy. Question for Bryson, really. You said that you don't think cyber terrorists have got the capabilities to do much. Why is it then you think that governments are actually taking out hackers with airstrikes? So, for example, Israel and also America did it a few years back as well. The Israeli airstrike actually didn't take out anybody. They bombed a building and there's a lot of discussion about what actually happened on the ground, which I won't go into, but that story might not be as kind of dry as it looked like. I think the better way to look at it is hackers are a capability like any other capability to establish effect,
whether that's psyops, spying, actual kinetic strikes. And so they're just now a part of the battlefield like anything else. Any other comments from the panel? Oh no. How bad does this situation in the US have to become for the Russian meddling in the last election to become considered a slowly creeping cyber Pearl Harbor? What if in a few years, maybe five, six years from now, we have still a racist in charge in the US and shootings happening every single day and democracy failing. Would you then go back and see 2016 as a cyber Pearl Harbor? To the whole panel. - I'll take it, I guess. So I had an interview with CNN this morning and the primary discussion was around that concept. What was
that, self-promotional? Sorry, wait, it airs at five o'clock on-- - I believe the appropriate responses.
No, but seriously, because he didn't want to talk about the cyber impact. He wanted to talk about the people aspect and he wanted to go, what can we do about it? And while I do not have a lot of domestic law enforcement experience, most of my experience has been OCONUS. A lot of what I discussed there was solutions through community engagement to solve the radicalization piece. But going to your question about the Pearl Harbor aspect of 2016, to a degree, I think that's more of a judgment call because I think Pearl Harbor was such a stark event that really shifted world history. You could argue perhaps the 2016 election did it well. But more importantly
is in 2018, we did something about it. And you can see where US Cyber Command went over and said hi, and they did it in two phases. Going back to my comment about influence, the first thing they did was all of the Russian agents or motivated patriots at the IRA in Leningrad received messages pop up on the screen that said, hey, we know you're doing this, hello. Now, that only goes so far because the GRU officer was standing right behind him and like, "Yeah, continue." So that didn't work. But then what we did do is we completely took them offline. And at that point, I always have the aphorism, "A hacker can't hack what they
can't touch." And the IRA's capabilities were degraded to the point that they couldn't touch anything. So something, there was a response. Again, segregating what is the national security response versus perhaps domestic policy pieces, I can only answer part of that. Chris, thoughts? Well, I'll be writing a paper with German think tank SNV to present at the German Marshall Fund in October for the EU-US joint response for malicious cyber activities this year. And so some of the things that we're going to be addressing is not something to deal with perhaps directly the administration, but the actual response on, say, between the EU and US Cyber Command and so forth. I think one of the things that is important to, I'm sorry, Chris, get this out. Oh, no, I
am not writing a white paper with a think tank this year. Instead, focusing on the third-party risk and the compliance. So hardening other systems to make it harder and so that you know what you're, you know, who you're dancing with and what's coming your way so that your companies and individuals can make better decisions on how to allocate their resources, but there are no international folks paying me to write. - Should we go around the room and see who is getting paid to write for an international think tank? And I think it's important to acknowledge the distinction between an information operation and what we might call CNE, like computer network exploitation. And Bryson pointed out that often they are going to be on the same landscape. But
for this, we tried to sort of leave aside the info ops and focus on the fact that if everything is broken, why aren't more people smashing? Why is it just Bryson that's smashing? That's not attributed. Yes. Attribution ain't easy. I didn't do it. Wasn't me. I think we've got the makeup for a pretty good song. Further questions? Yes. We've got a mic coming through. So are we seeing any trends in nation states using kind of third party contracted hackers from other countries or are we seeing more staying internal within their own home country? So it's been more internal and a lot of that has to do with control. Now, that being said, there's a fine line between,
from an outside perspective, what looks like an independent party, that's what I was teasing about, the activists or the motivated patriots doing this, versus they're actually on the payroll. But I do think we're going to see more of that. I think as we see additional activities, I think we're going to see a lot more introduction of those kinds of third parties in the next five years, particularly as we look at the continued democratization of offensive techniques that are being leaked. All right. I'm going to now ask the panel one final question, which is here in front of God, hackers, and a video camera. What should we be focusing on if we're worried about this growing risk you mentioned of sort
of people not just going after a quick buck but actually breaking things and harming other people and systems? What do you think we should be focusing on from a technical perspective and policy perspective? You know, I've now given you hopefully enough time to formulate an answer. What do you think? Well, I'll say, on some level, it doesn't matter to me who was trying to do what if the end result is the same. And, you know, whether, keep talking about the clueless, the criminal, the chaotic, if the end result is a system isn't working or the, you know, I can't turn on my lights as an end user, then... knowing exactly what the impact is, but just knowing the risk landscape, knowing what you're doing, the companies, the different things
that are playing into your environment and having a good feel for that and knowing what you can do on your end because you can't always control the actions of others. I would like to see more countries adopt the Dutch model for requirements for coordinated and responsible disclosure from every company and vendor. Without that, you have fears of litigation, censorship, or just not having any sort of program being able to acknowledge somebody handing you vulnerability or exploitation information. And I would really like to see that much more. Also in draft UK IOT regulations and other areas that are growing around the end. There are certain parts of the US government that have been actively promoting coordinated vulnerability disclosure for
four and a half years now. You can take credit for that there. Well, the US government, yes. The rest of us just aren't doing anything. Yeah. Speaking of which, Bryson, what should we be focusing on? So, my biggest concern is the promise of the internet that we were all given is that this was a way that one, we were going to find data would be set free. Remember when that was a thing? Remember that it would be easy for all of us to find truth and information would all be level? What we've seen instead is the world is starting to balkanize, and it's really bifurcating into those who believe in an open internet and repressive
regimes who have now seen the ability to control their populace, and they're starting to close themselves off in these enclaves. China's already done it. Russia's already looking at doing it. And I don't think that's going to stop. I mean, those are not countries that we can influence enough to prevent them from doing that. But that doesn't mean that the promise of the internet is not something we can still see as the standard in the international order. Now, that's not something we can dictate. As much as we have a lead as the United States, it's something which is the opposite of everything I've been half joking and half saying throughout this. Part of this is this
was scripted, what I said, so don't take everything I said with face value. This is the only part where I'm actually allowed to go off script and say something, is detente. We actually need to be building detente with all of those countries to be able to continue to establish a free and open internet against where these repressive regimes are going to continue to just carve out their piece and let's hope that they can't force other regional players into that and create their own internets. All right, that is actually a note of hope of saying let's keep the internet as awesome as it has been. I hope you'll join me in thanking our great contestants. They've
each won a pair of the socks that are floating around as freebies that didn't end up in the bag stuff. So well done, everyone. Also, travel assistance today was brought to you by weather delays. Weather delays, it means you won't get a free hotel room. Weather delays. So I hope you will all follow these brilliant people on Twitter. They are both erudite and educational. And I hope you will all join me in giving them a round of applause. Thank you, everyone. Sorry. I actually had a... That's my phone. Oh, nope, I just put it away. Sorry. Thank you. Oh, okay. - I still have to go register. - Oh, that'd be fantastic, thanks. - I stole a badge
from one of the volunteers who gave me quite an extra. - Thanks. - I'm supposed to be somewhere in 10 minutes, time to go, it's like too late. Sorry, so I'm sorry. - It's okay. You look very nice. - Thank you. Hello! You've been on an airport visit. Thank you. I really appreciate it. That's very cool. Excellent. I made a mental note to pull it out of my pocket when I came over here. Thank you so much. Because I started off being a bit forward as in I don't put up with censorship. It's illegal in the Netherlands. Everything was done by Dutch. That was their intent. They were chilling. In fact, - I certainly hope it wasn't the company lawyers.
- Whose attention are you trying to get? - So I set the stage. - Oh, fantastic. - And then we changed the line. - No, no, no. - See, now you're making me inspired to keep mine looking nice. - Mine has a lot fewer bottles than his. That was a nice line, by the way. You don't hang out with my friends. All right, I have to run to my next talk. Thank you. Thank you. This was the feedback. This was the challenge. You did it well. Thank you. Thank you. I'm parked on the curb. Not only did I forget my dongle, I forgot my whole computer. That was embarrassing. Okay.
I have a field called source IPv4 for X2, but in the other one is source IPv4 data data. They mean the same thing, but when you just receive those logs, and you don't change the name or you don't find a way to find a common ground between them, you're just getting two different fields that maybe you cannot do correlation at all from them and it's not useful for you. And there are lots of cases. We have a huge list, for example this list here. It's one of the examples that we have to, we dealt before, like trying to find a common name for each field by grabbing all of our sources and then classifying them. So why enrichment? So what's the importance here is
that we want to correlate events that are happening in one source with the other may help you with better incident response or having an idea of what's going on. Then we have the context. Again, the idea is you get more of your logs, you have a better panorama of what's going on. And then the analytics for if you need to do reports, you have to search, all right, somebody is going to see your platform and work on your platform, having those analytics ready, and in a way they can understand and do very advanced search on it is a huge plus to detect any kind of issues later. - So we are going to cover this in three parts. The first one
is theoretical, so it's going to be very boring because I'm going to try to explain what we are trying to achieve. And then we move to the technical part, which is the magic that Pedro is making with the scripts and repositories and all the things that I don't understand. Okay, so contemplator approach. So we have the data sources, we have the fields, we already covered these, the different values, and then to start explaining this, let's use three buckets. Let's use format, intelligence, and labeling. So in format is everything related to the format of the field, if this field could mean something that is already a known value, using dictionaries or even taking a string and fractioning that string in
different values. Then we have intelligence, which is external information we are going to inject to the logs we already have, to some fields in the logs. And then labeling is known values for us that we are going to start tagging. So this log, for example, it's coming from an administrator in Azure Active Directory, so I'm going to tag this as an admin log. So let's talk, let's start with the format. Common name. So if you're ingesting in Splunk or Elastic or any other tool, CDN logs, for example, content delivery network from Cloudflare or Akamai, and if you are also extracting logs from the web server, let's say Apache, they both contain the same true client IP, which is the true, the IP of the client that is
making the request. And the CDN will call it client IP and the web server will call it true client IP. So the meaning is the same. It is the same IP and you can correlate that, but the field is separate. And this is really basic, but most of the time people are not removing or modifying the field names. In this case, what we want is to call it the same if they mean the same. Known format for this. If you are processing IP addresses, then make your Splunk or Elastic understand that field as an IP address. There are plugins for that because sometimes you are not interpreting that as an IP. It is just a
plain string and you are not able to query based on CIDR notation, for example, CIDR ranges, for example. The other part, a cool one that I don't know if you guys know, is the E.164 numbering, that's for phone numbers. So that's basically taking from call detail records, CDR, from call manager, and it is taking all the phone numbers and it is enriching those in a format that you can read easily. Basically the plus, country, area code, and the rest. This is about known values. I'm going to explain this with an example. If you play with NetFlow, run NetFlow, you see that the NetFlow TCP flag is hexadecimal. So why you keep the hexadecimal? I mean, it is easier for us to basically move
from the hexadecimal value of TCP SYN to actual the word SYN. And it looks pretty in the dashboards and it is easier to manipulate. Also another example in NetFlow is the IP protocol number. So it's hexadecimal for the TCP protocol or the IP protocol and you see the number there, just enrich that with what it means, which is TCP, ICMP, or IP protocol. The other one that I want to mention in the dictionary is there are repositories that will take your user agent from Apache, let's say, they take the stream from the web agent, user agent, and they convert that to, for example, in this one you see Mozilla/5.0 and a string there that it is not telling you much, but then if you enrich
that, you will resolve that as Chrome 18 on Android, Jelly Bean, Samsung. So it's giving you the browser and it's giving you the platform. Decompose, in this case, we are taking the URL and we are looking at the URL at different, we are taking the slash and each slash will be now a field. And perhaps you're like, why you're doing this? Because it is easier to look if botnets are targeting specific sections of the network, you will see it spikes in different URL sections. That's an example. The other one is pricing, but we will cover that later. Intelligence, this is the second bucket. So geospatial is basically taking the IPs and the phone numbers and enriching that with the location.
A lot of times people are looking at the logs and they see a public IP. They take that public IP to ARIN or APNIC or RIPE or whatever and they look for the owner of that IP. Why you don't do that automatically for every single log that contains a public IP address? Identities, same. You're looking at IP, you want to see who is the registrar. Instead of doing that, just enrich that data. So every time you have a public IP in whatever source, add the geolocation and add the ASN number based on BGP. Pedro will cover how to do it later. Security and others, use the intelligence you receive from US-CERT, from New Zealand
CERT, from, I don't know, every country has a CERT, if you're subscribed to it, and get all the IOCs, the IPs, domains, start creating a repository and start enriching your data with those. So if you see a hash and you are collecting a hash, then enrich that repository I started from. So if you know, and if US-CERT sends you a list of IP addresses that are related to the North Korea thing, just take that, create a dictionary, and enrich that with your current data going forward. And also, if you can, retrospective to see the past. Labeling. So in labeling, we have different approaches here. And most of them are based on the previous enrichments. So flow direction. If I want to see
inbound and outbound in Elastic or Splunk, what I'm doing is I'm taking the private range of my private range or even my public range. And if it is in source IP field, then I target a source company, or it's my source. If I see it in the destination, the destination company. So if I want to, this is an example, if I want to see company source, but remove company destination, I'm asking to see outbound traffic. Yeah, or no. Yeah, outbound. Okay, IOCs, same example, takes Cisco Talos information from blacklisted IPs. It is available. You can go to Cisco Talos and see the blacklist domains and IPs. You can download that every day, every hour, and use that to label as IOC from Cisco or IOC from Talos
each time you see that IP in your NetFlow in your next generation firewall logs. Compliance, since you are enriching the data with the geolocation, now you can see traffic from embargo countries. So sanctioned destinations, everything related to Cuba, Iran, North Korea, Sudan, and Syria. You can look for emails coming from those countries, flows coming from those countries, or even traffic in the website coming from those countries. Since you are adding the ASN number, which is the owner of that IP, you can even start tracking for the embargo companies, the entity list. Business intelligence, this is just tagging based on competitors, investors, and clients. And this is because you are now able to move from an
IP to who owns that IP, and now you can, if you start tagging competitors, investors, and clients, you will start looking at them, answering like, what are they doing in our website? So if you want to see a competitor, you just filter by the competitor, and you see all the activity they are doing in the website. People, similar. In this case, we are going to-- since we know the email addresses and the accounts of the C-level and also the system administrator, we are going to start tagging as admin log each time we see a log containing that string. Starting with this is kind of difficult. So I base everything in Excel at the beginning. So for example, you see all the data sources there and then the
different categories, subcategories, and what I want to achieve with each of them. So for example, if I want to say IP, which data sources include an IP? All of those. And now let's see geospatial. Which data sources can I enrich with geospatial information based on IP? And I start marking an X in all data sources where it applies. This is just a map to start like, okay, I want to enrich, where do I start? This is an example of the IP base. So I have the different IP formats, the data sources, and the description of each field containing an IP. Then at the end, I'm suggesting a change of the field based on what it
means. So look at all the different numbers, different names, a value a field might have. And in the last column you can see that actually they might mean the same and they need to be changed in order to correlate and to facilitate the stuff. And then start marking with X like where or which enrichment applies to this. For example, your location, every single IP, public IP. ASN, every single public IP. Flow direction, so if the source IP is private, then mark it as your company source IP. Same for destination, if it is public and it is within the embargo countries, then tag it as embargo. Same with competitors or major investors or clients. And also, the final one, if it is
public IPs, then also tag it using the intelligence you're receiving from the external world related to IOCs. Yeah, I told you that was the theoretical part. So that gets practical here. So you see that Rodrigo simply designed everything that he wants. He was going to analyze this data later. So you have lots of requirements that you have to keep up and try to implement them on your platform. But you see there's lots of sources, there are lots to implement, and you think, "Well, this is very overwhelming because where should I start?" So you may feel overwhelmed, but in the end, if you go step by step, everything starts with a simple step, and then you think about what other choices you have to implement this idea and improve
it. - That's how I make you feel? - Yeah, you make me feel it. This is what I did the first days. Okay, so to start, everything you can find on the net can be useful for starting this up. When I was in college, there was something like everyone was pretty lazy to do the stuff on their own. If there was something on the net, okay, there is something done, we may try to use that. So we have lots of sources where we can retrieve information like lists, products, or whatever you can connect with the platform. So for example, public repositories, be it GitHub, GitLab, they have like lists or scripts that may help you to retrieve the information, maybe
save it on a file for later being grabbed by one of the beats that can read a file, or just an API that you can contact with through Logstash and retrieve all the information. So, there are also newsletters or where they, for example, each day they update the list of IPs that are related to a certain malicious activity, mining activity. So maybe in this case you just have, okay, I just have to adapt this list, but it's a simple task, I just download this list, create a small script to adapt it to an acceptable format by Logstash, and that's it. Then, for example, for the GeoIP part, we use MaxMind for this. They have GeoIP databases that with the IP, you can retrieve where
it is located, what is the ASN. ASN means like if this IP is from a company like Microsoft or Amazon or whatever. If you can just narrow what you need, like, "Okay, Rodrigo asked this, maybe I should look at this," and try to narrow all your research before doing everything, you'll find very good results. Then, again, Logstash. Logstash has lots of filters to apply. Doesn't matter where you are trying to retrieve the source or what you want to get to enrich the data, Logstash may already have a filter for this. So for example, maybe you want to retrieve information from a certain database. Logstash offers a way to connect with a database. You specify what kind
of field you want to compare, then it contacts the database and there's results. It will generate a new field with the result it found. So when you try to work with Logstash, it works in a very simple way, because generally they work through plugins and they are written this way. So you get the plugin, you specify which attributes of the plugin you want to use, and that's it. Generally you have a set of plugins that will work like the Hazit workload, all the documents that are related to, let's say, this is Apache information, so I want to apply to this Apache information all these plugins, like for enrich the data, and that's it. It's very simple to use it. There is enough documentation to understand
how it works, so it's up to you to see what suits you for what you need, and then apply it. And okay, it comes the point that, okay, Logstash didn't work for me, or what it offers isn't enough, or cannot do what I have been asked. So Logstash offers something like, which is the Ruby plugin. So if you're not familiar with Ruby, the Ruby language, it's not a difficult language to learn. I didn't know Ruby when I had to do some tasks that are related to very complicated stuff that I couldn't do with just one plugin. I had to learn Ruby. In two weeks I had the basics already done. It was kind of easy to code from this side. Alright, you may
not have a background in coding. Maybe you can get whatever, I don't know, a programmer from another area and just, okay, can you please help me with this project? It's not something complicated to do. There are cases that we had to do something that, for example, one issue with Elasticsearch with nested fields is that it doesn't process them well or is not that well supported. So there was a time that with one of our sources we get the list of vulnerabilities after doing a scan of the machines. And we only get the score as a number. But we wanted to classify them through the CVSS, like okay, this vulnerability here has this score, it is moderate. So this wasn't on the logs, so we had
to do it. It was kind of easy to do because how this plugin works. So you get, it works through simple CRUD. Like, you get a field, you set a field, you can delete a document, you can clone them, and even tag it. So, in this case, we just needed to grab the field where the score was, and from then we have to compare with the range, like here. So, if we just compare, okay, this number associates with a high. So, we just need to create a new field, that will show the result of that script. So for example, something got into, there was a document that was showing vulnerability of 9.1, which should be high, so
this script will just grab this number and then convert it to the CVSS. And doesn't matter if it's a list of 100 vulnerabilities, it will do its job as expected. And also something to add is that if you're kind of worried about, okay, maybe this script doesn't work or maybe it will crash the whole Logstash application, there is the possibility that you can just run unit testing on it, which is a good practice. And then you can say, okay, maybe if I put this case here, let's see how it runs, it runs as expected or not. And then you can get sure of, okay, this script works as expected, I think I can just run it on Logstash. So you can get really
sure of what you're coding in this case is helpful and working for you.
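The score-to-severity step Pedro describes, as an added Ruby example written in the shape of a Logstash ruby filter script (not the speakers' own script). The field names cvss_score and cvss_severity, the CVSS v2 rating bands, and the StubEvent stand-in for Logstash's event object are assumptions made here so the logic runs, and can be unit tested, outside Logstash.

```ruby
# Added example, not the speakers' code. In Logstash this file would be loaded with
#   filter { ruby { path => "cvss_severity.rb" } }
# and Logstash would call register/filter itself and supply the event object.

# Map a CVSS base score to a qualitative label using the NVD CVSS v2 bands
# (low 0.0-3.9, medium 4.0-6.9, high 7.0-10.0), which is the scale the talk's
# "9.1 is high" implies. Returns nil when the value is missing or not a score,
# so the caller can flag the document instead of guessing.
def cvss_severity(score)
  value = Float(score, exception: false)
  return nil if value.nil? || value < 0.0 || value > 10.0
  return "low"    if value < 4.0
  return "medium" if value < 7.0
  "high"
end

# Logstash calls register once, passing the filter's script_params.
# Field names are assumptions; override them via script_params in the pipeline.
def register(params)
  @score_field    = params.fetch("score_field", "cvss_score")
  @severity_field = params.fetch("severity_field", "cvss_severity")
end

# Logstash calls filter once per event; returning [event] keeps it in the pipeline.
def filter(event)
  severity = cvss_severity(event.get(@score_field))
  if severity
    event.set(@severity_field, severity)
  else
    # Keep the document but tag it, so malformed scanner output shows up in a
    # dashboard rather than being silently dropped or mislabelled.
    event.tag("_cvss_severity_failure")
  end
  [event]
end

# Minimal stand-in for the Logstash event API used above (get/set/tag).
# Only here so the script can be exercised outside Logstash.
class StubEvent
  def initialize(fields)
    @fields = fields.dup
  end

  def get(name)
    @fields[name]
  end

  def set(name, value)
    @fields[name] = value
  end

  def tag(value)
    @fields["tags"] ||= []
    @fields["tags"] << value unless @fields["tags"].include?(value)
  end

  def to_hash
    @fields
  end
end

# Run one constructed scanner document through register/filter and return the
# resulting fields, which is what a unit test would assert on.
def classify_vuln(fields, params = {})
  register(params)
  filter(StubEvent.new(fields)).first.to_hash
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample documents: a valid score, a string score, and a bad value.
  [{ "cvss_score" => 9.1 }, { "cvss_score" => "4.3" }, { "cvss_score" => "n/a" }].each do |doc|
    puts classify_vuln(doc).inspect
  end
end
```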
So let's put all together. I'm going to show you examples in dashboards with enrichments and then Pedro will explain how he is doing that. Yeah, so analytics. So let's play with NetFlow. Since I'm enriching the data with -- I'm removing the hexadecimal and I'm asking TCP -- and I'm enriching -- removing the TCP numeric value and resolving as TCP, hexadecimal value for TCP flags and resolving as what flags are there, and since I'm tagging for private versus public IP addresses, I'm able to say, OK, in this case, give me everything that is TCP, everything that is TCP flag, and everything that is not coming from a nice source. So I'm looking to inbound traffic on NetFlow TCP things. What I'm trying to do here
is to check all the scanning activity, people scanning our network, our public ranges. And also, I'm enriching that. the source IPs with the country they are coming. So you can see, for example, if you see weird activity from a specific country, you will see the spike there. Same with companies. Most of them will be ISPs. But you will see if you are on their DOS or somebody is scanning your network, you will see a spike not only in source IP addresses, also in who owns that IP.
We are doing the same thing for Blue Keep. So we want to see if something is messing around with RDP. After we enrich the data, I'm asking, okay, in NetFlow, everything that is TCP, everything that is seeing, anything that is not coming from our public IP, private IP ranges, and the destination port is 33089. So I'm able to see what's the RDP activity, and if I switch this to give me just the company source IPs, Targeting company destination IPs, I'm asking to give me all the internal traffic. So I'm looking for who is scanning RDP. Same for WannaCry. You can set it as SMB and you will see who is scanning on SMB port. And that is useful to detect malware outbreaks.
So how do we do that? In this case we are doing, comparing with the dictionary. So we have dictionaries that includes, for example, the code of and the protocol that is associated. Generally, as Rodrigo said, the logs comes with showing the number for the TCP flag or the protocol there that is contacting. So we have to do simply is just compare with those dictionaries. Okay, it came a 15 as a protocol, so it will show an XNet as a result. The same happened with the flags. We had the list of flags there. When it's related to the flow direction, what do we do here is that we know some IPs belong to our company. And
what we do is, okay, for all the IP fields we have, We just need to do like the IPs that start with this specific pattern, we know they are internal. So we just indicate, okay, please tag those IPs. Same for any other IP you want to start tagging, you just need to find a pattern for it, and then you just tag it as you need.
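The enrichment Pedro describes above, as an added Python example rather than the talk's own Logstash configuration (which the page does not reproduce): a protocol-number dictionary, a decoder for the NetFlow TCP-flags bitmask, and internal/external tagging of IP fields, followed by the dashboard query for inbound SYN scanning on RDP's standard port 3389. The dictionaries, the company address ranges (RFC 1918 here), and all flow records are assumptions constructed for the example.

```python
"""
Added example (not code from the talk): the NetFlow enrichment the speakers
describe, done in plain Python instead of Logstash translate/cidr filters.
Three enrichments are applied to each flow record:
  1. protocol number -> protocol name (dictionary lookup)
  2. TCP flags bitmask (NetFlow exports it as a number, often shown in hex)
     -> list of flag names
  3. source/destination IP -> "internal"/"external" tag by matching against
     the company's own prefixes (here a constructed RFC 1918 list)
Then the query "TCP, SYN only, not from an internal source, destination
port 3389" is run over the records to find inbound RDP scanning.
All sample data is constructed for the example.
"""
import ipaddress
from collections import Counter

# Dictionary 1: IANA protocol numbers -> names (subset). 15 is XNET, as in the talk.
PROTOCOLS = {1: "ICMP", 6: "TCP", 15: "XNET", 17: "UDP", 47: "GRE", 50: "ESP"}

# Dictionary 2: TCP flag bit positions as exported in the NetFlow tcp_flags field.
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                 (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Assumption: the company's address space. The talk tags by prefix pattern;
# here the patterns are CIDR networks so that matching is exact.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_tcp_flags(value):
    """Turn the numeric/hex tcp_flags field into flag names, e.g. 0x12 -> ['SYN', 'ACK']."""
    if isinstance(value, str):
        value = int(value, 16) if value.lower().startswith("0x") else int(value)
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def ip_scope(ip):
    """Tag an address 'internal' if it falls inside a company prefix, else 'external'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETWORKS) else "external"


def enrich(flow):
    """Return a copy of a NetFlow record with the three enrichment fields added."""
    out = dict(flow)
    out["protocol_name"] = PROTOCOLS.get(flow["protocol"], "UNKNOWN_%d" % flow["protocol"])
    out["tcp_flags_names"] = decode_tcp_flags(flow["tcp_flags"]) if flow["protocol"] == 6 else []
    out["src_scope"] = ip_scope(flow["src_ip"])
    out["dst_scope"] = ip_scope(flow["dst_ip"])
    return out


def inbound_syn_scanners(flows, dst_port):
    """The dashboard query from the talk: TCP, SYN-only, external source, internal
    destination, on the given port. Returns a Counter of source IPs by flow count."""
    hits = Counter()
    for f in map(enrich, flows):
        if (f["protocol_name"] == "TCP" and f["tcp_flags_names"] == ["SYN"]
                and f["src_scope"] == "external" and f["dst_scope"] == "internal"
                and f["dst_port"] == dst_port):
            hits[f["src_ip"]] += 1
    return hits


# Constructed sample flows (not real traffic): one external host probing RDP
# across several internal hosts, plus benign traffic that must not match.
SAMPLE_FLOWS = [
    {"src_ip": "203.0.113.7", "dst_ip": "10.1.2.%d" % i, "protocol": 6, "tcp_flags": "0x02", "dst_port": 3389}
    for i in range(1, 6)
] + [
    {"src_ip": "10.1.2.3", "dst_ip": "10.1.2.4", "protocol": 6, "tcp_flags": "0x02", "dst_port": 3389},    # internal to internal
    {"src_ip": "198.51.100.9", "dst_ip": "10.1.2.4", "protocol": 6, "tcp_flags": "0x12", "dst_port": 3389},  # SYN/ACK, a reply
    {"src_ip": "198.51.100.9", "dst_ip": "10.1.2.4", "protocol": 17, "tcp_flags": 0, "dst_port": 53},
    {"src_ip": "192.0.2.20", "dst_ip": "10.1.2.4", "protocol": 15, "tcp_flags": 0, "dst_port": 0},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS[-2:]:
        print(enrich(f))
    print("inbound RDP SYN scanners:", inbound_syn_scanners(SAMPLE_FLOWS, 3389))
```

In Logstash the same three steps would be a translate filter with a YAML dictionary for the protocol number, a translate or ruby filter over the flag bits, and a cidr filter adding a tag for the company ranges; the Python version is easier to unit test before it goes into the pipeline, which is the point the speakers make about testing scripts first. Changing `dst_port` to 445 gives the SMB variant for WannaCry-style scanning.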
So, basic data loss prevention. For example, what I'm doing here is building a dashboard just to count, or to assess, how many bytes are going from my company to the external world. And since I'm enriching that data with who owns the external IPs, I can say: Microsoft is normal here, Google is normal here, Dropbox is normal here. So I can start monitoring, per IP, who is sending data to the external world and how much data. The cool part of this is that it is very basic, just checking the data that is going out, I mean the amount of data. But the purpose of this is to filter, to remove the known destinations that your company uses, and focus on the weird activity, where perhaps somebody is sending 30 gigabytes to an ISP in Hungary and we have no business in Hungary. So let's investigate that.

So in this case, the magic of the GeoIP databases is that you indicate which field with an IP you want to check, you connect a GeoIP database to it, and what you get is this information right here. You get the name of the company, where it is located, and the coordinates if you want them; if you like to work with visualizations that are maps, they are very useful, since they can pinpoint where specifically it's located on the map. That kind of information is also useful if you want to do an analysis through the time zone, the region code, et cetera. Let's talk about content delivery networks, web servers and e-commerce.
So this is security analytics for web. What I'm doing here is splitting; the enrichment is the format and is decomposed. What I'm taking is the URL, right over here, and I'm splitting that value into four different values. What I'm trying to detect is whether there is a bot or somebody focused on a specific section of the website, for example the search part. If you start getting a lot of GETs to the search part, you will see the host or that section of the URL, for example the third section, with a huge spike.

So this one is pretty simple. We have the URL, and we know that each time there is a slash we want to separate it. So what we do is separate the URL into different pieces. The idea is that we are only interested in the first three; the rest we group into a single field. For example, we have this URL that is PSP, nav, and search, and then we get the file. In this case there are more, but it's not useful for us to keep doing a deeper split. But again, the idea is that we just grab the URL, separate it, and manipulate it as you need.

So we continue in security web. We are using a format dictionary here. In this case we are taking the string of the agent and resolving it as a readable agent. For intelligence, what we are doing is downloading the list of known bots and crawlers, and we are comparing the web agent with that list of bots. So the first chart is just the regular string, and this one, in our web server monitoring, is the behavior from known bots.

So what do we do here? It's simple: there are lots of resources where we can grab those user agents. For example, there is a GitHub repo from Monperrus that updates the list of user agents frequently, so you don't have to worry about doing it yourself. I can just grab this repo, check for updates, and download it, or if I have to adapt it, I adapt it to our needs and then transform it; in our case, we work with YAML dictionaries. So we just adapt it and generate the dictionaries, and then we connect it in Logstash and say: this field here is a user agent; I want to compare this user agent with this dictionary of user agents I have. And then I get the result from it. So this is a simple example here. It's just a translate. We have the field agent, we indicate the destination, and then we indicate where the dictionary is located on our server.

So this is labeling. Let's talk about email security gateways. Perhaps in this case you have sensitive, high-value targets in your company and you want to start tagging those. So in this case we are taking our email security gateway, and each time the recipient is a C-level, we tag it as C-level. What you can do with this is basically look at the behavior of the C-level if he or she clicks on a link. You can also create Elastic Watcher alerts, because it's not the same thing when an employee hits a phishing link as when your C-level, let's say the CFO or CEO, clicks on a business email compromise link, for example.
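The URL splitting and user-agent labeling described above (the format and dictionary enrichments for web logs), as an added Python example rather than the speakers' Logstash configuration. The bot pattern list only imitates the shape of a crawler user-agent feed, and the access-log lines and site paths are constructed for the example.

```python
"""
Added example (not the talk's own Logstash configuration): the web-log
enrichment described in the talk, in plain Python.
  1. split the request path on "/" into the first three sections plus a
     single "rest" field, so dashboards can aggregate on "section 3"
  2. label the User-Agent by matching it against a list of known crawler
     patterns (the shape of a JSON pattern feed such as the one the speakers
     download; the entries here are constructed for the example)
  3. run both over constructed access-log lines and count requests per
     section, which is the "spike on the search section" check
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed bot pattern feed: a list of {"pattern": <regex>} entries, the
# shape of the crawler user-agent feeds the talk mentions. Not a real feed.
BOT_PATTERNS_FEED = [
    {"pattern": "Googlebot"},
    {"pattern": "bingbot"},
    {"pattern": "python-requests/"},
    {"pattern": "curl/"},
    {"pattern": "[Ss]craper"},
]
BOT_REGEXES = [(entry["pattern"], re.compile(entry["pattern"])) for entry in BOT_PATTERNS_FEED]


def split_url_sections(url, depth=3):
    """Decompose a URL path into up to `depth` leading sections plus a 'rest'
    field holding whatever follows. Query strings are dropped: the talk's
    use case is 'which part of the site', not the parameters.
    '/psp/nav/search/results/2?q=x' -> {'section_1': 'psp', 'section_2': 'nav',
    'section_3': 'search', 'rest': 'results/2'}"""
    path = urlsplit(url).path.strip("/")
    parts = [p for p in path.split("/") if p]
    fields = {}
    for i in range(depth):
        fields["section_%d" % (i + 1)] = parts[i] if i < len(parts) else ""
    fields["rest"] = "/".join(parts[depth:])
    return fields


def classify_user_agent(ua):
    """Return the first matching crawler pattern, or None for a non-listed agent.
    This is the 'translate against a dictionary' step done with regexes."""
    for label, rx in BOT_REGEXES:
        if rx.search(ua):
            return label
    return None


# Constructed access-log lines in combined log format (not real traffic).
ACCESS_LOG = """\
203.0.113.5 - - [10/Aug/2019:10:00:01 +0000] "GET /psp/nav/search?q=router HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/76.0"
203.0.113.5 - - [10/Aug/2019:10:00:02 +0000] "GET /psp/nav/search?q=switch HTTP/1.1" 200 498 "-" "python-requests/2.22.0"
203.0.113.5 - - [10/Aug/2019:10:00:03 +0000] "GET /psp/nav/search?q=firewall HTTP/1.1" 200 501 "-" "python-requests/2.22.0"
198.51.100.2 - - [10/Aug/2019:10:00:04 +0000] "GET /psp/nav/products/routers/x100 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
192.0.2.9 - - [10/Aug/2019:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.64.1"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$')


def enrich_access_log(text):
    """Parse each log line and attach the URL sections and the bot label."""
    docs = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than mis-tag
        doc = m.groupdict()
        doc.update(split_url_sections(doc["url"]))
        doc["bot"] = classify_user_agent(doc["ua"])
        docs.append(doc)
    return docs


def hits_per_section(docs, section="section_3", bots_only=False):
    """Aggregate request counts by a URL section, optionally for known bots only."""
    return Counter(d[section] for d in docs if d[section] and (d["bot"] or not bots_only))


if __name__ == "__main__":
    docs = enrich_access_log(ACCESS_LOG)
    for d in docs:
        print(d["ip"], d["section_1"], d["section_2"], d["section_3"], d["rest"], d["bot"])
    print("all:", hits_per_section(docs))
    print("bots:", hits_per_section(docs, bots_only=True))
```

The pattern list is applied with `re.search`, as the crawler feeds are written to be used; a plain dictionary keyed on the full User-Agent string would miss every version bump, which is why the speakers regenerate their YAML from the upstream repo instead of hand-maintaining it.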
- In this case it's kind of complicated, because this is an internal source and we have to get the list of all C-level personnel. We have to be aware when somebody is new at the company, such as a new CFO or CTO; we have to update this list, and update it with the people who are not working there anymore. But the point is, we have this list, and we indicate it, again, through a dictionary. So, for example, if there is a click reported for some C-level, the logs will indicate: the recipient was this level, this was a click, please tag it as urgent. So we receive the alert from this and we can start acting immediately.

- Same with C-levels, now we know our admins in Azure, or in the next-generation firewall in Azure, or even in Active Directory. With this, I can start tagging. I want ELK to show me every single log related to an admin. And it will show a lot of logs, because for example they will be enabling accounts or disabling accounts every day. But then with that tag you can specify in your machine learning: okay, machine learning, start looking at each individual admin over time, what's their behavior? Because we are able to filter those admins by this simple tag and start looking at just what they normally do, and alert each time they do something that is not normal for them.

- This one is pretty similar to the previous one, but in this case we are just working with admin access. So again, we have a list of people who are considered admins, and from them we just monitor the activity from each source and detect, okay, in this case we have this login, or this information modified by this admin, so it gets tagged with the admin information.

- Okay, blacklists. In this case I'm using the tag NISourceIP, so it's our company. I'm looking at NetFlow. I want to see every single internal IP that matches the tag "destination Talos". That means we are downloading information about blacklisted IPs from Talos and enriching the destinations, and I'm asking ELK to show me every single private IP inside my company that is contacting blacklisted destinations. Perhaps one or two TCP connections is not enough, but if I see a spike in either bytes sent, bytes received, or the number of packets exchanged, then that's when we start investigating. Most of the time it's malware.

Other ideas are CERT reports. If you are subscribed to CISA or US-CERT, you will start receiving a lot of reports from them. They contain IOCs, indicators of compromise, in this format. So you can start building your own dictionaries and start taking those values and enriching every hit in Elastic.
- Yeah, so as I said before, the idea is that we have lots of dictionaries that we collect and try to update daily. And the point is, we are just tagging by comparing: okay, this URL is on this list, we just tag it as malicious activity, or coin miners, for example. And that's it; simply, we have a list of plugins that are in charge of tagging them all.

- Okay, compliance. In this case I'm taking the email security gateway, Active Directory, Office 365, let's say, and call detail records, that's phone numbers, and I want to see every single login success from an embargoed country. If you see a login success and you take that information to your company's lawyers, that will get their attention and they will start investigating. Same with phone numbers. If I see a call to an embargoed country that lasts over one or two minutes, that's something that needs to be investigated.

- Yeah, this one is pretty simple, because we have a list of countries. Generally, you may say China, but in these databases it doesn't show us "China" or "People's Republic of China", for example. So what we use in this case are the initials, the two letters that represent each country, to do this detection. So simply, if there's traffic coming from this country, we just tag it as an embargoed country.

- Okay, this is the same principle, with splitting the URLs to see the content, and I'm asking Elastic to show me the embargoed countries and which content of the website they are going to. The same could apply to business intelligence, where instead of tagging... so I have the country and I have the owner of the IP. Instead, I can start enriching Elastic with a tag for every single competitor or every single major investor. Now I use the tag and I just start looking at what specific content in the website they are looking at. You can even start looking at the different products and the currencies they are trying to get. It is a normal activity everybody does.

- Yeah, so there is stuff that still is not on the web, or that Elastic has not done yet. So you can just start doing it by yourself. In this case, I'm trying to create a filter that detects E.164 numbers. It detects whether they comply with the standard, and if they comply, you get which country it belongs to, the region, the local number and the international number. So it will be useful: if we are doing all this geolocation analysis, this will be helpful to apply to, for example, detecting scam cases from other countries. So this is mostly how it looks. The idea is that when you get a number, it will show you, okay, this belongs to this, this is the country code, and so on.

- So these are other ideas that you might find interesting, or that I'm curious about. The API at FTC.gov will give you the early terminations, which is when a company is acquired by another. It is going to give you the acquiring company, the acquired company and the acquiring party. That is business intelligence, because sometimes that is not public, or the press does not release notes on it. So if you have your major investors or your competitors tagged, then you can use this to accelerate sending that information to the business intelligence group. If I have a major investor that just acquired a company, or a competitor that acquired a company, and it is now public here but it's not in the news, then I'm going to use that information and send it to the business intelligence group, and they will start looking at which industry, what sector, why they invested in that place.

Other ideas: you can take the phone numbers from the CDR, which is coming from the call manager, and you can start using white pages, though you have to pay, to enrich the phone number with the type and the carrier. So the type could be mobile, home or business, and the carrier is the provider in a given country.

The other thing that I would like to do, and it is really difficult, is in the content delivery network, CDN, and the web server and e-commerce. You have the ASN using BGP, and you get the owner of an IP. I want to remove all the ISPs, and I want to start looking at traffic coming to your website, or coming through the CDN or through the web server, based on sector and based on industry. That will be a huge query, a great query, to see: these are the list of products, these are the companies that are looking at those products, and these are the different sectors, industries, and sub-industries that are looking
at those.

Well, basically what we covered is several different data sources, and I'm pretty sure you have some of those, or more than those, and how, using three different buckets, we are trying to enrich that data. And I guess with this, we are open to questions if you have any.

- On your ELK stack, did you see an increased performance need while enriching this data? And if so, what was the performance hit that it took to enrich this data?

- No, we haven't seen any hits on performance when applying this. Generally, it is mostly related to the input that you're sending to Logstash. If there is too much data and you're trying to do all this enrichment, it will be kind of complicated. We have seen some cases, but we had to discard them. For example, it was trying to interpret from NetFlow all the internal IPs related to the internal DHCP server, and getting the host name from it; it was a very complicated task for Logstash, which simply crashed. We just had to discard that one, but this is specifically because of the input we are getting: it is too much data that needs to be processed per document, and it's not a good idea.

- So it looks like in your Elastic Stack you have a lot of dictionaries that you're manually maintaining and updating. Can you talk a little bit about the automation, or some of the CI/CD or user interfaces that you've developed, so that other teams and groups can go in and help you enrich that data? Or is this really a small team that's managing a whole bunch of dictionary files?

- Right now it's a small team that is managing everything, doing it in a simple way. For example, again, we get those files from different repositories; we look at them, okay, this is JSON, it provides these fields here, but we're just interested in this field, so we create a wrapper that retrieves this JSON and generates a YAML file that says: for this IP, please tag it as this name. But it's very simple; there is no complicated task being done here, just a wrapper in this case. And we try to automate this, hourly for certain sources, because there are sources where you have limited access in 24 hours, so you have to regulate it: I have to do this once per day, or once per hour; it depends on the source.
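Added example, not the speakers' own wrapper or dictionaries, covering both the blacklist and embargo-country tagging shown earlier in the talk and the answer above about generating YAML dictionaries from JSON feeds. The IOC feed, the embargoed country codes, the company address range and all flow and login documents are constructed assumptions.

```python
"""
Added example (not the speakers' own wrapper): the dictionary pipeline from
the blacklist passage and the automation answer.
  1. a feed arrives as JSON with more fields than we need (constructed here to
     look like a generic IOC feed; it is not a real Talos/CISA/US-CERT record)
  2. a small wrapper keeps one field and turns it into a Logstash-translate
     style YAML dictionary: "<indicator>": "<tag>"
  3. the dictionaries are applied to NetFlow and login documents the way the
     translate filter does, and two of the talk's queries run over the result:
     internal hosts talking to blacklisted destinations above a byte threshold,
     and successful logins from embargoed countries.
"""
import json
import ipaddress

# Constructed IOC feed (example data only).
IOC_FEED_JSON = json.dumps([
    {"indicator": "198.51.100.23", "type": "ipv4", "category": "malware", "first_seen": "2019-08-01"},
    {"indicator": "203.0.113.77", "type": "ipv4", "category": "coinminer", "first_seen": "2019-08-03"},
    {"indicator": "evil.example", "type": "domain", "category": "phishing", "first_seen": "2019-08-04"},
])

# Assumption: ISO 3166-1 alpha-2 codes the company's legal team treats as embargoed.
# The talk tags by two-letter code because GeoIP databases carry the code, not the name.
EMBARGOED_CODES = {"KP": "embargoed", "IR": "embargoed", "SY": "embargoed", "CU": "embargoed"}


def feed_to_dictionary(feed_json, key_field, wanted_type, tag_field):
    """The wrapper: keep only the field we care about and map it to a tag.
    Entries of a type we do not handle are skipped rather than mis-tagged."""
    dictionary = {}
    for entry in json.loads(feed_json):
        if entry.get("type") != wanted_type:
            continue
        dictionary[entry[key_field]] = entry[tag_field]
    return dictionary


def to_yaml(dictionary):
    """Emit the dictionary as the flat quoted-key YAML the translate filter reads."""
    return "".join('"%s": "%s"\n' % (k, v) for k, v in sorted(dictionary.items()))


def from_yaml(text):
    """Read back the flat YAML we emit (only that shape; not a general YAML parser)."""
    result = {}
    for line in text.splitlines():
        key, value = line.split(": ", 1)
        result[key.strip('"')] = value.strip('"')
    return result


def translate(doc, field, dictionary, destination, fallback=None):
    """Logstash-translate semantics: look up doc[field]; set doc[destination]
    to the dictionary value, or to fallback when given and there is no match."""
    value = dictionary.get(doc.get(field))
    if value is not None or fallback is not None:
        doc[destination] = value if value is not None else fallback
    return doc


INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the company range


def blacklisted_egress(flows, ip_dictionary, min_bytes):
    """Internal IPs that contacted a dictionary-listed destination and moved at
    least min_bytes, the talk's 'spike in bytes, not one or two connections'."""
    hits = []
    for f in flows:
        translate(f, "dst_ip", ip_dictionary, "dst_threat")
        if ("dst_threat" in f and ipaddress.ip_address(f["src_ip"]) in INTERNAL
                and f["bytes"] >= min_bytes):
            hits.append((f["src_ip"], f["dst_ip"], f["dst_threat"]))
    return hits


def embargoed_logins(logins):
    """Successful logins whose GeoIP country code is in the embargo dictionary."""
    out = []
    for login in logins:
        translate(login, "geoip_country_code", EMBARGOED_CODES, "compliance", fallback="ok")
        if login["result"] == "success" and login["compliance"] == "embargoed":
            out.append(login["user"])
    return out


# Constructed documents (example data only).
FLOWS = [
    {"src_ip": "10.2.3.4", "dst_ip": "198.51.100.23", "bytes": 5_000_000},
    {"src_ip": "10.2.3.5", "dst_ip": "198.51.100.23", "bytes": 120},
    {"src_ip": "10.2.3.6", "dst_ip": "203.0.113.77", "bytes": 900_000},
    {"src_ip": "10.2.3.7", "dst_ip": "192.0.2.10", "bytes": 50_000_000},
]
LOGINS = [
    {"user": "alice", "result": "success", "geoip_country_code": "US"},
    {"user": "bob", "result": "failure", "geoip_country_code": "IR"},
    {"user": "carol", "result": "success", "geoip_country_code": "KP"},
]

if __name__ == "__main__":
    ip_dict = feed_to_dictionary(IOC_FEED_JSON, "indicator", "ipv4", "category")
    yaml_text = to_yaml(ip_dict)
    print(yaml_text)
    print(blacklisted_egress(FLOWS, from_yaml(yaml_text), min_bytes=500_000))
    print(embargoed_logins(LOGINS))
```

The round trip through `to_yaml`/`from_yaml` is the check worth keeping in the hourly job the speakers describe: regenerate the file, read it back, and only swap it into the Logstash dictionary path if it parses and is non-empty, so a broken or rate-limited feed download cannot silently replace a working dictionary with nothing.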
- Some of your use cases involved NetFlow data, and I was wondering how the NetFlow ingestion works, because NetFlow is always changing dynamically. Is there an analog database that also changes dynamically, or is it doing a log-line-to-record type of thing? You understand?

- Yeah, yeah, I get it. So with NetFlow, what I like about Logstash is that at the beginning, when Beats hadn't progressed that much, they offered a codec for NetFlow. It kind of did the job. I mean, it has support for providers; for example, it didn't have support for Viptela before, but you just get in contact with the plugin developer, and okay, if you get this documentation on how we can interpret that flow coming from Viptela, maybe we can just apply it in the code, and after this we release a new version of the plugin, and that's it: you're now getting Viptela logs recognized by the plugin. So Logstash already offers this, and now Filebeat also has the possibility of recognizing NetFlow data. Now, in the version they have, as NetFlow is sending too much data, they even offer new features: you can trim the received data down to just the information from each NetFlow document that you need. So in terms of storage there is no compression, but it gets much easier to do queries, as you're just filtering what you need now. You don't have to go through all the documents and check every one; you can just filter it and get what you need.

- We don't have more questions? Cool, thank you.
- Hey, how are you? So, I work in data science for a company. ...

- Oh yeah, before Logstash started implementing pipelines, which is pretty simple because you just focus on the source instead of getting everything: okay, if this is from this source, rename it, that's it. Then for this one you have to repeat code. But now with Logstash, using pipelines, it gets easier to do that: we have those fields here from this specific source, we just have to rename these ones there, and it looks much simpler now. You don't have to look at all those big changes you're doing, right? Still, Elastic is offering something like the Common Schema. What's the idea of this common schema? Now Elastic is getting attention as a data analytics platform. The idea is that they're generating a schema so that it doesn't matter which provider is sending you the logs; you adapt those logs to this schema, and then Elastic, when interpreting this schema, will do much better analytics. If this is information from antivirus X or antivirus Y, you just get it into the same schema that Elastic offers, now with Elastic SIEM, and they do even better analysis; they show you a lot of stuff that you cannot do otherwise.

- Yeah, exactly, standards: you need a new standard.

- Yeah, at least they're offering the schema, because we do our schema, and there are people who do their schema their way. We have to deal with that with different teams at the company. They have their way to do the stuff, we have our way to do the stuff, and if we try to correlate it, it's a mess.

- Right. I'm wondering if there's now machine learning able to do it?

- Right now there isn't, but they're trying to implement it.

- Say you set up your systems and you say, okay, I know I've got this source of logs, this source of logs, and this source of logs, and I want to do something. Where are the numbers the same? You know what I mean?

- Yeah, right now they have told us a lot of times that they're trying to get this done. At least something pretty common is when it's dealing with patterns in your logs; for example, you have whole words and you want to separate them into fields. They're trying to implement machine learning for this, for example. So I believe they're also trying to get to ECS, because doing ECS, getting a schema across all the sources you have, is complicated. You have to do the whole analysis with all the sources, and then...

- And it changes over time.

- Yeah, exactly. So I believe they're doing something like this, and we already asked for this, but there's still nothing concrete yet.

- Yeah, all right, thank you.

- Would you guys be willing to share the slides? I've got an ELK stack engineer back home; I'd love to be able to work with that when I get back.

- Okay, this is great. I can send you a copy of it.

- That'd be awesome. Thank you.
All right, we will go ahead and get started. Thank you for coming to the B-Sides Las Vegas Common Ground Track. This is the Mind the Diversity Gap, a panel discussion led by Don, and he will introduce everybody else in a minute. We would like to thank our sponsors, especially our Inner Circle sponsors, Critical Stack and Valamail. as well as some of our stellar sponsors which include the Paranoids, Secure Code Warrior, and Robinhood. If you have any cell phones, please mute them because this is being recorded and streamed online. And also if we have a chance for any questions, please raise your hand and I'll run the mic over to you. And with that, let's get started.
Please welcome our panel discussion. Hey everybody, you can clap if you want, go for it. That's awesome. Well, thanks and welcome to Mind the Diversity Gap. I don't really think it's any major secret that the infosec industry has a diversity problem. Really, there are a whole bunch of studies that we could bring up, but honestly, all you have to do is either go outside or go to your organization or go to your company, wherever you may be, and it'll kind of smack you in the face. Hey, whoo! But why is this happening? Why is it this way? How have we been addressing this issue? Do we really need to address it with talks like this and make changes to corporate policies and what have you?
How is it truly affecting us as a community? And also, how is it affecting us with the products and services that we also provide? So today we're going to let each of our panelists share their stories, but the bulk of the session is going to be kind of like an interview style. We're going to have a bunch of questions for our panelists, but then also we want you guys to participate as well. So in addition to that, we want that to be a casual, safe, and kind of productive conversation. And we wanted to be focused on the idea of sharing and problem solving because working together we can actually help the security community not only
do better, but actually be better. So thanks for attending and we thank you in advance for your future participation. So I'm Don. Full name is Don Donzal. I'm the community manager for eLearnSecurity, but most of you probably know me better for the Ethical Hacker Network, a free online magazine that I founded and is now part of the eLearnSecurity family. But before we get to our panelists, Stephanie Ihezukwu, Chloe Messdaghi, and Alyssa Miller, we have a few ground rules for you. So first one, don't be a d-- you know what, okay? Second is no politics, okay? We want this to be truthful, yet a positive session, and that's how we can truly make some lasting change. But with that,
let me introduce our guests. So we'll go one by one and let them introduce themselves. Steph? Hi, I'm Steph. Just kidding. I'm Stephanie and my handle is StephAndSec on Twitter. I am an information security analyst for a law firm. I run, but I'm an analyst, but I run security for the region. So that's, yeah. So that's it. - Lovely. My name is Chloe Messdaghi. I am a security researcher advocate at Bugcrowd. I'm also the co-founder of Women of Security, also known as WoSEC, and also the founder of Women Hackers, which is an online private community for women hackers to connect with each other and learn new skills. And I'm so happy to be on this
panel with both of you. These two are also WoSEC members, and they actually are chapter leads in their own cities. - Okay, now I don't have to introduce them. - Yes! Awesome. So thank you guys for being here. I'm Alyssa Miller. As you can see up there, I work for a company called CDW. A lot of you might recognize the name because you might have bought a computer from them at some point or something. We do actually do security. We've had a security practice that's 20 years old. I lead our information security solutions practice. I've been in security for about 15 years now. I've worked in consulting worlds. I've worked in private industry. And so
I'm just here hoping that we can have a productive discussion and maybe find a solution or two here. Excellent, thank you guys. So we have several questions that we want to ask the panelists and then we'll also eventually hear about their stories as we move through those questions. And again, keep in mind that we're going to get you guys involved as well. So please have your questions ready to go. But before we even start, something that we had actually discussed beforehand before we came here today is that, you know what? Almost every single one of you is in a minority. So how many of you guys are working in tech? Okay, so pretty much everybody.
And you guys have all experienced being that lonely tech person in your organization. So you have to go talk to the people who really don't care what you have to say, try and get money that really isn't going to be given to you, and you're going to hear often how you're really just a cost center, you're not really a revenue generator. So we've all had to deal with that in a particular way. So now take how you feel with that, and now imagine if you were a minority of a minority, or in some cases here, a minority of a minority of a minority. So I want you to keep that in mind so that way
you guys can kind of understand at least some way how these people feel. But in addition to that, hear their extended stories. But before we get to that, Steph, can you maybe tell us a little bit of the difference between diversity and inclusion? So diversity pretty much means having a variety of people or backgrounds, just a variety of things rather, in a space. So inclusion though means bringing everybody into that space and making sure that everybody has a chance to participate in that space. So those are the two separate definitions for diversity and inclusion. They're not the same thing. Common misconception. And do the other two want to add to that or share anything along
those lines? You know, I'll just say that, you know, we talk about diversity, we talk about inclusion, and yeah, so often those end up being almost used like synonymous words. And, you know, companies try to hire for diversity. They, at some level, understand diversity might be an important thing that they want to address. But if you don't have an inclusive environment, that is welcoming to everybody with those diverse backgrounds, your retention, your hiring efforts, they don't work. And that's where I think, you know, we want to spend a lot of time today to kind of focus on that too. The only thing to add on to both of these incredible responses is just like diversity
is, it's not just gender, it's not just how we look, it's also the way we think. So those that have, you know, ADHD or dyslexia or any other, it's just, it's being able to be there and for everyone in the community and your work office to be inclusive with you as well. So it's not just how you look, it's also what's deep down inside, including sexuality and religion as well. That's an excellent point because it could also be age, the amount of your education. It could be where you come from, not just your educational background, but where in the world you come from. So those are great points, but Alyssa, question for you. Why is
diversity actually important? Can you give us maybe a tangible example as to where if we don't have diversity in our workplaces or we're including them in our products, how can we actually see tangible evidence to where they actually have some pretty epic fails? So this is an important question, right? I mean, first of all, I've certainly heard the question posed, why is diversity so important? And it's usually not posed in quite that nice a manner, but we'll ask the question. And, you know, thankfully, we're starting to see some really tangible reasons for why diversity matters. And it comes down to, for those of you that have ever been in software development, you understand the need
of a strong test set. If I'm developing a piece of software and I'm running that through my regression tests, I know how important it is that the data that I'm testing against is representative of all of the possibilities. So when we think about now diversity in terms of the staff doing that development, if we're developing a product that's going to be used by consumers and we don't think of all of the various ways in which they may use those products, that can be problematic. I can go back a few years when Apple was working with Face ID and very quickly it came up that your iPhone couldn't detect the face of a person of color. Well, how did we get there? If we had people in the testing process,
a diverse set, it shouldn't matter what color their faces were for Apple to be able to say, yes, that's a human being. Another one that we saw in recent, there was just a recent article on this, is when you think about TSA. We all love the body scanners at TSA, right? The issues with body scanners, you think, first of all, one of the most recent ones is in terms of detecting hair. And there were certain hairstyles that are predominantly worn by women of color that would constantly alert, a large, inordinate number of alerts for women that were wearing those hairstyles. For transgender individuals, there were issues with how their bodies were being detected for the longest time. And so those are
cases where if we had these diverse people in at the beginning when we were developing those products, I'm not even talking about testing, but when we're developing them, they're familiar with those struggles because they've lived them every day. And so now as we're designing these products, we can capture that as, yeah, this is something important we need to think about if we're going to be scanning somebody's body and making a decision, or we're going to be looking at their face and trying to recognize that, yes, that is indeed not only a face, but their face looking back at us. And so the other example that I can think of right off the bat is that
those systems are trained by AI. And so with that, AI is really all dependent on what you put in it from a data set perspective. And then once you have that data set, then you have actual humans that say, "Okay, this is what X is and this is what Y is. Now go learn how to identify that better." Well, if I don't know that there's a Z or I don't include that other type of data in my data set, that's going to be another epic fail where diversity could obviously solve that problem pretty quickly. Now, with that, now that we've kind of all warmed up a little bit, you kind of know what we're talking
about, so let's get a little deeper now. So with that, maybe Chloe. What do you think is to blame for the lack of diversity in security? And maybe you could share your personal story because I know, and we can get to each one of you if you'd like to address this, is that each one of you had a time in your lives where you probably felt like leaving security or IT in general and just doing something else. And maybe you can discuss that a little bit. And what was it that brought you back? Great. Okay, so I think the best way to answer that question is to take everyone back that I almost, can everyone
hear me with this mic? Okay. I almost left InfoSec about a year ago, a little bit over a year ago. What happened was that I decided for International Women's Day, I'm going to write a blog of all these incredible stories of these women because I knew the statistic was 11% of women are in InfoSec. So I interviewed all these women. Sorry to interrupt. Can I borrow your microphone? Excellent. They're having a hard time hearing you over on the other side. Ah, okay. All right. Oh, much better. Much better. So basically, when I was writing this blog post for women in InfoSec, I basically got this chance to talk to all these women, and they told me about their stories, their stories of why they are thinking about
leaving, what are the issues they've been facing. And, like, it went through one year, but it didn't, like, really sink in until I went to RSA 2018. I was in this room, and there was a couple hundred men in there, and I'll just be really honest, most of them were white men. Actually, I'm going to say all of them were men except for two other women. And I was like, please say you're not an executive assistant, please say you're not an executive assistant. And they both were. And we're walking out, and like, there's the bathroom. So, bathroom. This is women, we talk about this often, which is basically the men's room, you have
this long line out the door at an infosec conference; women's, you open the door and sometimes there's not a single person in there. And you're like, well, this is different. This isn't bad, but it's weird. So like I go into the restroom and there's no one in there and I'm like, okay, this just feels really weird. So then I decide to go to the hotel. And when I'm going to the hotel, I go in the bathroom, washing my hands. And also then I was saying, you know, I'll just take off my makeup. And I look in the mirror and it was like as if I got flooded with emotions, because at that very moment it was
as if a blindfold just got lifted and everything that those women were telling me was happening to me the entire time, and I was blindsided by it. Next thing I know I'm on the ground crying, having a real breakdown here, and I mean it wasn't like a nice cry, like, it was like an ugly cry. I like curled up in a ball on the bathroom floor at a hotel and I didn't want to know how clean it was or not. It was just, it was over. And I was like, that's it. If men don't want me here, why am I still here? Why do I have to keep doing this? And if all these other
women have been in this industry for like, I don't know, some of them were in there for like 20 years or more and they're not getting anywhere. What's the point of me being here if no one wants to accept me for who I am? And then one of my friends was like, there's this conference called Day of Shecurity. It's coming up. You should go to it. But at that time, I already decided I'm going to leave InfoSec. So I started looking around, going to go to another tech job probably because I live in SF and it's really expensive. And so then I go to Day of Shecurity. I walk in the room. There's 200 women
in there. And suddenly I felt like, oh wait, there's this great community of women. This is fantastic. And then from there, I decided I wanted to go to B-Sides. I wanted to go to DEF CON. And it was my first time ever. It was last year. I was a volunteer. I was actually a room host in this room. And yeah, all those people that I interviewed, they actually paid for flights, hotel stay, everything, because they didn't want to see me leave. And that was when everything changed, because I realized men and women do not want to see more women leaving. And that was the game-changing point. So I think in the issues when it comes
to how do we keep women in there, if you are in a conference room and there's one woman in there, you better make sure that that woman is heard. That means if she's giving an idea, make sure everyone hears that idea, because chances are they will dismiss it or another man will take it over and everyone will applaud him and say he's doing a good job. But in reality, it was the woman who gave the idea in the first place. So that's the first thing. Also, don't turn around to a woman and ask for her to go get you some water if she's getting a glass of water. It's never a good thing to do.
I think those are kind of the main ones. It's in your office. Make sure you know that. And know your boundaries. Don't do weird things. You know when you're doing something wrong. Don't do weird Slack messaging to other women employees, okay? That's all I got to say on that front. I know these guys have plenty more. Maybe we'll jump into that a little deeper as you put it on Twitter, get a little real. But Steph, you also had a story to where you came really close to leaving. And could you share that along with also the benefit and the advantages to finding a good mentor? Yes, okay. So two years ago, fall of 2017, I was tired of the
industry. My current job was... being a dick, if I could say that. I wanted to get promoted into the security position at my company, and I did everything right. Like, everything that they asked, which they changed the bar many times, and I reached the bar every single time. And so finally this time they promoted me to something else, and then told me I couldn't get into security for another year. I was like, fuck this. I'm out. And so I was like, I'm going to be a psychologist. I'm just going to go into psychology, be a therapist. I'm done with tech. Like, this is annoying. Like, I literally at that point had spent... three years, no, no, no, four years trying to get into security various
different ways. And it was like I was getting cock blocked all over the place. And so I was like, you know what, this is who has to struggle this much to get into a job like I'm working for you. Like, why do I have to fight to work for you? So I was over it. But then I think something in me was like, let me see if I can find a mentor. And before that point, like she said, a lot of the women in security I had come across had been like, an assistant or like a customer success manager and those roles are important but they don't really give me anything to aspire to at
all because I don't really want to do those things. So for me, I ended up hearing about Kirsten Brazier, who's Kirsten Brazier on Twitter. And she had done a panel at Houston Security Conference, HouSecCon, and I decided I was gonna reach out to her. And she ended up saying, "Here's my number, call me on Sunday. I do this thing where I talk women off the ledge. So you'll just be my Sunday appointment." And so we spent like two hours talking and I was telling her my story and she was like telling me like her story, which was like literally a mirror of mine. And so we're having this like really like girl empowerment, but also
kind of a depressing moment, because we're both sharing the same story. And so she kind of said, okay, well, these are the things that I need you to do. I need you to get a website, and I need you to document what you're doing in the industry to learn. I need you to get on Twitter. And I was like, Twitter is so old, I'm not getting on it. She's like, trust me, like, there's a community on there. And so I did those two things, and she was like, you know, you want to get your Sec+, go ahead and get that. You know, it's not like the most, I guess, respected among, like, you know,
the super technical guys, but it'll get your foot in the door. So she kind of told me about all these things, and Twitter actually helped me find my community, and that helped me realize that there are women in the industry. Because up until that point, I was like, did all the women leave? And, like, I'm the only one left, and, like, I'm just waiting until I get to the point where it's like, oh, this is why they left, you know? So... That's why having a mentor actually helped me. It's not like she walked me up to the front of the line and was like, "Hire her," which is not even my style anyway as a
Nigerian. I'm too proud for that. But she did show me different steps of being encouraged on a day-to-day basis, which having a community actually does that for you. And going to her when there are really tough things that I'm facing in the industry helps a lot. Because at that point, I can say, okay, this is the thing that happened. Is it normal? Or this is what they're paying me. Is that a good salary? Things like that are very invaluable, especially considering some of us are underpaid. But I did meet a woman this week that said she's never been underpaid. But that's like a minority. And I was like, well, I'll teach you all your tips. But
yeah, how to know that you're being underpaid, how to know you're being mistreated, those kinds of things. It was like having a big sister in the industry. And it was invaluable for me. So that was, that she is literally the reason I'm still here. Well, that's awesome because not only that, but one of the things that you mentioned to me is that anytime you go somewhere, you didn't see anyone that looked like you. So you didn't think that it was a place for you. Right. And so it's incredibly important that not only did you find the mentor, but that you actually took the advice and did it. Because now when other people like you come and see, they're like, hey, there's a strong, intelligent black woman. I can do
that, too. And so with that, Alyssa, you had a similar thing as well of trying to be an example and showing people that, you know what, this is a place for a lot of other people that can join that may not think that they're really accepted or part of this community. Can you share your story? Yeah, so no surprise. And for those of you that follow me on Twitter know that this isn't something I normally just bring up. My transition really is probably the key thing that had me really debating getting out of Infosec. I was working in Infosec for a while and when I announced to obviously a lot of people that this is who I am and this
is what I'm planning to do, the reactions were very interesting. To your face, people are very politically correct, I'll say. But I had, for instance, a colleague of mine who used to be a boss of mine who said to me early on, well, just don't go getting too hot because I don't want to, you know, he was worried that he was going to be attracted to me. And that stops you in your tracks when you hear something like that. Like, dude, you really just said that? You know, and of course you get the predictable stuff, the sales guy, the director of sales who couldn't stop misgendering me. And as a trans woman, you kind of understand that to a point. Like,
okay, you've known me as this person and I'm asking you to change your perceptions of me. I understand that. But there comes that point where it's like, okay, this isn't accidental anymore. And I had been previously fairly active in the industry from speaking, not really boisterous about it, but whatever. And I started to take in all of these different pieces of feedback and it's hard not to focus on that. And what's it going to be like when I go to B-Sides Las Vegas and I sit down here and all these people who, some of them probably knew me before my transition and they may not even recognize me, but they are going to recognize who I am in terms of my gender identity and so
forth. And it's a very daunting thing. I mean, I'll tell you, I'm shaking right now because this is probably the first time I've talked about this in a public space in the InfoSec world. People know it. I don't hide it. I'm not at all ashamed of it. But to actually, you know, there's typically no need for me to talk about it. It doesn't define who I am. You know, saying I'm a trans woman is no different than saying I'm an Irish woman or saying I'm a white woman. It's an adjective. But to sit here and actually make it, to bring it up as part of the issue is, that's tough. And it's not just trans
women who struggle with that. It is men who are gay. It is women who are bisexual or lesbians. It is, you name it, a lot of us, you know, it's not something we wear on our face every day, but it's those pieces that people know about. And so when we think about this in terms of trying to be in an inclusive environment, if we're not empathetic to the experiences of people who aren't like us, and we don't take into account all the things that we say, the things that we do, that are great when we're in a very homogenous group like we so often find ourselves, that those may have a very significant and profound impact on other people, that's where the problems start to come in with being
truly inclusive in this industry. Well, that's really tough for you to talk about, and I know, so now I'm going to give you a chance to brag a little bit, because you actually overcame all of that and now you're actually in management positions and you're breaking through that ceiling. So can you tell us a little bit about what did it take to do that? How difficult was it, if at all? And then now that you're here, has it changed? Is it better or worse? But here, at least brag a little bit about what you accomplished. Well, I'll take it from the reverse. Is it better? Hell yeah. I'm finally my own self. I mean, you
know, to be able to sit up here and be with you people and be real. I mean, this is who I am. This is after spending far too many years trying to live in a world where I didn't really fit and trying to match up and to act in the ways that everybody told me I needed to act because of how I looked and how I was born. So yeah, I've absolutely come out of my shell a little bit. To that end, yeah, it's had its struggles. You know, I also have the added benefit of, okay, I did live all those years in that other space where I had certain privilege. And to be my
real self, I had to give up some of that privilege. But I also was able to hold on to the fact that, yeah, I had been able to build a career in part because of the privilege that I enjoyed. So where I sit now, being in a leadership position in an organization, I'm both with CDW, with WoSEC, and with other organizations I'm beginning to work with as well, it's this is my time to use that privilege that I've got to help those who, you know, most women don't get to experience that same kind of privilege. And so that's become a focus for me, and that's the thing that's really helped me to even sit here
today and talk about this is: hey, this is who I am, and what's gotten me here can help others get even farther than where I am today. And any piece that I can do to be a part of that is something that not only do I find rewarding, but there's a sense of duty in that. And so, yeah, I am proud to actually be sitting here today at B-Sides speaking to a bunch of like-minded security professionals. So, hope you don't mind, but...
But with that, now let's bring it back to some serious stuff. Because what Alyssa mentioned was that men were not bashful at all about coming on to her when she was making her transition. And that's all too common. And Chloe, you actually mentioned a few things that happened at conferences that honestly, when we were talking about it, was pretty damn disturbing. So... Could you share that with us? Because I know it's a little difficult, but now it's time for you to shake a little bit. Okay, so you guys want to hear the truth. So I've been to 18 conferences, oh wait, no, no, 20 conferences in the past five months. I've had three guys treading
into my hotel rooms at conferences, so I no longer can stay at conference hotels, thank you, to keep my safety. And now when I go and book a hotel, I can't use my name. I'll have to use someone else's name from now on and out. Not just that, I've also been assaulted twice at a conference. So the first time I was actually assaulted by someone grabbing me by my neck against a wall, he was drinking. And then the last one was when I was in an Uber coming back from RSA home, this guy decides to see, he sees me wearing a lei because I went to Tiki Con. I don't know if anyone knows Tiki
Con, but it's like, it's during RSA. And I had like the lei on and whatnot. I'm sitting in the car. I've only had one drink, okay? Not drunk, not, I'm, I'm fine, totally fine. The guy sees me wearing this, so he thinks it's totally okay. So what he does is, while we're on the bridge in the Uber, he grabs me by my upper thigh, puts his hand right on me, and this was a shared Uber, and I quickly just took his hand off and moved it. And there's been many other times where it's gotten close to that too. So if you see something, say something. At DEF CON, it's coming up. There is a number.
I'll probably tweet it out. I think all of us are going to end up tweeting it out at some point this week. Know that number. Know your safety. You see something go down, say something. That's very, very important. And also, if you're drinking, please don't overdrink because that can be dangerous, too, for everyone. I mean, I know Chloe is becoming, you know, kind of the celebrity now, and so, you know, normally celebrities have to change their names, but I mean, she's speaking at six different events this week, is that correct? So, you know, but that's a shame. I mean, imagine that. I mean, this is what women have to go through normally. But now
just because they're involved in InfoSec, they actually have to change their names, not because they're a celebrity, but just because they're a woman? Oh, and the death threats. You get death threats. It's awesome. You get death threats on Twitter. If you speak out a lot, also you'll get a lot of these tweets, which is like, hi there. And it's like weird. But the other ones that I cannot stand is one, they're like, you should be more concerned about getting married and having kids. You know, a kitchen is the right place for you. You look like you could be a good chef. And I'm like, okay. So maybe here's my opportunity to offer a slight suggestion. If we're tech people and we're infosec people, well maybe we should put
it in a way that everybody could understand. So why don't we treat women like pen test engagements? And if you don't have permission, it's not only not right, it's probably partially illegal too. Can we write up the rules of engagement on that please? We just hand it out at these conferences, right? Little cards. Seriously, but Chloe does bring up a good point. Please help spread the message and tweet. If you haven't seen up here already, this is where you can contact all of these ladies as well as follow them on Twitter and please retweet those important messages. But another thing that you guys had mentioned often is the feeling of community, finding something that you can find to engage yourself in where you don't necessarily feel alone.
And Steph, I know you brought this up, and it was just interesting because there were multiple different definitions of community, and not only being part of a large community but finding smaller communities, so again you're not alone. Could you share some of that? Because I know you mentioned things like your Twitter community, and you also have an event where you have people come out and actually learn technology in communities that you create. Could you share that with us? Yeah, so community is obviously important to me based off of what I said earlier. So I try to do that myself. Last year, when I was, I did a lot of tech-a-thons because I didn't
like studying alone. I can do a lot of stuff alone, but for whatever reason studying was really hard alone at that time. So I did some tech-a-thons and we labbed side by side virtually. Some of my friends would come over and we would lab. So that's something that I did off of just my own strength, no organization tied to me. But then also doing things like, you know, WoSEC. I'm a lead for the WISP scholars, and WISP is Women in Security and Privacy, and they give out scholarships to attend DEF CON every year and the Diana Initiative. So I decided to, you know, be a lead this year. Every time that there's an opportunity
to do something that will help other people feel included, I try to put myself in there because I know what it's like to feel as if there's nobody that gives a shit and you're just like going to work and working with your coworkers who are dicks and you know. So I feel like community is a huge part for me to give back and I think that that's the way that a lot of people who are in their shell too can kind of get out of their shell. Like last year, in January, I had 92 followers when I decided to take up on my mentor's offer to join Twitter. And over the year, like I've really
met some bomb people that I meet IRL at these conferences. And without them, there's a lot of things that I wouldn't be doing, like this panel right here. So I think that community is important, not just because you get to be on panels, but also because you don't feel alone. And for me, I will also say a big part of feeling like this is something that you can do, meaning the security thing, is seeing people like you who have also achieved or done the security thing. And so when there's a lack of people who have done the security thing, you're thinking that you're pioneering something, and that's not necessarily a task that anybody wants to
take on. You have to deal with everything first, which means you're just gonna have to literally meet obstacle after obstacle after obstacle. And after some time you get burnt out from that and you're just kind of like, what am I doing this for? I don't really give a fuck about, excuse my language. I don't really give a crap about this stuff. You know, I just wanna work and learn and nerd out and have the environment of supporting people who just want to teach. And you would think that there are more spaces like that because us nerds, we like to talk about the stuff that we like to nerd out about. However, there's like this huge
I had in the beginning of my career, I had a lot of, you basically can't, like, "girls stay out" kind of messaging. It wasn't so blunt as that, but that's pretty much what it was. And I had a friend confirm that that's what it was at the time. So I think that community, though, like you have the Women Hackers group, that helps. People who want to do the hacker thing, and they're just kind of like, but I'm so terrified of doing it. I don't have a safe space to do it. I can't say "I don't know" without feeling like someone's going to judge me or say, oh, you noob, or whatever about it. So I
think that, long story short, community is important for the multiple reasons that I stated. Well, and to point out the positive, and maybe we'll do this a little in reverse order now, but I mean, what you're doing is definitely helping for the equal treatment of minorities, which I know is incredibly important to you, but now it's your turn to shake a little bit. You ready? So we had talked about in a previous conversation about how when you were reaching out to those communities and you went to women's groups, that there is a little difference there too. So kind of like being the minority of a minority of a minority, you experienced that not only were these
women groups or women panels all comprised of all white women, but more often than not, all straight white women. So can you tell us a little bit about your feelings on that and maybe how you feel breaking through and being the example that other people can follow? Yeah, there's a real issue in the industry, you know, they cover, like, they half-ass it. So they're just kind of like, yeah, man, everybody's about this diversity thing. Like, what are we going to do? What are we going to do? White women. That's the answer. And they just, like, put a whole bunch of white people on the stage, and it's like a white guy moderator and a white
women panel. And it's like, they're all straight. They don't really, I think, um, I said in a recent pod, I have a podcast, I didn't say that earlier. But I said in a recent episode that it's like having a book with 50 chapters and having the same chapter for every single chapter. All 50 chapters are just exactly the same, and reading it over and over and over again. You need a total picture, which means including other people of other sexualities, like you said, like neurodiverse people as well. I think having more people makes the story complete. You don't have everybody's stories. I can't sit up here and tell you anything about someone who has dyslexia,
because I don't have dyslexia, but I do have ADHD. So I can tell you about that. I can tell you about being black. I can tell you about being Nigerian. I can tell you about being a woman, but I can't tell you about being a white woman or an Indian woman or an Asian woman or anything like that. I can only tell you about my own story. So as much as it's important for me to be here to speak for black women, it's also important for somebody to speak for Indian women or, you know, other, I'm only Nigerian American. So there's a whole, like, Africa is a huge continent, so I feel like there's other
African spaces or other European spaces or Australia, like everywhere. Like you need to have somebody from each group to represent because most of us, if we look at where we are in our friend groups, in our family and everything, we're very homogenous. You might hang out with, unintentionally or intentionally, you might hang out with one color person or one gender. I tend to gravitate towards black women. And it's something, I do have white women friends and other raced women friends and other raced male friends. But for the most part, if I look at my close friends for the past, like, my whole life, they will be black women. And that might be something tied to
my childhood. I don't know, we'll explore that in therapy. But I will say, you know, I need to hear other people's stories so that I have a more total and complete picture of things. Like, for instance, I mean, there's a show called Pose. I don't know if anybody's familiar with it, but it talks about the... It talks about the transgender experience, and it's something that I never had known the extent of. Had they not made a piece of art like that, I would be totally and completely ignorant as I was before. So now I have clarity. If they had made a show about a white woman who falls in love with someone and then breaks
up and then falls in love, that's the same thing, and I don't relate to it. So I think it's important to have a mixture, which is the diverse part of diversity and inclusion. Without that, we just get the same story that we can't relate to. We feel alone, we feel isolated, and we feel different. Even though there are probably millions of people that are just like us out there, we have no context for that because all the panels are just one thing. No, no, that's actually good. And we had mentioned that earlier where diversity is not just about gender or identity. There's all kinds of different ways that you could look at diversity. And in
fact, we had podcasts with people from Microsoft that said exactly the same thing, and they were finding the same exact flaws that we mentioned earlier on AI. But we can go on and on. So one thing to just quickly point out here, a really good takeaway, is that the three women up on this panel right now are incredibly courageous. They are comfortable speaking out, but a lot of you may not be. And so we will encourage you in just a couple minutes so that hopefully you can share your experiences, your feelings, or whatever you can. But a lot of you are not. So I highly encourage you that if you have a story and
you really don't quite have the courage to get it out there, contact them. I'm telling you, they're going to help you. But with that, we kind of have gone over the past and what's going on in the present. Let's take just a couple minutes to focus on what you guys think we need to do in the future before we open it up to additional questions. So Alyssa, you have been very successful in large corporate America. So maybe you can kind of offer some suggestions, not only maybe what your company is doing and they could be the example for what others are doing, but maybe some suggestions on where we could be doing better in corporate
America. Sure. So, you know, I could talk for a week on this, obviously, as I think all three of us could. You know, in the corporate world, again, I'll go back to it all starts with that inclusivity. And organizations, you know, Steph brings up a really good point. There's so many ways that you can look at diversity. And we want to be diverse. Oh, we're going to hire to be diverse. Well, what does that mean? I mean, you're going to target one group to the you know, detriment of the others. And really it's not the answer. The answer is we need to work on culture. And our culture needs to be one where it's not
socially acceptable to be, as you put it so bluntly before, to be a dick. If you're going to be a dick, that should not be culturally acceptable in your organization. And, you know, I've been in organizations where it's tremendous. I won't lie, the company I work for right now as a whole is wonderful. You know, from an inclusion perspective, I walked in the front door the very first time at our offices in Lincolnshire, and you feel it when you walk through the door. So really, I can't even describe it, but when you walk in, you can just feel it. It's not that feeling of walking in and seeing a bunch of white males walking around
or seeing a bunch of white people walking around or anything. I mean, you see just that, okay, this looks like everyday life out on the street or anywhere else. But then there comes this one little thing, and that is it takes one bad apple to ruin it. And I've seen them. In the best organizations in the world, that one bad apple that can ruin everything. And that's where organizations really need to be stronger in how they react. Organizations more and more now, and some of it's because the EEOC forces their hand, they have things like ethics hotlines where you can report if you've been discriminated against and so forth. But how many times do employees
call that ethics hotline and say, "Hey, I've been discriminated against by my boss," and what's the first response? They bring that employee together with the boss and say, "Let's work this out." That doesn't work. That is the absolute worst thing you can do in that situation, because you've now told this employee it is not safe for you to report, because the person that is causing this problem is now going to come to you in this situation and confront you on the behaviors. Yes, we live in a society where the accused have the right to confront their accusers. I get that. But until the facts are out, until that investigation has concluded... We can't do this, and we need to be able to react, and it can't be a reaction
either of, "Well, we're gonna move you to a different team since you're having a problem with that boss." No, I don't have the problem with the boss. The boss has a problem with me. And we can do better in corporate America at doing that. If we look at the Human Rights Commission and their Corporate Equality Index, it's a nice start, but there are so many things that don't get taken into account even with that, where organizations may have EEOC complaints filed against them. That's not something that the HRC looks at. So getting better with that, it's going to be multifaceted, and it's got to be led by the private sector. We cannot look
to government to do this for us. It has to be organizations that recognize the value of diversity, recognize that inclusivity is the way to get there with a welcoming culture, and be motivated to do it. Excellent. So I know we don't have that much time left. So just very quickly, Chloe, with all your experiences at conferences, what kind of positive suggestions can you make for them? Oh, okay. So one of my suggestions is, a lot of conferences, they have a Slack. Make sure you also let people know that there's one you can report in. That's gonna be really helpful. Another way is to have one person to delegate to when it comes to anything, when someone
wants to report something. I think that's the number one. DEF CON did a great job. They're like, "This is the number. Here's an image. Do not forget about this. Reshare." I love that. That's one way. The other thing is making sure that people are aware when signing up for a conference that they follow the certain rules. That's going to be very important as well, I think. Other than that, like, really, you see each other around. You see when someone's drinking. You see if they're doing something inappropriate. Walk over, ask the person, like, hey, are you okay? Is everything all right? They're like, yeah, everything's fine. No, that's good. If not, help them out. The other
approach is if you ever see someone who's kind of like, oh, God, help me kind of look, and we've all seen that once in a while, go rescue that person. Be like, hey, what's you know what? Let's go get a water really fast. Or, hey, your friend wanted me to grab you for a second. And, like, just take the person out of that space for a little bit. That's the best recommendation to have for others. But, ladies... Honestly, if you're ever in a situation like that, pretend your phone's vibrating, pick it up, walk out. That's the best way of doing it. The other thing is if a guy asks for your phone number, give him
an old phone number that you've memorized, like your childhood number that no one uses. So then the guy does not expect that you're giving him a fake number because you can tell when someone's giving a fake number. I'm a social engineer. You can definitely tell. So give him an old number and be like, this is my number. And then be like, oh, there's my friend. She's over there. So that's one way I had to do it. Just know... Be safe. Always have a buddy. I think that's number one when you're at any conference. By the way, if you are a woman hacker, let me know, I'll get you on Women Hackers. We also have a
channel in there for conferences, so if you're ever at our conference, you can always ping to see what other women, which we have over 300 women now, are at that conference too. I see the person in the back, hi. So yeah, so just know that you will always have a buddy now. So it's a great way to stay safe. Excellent, thank you. And Steph? What would you do in the future to make sure that communities, whether large or small, are a little more inclusive? What would you make for suggestions? That is hard because I think that that depends on who runs the community and what they want out of it. So I would just say
that as people who are being a part of this community, if you feel like it's, like, really bland and one flavor, that you don't participate in it, or that you call it out and say, hey, you know, this space would be better if we had more of this representation, or this space would be better if we had more than that. I want to say that sometimes it is not purposefully exclusive. Sometimes the person might just gravitate towards a certain type of demographic, whether it be, like, primarily young people or whatever. So I think that sometimes, though, if you call their attention to something, their reaction will tell you if it's on purpose or not. But
for me, I think that there... You kind of had that experience on Twitter this week. Yeah. Exactly. So I think that you should just make sure that you're in part of those kinds of spaces. Make sure that people have a voice. I know Chloe was a guest actually on my podcast. And she talked about how if a person of color hasn't been accepted to a con, that she would just basically do their talk online, like take their talk and, like, put it up and be like, oh, this is the person's talk. And that's, like, one way, but, you know, making sure that people of color or people that are minorities or people who are of
different sexual orientations or whatever, have a voice or a space anywhere that you are is very, is very crucial part of changing the landscape of the industry. So that's pretty much it. And again, it's hard. I mean, standing up like these women have done is not easy. So if you need help making that first step, please contact them. But speaking of which, maybe this could be a first step for some of you. Anybody want to share their story? Anything that they want to talk about? Excellent. Questions, too, so you don't necessarily have to share your story or anything personal. If you have any questions for the ladies, we have a microphone that's going around, so
please go for it and speak clearly into the microphone. Is it on? So I have a question. And corporate America, I work for Intel, so I'm very well versed with this, and Stephanie, you kind of alluded to it, has no bounds for coming up with new ways to silo ourselves. And so many companies now, for diversity and inclusion, tout their employee resource groups or their networking resource groups. But we at Intel have found over the last, because we've had, I mean, the LGBT employee resource group at Intel is the oldest employee resource group. But we found out it was all just us. Once again, we weren't very diverse, because people who were outside
these groups didn't feel they could join these groups. So I'm wondering, as you see this come up in corporate America, what do you think corporate America can do to fix that? I'll go first. Yes, sir. So the problem is, that gets kind of tricky, and the reason why I say that is sometimes, because the landscape is what it is at this point in time, sometimes those groups are created to be safe, like a safe space, so as a, like, a defensive kind of mechanism. It's like, if you come into this space, I don't want you, like, you know, like, let's say putting your straightness all over it or whatever. And so I feel like sometimes
they're supposed to be these really safe spaces, and you want to be exclusive because you're trying to preserve the integrity of the group. So I think there's going to have to be some sort of vetting that happens until things are completely different and everybody just is very accepting of everything. But on the other hand, I do think that people should make an effort to at least leave the door cracked. So if there's somebody that's like, hey, let me in, let me in, I want to, you should kind of, like, say, okay, you know, you can come in, if you feel like that person's being genuine. But you're right, like, you know, because I know that
there are certain organizations that have black organizations within the organization, and they can be a little bit more like, you know, don't come into our club. But I think that's defensive. So I'm not, I think, like, I'm going to have, like, a question mark. That's why I wanted to go first, so that... So I'll build off that, because we actually saw this. This came up with WoSEC. We had some men who were concerned about the fact that our chapter meetings are all women. And it does go back to what Steph said, first of all. There are times where these groups, they're about building that safe space, and they're about making sure that we have an
environment where we can identify with other people who are doing the same work that we are, that maybe we don't get to see every day. That can be important, but I think to break through what you're talking about, one of the key things for these resource groups to do is to sponsor events that aren't specific to anything related to their purpose in existing. So for instance, our women's resource group, you know, go out and sponsor, you know, a lockpick village, or, you know, sit down... And this is something I'm actually proposing in my company right now, so if they're watching, they're hearing about this for the first time. But seriously, having, you
know, women in that group... Hold an event in, say, the cafeteria where you just teach people about practical security for every day, you know, whether it's personal assistant devices or online security, whatever, these types of things. Or, you know, pick those different things where it's not a women's event. It's a, hey, we're gonna teach you this. But yeah, it's all the people that are represented by this group, because now you can pull in that involvement. You say, hey, we're all about being with the rest of y'all. Yes, we have our safe meetings where it's really our group, but we want you to be a part of what we're doing too. That's actually a
fantastic suggestion. Chloe, anything you want to add to that? All right, well, we have just a few minutes left, but I did want to remind everybody that we had a little contest going on on Twitter. And so we got some submissions, but we also wanted to extend it a little bit more so that way we could get more. So if you want to share your story in a positive way, Please go check out their Twitter feeds and go look for the hashtag #InfosecDiversityGap and share something positive that you did to either overcome a stereotype or something where you became the face of your particular group to be more inclusive and encourage diversity. And with that, the top pick that we will eventually, between us, choose, we'll actually
get some free pen testing courses and certifications from eLearn Security. But with that, we have a couple of minutes. - Hold on, Dan. - One more question, yeah. - Yeah, I wanna toss one thing in there real quick. If you are not comfortable sharing your story out loud-- - Slide in the DM. - Please DM us. That was actually a topic that came up, somebody pointed that out to us. We don't want this to be difficult for anybody. If you wanna participate and you don't wanna share it, we're not gonna share it with anybody. Yeah, send us the DM instead. Exactly, because as we mentioned numerous times, you may not be at the place where
these ladies are, where they're very open and willing to share their stories. You may not be there. And so if you want to DM us with your story, that's great. Another question? Yeah, hi. Yes, sir. Name is Richard. So father of two beautiful girls, six and four. And, you know, some of my best employees are women. So I'm glad that you guys are doing what you're doing. Don't give up. Keep on doing it. What would you have advice for a father of two girls? And then also, what are you doing to help the future, right, the future of girls in the industry? Yes. Okay, so there's a couple things. One, I always recommend with fathers
that have two daughters and you want to kind of teach them how to hack because I'll be honest, even if they don't want to be hackers, it's something really empowering when you can break shit. And like, I don't know, something about that, like, I take all my anger and rage, and I'm like, how can I break this? So I think one of the things you could definitely do is there's mentorship. So if you want to, like, I could connect you with a mentor who can, like, be there for you, kind of like a daddy-daughter thing. I think that's really good. Also to keep enforcing to your daughters that regardless of their backgrounds, There's going to
be men that are not going to want them to have higher positions. They're going to ignore them. Just know that the most powerful women are the women that are empowered. And my dad kept ingrained that in my mind. Whenever I had a low moment, he's like, whenever you are an empowered woman, you're the most dangerous thing to a man's eyes most of the time. So I honestly just keep enforcing that with your daughters. And if there's anything I can help, just DM me and you and I can have a sit down and talk for like 30 minutes on a phone. I'm totally down for doing that. - And most of our other panelists are that
way too. So if you have any additional questions that we didn't have time to get to it today, tweet them, contact them, meet us out there. You can ask us questions. We're more than willing to help and share and hopefully empower the rest of you. Is that our time? - That's our time. - That is our time. Thank you so much. You guys were great. And thank you to our sponsors again. I hope you have a good conference. And I have socks to give away. So who wants a pair of socks? I do. Yes! Yes! It's the closest to a Shiva, I swear. We actually started doing this at the start tomorrow.
Oh nice! Oh hey, how's it going? Oh I know, I was like, I didn't see you at first. I was like, oh it's such a different, I'll come over there. To talk with people, that's actually a really good point. I was like, I don't know how. That's a really tough one. Yeah, I bet. Yeah, and that's why we're doing the same thing. Making something that's not about you. We're not out here because we want to preach. We're here because we're in church. Oh, I'm sure I will. As long as my volunteership doesn't mess with it. Oh, QueerCon, I'm sorry, I thought you said QueerCon. QueerCon, I haven't even gotten a badge. No, I saw yours. Thank you. I think I'm committed to
something doing it. I'll take a look. But if nothing else, it's okay. I'll get that shit started. Oh yeah, sorry. Pardon me, sir. No, no problem. We might have to share it. We're sitting at a seat right now. Why don't we disagree and we appreciate it? This is, yeah, this one's set to be really, really, to just have it really close. Step outside and continue. I guess so. Okay. And I'll have everyone introduce themselves. And then we'll describe the-- All right. That's right. Excellent.
We're-- Okay, thank you. I have not used a single slide today. I did, sorry. What? You had one. I did one, sorry. Which said, next session is at 4:30. Go eat or something. If this one doesn't work, you can talk really close and it works. It's there. It used to work on top of the museum. We'll need that to just... I didn't realize it. Thank you for coming out to B-Sides Las Vegas in the Ground Truth talk. We are here this morning with Ian and his panel. This evening, it's Las Vegas, so it's morning. I'm sure there's some people in Vegas just now getting up. Ian will introduce the rest of the panel as we go along, but first we need to thank our sponsors, especially
our inner circle sponsors, Critical Stack and Valor Mail, as well as some of our stellar sponsors, which include Secure Code Warrior, BlackBerry, and Amazon. These talks are being streamed live and recorded. So if we have audience interaction, which we are planning to on this talk, please raise your hand and I'll run the mic for you. And since it is being streamed, if you can silence your cell phone, we would appreciate it very much. With that, I have two pairs of socks to give out from our sponsors, and then we'll get started. No demand for socks. Cool. Awesome. Thank you. Good. So, hi everyone. My name's Ian. I am the... Hello. I'm the chief security officer for Cimpress.
And what we have today in the next 40 minutes or so is, if you're familiar with the Meet the Fed panel at DEF CON and BSides and stuff like that, this is the Meet the CISO panel. We just finished up a full-day CISO track, and I have sort of handpicked a few participants from the track that can talk about their career, they can talk about their expectations from people coming up the ranks towards a CISO position, they can talk about their learnings and experiences in security. This panel is basically designed to cater for you guys. So most of it hopefully is gonna be driven by your questions. Again, it could be career related, it could
be professional, like how do you deal with this, how do you deal with that? Open it up. I will make sure that I stay mostly silent unless you have specific questions for me, which you shouldn't, because these guys are the core team. What I did when I selected the esteemed panel is I tried to make sure that we have an interesting variety of backgrounds, experiences, and current roles in terms of companies. So without further ado, Sandy, would you like to introduce yourself? Absolutely. I'm Sandy Dunn. I work for a healthcare organization in Idaho. Hi, my name is Joe Sullivan. I'm the CSO at Cloudflare. My name is Shama Rose, and I'm CSO at Avant and also
Amount. We're both financial fintech companies. And before we go on to your questions, I think it's if you can elaborate a little bit on your personal backgrounds. Like, where did you... not literally grow up, but from a security perspective, what was your experience, background, how did you get to the role? I think that's gonna provide a lot of meat for our participants. I started out working for a company called Leviathan Security Group back in 2005. And I was up in Seattle and I was an aspirational pen tester. So I got, in my opinion, taken under the wing of some of the people that I, to this day, consider to be some of the strongest in security. Great mentors too. So I learned a lot on the pen
testing side and got my hands pretty dirty with that. We were a very small company at that time, so I also took on a lot of the project management stuff and ended up, I think, just kind of naturally evolving into some kind of manager, although I fought it for a very long time. And then, you know, kind of got tired of the pen testing, consulting, reporting, that kind of stuff, traveling. So I went to work for some bigger companies and started out as a program manager, and that kind of, in AppSec, and that evolved more into taking on other responsibilities and other programs too, and that just kind of led me naturally into a CISO
role. Joel? Thank you. Joe? I actually started my career by going to law school and then I really, really wanted to be a federal prosecutor so I could be on the Meet the Fed panel. Never got invited, I never got invited to meet the Fed panel but I was in the US Attorney's Office here in Las Vegas in the 1990s. In 1997, I started here. And I was the only prosecutor in the office in his 20s. And I had a computer on my desk, so I started doing the tech cases. And then the Department of Justice created a program and then I got training and then Robert Mueller was the US Attorney up in the
Bay Area, and he wanted to have a high-tech unit in Silicon Valley, and I wanted to leave Vegas, and so moved up there, worked in the US Attorney's Office in Northern California. After a few years I left, I went to eBay, worked on trust and safety at eBay and PayPal. I went to Facebook, became the Facebook CSO. I joined the company in 2008, was the CSO at Facebook from 2009 to 2015. Was recruited over to Uber, spent two and a half years as Uber's CSO. I was fired from that role a little less than two years ago. Took some time off and then found a position at Cloudflare. Awesome. So I'll kind of keep it short. So I got started doing competitive
intelligence on MFP printers, and at that time, this was about 2001, and I started going, well, if we're sending off these printers, shouldn't we care about who we're sending it to and what we're sending? And so we really didn't have anyone who was doing security on MFPs. Nobody was really talking about it. And so I started listening to PaulDotCom and CyberSpeak, and they talk about it, and then I take notes during the podcast, and then I download all the tools that they talked about. So what happened was I became really knowledgeable about security, and then the go-to person, that transitioned to different careers, and I kept growing, took some SANS classes, and ended up
being on the cybersecurity team at HP. And now I've been at my current employer for about two and a half years. I was telling Ian on the way in here, so I knew... I was pretty good at translating security to the business. So I saw being a CISO as my career goal. And so I had this trajectory. I was working on my master's. I thought, well, in five years, I'll be a CISO. And I got hired as the IT security architect at this company. I was brand new to it. I was there for two months. The CISO left, and they plugged me in as the CISO. And the worst part was I was trying to
take my finals for my masters and I was like, "No, this is really bad timing for me." But when the door opens, and part of me was like, well, I don't know if I want to be, because everyone kept saying, do you want to be the IT security architect? I love the geeky stuff. Or do you want to be the CISO? And I'm like, I don't know. So I end up being the CISO. I have a great team, and it's been a very interesting journey. Awesome. Thank you. I appreciate it. With that, any questions from the crowd? We would love... to address anything. Can we use the microphone for the people listening online? You answered my first question, which was did your high school guidance counselor
suggest that you become a CISO? I'm curious about the changes you've seen in the cybersecurity and information security field over the time that you've been doing this. Anyone in particular or randomly select? Volunteer? I went first last time. Okay, I'll do it. I've seen the position change a lot. So I've been in the CSO role for about a decade at three different companies. The thing that I've seen is it has become much more of an executive level of focus and attention with boards. And I think we as a profession are really struggling to catch up with the heightened expectations of us and the heightened need for us. I always think about if you stopped a CFO in the hallway and said,
"How do I become a CFO?" and you stop 10 CFOs, you would get very similar answers from all 10 CFOs. They would say, "Go do this in college, go do these three jobs, and then you'll be ready for CFO." But in our profession, if you asked the three of us, or you looked at the four of us and our backgrounds and how we got where we are, we all took very different paths. and we just spent the day together, like 50 of us CSOs, and we probably had 40 different paths among the 50 of us. And we'd probably give 40 different, kind of recommendations and we're still struggling as a profession to figure out like
do we want to report to the CEO? Do we want to have quarterly board access? Or do we want to stay hidden down in the director level of the company? So I think that the profession is changing a lot and we're all getting dragged along with it. Yeah, I would agree with that completely. I think in a lot of my roles that I've been in, I've literally invented that role. I saw somewhere in the company where something wasn't working, and I thought, well, I have the skill set to fill that. I know AppSec, and I know program management. That sounds like I can run this program for this critical infrastructure here. Yeah, so I mean,
I think that the beauty of that is that we're really, truly defining what this industry means right now. And you guys are in the best spot to do that because you're on the front lines of literally everything and you know where the weak spots are, you know, literally and figuratively. So, you know, like he was saying, like, we really are still trying to figure out what this all means. And, you know, I would love to say that we have all the answers for everything, but I've seen it evolve from there being literally no structure to roles or what we're supposed to do, to, you know, major companies being like, "Oh, we
should probably, you know, hire somebody to do a security thing," you know, and it's a major news network and they've had one firewall dude for 45 years and now they have a security team. I remember that. I think the other difference, too, is when I accepted the CISO role, I had to actually turn to my husband and say, the likelihood of me being fired has just escalated. Or seeing you in the next... Yeah, but I don't think a CFO has to say, "I'm going to get the likelihood of me getting fired." So we still, that's a maturity thing where you take it on because you're willing, you like fires. I think, like Ian said, we
were just all in a room together with 50 of us, and it was great conversations, and there were so many strong personalities in that room. But the reason, because you really have to be kind of a bull in a china shop to be a CISO today. Hopefully the industry will mature where it becomes more of a CFO: "You know, this is your role and responsibility, and we're not going to just fire you, you know, if there's any security issue." Cool. Question in the back. Yeah, I've got a question, and it's for all the panelists and the moderator as well. Based on your varied histories to your current positions, I was curious about probably
three perspectives, if you care to share them. One would be the size of the company versus your, for lack of a better word, attack surface or your vulnerabilities and the amount of resources you might have. And perhaps if you have an insight to share on the ethical dilemmas that might get you fired. And lastly, do you think the C-suite executives, and I'm stereotyping again, who may have come through their position as a CFO or maybe a bit more traditional career path as opposed to the variety you've exhibited today or described, how that might influence their awareness of data protection, information security? I can tell you from my background as an engineer and an attorney, C-suite people don't always appreciate the
fact that it's going to cost money to protect the data they've collected, and they're not liking what you're telling them. That's a lot of questions. Yeah. You can say what you like. I can answer the first one, which is, like, essentially, if I could distill it: how many security people do you need? Right? There's really no right answer to that. I've had external consultants come in and try to do some formula that's like, for every 50 tech people, you should have one security person. But that doesn't quantify the amount of risk and/or IT assets or define out what your threat landscape looks like at all. So it's really, you have to figure out a way to communicate that
up to the people that are deciding who's getting what resources. And that's really up to you. So I'll use those external consultants, even if I think they're wrong, to paint the picture that I need internally. So I don't know, there's no right answer. Yeah, as a profession we haven't really picked a good model for evaluating risk yet. It's something that's one of the hottest topics in security leadership right now is the different risk models and how you calculate risk. And the reality is you can't really look at the size of the company or the number of engineers or your product. Or revenues. Or revenues. Like a company like mine that sits in front of thousands
of other companies, the risk, if we said, oh, we're only 1,000 employees at that company, so we should have a pretty small security team, that's not factoring in: all of our customers' secrets are being decrypted in memory on our machines. So we have a heightened security risk, even though we're a smaller company. And so we're going to invest not based on the size of the company or the number of engineers, but on a more thoughtful approach to risk. Just to strengthen that point, I've seen, I've worked with companies, a hedge fund is a good example. You have about 30 professionals, like 30 people who actually do the work, and about 20 people in security because they're rolling money, bazillions of dollars every day. And they have a
huge attack surface, they're completely ignorant, and all they do is put their brains to work and bet other people's money. I've had, in my current company, we're 14,000 people. My security team, half of it is probably here, is less than 30 people. So it's not a scaling question, as Joe said before, pick any of the parameters, put them in any shape or form, there's no formula that can answer that. You have to sit down and figure out how does this company work, what's the attack surface, what's the risk models, how effective can we be internally, what's the operating functions inside the company, how centralized, decentralized, does it operate, what's the executive leadership like? So there's, sorry to disappoint you, there's no formula
or direct answer for that. As far as, I'll start picking up on the second topic, which is the kind of other C-suite slash executive approach to risk or security. First of all, I think it's our responsibility, it's our literal job to be part of that conversation and facilitate that with inputs from our end. So it's up to us to identify, first of all, how the business operates. So whatever you're providing back as inpu