
Embracing Automation & AI in Security Compliance

BSides SLC · 2024 · 25:31 · 62 views · Published 2024-09
Style: Talk

Transcript [en]

Can everyone hear me? Good, okay. If you guys can't hear me at some point, just let me know; I move around a lot, I apologize ahead of time. I'm Samuel. I'm gonna talk about embracing automation. It's Adobe-branded, so you'll see Adobe branding, but I'll talk about some stories from there and about what we've done. It's a lot about things that went from cradle to where we are now, of starting a whole automation process around compliance.

Now I want to know a little bit more demographics of who's all here. So do we have, like, how many people here are college students, high school students, those folks? A few over here, sweet, a few there. Perfect, so a little more entry level there. And then do we have a lot of security engineers or security folks who are in the depth of things? I'm assuming a bigger portion. Do we have any compliance folks? I got a few compliance folks here, okay, so these are the folks that everyone else doesn't like so much. We understand. Any auditors that go with that compliance side, or are they all the same? Okay. Any other demographics that people want to identify themselves as? Good, okay. That puts a little perspective on how I'll play this then.

Okay, so one of the things I want to talk about is the problem that we have with compliance in general. One, it's

super resource-intensive. For a lot of the folks who may not be familiar (I hope some of them are), when you're looking at audit things, typically you're providing tons of evidence for things, you're reviewing paperwork, reviewing work other people are doing, and it's very manual, mundane, and a pain in the butt, and no one likes doing it, which is the audit mindset. We have lack of agility: compliance hasn't really evolved other than in the last few years, when a lot of startups started popping up to try to solve this problem as well. But typically compliance doesn't evolve that much; it's lots of screenshots, a lot of evidence, a lot of paperwork, a lot of meetings, oh my gosh, so many meetings.

Then audit challenges. Here's one of the things that you have: sometimes the evidence you get is wrong and you have to go through the whole process and do it all over again, just because the things you get aren't what you asked for, right? Or you have problems where you're saying, hey, I need something like, I need a password you rotated, and you're like, cool, I can screenshot the password where I rotated it, and they're like, oh no, no, from nine months ago, and you're like, how am I going to have a screenshot of a password that I rotated nine months ago? They're like, oh, but we need evidence of you doing it back in June, and you're like, there's no way I can provide you that, like, that's not happening. So these are some challenges that you have.

And then there's high risk of error, right? Like a lot of times what you're asking for is not what people understand. So a trash can versus a recycle bin: people put a banana peel in a recycle bin; some people think it's a trash can regardless, right? But when you're talking about evidence, what an auditor wants sometimes isn't what the engineer is expecting, what the product team is expecting you to provide, so you have lots of error there. One of the pain points is having screenshots, and you have to have these semantics on exactly what's in that screenshot to prove that it was what it is. So that's the problem.

And before I go further, I want to define automation. We have "the use of largely automatic equipment in a system of manufacturing or other production processes"; that's Oxford's definition. Doesn't really make sense to me, so this is my definition: the use of automated processes or systems to perform a task. You can argue with that one as much as you want; I agree with you regardless. And then this is my boss's definition: it's a dashboard. And yes, the dashboard is automation in a sense, but I'm not going to waste my time just building a dashboard. So let's talk about automation then,

and how we, how I've been defining it, and how we can also find more definitions of it. There are a lot of opportunities with automation. When you're doing it, you create a plan: you identify, hey, this is what I want, this is my purpose, I'm going to try to do this, right, and here's my scope. Now I'm gonna identify a few things. If you don't have a scope, this is an endless, forever hole, and leadership is going to expect you to have an end date, but you'll never have an end date if you don't have that scope defined, because they just keep on adding more. When you start automating things, you're going to be like, oh man, this other thing's gonna be helpful, this other thing's gonna be helpful, and someone else is gonna be like, hey, would you mind doing this at the same time while you're doing that? Like, it'll be really helpful to everybody, and you're just like, oh yeah, let me help you there. It's a black hole. Define that scope, otherwise you won't get anywhere. So have a purpose, what you want to do, scope it, then talk about the types of automation you have. In the next slide we're going to talk a little bit more about types, but high level, it's how you're going to get that automation in place.

Now, potential impact: this is how you're going to get your budget, because otherwise you're not going to get any time or budget to do anything, right? So you need to identify, hey, this is what I'm actually trying to get done and how this is going to add value to the organization, either yourself or the company. It's the pain-in-the-butt part, but that's the one that the business really wants. Then you have to identify how you're going to prioritize that, because I'm sure everyone here is super busy with their own job, and now you have to automate something that's going to help your job, but you don't have time to do it. Chicken-and-egg scenario, no fun, but it's part of the deal. Then you have to identify how am I going to do it, similar to the type of tool you're going to use, but a little bit more of what's the plan, what's the roadmap, what's the design.

So let's talk about that part, the tools. You have different scenarios, and these are just high-level examples of scenarios. One: if you're an auditor, and you work with auditors, you know they love Excel. Excel is their baby; everything's in Excel, and if it's not, they say, hey, export that into Excel for me so I can do it in Excel. You're like, no, I have it in a nice database, a nice interface, and they're like, no, no, an Excel would be great. It's like, okay. So one is definitely Excel and VBA; some of those auditors know VBA really well and they can do those things, and they've done some great automations just in that scenario. But Excel, that's one. Another one is write your own scripts, especially if you're in security; a lot of folks in security know how to do scripting at least, right? It may not be a software developer where they're building things like Photoshop or some other major product, but they can do some amazing scripts that can do a lot of work. So that's another scenario. Another one might be buying a third-party tool, right? We have here a lot of vendors, like Paramify, Drata; Matt Hillary presented earlier. Some third-party tools are amazing for what they do, right, and for your business it might be the bee's knees, it might be the best thing you can have for exactly what you need. So identifying that purpose and that plan might be saying, hey, let's hop on the third-party tool, we can get that audit done, all those things done, all those projects, quickly, right? In contrast, you might say, hey, our environment might not fit with those needs, we need to build the whole shebang. So as I talk through little examples, at Adobe we've done all of the above, and it's been a pain, but it's been awesome. So let's

talk about the next thing, implementation strategies. These are my three; I talk about parallel, phased, and switch-bang. Parallel is, as you'd expect, you're doing your old way and your new way, and it takes lots of time, but you can validate the crap out of stuff. You can say, okay, did what I planned do exactly what it originally did? And for a lot of people that's nice, to be able to have that validation, but it's very time-consuming, energy-consuming. Then you have phased, where you're slowly moving things out. For big projects this is very nice, because you can be like, okay, we're going to do this big initiative, work towards it, see the impact, get funding, do the next big initiative. It's really nice on more budgeting of time and finance on the last side. Then switch-bang, this is the scary one. Anyone who's done operations, they understand, like switching from one environment to the next environment in one night is always stressful; you're just hoping it works. So that's ripping the band-aid off. Sometimes in compliance it's really nice, where you say, okay, stop doing that terrible process, starting tomorrow, this beautiful environment. It's the most expensive, because typically you're buying a tool to be able to do that, but just noting, keep those in mind.

So monitoring and continuous improvement is the other part. During this process, a lot of times leadership is going to want to be able to see what value is actually coming from all your efforts or money or investments, and you won't be able to prove any of that if you aren't measuring things. So one is improvements: monitor the improvements you're doing, right? Know, okay, is it running, is it working? Especially once you build automations and you start doing it a lot, some of your older ones you forget about, and then they break, and no one knows until the quarter end, and then they have to run something and you're like, oh, fix that real quick. That's never a fun thing. So put it in when you write things, develop things: monitor it, make sure it's working. Measure impact: you made a proposal to leadership at one point that says, hey, this is the impact we're gonna have; now you need to prove that you made that impact or you exceeded that impact, and if you didn't, what went wrong, what impact are you going to provide if you still have it, and what can you change. And that's the reevaluate, right: identify what you did good, what you didn't do good, and make it better. So that's the simple, like, explanation, the logistics.

Now I want to talk about a little bit of how I've gone about doing these things in my own thought process, and take it or leave it,

that's pretty much how this topic works. But so, first thing on here is how to build simple control automations. Now, there are simple things; earlier, we'll talk about those when I talk about more examples, but simple automation, this is how I go about doing it. One is data: you need data. If you don't have data, you can't really automate crap. A lot of times when you work with teams and they say, hey, I'd like you to automate this tool, this process, you're like, sweet, where do you get that data? And they're like, well, someone just emails it to us. You're like, oh, that's good, where do they get that data? And they're like, I don't know. So you have to go find that person, find that person; you have to go through this process to get the data, because once you get the data you can actually do something with it, but you can't really automate something if you don't have any data. Automate, right? I think it's pretty self-explanatory, until somebody asks questions and then it's a little more complex.

Now, another part of automation is improving the process. You can automate something to do exactly what it was doing before, but you're not really adding a ton of value if you're doing exactly the same thing. A lot of times, especially with compliance, the process is archaic, and you don't want to automate something that's archaic. For example, providing screenshots: you don't want to automate the process of taking a screenshot, like, that doesn't add any value. Instead, get rid of the screenshot and automate the process so you don't have screenshots, right? So improve the process.

Now, self-service. If you're having a boat that's sinking because there's a hole in it, you can bail water, in fact you should bail water, but then you should probably plug the hole too, right? If you automate a process that has manual efforts around it, get rid of new things, automate the process. Another part of this is making it self-service, in the fact that you have them come to you. If you build something phenomenal and you push it out to other people, a lot of times they're going to hate change; they're going to be like, no, I don't want that, I'm fine, the way we're doing it is great. But then if you say, hey, look at all these things, and this is all the time, effort, and everything you save, and then you look like an amazing person, and they're like, oh, I want that, what that team did, and you're like, well, here's a wiki, here's the process, onboard to this process, you can have all the benefits they have, right? And now they want what you have. So it's a little different process, but if you have them come to you for security, they take ownership. You're not owning their process; they own their process. You are facilitating them to be more compliant, more secure, wherever it is, but they own their environments, their systems, their business. So that's one thing.

Next is actually automating the process. Process automation is what my bread and butter is, so we look at what they're doing, say, hey, let's get rid of all the mundane, painful things and make it better. And then, yeah, have machine learning, AI. So this whole conversation, you guys are probably like, hey, there was no AI discussed so far, and that's why I came down to sit here for it, because that's the cool thing. I understand it is the cool thing, and all my developers are like, AI! I'm like, cool, budget? No one got it, right? So, but there are some sweet things you can do with AI, and so I'll throw those examples in when we talk about the example section. But using the right tool at the right time is key, right? Right now the key term is GenAI and all those things, so leadership is all willing to love the idea of you doing that without any budget, but using that AI to perform tasks or action tasks can be very beneficial, and we'll talk about some of that. And then the arrow: this is a continuous process, you'll never get away from it once you start.

So for my side, architecturally, I do these five layers, I call it. In the end, going back to how we implement, as I said, at Adobe we've done all the different kinds of implementations; this is one example where we built a platform. In a platform you have a UI, someone who interacts with it, they have a way to do it. You have a rules engine, and that actually does your checks. Then you have your integration; that's what connects to the world, pulls all the data that you may need. And then you have your data, your databases, where you're actually storing that so you can provide evidence on demand and as needed. A lot of those are coming from different logs.

So let's talk about that. This is an example: change management. I'm assuming those who work with software, they're familiar with change management and the joys that come with it. Now, if you're an auditor, change management is such a pain; it's almost as bad as asset management, but that doesn't exist anywhere, let's be honest. So now, change management is something that does exist, it's just hard to manage, in the sense that people do change management crazily. Now I'm gonna reference open source CCF; it's a great thing out there if you need to use it, it's awesome. But anyways, in this use example, a user comes to this thing and they say,

hey, this user is gonna be an auditor, and I'm going to audit the process where we say, hey, no more do I need to go and ask teams to provide me a population of all the changes they did in the last year or the last six months. That's a very grueling process, and for you to self-service that, if the company or organization doesn't use a really good change management system, oh, good luck. But anyways, in this case an auditor goes, hey, I need this team's information for this 90 days or this last year, and give me the evidence I need for it, right? That's the example I want. So it sends that to the rules engine through the UI. That rules engine is going to say, okay, open source CCF, give me all the requirements for that change. So the one I'm thinking of specifically in my mind right now is approvals, making sure that all changes are approved. Now, if you're an SRE or someone who's trying to do things, approvals to get things out and about are a pain, because you're like, hey, this is a bug, this is a vulnerability, I need to just get it out, I don't necessarily need approval. We understand that; from an auditor perspective you're like, every single thing better have that approval, otherwise it wasn't approved. So anyways, that's the control we're going to test.

So I'm going to go to that open source CCF and say, hey, I need the control requirements about changes for this, right? And that thing's going to return back saying, hey, you're going to need who the approvers are for that team, you're going to need to know the date-time stamps of all those things to make sure that the timestamps were, like, actions were done in a correct order, you're going to need a rollback plan, you're going to need the name of the change, you're going to need, like, what systems are going to be affected. All these requirements, it sends them back to the rules engine. The rules engine goes back and says, hey, I have this team name, now give me the manager, give me the metadata around that team, so it's good to have information about the team. So that's another one; it sends that back saying, hey, here's the manager of Team Alpha, whatever you want to call it. Now we go to Active Directory and say, okay, Active Directory, or whatever user directory you have, give me all the people that are part of that team. Now we're going to make the assumption that they've approved everybody on that team to be approvers, but anyways, give me everyone who reports to that manager who's the team lead for that thing we're trying to get the data for, and we pull all the users. Now you're going to go through a change management system and say, okay, now give me all the users, or all the changes submitted by all these users, for this time period and for all these events. Now, you could have done that manually. Good luck, it's a lot of work; you could have done that manually, but now you just submitted one thing, and now the system is going to start collecting all that for you, right? It goes through the change management system, pulls all the required fields that you've already identified, that you've identified in your CCF control, that you've said this is a control. So it's even better: you don't even have to identify the requirements, it does it for you. Anyways, you collect all those and it sends them back to you.

Now, the rules engine is not just going to dump that data; it should then start analyzing that data. What fields are missing? Red flag. When was the change approved? Was it approved before the change happened, or was it approved after the change happened? Was the approver on the approved list? Check or flag, right? Did the change have the appropriate backout plans, right? If it's an emergency risk, like maybe it's a security risk, and you have a way to flag those, then maybe the backout plan is, no, you've got to get this solved because there's a security vulnerability. Maybe you have a regulation that says, oh, if it's a low-priority change, like a management change, but there's the problem, there's an appropriate backout plan, so you're able to validate that configuration. Then it dumps it out. From there, that could have taken, depending on how fast your systems are and how nice you have it, it could take anywhere from five minutes to maybe an hour, but you've now automated that whole process, right? No more having somebody go through providing all that detail for you and you having to go check every single thing. You now have an Excel sheet, because it's an auditor, they want the Excel sheet; you have an Excel sheet that has checks and flags, and you can just now start going through and saying, okay, how good is this, how clean is this?

You might even do that before an external audit and say, hey team, go fix these things real quick, and now we're good, all is well. So that's an example of change management.

Now I'm just going through other examples that I have time for. A little bit of time? Sweet. So I'm going to slide back to that original slide of what tools. Okay, here we go. This one, I want to just throw out some different examples that might come around. When I first joined Adobe, man, those were some fun days. I was in charge of around 120 teams to do audits, and I had to go and write emails for every internal audit and every external audit to every team, saying, hey, here's all the evidence I need from you for everything. We were auditing for ISO, SOC 2, and a few others; HIPAA, I think, was in there. But anyways, we're auditing for those things and tons of evidence, and then I have to set up a two-to-six-hour meeting with them where I'd sit down and record them going through every single one to prove that they did it, and then they would have to send me the evidence via email if they weren't able to show me. And then I'd go through the recording for six hours, hopefully I took timestamps, if not I was screwed, but go through and take screenshots of every point in that meeting. And that was the most miserable thing. I said, okay, now I've got to do that for email twice a year and I have to manage those emails, and it was miserable. I was right out of college, and let's just say email was not my forte.

So Kenny Scott, Paramify, he was my boss at the time at Adobe, and I was like, hey Kenny, I can't do this, I'm done. And he's like, no, no, the audit's almost over, take some time after the audit, you have one month before the external audit starts, during that one month find a way. So at that point I was like, okay, I know they're using a ticketing system, I'm gonna integrate with that ticketing system. I'm not doing emails anymore; that's the number one thing that's going away. So, database: I didn't have a database. I made a wiki, and a massive wiki; it would freeze for five seconds every time you loaded it, it was the worst. But I had a wiki of all the teams and all their metadata, and then I had another one of all their systems, and so I had two databases of all the controls, all the systems, and then I just automatically generated Jira tickets, around 4,000 tickets every quarter. And the funny thing is, the security leadership was not happy about that. They're like, why are there so many tickets coming out of security all of a sudden, like, what happened? And then I was like, sorry, but this is how I'm managing evidence collection now. Engineers love tasks in a ticketed system that they can track, not through an email that they can't prove evidence of action. And security was like, huh, and then the product teams were like, we love this, send us more tickets, and security engineering was like, no more tickets. So we built more. So now we're generating like 8,000 tickets, and then that became too much. Security engineering, product teams were like, okay, too many, we love that it's actioned, but this one script isn't going to be enough. And that's where, at Adobe,

we started doing CCF automation. We said, okay, we've automated this process of tasking this thing out; now let's automate these tasks. So as we automate those tasks, we drop those tickets; we dropped it down from roughly 60 tasks per team to like 15, right? And now it's a lot more work, because each task is its own environment, and sometimes buying a third-party tool is the right way to go; sometimes automating that through another platform is the way we've gone, right? But wherever you are at your stage that you're going through, maybe it's compliance, maybe it's not, maybe it's engineering work that you have, looking at those ways that you can automate things can decrease it.

Now I want to throw in a last plug on AI, since I have one minute. One of the things that we're doing that might be interesting for folks is, sometimes you can't get away from screenshots for evidence; sometimes they just have to happen. You're just like, I hate it, but sorry, it's not worth my energy and time to automate that. One thing that we're thinking about (don't quote me; it's all recorded, so I guess you can quote me, darn) is to think about these things: okay, can we analyze an image? Can we see that image, and then immediately after someone submits evidence in the image format, can we notify them, say, hey, by the way, I'm not seeing this, this, this, this: timestamp, server names, user instances, right? I'm not seeing these key attributes, please re-upload, right? With all these things, now you don't have a two-week gap of, like, hey, I uploaded evidence, two weeks later, oh sorry, your evidence was wrong, upload it again, and this cycle of, like, oh, but I did, no, I, like, but you're missing these things. Like, you can automate a lot of these things by validating items, right? You might even go through and say, hey, data awareness is key when it comes to compliance, and what you're having, maybe you're automating and connecting an AI to be able to answer questions of, like, hey, what kind of evidence do I need to provide for this? And they don't have to go and bother an auditor who has no idea what he's talking about, and then who asks another auditor who's like, oh yeah, let me tell you which auditor you need to reach out to to answer that one question about that one framework about that one thing. And AI can answer that within seconds; chatbots are legit nowadays, right? So those are some things I had, and thanks for your time. I appreciate it.
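The rules-engine checks walked through in the change-management example above (missing required fields, approval dated before the change started, approver on the team's approver list, backout plan present with an exception for emergency changes), as an added Python example that is not from the talk, the open source CCF, or Adobe's platform. The control field list, the team directory lookup and the change records are all constructed stand-ins.

```python
from __future__ import annotations
from datetime import datetime, timezone

# Constructed stand-in for what a control library (the talk uses the open
# source CCF) returns for the "all changes are approved" control: the fields
# every change record must carry. Not the real CCF requirement text.
CONTROL_REQUIRED_FIELDS = (
    "change_id", "title", "affected_systems", "submitted_by",
    "approved_by", "approved_at", "started_at", "backout_plan",
)

# Constructed user-directory result: everyone reporting to the team's manager
# is treated as an approver, the same assumption the talk makes.
TEAM_DIRECTORY = {
    "team-alpha": {"manager": "mgr.alpha", "members": ["eng.ana", "eng.bo", "eng.cy"]},
}


def approvers_for_team(team: str) -> set[str]:
    """Approver list = manager plus direct reports."""
    entry = TEAM_DIRECTORY[team]
    return {entry["manager"], *entry["members"]}


def _parse(ts: str | None) -> datetime | None:
    """ISO-8601 string to an aware UTC datetime; None if the field is absent."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc) if ts else None


def check_change(change: dict, team: str) -> dict:
    """One row of the results sheet: change id plus a list of flags (empty = clean)."""
    flags: list[str] = []
    missing = [f for f in CONTROL_REQUIRED_FIELDS if not change.get(f)]

    # Backout plan: an emergency change (e.g. a security fix) may legitimately
    # have none, but it is routed for review rather than silently passed.
    if "backout_plan" in missing and change.get("emergency"):
        missing.remove("backout_plan")
        flags.append("emergency_no_backout_review")
    flags.extend(f"missing:{f}" for f in missing)  # any other gap is a red flag

    # Ordering: the approval must land before the change started.
    approved_at, started_at = _parse(change.get("approved_at")), _parse(change.get("started_at"))
    if approved_at and started_at and approved_at > started_at:
        flags.append("approved_after_change_started")

    # Approver must be on the team's approver list pulled from the directory.
    approver = change.get("approved_by")
    if approver and approver not in approvers_for_team(team):
        flags.append("approver_not_on_list")

    return {"change_id": change.get("change_id", "<no id>"), "flags": flags}


def run_population(changes: list[dict], team: str) -> list[dict]:
    """Check every change in the pulled population; this is the auditor's sheet."""
    return [check_change(c, team) for c in changes]


# Constructed population, as if pulled from the change-management system for
# team-alpha's users over the audit period.
SAMPLE_CHANGES = [
    {"change_id": "CHG-1001", "title": "Rotate API signing key", "affected_systems": ["api-gw"],
     "submitted_by": "eng.ana", "approved_by": "eng.bo", "approved_at": "2024-06-03T09:00:00+00:00",
     "started_at": "2024-06-03T10:00:00+00:00", "backout_plan": "Restore previous key from vault"},
    {"change_id": "CHG-1002", "title": "Bump TLS config", "affected_systems": ["lb-prod"],
     "submitted_by": "eng.cy", "approved_by": "mgr.alpha", "approved_at": "2024-06-10T14:00:00+00:00",
     "started_at": "2024-06-10T08:30:00+00:00", "backout_plan": "Revert config commit"},
    {"change_id": "CHG-1003", "title": "Add log shipper", "affected_systems": ["web-01"],
     "submitted_by": "eng.bo", "approved_by": "contractor.x", "approved_at": "2024-06-12T11:00:00+00:00",
     "started_at": "2024-06-12T12:00:00+00:00", "backout_plan": ""},
    {"change_id": "CHG-1004", "title": "Hotfix for security advisory", "affected_systems": ["auth-svc"],
     "submitted_by": "eng.ana", "approved_by": "mgr.alpha", "approved_at": "2024-06-15T01:00:00+00:00",
     "started_at": "2024-06-15T01:05:00+00:00", "backout_plan": "", "emergency": True},
]

if __name__ == "__main__":
    for row in run_population(SAMPLE_CHANGES, "team-alpha"):
        print(row["change_id"], "PASS" if not row["flags"] else ", ".join(row["flags"]))
```

Each row is already in the checks-and-flags shape the talk describes, so writing it to CSV for the auditor's spreadsheet is one `csv.DictWriter` call away.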