
Now, ladies and gentlemen, Bruce Potter.

All right, so I'm Bruce. I'm really loud, so this will be fun for the audio guy. I like to troll them, so I'll back up from the microphone and move toward it, there'll be feedback, it's really exciting. I've been starting my talks the same way for the last 20 years, give or take, and I encourage you not to believe anything I'm about to tell you. There's a wide variety of reasons for that. I'm a serial liar, so that's a good starting point, but I'm also a college dropout. I went to school at the University of Alaska Fairbanks. Did anyone go to UAF? Right, it's one of the few schools that actually has an acronym for a security thing, use-after-free, ha. So I have a UAF t-shirt, it's geeky, and it's where I dropped out. I went there for four years and decided I didn't like doing it, and ended up running system and network operations for the largest ISP in Alaska. I knew too much other wacky crap, but like a lot of other people from my generation I got into cybersecurity because I thought it was interesting, and I did it kind of on the side. I was self-taught, you know, I had a bunch of random crap under my desk that we would build systems out of and break and have fun understanding how the world worked, but we didn't learn it in a structured way, so I didn't really know if I was learning the right things, I was just learning things.

If you're over the age of 33 you probably don't have an undergraduate degree in anything cybersecurity related, because most of those degree programs didn't exist. You could have a graduate degree, you know, if you went to Purdue and studied under Spaf, or you went to Hopkins with Avi Rubin or something like that, you might have a graduate program in cyber, but you were not trained in this in any kind of structured way. In my generation, I'm in my 40s, there are a lot of people who got into this who came from all kinds of different directions, and we still have that today, right? The hacker ethos is still "I learned it, I like it, I do it," but coincidentally I may have also gone to $20,000 worth of training and taken a four-year graduate program or undergraduate program at a college, which is very different from the things that I went through. So by and large, what I'm about to express to you is my personal opinion based on my personal experiences. I've tried to wash out my own personal biases and things of that nature, but some of it will shine through. I will encourage you, if you disagree with me, if you think what I'm saying is [expletive], throw something at me. I'm not making that up. People that have been to ShmooCon know what we do: we arm you with little squishy foam rubber balls and tell you to throw them at the speaker. You probably don't have foam rubber balls, but you, sir, have a drone, so I'm gonna work my best to just really offend you and see. Or the beer as well, like, maybe throw that in small one-ounce increments at me and that'll be okay.

So before we really get started with this talk, and this talk is going to go nowhere, right? Like you've been lost in the car, not knowing where you're going, this is the next 45 minutes. We're lost in the woods in rural Carolina, we will come out on the main road at the end and you won't know what the hell just happened. So I'm just saying. You are wearing the shirt, god dammit. Can you stand up, sir? You have googly eyes. The oddity of it, you keep turning around, so you know that's my likeness on a shirt, and I've tried to buy that off the market because I don't like them, and they were $100 a shirt as it turns out. We can go to the ATM after and I'll buy that shirt off you. I'm attempting to reclaim this, but it's really disconcerting. Like, go to the Columbia mall in Maryland and someone walks past you with your face on their shirt. It actually happened, and I walked up to the guy, I pulled out a lot of cash, I'm like, I'll give you this for your shirt, and my wife, she was just appalled, and in response, of course, for the next ShmooCon she did a reprint, so there were 200 more shirts on the market. That's a first-gen, man, that's OG, that's the "founded my firewall" shirt. That's great, so this is starting really well.

So I've been a consultant for a long time. I'm a CISO right now, and so that basically means I'm the scapegoat, but in the past I was a dirty capitalist, I did anything for money. A big part of my job as a consultant was to provide conceptual models for our customers so that they can understand their problems and then understand the solution to make their life better, right? When we would sit down and do a scoping conversation with a customer, just trying to figure out what they needed, we would propose to them the work that we wanted to do, we would write up a one- or two-page "our understanding of the problem," so it's parroting back, like here's what we think we heard from you, to make sure that we're on the same page. And there were a number of times where customers said, I would have paid you for the proposal, right? You added clarity to my business because you were able to create a model for my company that helped me understand my problems better, and that was just in the proposal. There was one technology company where we interviewed people for a day, all these portfolio managers, heads of these products, and they really didn't understand how they all stitched together, and then we drew a diagram like, this is all your products put together, and they were like, holy crap, that's our company. I'm like, right, your security consultants shouldn't be doing the vision stuff, right? Like that's not okay.

So when I think about security, I think there's different parts of security. Security operations, the responding to events and alerts and actually operating the big levers of the controls that we have and things of that nature, is really a trailing indicator of the security industry at large, right? Because at the end of the day you can only be as secure as the things that you buy. You can't be wickedly frustrated with Microsoft and say, I think I'll build my own operating system, right? Because it's not 1992 anymore and your name's not Linus, right? You don't get to do these things, you just get to go buy an operating system. You are welcome to try to build your own CRM, but you're better off to go buy Salesforce, right? These are things where you don't have a choice, you buy from the marketplace, you don't build. So that got me thinking. I'm presenting off an iPad for the first time, so this is gonna go really well. There's a theoretical maximum to how secure you can be, and if you buy shitty products your theoretical maximum is very low, right? Now I know you've seen the Mythbusters episode where they actually polish poo into a shiny ball, and so there are rare occasions when you can make it so the bar is higher. Who's seen that one? Right, that's a pretty good episode, they made a nice big ball of poo and that was pretty cool. There are rare occasions where your theoretical maximum is better, but that's just because you did the Herculean work of polishing that ball of poo. In reality what you need is a system that has more potential security, right? You can think of this as, if you want to get kind of physics on this, the bottom is kind of your kinetic security, the security that exists. The light green is the potential security, it's the security that could exist if you have the time and the energy and the staff and the resources to configure it. It's like, for those of you that do AWS security, every time re:Invent happens and there's more security tools that come out, that bar just keeps going higher. You're like, I don't understand how to do any of it, but I'm sure there's a class or a contractor or a third-party product, which Amazon will make obsolete in the next year, because that's what happens every year at re:Invent. They make a bunch of companies obsolete when they're like, oh, there was a problem and we fixed it, and now you're all out of business.

So when I think of security operations, I think those are the levers, those are the controls that exist. That's your SOC, that's your IT security people, that's what they can do. Closing that gap starts to become an engineering exercise, right? This is the kind of thing where I'm trying to figure out how to plug things in better, how to integrate these controls better, how to make my system better given that potential security space that I'm operating in. Well, that's cool and all, but how do we push the bar forward, right? This is clearly a dynamic environment that changes every year, so ultimately what we want to be doing is building more secure systems. So this is either internally, I'm building more secure systems for my customers, or externally, I'm building products and services for consumption and sale that I need to build security into, I need to make more secure, right? This is Microsoft and the Trusted Computing letter and Bill Gates saying we have to build more trustworthy systems, right? This is that mantra of, we're gonna build things that are more secure. That usually has kind of a near-term time window, right? That's an engineering problem, you're using existing off-the-shelf techniques and capabilities to build more secure systems. So in my mind that kind of building more secure systems has like a two-year lifecycle, right, where you start thinking I need to make things more secure from the get-go, and in two years' time I'm probably doing that. On top of that, then there's the final level, which is foundational research in security, right? This is the work that, again, Google and Microsoft will put their own money into, but DARPA, NSF, organizations like that, put their money into as well. That's long-time-horizon type activity, right? So that's the kind of thing where the payoff is long, it's risky, but it can have immense benefit to us as a society if it works.

Now if you are like Joe's auto parts shop and you're running a SOC, you're not thinking, what I really need to do is invent a better way to sandbox applications, and maybe find a better way to do process isolation so there's not side-channel leaks on processors, right? Like, for your muffler shop those are not things that you're gonna spend time on. As much as you may conceptually think those are really cool problems, you're not going to get paid to do it. If you do, you should go start your own company and stop working for the muffler shop. Also, if you work at the muffler shop, it's really hard to recruit security professionals, right? It's really hard to be compelling when you're in that space. So one of the challenges we have from an MSSP perspective is actually hiring people, and it turns out we're kind of attractive in that regard, because people can come here and they can solve all kinds of cool problems at lots of different customers. If you are in a non-attractive part of the country, and I don't mean to disparage any particular part of the country, everyone has their own biases of what parts they find attractive and not attractive, but there are parts in general that aren't attractive as a universal state. It's kind of a joke, sorry, that was... wow, that one fell flat. I was gonna keep right on, right? I did not disparage Raleigh or Durham in either of those statements, by the way, it was more geared at Ohio. So most of the room is like, yeah, Ohio, that's about right. You have a really hard time recruiting when you're also competing against Amazon, Google, various security companies, that kind of thing. So in general you're hiring security operators, and we're only going to bend the levers that you're able to buy.

So why do I bring this up? When I start thinking about what the future holds, which ostensibly at least is kind of the purpose of this talk, it's useful to have a model of how we can affect the future. And the future, as much as we can make changes in the SOC, we can make changes in the operational basis, it doesn't have a material change on the world, right? We are a trailing indicator of how shitty the thing is, and the fact that a lot of people need to exist in security operations is a testament to how bad all our systems are, nothing else, right? We can be very good at our trade, but that doesn't mean we're necessarily making the world more secure. We're just holding back the dam, right? We're keeping everything from falling down. That's security operations' job. It's the job of the people up top to make sure we have better products in the long run, so we need fewer people holding the dam up, and I've held people to account as best I can in my role in that regard. I actually got asked to speak at the DARPA Cyber Colloquium a number of years ago, where I kind of read the riot act to the DARPA director on stage about not funding cybersecurity research enough, and I still retained my research contracts that I had with DARPA, so I was pretty pleased with how that all turned out. But there have to be organizations like that who are thinking about greater-good issues at the top of this in order to make our lives better at the bottom of this.

Anyway, so I have a question for... sir, you have a question? Yes, that's what we're going to get to next. Question: isn't the sea level continuing to rise? And that's exactly what I'm gonna get to next. Well, that's why I'm going to ask you. Okay, all right, this is my straight man, I like this. I did not pay you yet, sir, but I will pay you soon. Yeah, take a ticket, dammit, first edition only.

So I'm going to show you three graphs and you have to tell me which graph you think is the right graph. So there are three views, potentially, and I'm leading the witness here. There are potentially three ways to view the cybersecurity industry. We can look at the amount of work that we've done versus the amount of work that there is to do, like what the attackers are capable of in that kind of space, as parallel lines, never to converge, never to diverge, right? This is the Sisyphus problem: I do the same thing every day and I'm in exactly the same place at the end of it as I was at the beginning of it, wash, rinse, repeat. I've been doing this for 25 years, and there are certainly times in which I feel like I'm that dude. I'm not as chiseled and cut as he is because I'm not Athenian or Greek or whatever. Sisyphus was Roman? I always get confused, Roman, Greek mythology, right? Anyone know this? Is this Roman or Greek? All right, we'll go with Greek, thank you Wikipedia. Or is it the abandon-all-hope view, where it's divergent? These lines are not only not intersecting, they're getting farther apart. Anyone watch Invader Zim and know the Doom Song? Doom doom doom doom. Yeah, that was Bob with the inflection and everything else... breathe... the voice actor, sir? Oh yeah, I kind of wish I was a cartoon as well, sir. And then there's the much more hopeful view, with rainbows and unicorns, where at some point in the future, just past the horizon, they connect, right?

So if I can rewind: who thinks we're this one? All right, a handful. Who thinks we're this one? Potentially a supermajority. Who thinks we're this one? One person, maybe someone in the balcony, but I'm blind. I believe we are actually this one, but I also believe that's not correct. This is the reality, right? Life, it's a wild ride, my friends, right? There's ups and downs, it's super exciting to all of us geeks, and when you explain it to the lay people they're like, that's really boring, right? Like, all of that was terrifying, I don't understand any of those words, but thank you, I was able to sleep, so I appreciate that you've cured my insomnia. What I want to call out though, in this completely imaginary graph that I made in Illustrator based on lots of data analysis that I did, is that there are transformative events that occur in cybersecurity that cause kind of step functions, either in attacker or defender capability, right? We are not linear, right? There are things, I mean, one of the examples I like to call out is Shellshock, right? Or, actually, sorry, Heartbleed. Like, the day before Heartbleed came out we weren't really thinking of a threat model that involved adversaries from around the world reading all the memory off of all of our SSL-protected web servers, right? People weren't really thinking, like, how do I protect against that? Like, well, I don't know, drink more vodka, because that's a really stupid threat, like that will never happen. And then you woke up the next morning like, haha, I told you that would happen. It transformed us, and now we think about, like, there may be another one of these things like Heartbleed, where at a distance someone can do something to my front-line servers that's so catastrophic that I have to react in minutes and patch and fix my servers and do all kinds of things that I didn't think I had to do the day before. So that's a transformative step function. There are things that change over time, but there are a few things that you can point at and say, like, that's a big deal.

As an example, from an attacker perspective, the use of return-oriented programming to be able to bypass certain protections on, you know, operating systems and applications was a big deal, right? Like, ROP enabled all kinds of exploits that you couldn't exploit prior to ROP existing. On the flip side, ASLR, address space layout randomization, where memory spaces inside of programs are randomized, that made it very difficult for legacy types of attacks to work and required something like ROP to come along and transform that. So when Microsoft pushed out ASLR in XP Service Pack 3, it was a big deal, right? Like, it made it a lot harder for attackers, it was a good thing for us. You'll notice there are points here in which the slope is negative, and I contend there are times we go the wrong goddamn direction. So, you know, from an attacker's perspective, like when you start outing APT groups, you know, post Google Aurora, post some of the DIB attacks that were going on, in some of these APT groups Mandiant and CrowdStrike started outing them. That slows them down, right? There, you don't have operational cover anymore because we're sharing information about them. I mean, that's a big deal. On the flip side, so I was noodling on this the other day. I bought a Pentium 4 a while ago, a while ago to be clear, not like last week, and that thing clocked out at like 3.8 gigahertz or some nonsense. Well, you buy a processor right now, actually you don't really have any clue how fast it is. Like, Intel's giving up on that war because Moore's law kind of trailed off a little bit, and instead what we rely on is heavily parallelized execution. I mean, 100% what allows us to have wicked performance on our iPhones and stuff like that is not that there's a 20 gigahertz processor in here, it's that the processor can execute 64 threads at a shot, right? Remember, some of you weren't born yet, but remember, like, the desire to have a symmetric multiprocessor system, like somebody made a dual-proc Celeron board, right? I owned one, it was a server, it was glorious. It was the cheapest, dirtiest server, but it could run two threads at a time on Celeron processors. It was awesome. And now we take for granted the fact that you can run multiple threads, like many, many threads at a shot at any given moment. That's what allows us to have fast computing. As it turns out, it also allows us to leak lots of data through side channels, to have all kinds of other idiotic security things happen, because no one actually understands the modern processor architecture. It is psychotically complicated, right? The people who design the chips don't know. There are operating systems inside the chips that can be patched on the fly. Oh, what? Like, I thought silicon was silicon. No, this is pretend silicon that can be reprogrammed and changed in all kinds of things, and then when you get the side-channel attacks and you have to back out all the stuff that allows all this stupid stuff, Spectre or Meltdown, to exist, the processors get slower. Like, who knew, right? Breathe. This is where you tell Bruce, Bruce, you should breathe. Let's, no, all right.

If you're Amazon and you've got, say, hectares of freaking servers, and then one day this stuff comes out and Intel's like, by the way, the way to fix this so you don't get owned is do this thing that decreases the performance by 40%, Amazon's like, I guess I'll buy Rhode Island and pave it and fill it with data centers to make up the difference, because that screws up my business model, right? Like, that's a material problem for cloud providers when Intel says, by the way, these patches... And we're still contending with this. Like, for those of you who run Nessus scans on a regular basis, like every goddamn month there's a new Spectre and Meltdown thing that you have to care about. Like, how much do you care about it? Not at all, right? I don't care about it, no one's on my box, no one's gonna do side-channel stuff. Side-channel attacks are cool and all, but they're like rarefied air. They're slightly less rare than people using weak cipher suites on SSL connections to get credit card numbers, right? Because that's a thing that has never happened, right? For the PCI people in the room, I get emails every once in a while where someone's like, you allow weak ciphers for your SSL suite. I want to go through the internet and choke the person, like literally reach through, because here's what would happen as an attacker. Let me just paint you a picture. First of all, I have to be in a place in which I can watch the SSL connection. Nice, you are the PCI guy. Oh, Jeff is pointing out that it's NIST's problem. This is gonna be a deep rabbit hole, come out the other side of the world, but he did throw food, which I appreciate. So yeah, well, if it was a beer I'd be coming down to thank you, sir. So, wow, where the hell... what were we talking about? PCI, right. So, tickets for everybody. So this is the start of the talk, by the way, just buckle up. Like, if you had dinner plans you could throw up right the hell out of... so anyway.

So the problem is I have to be in a spot where I can see the transaction. Okay, I have now man-in-the-middled the network somewhere, okay, a wireless network that I had to crack to get into, or I've compromised an ISP and latched on there at OSI layer 2, and I found an SSL session that uses a weak cipher. And then I, what, could I just pay a guy? Like, yeah, or I could go all human and I paid it, it's very complicated, but at some point I've expended an asinine amount of energy to get one SSL session. It's still encrypted. So then I take it and I throw it up into Amazon and say, I have all the power and a credit card except to pay for this, and I grind on it, and twenty-five dollars later I've cracked the session, yay, and I open it up and it's a cat gif. Dammit. So I go back into the data center and I wait for another SSL session, then I get it, then I go back and it's another cat gif, right? After about a million dollars I find the credit card number and I use it to commit a hundred dollars of fraud before it's shut off, and my return on investment is really negative, and I made bad choices in life, and I'm gonna go mine Bitcoin instead. So that's my impression of the PCI... sorry, Jeff, it's NIST's fault, I know, I know. I think my actual better thing would just be hitting you in the head and stealing your wallet. Like, at the end of the day, the most successful crime is one that you know is gonna work. Like, humans are still bludgeonable, so, you know, we've known about bludgeoning for a while but we have not come up with anti-bludgeoning defenses. So there's no... unless, well, I do wear a helmet a lot just in case I get bludgeoned.

So anyway, back to the future thing. Anyone know, anyone read this report? I was gonna ask, anyone know what this report is, but it turns out it's in English and on the screen. This is an Air Force study from 1972. I would encourage you all to go read it, right? I actually haven't. I used to reference this report a lot and haven't referenced it in probably 10 years, and I went back and reread it a couple days ago. "Computer Security Technology Planning Study," from the Air Force, 1972. It is one of the first public documents from the federal government to talk openly about problems in computer security, and you can read these quotes, I'm not going to sit here and read them to you, but the concerns that are expressed and the problems that were faced by the Air Force in 1972 are not materially different from the problems that we face today and the way that we think about what we now call cyber risk management, right? You can see the precursor for everything we do from a cyber risk perspective in this 1972 document, from physical security to multi-tenant issues to the quality of code to insider threat, all these things, all called out here, right? And this is what makes you think maybe the lines are at least never going to intersect, if not diverging, because when you see this piece of art from almost 50 years ago and you look at what we've accomplished today, you're gonna be like, well, I have job security, but it's terrifyingly depressing that I have job security, right? I don't feel good about this kind of job security, right? There, I might be chasing ambulances, and the ambulances are literally getting built and I'm just following them out the door. So it starts, I mean, this is the starting point. Like, we can go back to the dawn of time, 2001, wherever you want, but in my mind this is one of the big markers in the sand, a transformative event where people publicly started talking about computer security: the 1972 Air Force planning study.

Then there's been other things, like the Eternal September. I love this meme. It's like, I just needed a reason to use this. This is not the Eternal September that I was talking about, but nonetheless I got to use it. So, I mean, was anyone alive, and does anyone know what the Eternal September is? Yes, Jeff, you must know, Jeff. I'm not calling you old, okay. It wasn't this compelling. I usually call people out, like the gentleman up there who's leaving. Bye, sir. He didn't turn around. The guy who didn't turn around was actually a client of mine. He wasn't as amused as I thought he would be. Eternal September: September used to be a bad month on the internet, as if there needed to be one, like October is Cyber Awareness Month, September was the shitty month. So every September in the late '80s and early '90s, freshmen would show up at college and they would all get accounts, and they would all get provisioned onto Usenet. Anyone in this room been on Usenet before? Okay, for those of you older than 35, there used to be a network of servers around the world that would pass news to each other, and it was really just forums, right? And people could pass around things. It was really peer-to-peer networking before that was a term, where someone on one side of the world could post something, it would then flood across to a bunch of servers, and somebody on the other side of the world would eventually get the "I think you're wrong" message. This is like Twitter before Twitter was a thing, it was just really slow. Like, you know, you had a days-long argument, it couldn't unwind in a couple of hours. So what? Yeah, you do it overnight, yeah. No, I mean, when we were in Alaska we had two T1s and 20,000 customers, and as it turns out we did our big Usenet transfers on the overnight because that's the only time we could sneak the bandwidth. The way... sir? Oh, because there was nothing new, right. Imagine if you could only update Twitter between 9:00 and 9:30 in the morning. Wow, you've been around, sir. I mean that in a good way, as good as possible.

So the Eternal September. So what would happen, to rewind, every September you'd get all the newbies who'd roll up on Usenet and be in all caps, HEY HOW DO I USE THIS THING, and you'd have to then explain netiquette, right? Like, you'd be like, first of all, there's the caps lock key, find it, hit it once, and then pull it off, and then talk like a normal human, be polite, right? And so by October things had settled down and people had determined how to be human and everything would be all right. September 1993, yeah, that was kind of the end of it, right? AOL had become a thing, there were a lot of other factors, Jeff pointed out a few of them during his talk. In 1993 the internet was really gaining momentum, and by early 1994 there was this realization, like, the internet will never be the same after that influx of people. To be super clear, I got my first internet account in September of 1993. Like, I am part of the problem, and the problem persists today. Like, we have Twitter, right? Like, the Eternal September has become Twitter. Yeah, thank you. I'm like the proto-millennial, right? Like, before there were millennials there was me screwing it all up, and now look what happened. So, proto-millennial. This has gotten to some weird places. But it's hard to argue with the impact that the commercialization of the internet had. NCSA Mosaic came out that year, all these things happened in 1993, which completely changed the face of the network. Before, it was just a network. Then it became a way of delivering content to people, it became a way that we all interacted, and it became a way we interacted as a society, not just a bunch of industry and academic geeks, right? Which is really what it had been before, for the most part.

So, another transformative event. I mentioned ASLR earlier, so ASLR is partially in response to, I mean, there was a lot of things going on, but "Smashing the Stack for Fun and Profit." Who's heard of that paper? It's kind of a big piece of work. If you haven't, I recommend you go read it. Aleph One wrote a paper called "Smashing the Stack for Fun and Profit," and it was about how to basically find and write buffer overflows and use them to exploit a system, right? You write past the end of the buffer, you hit the return address, you jump to a place where you've written some shellcode, and poof, you can go execute whatever you want, you have interactive access to the system. And actually, when you read the paper it's very approachable, and one of the reasons it's approachable is systems weren't that complicated back then, right? Like, memory was in static places. When you compiled a thing, the address was always right there, and it was 32 bits, and it was like a piece of cake, and I could train interns to write buffer overflows in like an afternoon. It was not that complicated. In the mid-'90s, it's like every day on Bugtraq, again, thank you Jeff for laying the groundwork on that, you know, on these different mailing lists and IRC chat rooms, people were coming up with new buffer overflow exploits and finding new things that they could go own and compromise, and it was just like the Wild goddamn West, because it was 0-day every day. I mean, it was crazy, like it was just all the time, like people just dropped exploits, because it wasn't that complicated to find, it wasn't hard to write.
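The mechanism just described, as an added example that is not part of Bruce Potter's talk or of Aleph One's paper: a C model of one stack frame laid out in the order the paper walks through (a fixed local buffer, then the saved frame pointer, then the return address), so that an unchecked copy visibly runs through into the return-address slot, beside the length-checked copy that refuses such input. The `struct frame`, the stand-in return address `ORIGINAL_RET`, and the function names are this example's own assumptions; the frame is modelled as a struct so the overwrite can be observed deterministically without corrupting the real stack, which a stack protector or modern compiler would otherwise turn into an abort.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the talk): a model of one stack frame in the order
 * Aleph One's paper walks through it. A 16-byte local buffer is followed by the
 * saved frame pointer and then the return address, so on the real stack writing
 * past the end of buf runs into ret. Modelling the frame as a struct reproduces
 * that order without corrupting the real stack, so the effect can be checked. */
struct frame {
    char buf[16];          /* local buffer the vulnerable function writes into */
    uintptr_t saved_fp;    /* saved frame pointer pushed by the prologue */
    uintptr_t ret;         /* return address the epilogue will jump to */
};

/* Arbitrary stand-in for the legitimate return address (assumed value). */
#define ORIGINAL_RET ((uintptr_t)0x08049abc)

/* The 1990s pattern: copy until the terminating NUL with no length check.
 * The copy goes through an unsigned char view of the whole frame, which is
 * exactly what an unchecked strcpy() into buf does to the memory behind it.
 * It is clamped to the model frame only so this demo itself stays in bounds. */
static void unchecked_copy(struct frame *f, const char *input) {
    unsigned char *dst = (unsigned char *)f;
    size_t n = strlen(input) + 1;          /* includes the NUL */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(dst, input, n);
}

/* Returns 1 if copying `input` into the model frame overwrote the return
 * address, 0 if the copy stayed inside buf. */
int overflow_clobbers_ret(const char *input) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_fp = (uintptr_t)0xdeadbeef;
    f.ret = ORIGINAL_RET;
    unchecked_copy(&f, input);
    return f.ret != ORIGINAL_RET;
}

/* The source-level fix: refuse any input that does not fit along with its
 * NUL. Returns 0 on success, -1 if the input was rejected (dst untouched). */
int checked_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    /* Constructed inputs: one that fits, and one that fills buf (16 bytes),
     * covers saved_fp (8 bytes on 64-bit) and lands the rest in ret. */
    const char *fits = "AAAAAAAAAAAAAAA";                    /* 15 chars + NUL */
    const char *smash = "AAAAAAAAAAAAAAAABBBBBBBBCCCCCCC";   /* 31 chars + NUL */
    char safe[16];

    printf("short input clobbers ret: %d\n", overflow_clobbers_ret(fits));
    printf("long input clobbers ret:  %d\n", overflow_clobbers_ret(smash));
    printf("checked_copy(short): %d\n", checked_copy(safe, sizeof safe, fits));
    printf("checked_copy(long):  %d\n", checked_copy(safe, sizeof safe, smash));
    return 0;
}
```

On a real 32-bit frame of the kind the paper targets the same bytes that land in `ret` here would become the new instruction pointer on return, which is the jump to shellcode the talk describes; ASLR and non-executable stacks attack exactly that step, while `checked_copy` removes the overwrite itself.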
there were had been research done around limiting execution address space layout randomization things like that that very rapidly became instead of a research project like we got to do this to protect ourselves so Microsoft started integrating SLR and XP service pack to a little bit mostly service pack 3 and then it became more and more anti exploit techniques were integrated into future versions and Windows to the point now that it is really pretty difficult to do these kind of attacks anymore unlike modern-day instances of Windows right it is a very different world to write these attacks now than when it was I mean there was a bunch of stuff that happened was robbed and other exploit
techniques, but we left the realm of being able to do, like, artisanal, handcrafted exploits, which is really where we were in the mid-90s. Like, you could sit down with a hex editor, your bare hands and a bottle of Beam, and, like, in half an hour you'd be pretty drunk and have a working exploit. That doesn't happen these days; you just get drunk, right? I mean, it's not all bad, there's upside to that. So, artisanal exploits. You're here for the show, folks; I hope you're getting your money's worth out of it.

So there were various UNIX security-isms that I think were transformative. You used to just be able to go to the password file as a normal user and read the password hashes. Oh, like, did you imagine that world? Like, cat /etc/passwd: wow, look at all these hashes, and they're hashed, oh, very simply, excellent. And then we got the idea, like, maybe everybody shouldn't see the password hash, so then we created the shadow file, or whatever the hell it's called in Linux land. master.passwd? Is it shadow? Oh [ __ ], it's FreeBSD that has master.passwd. Curse you. Okay, I'm a FreeBSD person; Linux is an abomination to the entire planet. Bring it. I have whole talks on that. It's an accidental operating system, people; it shouldn't exist. Like, it's just because of force of will that you have Linux. The BSDs are actually operating systems; Linux is just a grand experiment, it's a social thing, it's stupid radio for the 21st century. I like it. You're here for the show. So, um, shadow passwords: they limited the ability to see the hash, they put it in a root-only-readable file, they got better hashing, and it really was the precursor to what we think of today as password protection, right? All that stuff that happened on UNIX; it wasn't Novell, it wasn't Windows, this is all driven by UNIX. I said Novell, right? Yeah, NetWare. NetWare admins in the room? Yeah, yeah, right, a few. Really, it was the easiest way to play to them, right? Yeah,
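The shadow-file split described above (hashes moved out of the world-readable password file into a root-only-readable file, with stronger hashing) is something an auditor can check mechanically. The snippet below is an added example, not code from the talk or from any BSD or Linux distribution; it classifies the hash field of constructed shadow-format entries, flags the weak, empty and locked cases, and checks a file mode against the restricted-permissions expectation.

```python
import re
import stat

# Crypt-scheme ids used in /etc/shadow and BSD master.passwd hash fields.
# The id between the first two '$' signs selects the hashing scheme.
SCHEMES = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
WEAK = {"descrypt", "md5crypt"}  # fast, unsalted-enough schemes to rehash


def classify_hash(field: str) -> str:
    """Name the scheme behind one password-hash field."""
    if field == "":
        return "empty"        # no password at all: login without one
    if field[0] in "*!":
        return "locked"       # account cannot log in with a password
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "unknown")
    if len(field) == 13:
        return "descrypt"     # traditional 13-character DES crypt(3)
    return "unknown"


def audit_shadow(text: str) -> list:
    """Return (user, scheme, finding) for every entry in shadow-format text."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        scheme = classify_hash(field)
        if scheme == "empty":
            finding = "no password set"
        elif scheme in WEAK or scheme == "unknown":
            finding = "weak or unrecognised hash, rehash on next login"
        else:
            finding = "ok"
        findings.append((user, scheme, finding))
    return findings


def mode_is_restricted(mode: int) -> bool:
    """True if the bits give 'other' no access and the group no write (e.g. 0640 root:shadow)."""
    return (mode & stat.S_IRWXO) == 0 and (mode & stat.S_IWGRP) == 0


# Constructed sample entries (not from any real system).
SAMPLE = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ:18500:0:99999:7:::
alice:$y$j9T$saltsalt$abcdefghijklmnopqrstuvwxyz:18500:0:99999:7:::
bob:$1$saltsalt$abcdefghijklmnopqrstu:18500:0:99999:7:::
legacy:ab12xYz/3dEfG:18500:0:99999:7:::
svc:*:18500:0:99999:7:::
guest::18500:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme, finding in audit_shadow(SAMPLE):
        print(f"{user:8} {scheme:12} {finding}")
    print("0640 restricted:", mode_is_restricted(0o640))
    print("0644 restricted:", mode_is_restricted(0o644))
```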
you get it. Like, IP addresses beat IPX, my friends, right? You all know that, those of you that are older than 35. Um, TCP Wrappers was a low-level service that allowed you to control access to applications per IP address, or per user, or for a bunch of other crazy stuff. It's sort of like a precursor to a lot of the network-based access control that we think of now; it actually has a stronger authorization model than a lot of the network-based access control that we have now. And, you know, it was, I think, around forever, and it was very effective at limiting people's ability to get to services. And I just want to call this out: FreeBSD jails have been around a long time, we just didn't have cute names for them like Kubernetes. That's basically what Kubernetes is: a FreeBSD jail, except with a bunch of stuff wrapped around it to make it, like, possible for mortals to use. Tsk, well, not even. Anyway, I need to move forward, because I'm literally getting long in the tooth and I haven't even gotten to the material yet.

So, browser sandboxing: this is a big deal. It used to be, like, I punched a hole in the browser and I got to the kernel, I choked it to death, right? Like, and that was all one move, it was like a, you know, martial arts movie: just, like, right through Firefox, he got the kernel, and it was super cool. And then the browser was like, hey, we might be a material part of the security of the planet, we should think about security a little bit. So they came up with things like browser sandboxing, to try to isolate the browser so that if bad things happen you were just punching the browser in the face and not actually getting all the way through to the kernel. Now we have things like site isolation in Chrome, which is a really neat idea: every tab has its own process, which is good, because I think we need 64-bit process IDs now, right? Because Chrome is going to have about a billion processes on my box. See, I never close any tabs, ever, right? So it's cool and all, but there's a memory issue that comes up, right? Like, this is becoming like Slack when it comes to memory consumption. Yeah, anyone's Slack memory use? Like, you ever noticed Slack uses, like, a terabyte of memory? Question mark. Whatever. So, it's like, I work for a memory provider, it's great, we have a relationship; if there's gonna be a monopoly about it later, we'll be in jail. But, like, the last Pwn2Own had two UAFs and an integer overflow to get to the kernel, right? That's not trivial, that's a lot of work, and that was actually a short chain. There
was one of the chains I saw a couple years ago, it's like 10 steps to get from the browser to the kernel, right? That's not your, again, 30 minutes and a bottle of Jim Beam; that's, like, a dedicated amount of work, that's a lot of tooling, that's a lot of expertise to do that. Browser-borne attacks that go after the operating system just really aren't a thing anymore. This is a step function; this is the thing that has materially changed what we do.

Real quick: the rise of online commerce and online fraud. So many moons ago, when Amazon first came out, we had an opportunity to do public-key-based credit card transactions through this thing called Secure Electronic Transaction. I was involved in a startup that was doing asset-based, network, nationwide deployment of SET. It turns out Visa and MasterCard killed SET. Why? Because nobody wanted to reissue a bunch of cards with chips in them, didn't want to reissue all the readers in the physical places to actually have chip-and-PIN readers in the stores, because there wasn't that big of a threat of fraud in 1999, so we didn't do it. What happens? You fast-forward, you know, two decades plus or minus, and we have Target, we have Home Depot, and suddenly, oh my god, we have to do chip and signature, right? Because, like, it's something you have and something you scribble. Totally appropriate security; I hear that's what Duo is going for next year. So the signature thing is so goddamn stupid. The killer for me is, like, that wasn't really online fraud. Like, Target was a crappy HVAC provider's cybersecurity, and Home Depot was whatever the hell it was, but, like, they just went after, again, they weren't really going after the SSL connection, they just went after the people that had all the goddamn credit cards. In SET, the merchant would never actually have the card, right? It cryptographically would have been blinded; you would never have the problem where merchants have credit card numbers. It was impossible in the system for you to have a credit card number if we had used SET and deployed it in the mid-90s. But instead, all we have now is slightly more secure activity at the terminal, and people are still sitting around on credit card numbers in databases. Really goddamn stupid. Also, the standard that we use on the chips is 25 years old, right? EMV has been around forever; it turns out Europe has been using it for a stretch. We could have used it too, we chose not to, and now we're sitting here half-assing it without even a PIN. So sometimes I hide my feelings, usually when I'm asleep.

This is my big point for the day: I think that ransomware is the greatest thing that's happened to small and midsize business security since
it's existed. Why? Because they're all getting owned and now they have to deal with it, right? Like, we've all had the calls: hey, you're the security person in the family, my buddy, my friend, my sister, my whoever just got owned, and their box has got this flashing skull laughing at them and saying that I need to pay them in Bitcoin or Litecoin or Ethereum or something, and can you come help me? And, like, yeah, I will buy the Bitcoin and pay it for you, right? Like, because I'm sure you don't know how to use Coinbase. So my brother-in-law got hit, and his first instinct, I was like, it's probably, like, an Eastern European crime ring. He's like, I'm gonna fly to Eastern Europe, I'm gonna beat somebody up. I'm like, you're gonna die, right? Like, nothing about you landing in, like, a former Soviet republic swinging a battle-axe and, like, "find me the criminals," none of that's gonna end well for you. Let's just pay the 2000 dollars and get your files back. And he was very, like, they're not gonna give me my files back. I'm like, if they didn't, the revenue model would be broken and no one would pay, so they have good customer service. And they had very good customer service, and they were very upfront, like, before you do this you need to patch your systems, because if it happens again it might be us again and I can't take responsibility for it. So here's what we came in through; you should patch this. It's like, thank you. And so we patched it, and then applied it, and we got all those files back. It was insanity. So, um, I do think this is causing a reformation in the small and midsize business world, where they're having to pay attention to these things, because even if you don't get hit your peers get hit, and that gets your attention, and that causes companies to think.

So, okay, so now for the meat of the talk. Um, if you laugh a little bit, like, well, I will just fly through the next ten
slides, because what do I think the future holds? I'm gonna make some bold predictive statements so you can hold me to account in ten years and tell me I was wrong, and I will totally agree with you. So, first thing: the enterprise as we know it is going to die, right? We are not going to own our own data centers; we are not going to have, God please, Active Directory servers anymore. There will be a point. Active Directory is the biggest risk to any organization that still has them today. We're gonna bail, yeah, except for the companies that haven't bailed, in which case they have the time machine, so, like, they can go to the future and get the good stuff, because they're obviously living in the [ __ ] past. So for the pen testers in the room: when you're in an AD land and you get on the one host and you have to do a lateral movement, what do you do? Anything you want. You just roll around; it's so exciting, there are so many ways to move around inside of an Active Directory universe. If you're cloud-only and you don't have AD, it is trench warfare: you go from box to box to box, it sucks, right? That's why AD is such a liability. We are at the point where companies are existing and growing that don't have AD, which was almost unthinkable five years ago, right? I think that we are terrible at running our own data centers, because when you run your own data center, what you're really saying is, I can do a better job than Amazon and Google, and I will say that's [ __ ]. Like, 99.999% of the time there's no way on God's earth you can. If you've got a threat model that requires it to be internal, that's cool, but it turns out even the CIA doesn't have a threat model that requires their stuff being internal, right? They use Amazon's cloud. If it's good enough for them, sure, it should be good enough for you, full stop.

Okay, so we will have increased diversity in our tech stack, I think, because frankly developers are rabid squirrels and they just, like, see a shiny thing and they integrate it in, and it's a challenge right now to, like, pump the brakes and say, like, we need to do a third-party assessment of the random thing that you just bought from a random company in Eastern Europe that has a built-in cryptominer. Like, that's cool, but it solves the problem we have with connecting to our core database. So we will see increased diversity; we will see risk because of that, but I do think in general what it means is we will run less of our own things and rely on others to do the one thing that they do very well. You will have a provider that's your cloud database provider, you have a provider that's your queue provider, you have a provider that's for your website and some other stuff. Everybody's going to have discrete providers; it might all be Google or Amazon or a bunch of providers, but it won't be you. What that also means is sysadmin is a dying trade, except for the people who actually run the big data centers like Amazon and whatnot, and even then it's all disposable, right? When it breaks it's one of a trillion, so you throw it away, right? You don't have to fix things in those universes. So I also did this in Old English, because I have an axe to grind
on "wherefore art" as a concept. What does "wherefore art" mean? Why. Other Shakespeare geeks? That's good. It turns out, like, people use "wherefore," like, to mean "where," and it turns out it doesn't mean where, it means why. Anyway, that was not really as funny as I thought it was gonna be.

So next up: privacy is gonna be a big deal, like, a really big deal, in the future. Why? Companies are gonna get fined a lot of money, tons and tons of money. What does that really mean? Right now in the US there's not a single regime to drive us there; there's CCPA, there's gonna be a Nevada law, there'll be other state laws. It is going to be chaos, and it's going to affect everybody in this room, and you're gonna have to figure out how to deal with these privacy issues both from a compliance perspective and an actually-doing-it-right perspective, because those two things aren't necessarily the same, right? You can be compliant, like, say, I don't know, PCI compliant, Jeff, and still get owned, I don't know, Home Depot. And so you can be GDPR... you can't be GDPR compliant, by the way. I have someone who's trying to give me, "where's your GDPR certification?" I'm like, that's not a thing, I don't know how to tell you that. But yeah, it's like, "didn't get sued" is my certification. No active lawsuits, yeah, that's my certification. I'll put the seal up; if the seal ever says "number of active lawsuits: nonzero," then you can fire me. It turns out, though, we really don't know anything about privacy engineering, and when I say "we" I mean a body of people bigger than a few hundred, right? There are a few hundred people in this country who are good at privacy and good at bringing together the privacy kind of policy issues and the societal issues of it with the actual engineering, the software, the infrastructure concerns and that kind of thing. Very few people understand that. And very... are you one of them, sir? Is Sloan odd? Yes, okay, he's very hireable, so you write him a large check, because whoever you... will get a lot of money, sir, I promise you. Thumbs up; he's, like, very excited. It's going to be a very hot area; we're all gonna be clamoring for the same thing; it's gonna make the rush to hire cybersecurity people, I think, look like child's play. It's gonna be a bad scene. If you're looking to get started now, then this Privacy Framework draft is out and it's a good place to start. I don't think the final is gonna look that different. I worked with NIST to help create the Cybersecurity Framework, and I did a little work with them on the Privacy Framework as well, and knowing how they work, the draft that's out right now is probably 95% what the final will be. Our company, Expel: we have, or will have, released on the website shortly a self-assessment tool for the Privacy Framework. It's not part of our business, not what we do; I just release my internal security stuff publicly so that you all can benefit from it, because we're all slaying the same dragons. And I would encourage you, if you can do it, to, like... we released our third-party assessment process, our CSF or Privacy Framework, our incident response tabletopping process, we release all that. If you have things that you can do that are repeatable, please work with your company to release them, because we're all trying to solve exactly the
same problem, right? So please go home and do that. Anyway, real quick, the future holds, from a defense perspective: when we think about security operations (and I've been doing security operations for a long time prior to working where I work now), you're only as good as the signal that you can receive, right? Whatever's being emitted from your organization, you can only transact on that. It's the same as the first graph, right? If I can't see it, I can't instrument it, I can't understand if it's good or bad, and therefore I can't, you know, make determinations about incidents in my network. We've gotten pretty good at that enterprise thing; inside of our walls, inside of our own data center, I can introspect really well and get a hold of it. What I can't do is in a cloud provider. With Salesforce: oh hey, Salesforce, I'd like to see, like, the state of all the patching of your servers, could you, like, give me a live feed so I can do a vulnerability scan of your data center? Right, yeah, no. Hey, Salesforce, can I see when this person logged in last? Maybe, if you pay enough, right? Like, that's the level of introspection I get. We are going to go through a period where, as in the previous slide, we move away from our own enterprise and we go to the cloud, and we're gonna be like, I'm blind, I can't see anything. So, cloud provider, I'm gonna discriminate my buying based on how good a job I can do of getting signal to be able to operate, to protect myself. That'll become, not as important as the functionality, but more important than it is now; it will be table stakes that they'll have to express and provide more signal for us to be able to actually see what's going on.

Steve Ballmer is doing the "developers, developers, developers" dance; again, if you're older than 35 you probably don't know what I'm talking about. Automation will change things, I think pretty dramatically. Frankly, there aren't enough of us to go around, and it is going to require us to automate our jobs. There are things that the robots can do better than us, and we need to hold our vendors to account to help automate that, right? SOAR products and things like that are a good addition to a lot of organizations but frankly shouldn't have to exist, because you would hope the rest of your security stack has enough automation in it to help do some of these things. Kind of my bold statement there: we are going to have to rely on automation because we can't breed enough of us, and I don't mean, like, you know, biologically breed, I just mean straight-up, like, train us fast enough to do this work.

Attackers: two real quick things, and I'll close it out. Exploits are gonna be coming harder and harder to
find. I think that, you know, I mentioned earlier, like, humans continue to be susceptible to bludgeoning, right? We're just big sacks of water, and we know, and we've known for a long time, if you puncture us with high-velocity things, like, the water all comes out and it's a bad day, and we haven't been able, armed with that knowledge, to, like, make ourselves better, right? We're still big squishy things of water. We knew about attacks of, like, hey, people are smashing the stack and causing [ __ ] to happen, and now we can fix it so that can't happen. We put countermeasures in our network all the time: when we see an attack we have an IOC that we can inoculate ourselves against immediately across our enterprise, right? That means that, as hackers, you know, as we find more and more attacks in the network, we continue to neck down the body of knowledge that the attackers have, based on known exploits, based on their ability to move, all kinds of things, and at some point system-level access via exploit stops really being a material thing that we have to worry about. Not because it wouldn't be bad, but because there are so many countermeasures in place that it's so hard to do it, we're not going to see them anymore. So, put another way, it's all about the data. We see that today: attackers work on getting data, not access. It used to be access, and nation-state actors still do that, right? Nation-state actors doing intelligence operations still want access, and that threat's not going to change. But for general run-of-the-mill adversaries, for criminals, things like that, hacktivists, you're not going to see that focus. The focus is to get to the goddamn data, and they're going to be leveraging legitimate access to do illegitimate things. That's where the future of attack... I mean, that's where we kind of land now, and that's where we're going in the future.

Also, this is "the pen test": literally, the piece of paper that you see there is the testing of pens, which it took me a while to find; very excited to have found that. Because of all of those things, those of you that are pen testers are going to find your job changing dramatically in the next decade. Breaking into systems will not be as cookie-cutter as it is now, and I'm not here to impugn pen testing as a religion. I have done, I mean, I've been paid to break into stuff for a long time, and at my company we were very good at breaking into things, but a lot of what we did was very bespoke. People would hand us a thing and be like, break into it, okay, and we would figure out a way to do it, but most of it was impossible to do with, like, run-of-the-mill, off-the-shelf-type stuff. I think that's going to become the rule, not the exception, and it's also going to involve authority that you don't have, right? Again: hey, Salesforce, I'd like to run a pen test against you because one of your customers wants me to. That's funny, right? There are all kinds of things that you won't be able to test; we're gonna have to find different ways to evaluate security controls. They're somewhere between audit and actual online assessment, because I can't pen test, because I don't have the authority, and audits just pretend. So where's the middle ground? See what I did there?

All right, with that, it is five o'clock straight up. You've been a wonderful audience, and also, though, I want to thank BSides Raleigh for flying me down. This has been outstanding, I really enjoyed it. Thank you very much.