
Well, hello everybody. Thank you so much for joining us at BSides SF 2025. I have a very special guest and presenter here today. I'm going to look up his name to make sure I say it properly: Adrian Sanabria. Sanabria. Darn it. Close. Okay. His topic is really cool: Preparing for Dragons: Don't Sharpen Swords, Set Traps and Gather Supplies. This is a headliner room, so he is definitely a special guest. I'm going to turn it over to you. And if you could do us a favor: if you have questions, we have a QR code for something called Slido. You can actually type in your questions and I'm going to be happy to read them towards the end for our presenter. Okay, there it is. Very good. So if you take your phone, QR-code it, type in your question. I'll be happy to read as many as I can towards the end. All right, take it away, my friend.

Thank you very much. Welcome everybody. I will lead you to lunch out of this talk. That's where I'll be heading directly as soon as I finish up, so you can follow me there if you have any questions that we didn't have time to answer. This is definitely the biggest screen I've ever had the privilege to have my slides on. I was worried about the footnote there, the resilience-based approach, being unreadable, but I think it's probably very readable for most people. I very much enjoyed Wendy's talk. How many here caught the keynote this morning? Wendy's keynote. Excellent. I did not change these. I didn't touch these slides after Wendy's keynote, but we worked together for a long time. She hired me in at 451 Research a long, long time ago, and I guess we just think about things in similar ways. But I was delighted that we're going to have kind of a common theme running between my talk and the keynote, or some similar theme. She covered a lot of ground.

All right. So this talk, in addition to resilience, is really about focusing. Cybersecurity covers so much ground. Who here has seen that CISO mind map of all the things that CISOs have to worry about? Yeah. It's just this enormous mind map. You have to zoom in on it to see anything. And it increases every day. You know, we've added AI safety to that. A lot of CISOs I've talked to have had fraud added to it. A lot of CISOs I know have to worry about executive protection, the physical security of their executives. So more and more gets added to it every day. So a lot of this talk is about focusing on the right things and how we figure out what the right things are to focus on. That's kind of what I mean by work smarter, not harder. And a lot of it is preparation and prevention; those are things that we do in the downtime, right? Whenever that happens. And less chasing dragons, which I now realize I think means something in drug slang. I'm not sure what that means, but in this context, when I say less chasing dragons, think the RSA expo floor, right? Think the billions in marketing that's there to distract you and convince you that the latest threat, whether it be AI or quantum, is something that you should be spending time on as opposed to the things that are actually going to make a difference.

So thinking about this: threats are very public, and when new threats come out it's very easy to imagine issues. We see all kinds of really cool side-channel attacks. We see stunt hacking. We see a lot of stuff that's really never going to be a risk for your organization, but it's very visible, which makes it easy for vendors to latch on to, create companies around, market around. And yeah, I've got I think two or three slides that you probably want to take a picture of, and this is one of them. Very bullet-point heavy. I'm sorry. I didn't spend enough time to eliminate bullet points from this talk, so there will be bullet points.

I've worked in marketing for startups, right? And something you get very, very tired of writing is "the threat landscape is constantly evolving" or "cyber threats are becoming more sophisticated." One of the things I do when I have time is research, and one of them is doing postmortems of breaches, understanding how companies fail. And the vast majority of the time, and sure, there are exceptions where sophisticated, interesting things happen in attacks, but most of them look like a mediocre pen test from 2010 done by junior pentesters. They're not that sophisticated. They're not evolving that much, because they don't really need to. There's still a lot of low-hanging fruit out there. There are SonicWalls, you know, that people have forgotten about that have default credentials or haven't been updated. There's a reason we're constantly seeing Ivanti, Fortinet, SonicWall, you know, the names of router and firewall and VPN providers, all this legacy hardware that's out there. And on the flip side, when somebody has a really good day in security, it doesn't make any headlines, and we're not exposed to that. It's constantly, oh, it's post-quantum encryption, the threat of quantum computing; those are the headlines we're seeing. Meanwhile, you don't see the headline about the company that switched half their people to Chromebooks and a lot of problems went away, right? Or had really good outbound filtering and the C2 didn't work, or the exploit came in but couldn't create a connection back out.

So on one side we have the industry that's produced these very threat-specific products. You're going to buy a product just for SaaS security posture management, or just for one specific area of, you know, like SCA for application security. We've got all these little tools around, and maybe SCA isn't the best example there because it's not really threat-specific. But the things where it's attached to specific TTPs on the MITRE ATT&CK framework, or it's attached to very specific threat actors or types of threats, versus the more broad defenses that can help you across the board with a lot of things; that gets you a lot of the way there without having a lot of overhead. And another thing about threat-specific products is they tend to be high labor but very low efficacy. If you think about the average SOC and the amount of those alerts that are something you actually want to, you know, maybe contain a breach or take some kind of action like that, you look at the numbers, you look at the ratio or the percentage of those alerts you actually want to worry about. It's at the point now where we have an entire market of solutions that generate the noise, and then another market of solutions that sit on top of that one and try and filter back out the noise that the first solutions generate, right? So if you think about your SIEMs, now we have all the SecOps AI. We're going to eliminate the triage layer of SecOps with LLMs or something like that. Or in vulnerability management, we've got risk-based vulnerability management, where step one is: give us that noisy report that came out of Tenable, Qualys, Rapid7. Give us those scan results and we'll clean it up for you, prioritize it for you. So it's just kind of madness that we're stacking these things on here, the fixes for the problems that are created by things that we all pay for.

And yeah, one of the things I want to highlight on the defense side is, when I do this analysis of breaches and how companies fail, I can't think of a single case where I was like, yeah, they needed a ZTNA solution. That would have stopped it. They were missing some tool or something that they bought. They had things that were misconfigured and very broken processes, a lot of assumptions, which was something that Wendy talked about earlier, and yeah, best attempts, but lots of bad assumptions is what I tend to find. So, kind of good news, bad news. It's a lot of work to do foundational security stuff, but you probably already have everything that you need.

So that kind of leads me to this idea of enlightenment. Chop wood, carry water. Before enlightenment, chop wood, carry water; after enlightenment, chop wood, carry water. No matter how sophisticated you get on the defensive side, how much progress you make here, you're still having to do these basic fundamentals of making sure when employees leave their access is revoked, making sure MFA is enabled on all the accounts, just this almost checklist-type stuff, and prioritizing the fundamentals. A lot of people talk about fundamentals, but even just looking at asset management, it's overwhelming to try and do a good job with that, to try and put together a good asset list for both software and hardware. And there's a lot of prioritization you need to do there to be successful at it. And 20 years ago in security, 15 years ago, when we came up with best practices, we were guessing in a lot of cases. We thought, oh, this NAC seems like a good idea, right? Network access control or application control seems like a good idea. Or making people change their password every 90 days seems like a good idea. But we are, thanks in part to ransomware, flush with data on what works and doesn't work now. And there are reports getting released almost every day that will help you prioritize that foundational work and say, "Okay, I need to have really good data flow diagrams. I need to be really aware of where my customer data is stored, where it's going, all that kind of stuff."

So these are kind of the eight steps we're going to go through. I don't think the timer ever started, so I'll just use my watch. I've kind of broken things down into these eight steps. They're not all discrete; some of these, like recovery, survive and recover, where we're talking about resilience, keeping the business up and running, that stuff goes on all the time during a lot of these other steps.

All right, let's jump in. So, step one. I don't know if anybody noticed the first slide. At this point maybe you've already forgotten, but what was wrong with that first slide, that title slide I had up? Yeah, the horse is great. Yeah, AI is great, right? Yeah. I didn't ask for fire. I just asked for a dragon, I think, and it decided to throw the knight in there riding the horse, and the horse is breathing fire. It's a work in progress.

Yes, so reducing attack surface is huge. I do a lot of enterprise advisory work, and I do a lot of vulnerability management as well, and one day I'm talking to somebody about their vulnerability management process in Excel. I say, why don't you just share your screen? I feel like it would be easier than you describing this stuff to me. We have an NDA, let me just see what you're looking at. And they share their screen, and clearly you can tell what we're looking at are web servers from the names of the hosts. You can tell they're external web servers, and just looking at some of the vulnerabilities there, immediately you could tell these are just default Red Hat Enterprise servers. No hardening's been done. It's running all the services that come out of the box. Everything is still installed. They're running CUPS on external web servers, right? Why are you running printing services on your external web servers? And just imagine how much easier vulnerability management is when you pull those 16,000 software packages off these systems that don't need to be there, when you shut down all these services, you shut down all these ports. And it's a lot of work. In some cases, companies that I work with have done this work, but now the image is three years old. And the moment they build eight new servers, the trend line on vulnerabilities just snaps right up, because that image is three years old and now they have to patch all over again. Now they're three years behind. So they're constantly one step forward, two steps back because of that.

So data as well. If you look at the FTC and the fines they're handing out, a lot of them are for storing too much data about customers, which is kind of the antithesis with AI. Companies want to take advantage of that data and collect as much data as possible. So we have a contradiction here, but less mess makes everything easier.

Shoring up passive defenses. These are things that just protect you because half your employees are using Chromebooks, like I mentioned earlier; there are whole classes of attacks that now don't work. Very carefully choosing the application framework that you use can cut out entire classes. That's why people build stuff in Rust. That's why maybe you limit the kinds and variety of WordPress plugins that you use to just a few very well-maintained plugins. A lot of these are architectural choices, and you'll notice as we're going through here, the choices they make control a lot of your pain in security. So a lot of these things we are dependent on the IT side for, but if we can guide them and we can say, you know what, what if we use this framework instead? There are opportunities here to make things easier. Just proactive tech refresh. I remember Cyentia did a report with Cisco on security outcomes, and one of them showed, I think it was, the best thing you can do for employee morale is proactive tech refresh. Just not making people have to take care of stuff that's out of end of life, out of support, old and clunky, buying parts on eBay. That can erase so much attack surface and take care of so many of these problems. So I'm thinking of these as passive defenses.

And upgrading defenses as you go. If you remember the flow from earlier, this is where the arrow comes back to, having this process flow. I feel like we need some version of Six Sigma for cybersecurity, or maybe it just works as is for cybersecurity. But this concept of constant process improvement, which means you have to track how good of a job you're doing, which means you have to have some way of measuring value in your processes, the products you have, the services you have, and replace them as needed. But this is where you're going to apply new lessons learned. This is where that lessons learned comes back from incident response, or it doesn't have to be your own failures. Maybe you're reading a report and you learn a really good lesson from that report. This is where you put that in. This is where the feedback loops tie back to. And I mentioned underperforming services and products here. The idea that a product can have negative value is a very real thing. I'm sure some of you have experienced this, where you buy a security product and not only does it do nothing for you, it creates overhead. It eats up people's time and resources that could be working on other things. So when I say negative value, that's what that means. That means this thing has entered your life, it's just a pain in your butt, and it gives you nothing back. You get no value, no benefit from it. So yeah, it doesn't go to zero. Value goes below zero when you're measuring that. And you can measure that in dollars. You can take the salary of the people working on it, and I used to do this. I used to have a spreadsheet: okay, we bought FireEye, here's the number of times it's actually caught a piece of malware that could have gone on our systems, which was zero, 100% false positives with the old NX appliance, and here's the amount of time we spend on it. Every time there's a false positive they want us to jump into the command line, run this command, create a zip file of all the logs, FTP it to a server. This is 2012; maybe it's not FTP today. But yeah, it took four hours of time every time we had a false positive, and they'd come back and say, "Yeah, just take the hash of that binary and put it in the allow list." Like, why is this thing sitting here? Why do we pay a quarter million dollars for this thing that just burns our time, just sets fire to our resources?

So step four, understanding. This kind of builds on what we talked about earlier: reading industry reports. There's amazing stuff out there. I mentioned Cyentia before. They did a meta-study of all the ransomware reports that different vendors had put out and made a heat map, basically, of the MITRE ATT&CK framework and said, "Okay, here are the things attackers are actually doing." Because the MITRE ATT&CK framework is an encyclopedia of everything that's possible, not everything that's actually happening, right? So you shouldn't aim to have a detection for everything in the MITRE ATT&CK framework; you're just going to end up with endless amounts of noise. And there are reports out there that will tell you here is what's happening. The Verizon Data Breach Investigations Report for 2025 just came out and has a lot of good data in it. It will help you focus on those fundamentals, on prioritizing the fundamentals that you work on. Speed of exploitation, also a big one here. I think the DBIR also says, for critical, exploited vulnerabilities, it's 5 days before we start seeing it exploited from when vulnerability disclosure happens, and for edge-focused ones, so the Fortinet, the, for whatever reason, the management port of your Palo Alto firewall is hanging out on the public internet, zero days is the number for that one. You're going to see it within 24 hours of that disclosure happening, because all the attackers have to do is put together a script and just auto-pwn across the entire internet, and that's what they do.

Oh, and yeah, last point there. Don't just share intel, share solutions. So whether it's through ISACs, however you do it, defenders need to... I've talked to so many defenders. They're like, "Hey, look at this cool way that I do this." Have you talked about this? Have you released anything open source? Have you shared this? No. Like, don't tell me about it, tell everybody about it. This is something really useful people can do cheaply that probably doesn't occur to them with the tools and resources they already have.

So preparing countermeasures. This is kind of like passive defense, but the active version of it. This is where you have broad mitigations: outbound filtering, exploit prevention, the ability to do virtual patching. Maybe it's going to be a week, it's going to be a month before you get a patch out. What mitigations can you do to prevent that exploitation from happening, or neutering the exploitation, the ability to pivot or reach back out to C2, whatever that mitigation might look like based off of the new zero day, the new vulnerability? There's a lot of mitigations you can do. In fact, you could think of the patch itself as a mitigation, right? That's the preferred mitigation, but since it comes with availability loss, maybe we want to consider some other things, maybe it's a WAF or something like that. So reducing the effectiveness of the attack is what we're after there.

All right. So if stuff does get through, we want to make sure we know how to handle it when it does. We still see a lot of organizations where, obviously from the outside, their PR folks did not know how to handle the breach. Their executives are panicking. They're denying everything. I think we saw this recently with Oracle on two different breaches at the same time. That is not the way to handle a breach. You can very much tell either somebody's unprepared for it or they've got a lot of lawyers. Those are the two explanations for handling a breach that way and denying what's going on. But beyond just the PR aspect of it, just the technical aspects of it: when we're talking about resilience, we're talking about keeping the business up and running. We're talking about keeping operations going, keeping revenue coming in. So let's say what happened with the CVE program happens with Let's Encrypt tomorrow, and the day after tomorrow all your certificates need to renew, but Let's Encrypt is gone, and that's where you're pulling all your certs from. How quickly, how agile are you to handle that kind of a problem if that rug gets pulled out from under you? So yeah, tabletop tough decisions. And again, this should be based off of what's actually happening. Let's Encrypt, that would be kind of a black swan event, right? We don't have any data to suggest that that is going to happen. But eventually you get to those kinds of black swan events that you want to prepare for. That's probably not the first thing you need to be worrying about.

And monitoring queries. That's a real fun one that somebody turned me on to a couple weeks ago, where they find a lot of breaches just by, all of a sudden, somebody's searching for passwords, searching for these really obvious, like, somebody shady is in our environment. Either it's an internal risk, an internal issue with an employee, or somebody from the outside has gotten in and now they're using Microsoft Copilot to look for juicy stuff in our environment. So monitoring queries is a good opportunity.

Deception is severely underused, I think, in the industry, particularly for folks that maybe outsource a SOC, use an MSP for that, or an MSSP, or, I think, for pretty much everyone. I don't know how this started, but there's this view that you need to be really mature before you start thinking about deception, using it for detecting attacks that have gotten in. I think it's the absolute reverse. I think you can set up some good fake accounts, fake data, some fake traps. Just go to canarytokens.org. There's stuff you can do for free. There's a lot of open source on GitHub, a lot of honeypots, honey token solutions out there. There are some commercial ones as well. And you can know the moment somebody gets in your system, and those things should fire every time you have a pentest. And this is something where you should be able to get it down to zero false positives pretty easily. And there are not a lot of detections out there where you can do that. So this is a quick way to kind of shortcut this ability to figure out what's going on in your environment.

And this is the ultimate goal: survive, recover, and thrive. As quickly as you can, get back to day-to-day routine. I don't think we get extra points for preparing for APT 5678 versus just keeping the business running. I think this is one of those disconnects between the business and security departments where, yeah, I've seen people just go down the rabbit hole on trying to figure out how to secure against exotic vulnerabilities and attack techniques and things like that, when the only reason you're there is to keep things up and running. So yeah, anti-DoS, quick backup recovery. And do you test this stuff or not? That's the other thing. You kind of need permission from the business to break stuff to get to resilience. I don't think any of us can get to resilience as long as we have somebody saying you can't scan that VLAN, things will fall over. Well, if they fall over, we need to solve that problem.

All right, here's the feedback loop again. So talking a little bit about continuous improvement here again: super important, learning from these lessons. Every time we have a failure, somebody else has a failure, this should feed back into this cycle where we improve the work that we do. And it requires measuring a lot of stuff, like how often has your MSSP actually brought something to your attention that was a problem versus you finding it yourself. Have you tested your MSSP? I don't know how friendly they are with this kind of thing, but make something happen on your network. We used to create a file, an Excel spreadsheet, and just put it on a file server, this is 20 years ago, and then we'd delete it, and then we'd tell the backup admins it was super important. And we found maybe 10% of the time they were able to recover that file. And that was really useful information. So as we outsource more and more to managed providers, we need to know that percentage.

All right, takeaways. This is the other one you probably want to take out your phone for. I'm not going to read through this whole thing, but this kind of sums things up. The CIS 18 is really useful. And I'm not anti-vendor. I do a lot of work with vendors, but man, there are a lot of distractions out there, and they have a lot of money to distract you with. So that's kind of the key takeaway from here: read these amazing reports that are out there telling you how people are actually getting in, how damages are actually occurring, and focus on that. Prioritize your fundamental work on that and not on the latest agentic quantum AI whatever.

All right. All these pictures were done with AI. It did a lot better than... I don't know if any of you saw my talk last year, but the images were pretty bad. So I'm kind of testing the quality of AI image generation as I give talks at BSides San Francisco, and I think that's a decent likeness of me.

That was fantastic. Thank you, Adrian. Amazing. Right. I love that his presentation was in tandem with Mary's, our keynote speaker. So thank you so much for that. A couple coincidental... Say yes. Completely coincidental. Completely a coincidence. I think not; collective consciousness. All right. What documents can beginners use to get started reducing their attack surface in their personal environment?

Oh. Mike. Yeah. Yeah. In their personal environment, I think you need to... So there are a lot of services out there like DeleteMe that will do a lot of this stuff for you, that will kind of crawl, but learning OSINT techniques, you know, there's a bunch of tools out there that are free that you can use. Just Googling yourself, just using search engines, is a pretty good start. And yeah, just look up OSINT tools. Maybe go to some OSINT training. There's OSINT training online and things like that. But learning different OSINT techniques, I think you can do a pretty good job in discovering, and really those techniques, anything you learn there is going to translate to your organization as well. And that's another thing: the line that blurs personal and business is gone. Like I mentioned, some of these CISOs being responsible for executive protection, that involves that executive's, that CEO's home network. They now have to worry about what's on their CISO's home network. That is a CISO's job now.

One final question before we break for lunch. What specific source do you recommend to learn about insurance payouts and their root causes?

Yeah, so there are some insurtechs out there. Cowbell Cyber is a great one that will put out some reports. That's the only one I can think of off the top of my head, but I know Cowbell Cyber recently put out a report. Yes. And it's spelled Cowbell like you think it would be spelled. It's a funny name. But yeah. And one of the things we're seeing out of those reports, to give you a bonus: DBIR says 30%, Cowbell Cyber says 40% of breaches are coming from third parties. So third-party risk management is going to need a whole lot more focus as far as those fundamentals go.

Fantastic. So as one of our headliners, we have a little special gift for you. I also want to mention that Adrian also helps run BSides Knoxville, Tennessee, which will be May 9th, I believe. Yes. So we're very pleased and proud to have him as part of our team here this year. Thank you so much. Please give him a great round of applause. Yeah. Amazing. Absolutely amazing.
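The two cheap detections the talk recommends, honey accounts and honey files that have no legitimate use (so any touch is an alert) and monitoring for obvious "juicy" search queries, as an added example that is not part of the talk or the speaker's material. The JSON event format, field names, decoy names and sample events are all constructed for this illustration.

```python
"""Honeytoken and query-monitoring detector (added illustration, not the speaker's code).

Two of the talk's cheap detections, implemented over constructed audit events:
  1. Deception: decoy accounts and decoy documents have no legitimate use, so ANY
     event touching them is an alert (this is how they reach near-zero false positives).
  2. Query monitoring: a user whose searches hit obvious "juicy" terms (password,
     secret, ...) several times in a short window is flagged for triage.
Log format and field names are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
import json
import re

# Decoys you would plant yourself (names here are constructed placeholders).
DECOY_ACCOUNTS = {"svc-backup-admin", "finance-share"}
DECOY_PATHS = {"/shares/finance/passwords.xlsx", "/shares/hr/exec-salaries.docx"}

# Terms that should rarely appear in normal enterprise search / Copilot prompts.
JUICY_TERMS = re.compile(r"\b(password|passwd|credentials?|secret|api[ _-]?key|ssn)\b", re.I)
QUERY_THRESHOLD = 3          # distinct juicy queries per user per window
WINDOW_SECONDS = 600


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    actor: str
    detail: str


def detect(events):
    """Return a list of Alerts for an iterable of JSON event lines (one event per line)."""
    alerts = []
    juicy_queries = defaultdict(list)   # user -> [(ts, query)] inside the sliding window
    for line in events:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line; in production you would count and review these
        kind, actor, ts = ev.get("event"), ev.get("user", "?"), ev.get("ts", 0)
        if kind == "auth":
            # Honey account: success OR failure, someone found a credential nobody should have.
            if actor in DECOY_ACCOUNTS:
                alerts.append(Alert("critical", "honey_account_used", actor,
                                    f"outcome={ev.get('outcome')} src={ev.get('src')}"))
        elif kind == "file_access":
            if ev.get("path") in DECOY_PATHS:
                alerts.append(Alert("critical", "honey_file_accessed", actor,
                                    f"path={ev.get('path')} src={ev.get('src')}"))
        elif kind == "search":
            query = ev.get("query", "")
            if JUICY_TERMS.search(query):
                hist = juicy_queries[actor]
                hist.append((ts, query))
                # Drop queries that fell out of the window, then count distinct ones.
                hist[:] = [(t, q) for t, q in hist if ts - t <= WINDOW_SECONDS]
                if len({q for _, q in hist}) >= QUERY_THRESHOLD:
                    alerts.append(Alert("high", "sensitive_query_burst", actor,
                                        f"{len(hist)} queries in {WINDOW_SECONDS}s, latest {hist[-1][1]!r}"))
                    hist.clear()  # one alert per burst, not one per extra query
    return alerts


# Constructed sample events (not real data). Only "bob" from 10.0.0.77 misbehaves.
SAMPLE_EVENTS = [
    '{"ts": 1000, "event": "auth", "user": "alice", "outcome": "success", "src": "10.0.0.5"}',
    '{"ts": 1010, "event": "search", "user": "alice", "query": "q2 roadmap"}',
    '{"ts": 1020, "event": "search", "user": "bob", "query": "password list"}',
    '{"ts": 1030, "event": "search", "user": "bob", "query": "vpn credentials"}',
    '{"ts": 1040, "event": "search", "user": "bob", "query": "api key prod"}',
    '{"ts": 1050, "event": "auth", "user": "svc-backup-admin", "outcome": "failure", "src": "10.0.0.77"}',
    '{"ts": 1060, "event": "file_access", "user": "bob", "path": "/shares/finance/passwords.xlsx", "src": "10.0.0.77"}',
    'not json at all',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} actor={a.actor} {a.detail}")
```

Run it and the three alerts appear in event order: the query burst, the failed login against the decoy account, and the read of the decoy spreadsheet; alice's normal activity produces nothing.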