Follow the Rules

BSides Charleston · 2018 · 54:41 · 43 views · Published 2018-11

Category: Technical
Style: Keynote
About this talk
Wolfgang Goerlich explores the tension between security rules and practical defense, arguing that rigid compliance without context creates false security while ignoring how attackers operate. Drawing on his experience in both red and blue team roles, he discusses threat modeling, defense-in-depth, and why design flaws—not user stupidity—are the real problem in security.
Original YouTube description: Security BSides 2018, College of Charleston, SC, November 10, 2018, @BSidesCHS. Title: "Keynote: Follow the Rules". Speaker: Wolfgang Goerlich (@jwgoerlich)

Transcript [en]

So, hey everyone. So we're going to go into our final keynote of the day. There is a funny story here: we thought we were gonna be clever and do like a surprise keynote, and then I check on Twitter and then it's like the not-so-surprise keynote. So I don't know if we're just a bad security conference, like we're not good at security, or you guys are too good. I'm gonna try to go for the latter so that we can save ourselves a little bit. But as you guys already know, yeah, I'm gonna present Wolfgang Goerlich and he'll be talking about following the rules. Everyone should do that. Thanks so much.

Alright guys, can you hear me okay? I love the mic on the podium, but I pace, so I might go off, I apologize. I'll speak nice and loud. Yeah, this talk is following the rules, right? That's where we're all hackers, right? We like to follow rules, be told what to do. No, not at all, not at all. My name's Wolf, and a little bit about me: I love BSides. I was involved with BSides Detroit up until this year as one of the organizers. Huge fan of the BSides movement, so really excited to be out here in Charleston. I also do an apprenticeship program. I'm responsible for an apprenticeship program in CBI, which is my employer. We put around 60, 70 people through it now. It's a two-year program where people come in and you train and get mentored, get coached, and at a point in time where I was like, we can't find people, we got an average 55 people for every one person we let in that program. So it's a real cool group of folks that get into that. And then my day job is I'm on the defense, so I've got a peer who's in the pen test. So we're going to a meeting and people are like, he's a red teamer, he's the Yoda of information security, he once broke into the Pentagon, ladies and gentlemen, there was a king. And then I come in next, okay, and there's Wolf and he has spreadsheets, he tries to stop them. Yeah, so a lot of this is from the defensive perspective today that I'm going to be covering. But it stems back from this fact that in information security we're moving towards professionalizing what we do, right? It's become a profession. A lot of us gray beards like myself, we started when it was a hobby. I remember getting on BBSes going, I want to get in, what do I do? And they're like, you need to get sysadmin and root. And I'm like, yes, what is that? And they're like, I don't know, but you need to get it. I will get this sysadmin. What do you do? You're one much too trash. Okay, I don't want to
do that. But you know, you got in on the ground floor and none of us knew what we were doing and there were no rules. And today a lot of folks are coming out of the university and going into my apprenticeship program, a lot of folks are coming out of the school system, and they're coming in to the very organizations I'm consulting with, advising with, and we've sort of cemented this layer of rules that people are supposed to follow. And that's what I want to poke some fun at today, because I think that's really dangerous, because you better believe that the bad guys don't follow the rules, right? So the way this talk is set up is like this: I'm gonna say, here's a rule they tell us, like when you talk about technology, not risk. And then I'm gonna talk a little bit about how are we doing this, here's where it constrains us, here's where it causes problems, here's the issues. Alright, cool, from the defensive side. Red teamers can mock me all they want, because we all know red teamers, well, they'll flip over the table and oh god damn you red teamers, I'll lock the table down next time.

So let's start with that, start with this constant that we're supposed to talk risk. This is like embedded in so many different university programs today. It's like Cecil one on one: don't talk about the technology, talk about risk. And I do love risk, I love the game: there, here be monsters, we will protect the eastern seaboard. But part of the concept of risk management always comes back to this idea of risk appetite. Have you guys heard this? We got it, we got it, know an organization's risk appetite so we can define their security. And I love that question, because you go and you ask like the CEO, hey, what's your risk appetite? Like, hi, we're in business to take risk. Oh my god, okay, that's not really helpful. But alright, you ask the CFO and it's always like, to the penny, nine million eight hundred seventy-five thousand, sixty-seven cents to the last quarter, that's our risk appetite. That kind of tells me how much I should spend on my security budget, I guess. The CIO is, I keep the lights on, no risk, don't do anything scary, keep the lights on, please don't pen test my mainframe or touch any of my systems, and by the way, who are you again and should you even be in here, right? Sales, yes, bourbon. Our CISO, right? Yes, because the CISO, what the risk appetite is, it's my risk appetite. And that's the one problem that starts with this whole issue, is that we have this idea we need to talk risk, but no one really has a clue what risk means. And if
you're a young person, you're like, that's a risk because you can run Responder in the dark, you shouldn't talk technology, that's a risk because you can give passwords. Well, we don't really care because everything's no, professor. And it creates this weird cycle where we actually don't solve any issues. Moreover, there's a bigger problem when you start figuring out what the real risks are. For example, rhinos. Seems like a weird segue, but bear with me. In France a couple years ago, maybe you guys heard the story, in France a couple years ago there's this beautiful rhino and they got the rhino and they had him over here in a cage, fence about this tall, and people said, over here, well no, that's effective, that's a beautiful rhino. And that was at a zoo in Paris. That was the case for about a month. About a month the zoo had this rhino. After a month the rhino got killed, sadly, by poachers. But when I saw this, it bothered my mind. I thought something like that's supposed to happen in like a third-world country. You were in Paris, man, get some wine and some good food, why are you messing around with a rhino? And I started digging into this and trying to figure out what was going on, because, you know, they had a moat, that fence should be fine. Why are you... When you actually did the math on this rhino, it was a little bit over a million dollars, that horn, million dollars. Now if you think about a zoo and you say I'm gonna give you a million dollars of gold coin right here, no, no, they're absolutely not, because they're gonna treat that as a completely different risk. Number two problem with risk is we think about it as the nice animal that we're all here to see, not what's in it for the criminals, right? And what's in it for the criminals is oftentimes abstracted from what the business is seeing, which is why the CISO says bourbon and the CIO says, you know, they'll keep the lights on, the CEO, everyone's got their own perspective. It's oftentimes not, oh, I've got a million dollars rhino horn right there. It's not the way we think.

So back to the game of Risk. This has some really strong implications. We set up all our pieces to protect Europe, right? I'm gonna save that rhino horn, haha, and we've got all our pieces around, everything's good, and we see our perimeters and we see our perimeters and we see our borders, we're like, yes, this is fantastic, and this is the defensive view. However, the attackers see a completely different game. Same pieces, but completely different perimeters, completely different edges. If you guys sat in the red team talks today, you heard that, here's how we see the
network, here's how we see Active Directory, here's how we see BloodHound. To map it through BloodHound is not what our Active Directory admins are seeing, right? They're like, oh, damn it, and we put everything... no, no, it's two completely different games. And that is the next problem. We are fundamentally, at any given point in time, putting the same pieces on two different boards, because one of them is the way the business works, the other one is the way the criminals work, and the difference between whether or not we protect that rhino horn is whether or not we have the piece in the right place at the right time, and hopefully we do, until they change the board.

Problem number two: no one knows the real likelihood or probability of an event. When we talk about risk management, we all get excited about it. Very difficult to do. I do a ton of risk management, risk assessments, through my organization, we do something like 50 a year. And before then I was a CISO of a financial services firm, so companies would do risk assessments on me, and we'd always come up with these great reports and I'd be like, your risk is somewhere between high and whining. I'm like, okay, good. And down here's blank stare, which is my favorite category of risk. But you get these weird charts, you're like, what the hell does it even mean? And yet we're supposed to act on that and build security around it. Risk management sounds really exciting and really fun until you actually go ahead and do it. That's a problem.

Another thing we're taught from a very young age, 101 class: what do the criminals want? Intellectual property. They're out here to steal our data, right? This is what they want. And yet oftentimes I'll go in organizations, I'll have a very similar conversation. I'm like, hey, what's your intellectual property? I was working with a cabinetry company, cabinetry company that built cabinets. I'm like, what intellectual property do you have? And they're like, we're a cabinet company, what do you mean? If people want to steal our cabinets, they go to the places you buy the cabinets and they'll like measure them, and there goes our intellectual property. We have no intellectual property. So oftentimes I'm like, what's your sensitive data we need to protect? Look, we don't have any. Yes, I see, something like, yeah, this is why we drink. It's stuck in this trap, right? But we know there are rhino horns out there. We know that cybercrime is a thing. Cybercrime is reported to be three trillion dollars annually. Three trillion dollars every single year made by criminals defrauding us, doing terrible things with our data. And so if you start piecing that out, that gives us some better visibility into how high we need
defenses to be and how wide we need the moats to be. Intellectual property, first, number one: half a trillion dollars every single year. Stolen blueprints, stolen plans, you name it, right? Stolen patents. Next one, of course, as you might imagine, is credit cards, or your health information: 160 billion. This has actually dropped, and this is one of the things that's kind of interesting about cybercrime. This used to be like the number one way, right? I would steal someone's credit cards and then I would make all the money. Do you guys know what killed that? Why it dropped? No? Before then... Target happened. Home Depot happened. How many times have your credit cards been stolen? I mean, the credit card value went from like, you could be $300 for a stolen credit card, to like 10. I need 10 of them before that, because maybe I can like charge 15 bucks, network, right? Same thing with health information. Anthem went, and it crashed. So you do that math: 3 trillion minus those things,
criminals might still be doing some other stuff. And usually when I put this sign up there, it's like, I know what it is, I know what it is, I have the answer: ransomware. Because we hear about ransomware all the time, right? This is like one of the top things customers ask me. Before, like, hey, can you get the pen tester in here, because he's the cool guy? I'm like, okay. Second, the top thing: can you help me protect against ransomware? Why ransomware? Because I heard it in the news. We have this thing called security by volume. Right now, I don't mean like water volume, that would be kind of cool, maybe I guess just flood everything and then we don't have to worry about it. No, I mean security by how loud the media is yelling. That's really how tuned we are to risk. When you hear about it all the time, ransomware, so it must be ransomware. Check out the stat: ransomware last year, 1 billion dollars. 3 trillion total, only 1 billion in ransomware. When I was researching this talk I pulled out a whole bunch of reports, and Kaspersky's got some good numbers, and it really surprised me, because ransomware actually fell by a third. Fell by a third, at the same time I was still freaking out about ransomware. Fell by a third. One of the reasons, of course, is it became harder to get people to pay, and people are said to have backups, and god forbid they actually protect their data. That's happening somewhere, I hear. And so criminals are like, wait a minute, this is hard, and we're doing all this work to get cryptocurrency, how can we get the cryptocurrency quicker? So of course, you might imagine, crypto mining is what's on the uptick. I've got a good friend who does web hosting and he found Monero. You guys are familiar with Monero? It's like the prime way to do crypto mining now. Bitcoin is too hard for the criminals. Monero can run in the browsers, great. He found Monero; people had used Apache flaws, sprayed Monero all over his web farms, and something like 1.6 million dollars was in stolen wallets running off web front-ends in this data center. It's cool, you should keep that. No, no, I can't, turn it off. Good, you're ethical, that's great. So what was the wallet? But anyways. So crypto mining, right, that is going up 44%, kind of interesting. So ransomware and crypto mining are gonna do something like this and maybe you'll hit about a billion, maybe two million, we'll see what shakes out. That's still a lot of money left.

One of the primary ways that I'm seeing attacked, or I see my clients attacked today, is actually invoice fraud. You guys are probably well familiar with wire fraud: hi, I'm the CEO, please transfer your money, and someone's
like, oh, there's the CEO, here's our money. That has been going on forever. Wire fraud is a thing. But invoice fraud is on the uptick. Here's the way it works. I steal your creds, okay, somehow I've gotten into your Office 365 email, I phished you or whatever, and I'm gonna set up rules, and those rules are gonna be: whenever I email you, you're gonna forward it on; whenever you reply back, you're gonna send it to me; and then you're gonna delete it so you don't see it. Alright, so now I'm gonna email you, and you're gonna send it to you, and you'd be like, oh, that's my email from Jim, hi Jim, how's it going? You see it forwarded back to me, deleted. I'm like, hi, I'm Jim, how's it going, right? And we started a conversation that way. They've been targeting accounts payable folks. I've seen this all over in my manufacturing customers. And then when they say, oh by the way, you may be interested to know that I've got this brand new Acme billing site that has all your invoices, you're like, oh, that's great, because I think all I need to know is what you owe me, so I'm right, so I can reconcile. Oh, here's what I show. Great. Now here's the thing: if you pay now, I'll give you 10% off. How many times are you gonna fall for that if you're the accounts payable person? You want to be the person at the end of the month that said, I saved the company a million dollars, I am a hero. So people do, and they pay all this money, and then the company gets defrauded of several millions of dollars. Very interesting attack. This is the point on the slide where I'd love to give you a great statistic of how many billions of dollars that's happening, but I don't have it, I can't find one. And that is really interesting: two trillion dollars, remember, is unaccounted for. So why is there no stats on this? We get called in all the time to investigate these things. One of the reasons is, if you're compromised for this, you couldn't tell anybody. Oh, by the way, I totally lost, you know, your payments, too. As a matter of fact, the New York Times did a survey, they found that only about 1 in 10 crimes is actually reported. One in ten crimes. So we're all panicking about ransomware because that's what everyone's yelling about, we're all worried about intellectual property if we have any, and we're all told to like worry about crime, but yet most crime we have no idea what it is. About two-thirds of it, no clue what we're even defending against. Most of it goes unreported, unknown. Scary thought, scary thought, and a really big hole in how we go about doing security. Now I know you guys are thinking, don't worry about it,
Wolf, don't worry about it, all we need to do is secure it like a castle. We just build walls around our organization, tall walls, thick walls, parapet, and a moat, we're good, right? Secure like a castle. It's like the quintessential way we're taught to do cybersecurity. Just need a castle. We're gonna build a firewall, what am I gonna do, I'm gonna use a castle. I'm gonna build my website, what am I gonna do, I'm gonna do a castle. I'm gonna do... how do I do it? It's okay, we're gonna build a castle. I don't get that one. But at the same time, we've been talking about building castles forever, we've been talking about building data centers forever, right? And we all know data centers are like on the way out, but I think there's some really good crossover there, because it takes a long time to build a data center, it takes a lot of money to build it, it's so similar with the castle. This castle is Harlech Castle. This castle's in Wales. It's considered by many to be like the prime example of a medieval castle, really great defenses, has stood the test of time. Some interesting things about this castle: when they were building it, it took 10 percent of the revenue of the entire kingdom to build that castle. Those of you in defense, please raise your hand if you have ten percent of the company's revenue. And I got the band... I am looking for a job. So, no, no. Generally, Gartner says we get 0.2% of IT security spend. Usually when I put that up someone's like, I wish I had 0.2%, right? We don't have the money for castles. We love our castles, but there's no way we have the money for it. Problem number one.

Back to France for a minute, back to our rhinos. This site in France is really freaking cool. What they're doing is, it started in 1997, and I hate giving out years, because now that my apprenticeship model has grown and people are like, there's always that person, I was born in 1997, of a goose top pocket. So for those of you maybe born in 1997, congratulations, thank you for being in cybersecurity, we need you, but for a minute don't make me feel it. They're building an entire castle by hand, from scratch. They're like dragging the stone up, they're crushing the stone, they've got like hatchets to make the wood. They're doing this as an archaeological project to figure out how castles were built. Really freaking cool. They got 50 expert craftsmen working on this and they figure it's gonna take about 25 years to build, about 10 million to construct. They're learning at time... and you can go, you can visit there. Google it when you're in France, go see it. Don't see the zoo,
there's nothing in the zoo, exactly. But this also gives me hope for all the rest of our gray beards. This is my retirement plan. I'm looking for 50 expert craftsmen to help me build data centers. Send me an email. We'll have tours, we'll show the kids: this is a hot aisle, this is a cold aisle. Oh, great. But think about the way we build data centers, and think about the way we build castles, and think about the way we build infrastructure. It's all this waterfall model, right? Here is my 3-year plan that I'm going to construct something, and here's my revenue associated with it and my full-time employees. At the same time we cling to this waterfall model in cybersecurity, in the 90s application development of course went way to agile, shorter loops, feature functionality, implement feature functionality. When I was doing DevOps back at a financial company, I thought it was really, really cool and I got to a month, and we were like calling the press and we had a white paper on it and my smiling picture was on it, and that sounds cool. And so then I'm sitting down with my friends, they're like, we do DevOps, Mike, it's great. What's your velocity? They're like, once every four hours. What did you guys do? At the same time, once every four hours they're changing the environment, we're being asked to build a castle around that, not knowing where it's gonna be in a week, let alone a month, let alone a year. That's the next problem with castle building: it just takes too long, specifically given the pace of modern IT infrastructure.

I would put forward the following definition of security. Security is not castle building anymore. It's not high walls, it's not strong doors. Security is bells on strings. Strings run from one side to the other, and bells that ring when attackers are moving across your network, following a given path. That is a great way of doing security. And I say that, people are like, that's great, once we have the strings we can put weights on and we can do defense, because that's the only thing we're all taught about, right? I love it when folks come in and they're working with me and they're fresh out of college and they look at this environment, they're like, we can solve this, we just need to do defense in depth. Look, that's great. How are you gonna afford it? They're like, I don't know, do you worry about that? Here's what we need. And the flip side to this, what's always exciting, is when you talk to a CISO or a CIO. A CISO, they know better. A CIO, and you're like, what's your defense in depth, right? I do a lot of these risk assessments. That's what we start with, a sort of interview, sit down, okay, how good is your defense in depth? And they go, oh, we spend a lot, it takes a
lot of time, our defense in depth is deep, it's littered with the bones of our enemies. Oh my god, this has got dark, but okay, bones of our enemies. But then we bring in our pen testers, and anyone who's been on the red team knows what we're gonna find: the defense in depth is more like this, right? You're like, what happened? Why? You guys were awesome, I heard such great things in the interviews. So if we jump back to Risk for a minute, for those of you guys who have played Risk, you probably recognize, like, you can attack these places that you're touching, and it's a numbers game. If you've got three guys defending and you've got six people attacking, you're like, with the wind. This is defense: I got my defenses evenly distributed across my entire environment, and if you're designing a network, you go, this is good, because we don't want... but if you were to take those same defenses and put them on the perimeter, otherwise design it right where the attack is gonna go, you're gonna be much more successful. If you focus on where the attacker really is, you can build a good defense. It's not defense in depth. Then when you go to do that, someone's like, oh, we got all this weakness over here. Look, did you hear about the caravan? No, forget about the caravan, the United States is fine. We can focus our defenses, right? But no one wants to focus defenses at the senior level, and at the junior level you're like, but I want defense in depth, I want to spend everything. And it's not like, you know, the people who make the Magic Quadrant don't encourage this. You talk to the Magic Quadrant folks, they're like, here is our security, here's what we're gonna do, it's really simple, I just need you to buy one of everything, and then we've got expense in depth. I have three SIEMs, I'm clearly protecting my environment. It is... oh, good.

I like to think about security more like Bloons Tower Defense. And if anyone wants to spend like the next week playing Bloons Tower Defense, their boss is like, what are you doing? I was at a security conference and they told me this is security, I'm playing. I promise you can get away with that. But if you imagine this, the red is the attackers, okay, and they're following the attack path through the network. Someone is always gonna miss, there's always gonna be a miss, oftentimes multiple misses. But if you actually layer on the defenses along that attack path, you can have multiple chances to get them right. You can have my AV be only 60% effective, I can have my guys, with phishing, only be 25% effective and 75% they click things. You can have this if you have
defenses along that path. And this is the beauty, I think, of threat modeling. You can take any, take a kill chain, take an attack path, take whatever framework you want, but layer on the entire path that that balloon's gonna take and say, there be monkeys, I'm gonna stop them here, I'm gonna stop them there, everywhere. But where could I put those monkeys? A few times during this conference I've heard the words MITRE ATT&CK framework. A few times, I'm assuming you guys have as well. MITRE ATT&CK framework today is the way that I think about these things. I look at that path that they are taking and I lay it across the ATT&CK framework and say, what are the real tactics they're using, what are those tactics that are being performed? And once I know those tactics, I get people in the room from that organization and I say, okay, how can we add some prevention, how can we add some detection, how can we increase the time? This book is Time Based Security, Winn Schwartau, great, great book, very fundamental, I think, in how you do security. And this whole thought was this: security is defined as follows. It is secure if the time it takes to breach the prevention is longer than the time to detect and respond. If the time it takes you to break into the house is longer than the alarm system going off and the police arriving, you're secure. I've got a fireproof safe, and it burns for eight hours, but it's rated at ten, your contents are safe, right? That's security right there. If you can figure out ways to drive up the prevention, how long it takes to detect, to thwart that, and drive down the detection, how quickly you can get to them, you're in a secure state. And if you look at that path and you start doing that, you can lay out monkeys. I think you have a five plus two strategy: if I can stop five tactics twice, detect and prevent, I'm probably in a pretty good state, and it's a hell of a lot cheaper than buying one of everything. So that's
the next problem: defense in depth sounds great, but without a clear use case it's expensive. It's expensive, expensive, and it always has gaps. And when we think about how oftentimes pen testers break in, it's those gaps that they're following. The next one we hear all the time is, don't do checkbox security, right? Don't just check the box, we've got to really be compliant. Everyone's afraid to check the box, or somebody's... I don't know why, but it's not like you're usually compliant with one thing. There's like a bazillion things that people have to be compliant with these days, right? And then they just keep adding: GDPR, now CCPA, next who knows what's coming after it. And the answer is, you just, no problem, we'll build a road map, which again, you might remember, is if we just have three years we can be completely secure and just throw a bunch of money at it. I thought you... there's only so much money, and there are only so many monkeys. And so how do we spend that money and how do we position those monkeys really determines whether we're secure. Back to software development for a moment. You guys have probably heard MVP, Minimum Viable Product. And I love that concept for security. If you think about Minimum Viable Architecture, what's the minimum that we can put in place to satisfy the requirements and check those boxes? And then, here's a crazy thought: if we used the ATT&CK framework or other detective methods, what if we were to get feedback when those controls were touched or triggered? Right? What if we can lay out the compliance, and every time someone trips over something we go, ah, that's pretty weird, I checked that PCI box, but three times in a row Frank bypassed MFA. And then go, huh, I can invest in my MFA. Or, I checked that checkbox and you know what, my MFA is really crappy, so no one has ever tried to steal passwords from that, never, not gonna happen. But you know what I'm saying, kind of an interesting way to flip it on its head.
So from there, is blind compliance just as bad as defense in depth? And we always say, don't just check the box, but make it to 11 each one, we end up spending a lot more than we can actually afford. Probably the quintessential, like, bumper sticker for rules, like that gets people in trouble, though, I think, is the one: do not do security through obscurity. The actual rule for this makes a lot of sense. If I've got a path to where the bad guys are going, don't just hide stuff, because that's gonna be easy to circumvent. But people take that to the nth degree. I had a very long argument one time with someone who was bound and determined to put SSH on the Internet. I'm like, alright, we can do SSH on the Internet, but why don't we change the port? You and two guys going to, no, can't change the port. Why not? That would be security through obscurity, and I know that's bad. Like, I'm not trying to trick you, bro, scanners are looking for SSH, but if we move it, isn't that... giving up? No, it's putting in a good control so the scanners don't get to you. Oh, and I've had similar arguments. Did you guys see Tom's talk at, was it nine o'clock? He mentioned how the Qualys users are always like, Qualys user, and like admin abilities, scanning the full network, and Qualys, if it's across user, and so red team loves to look for the Qualys user. I was talking to our companies, like, why don't we name that something else, like Voldemort? Well, that would be security through obscurity. I'm like, yes, and then when they pull down our user accounts they're not going to go, there's the Qualys account, I'll steal that cred. Probably won't even say the name out loud. So this is one of the fundamental problems of this idea of security through obscurity. Good obscurity adds time to circumvent the prevention. It makes it more difficult for the determined attacker. Good obscurity increases the likelihood of detection, especially Voldemort as the account, and Qualys is just an account that no one uses until someone tries using it. No one's supposed to use that, you use it, you are the bad guy, done, right, drop the net. It's a way of slowing down that determined attacker by confusing them. If you hear like red team horror stories, it's usually the obscurity. Oh man, you have no idea, they have their computers all named with numbers, and I'm like, what the hell? And there's these service accounts and they were named after artists, and I'm like, I can't even, I can't even right now, and I'm trying to map this out and the maps won't form. That is good obscurity, because it really pisses them off and slows them way down.
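An added example, not code from the talk or its speaker, of the "bells on strings" idea applied to the two tripwires just described: the renamed scanner account that nobody legitimate should touch, and the earlier point about getting feedback when a checked-box control such as MFA is bypassed. The decoy account name, the host names, the JSON-lines log format and the sample events are all constructed assumptions.

```python
"""Bells on strings: tripwires over constructed authentication events.

Added example, not code from the talk or its speaker. It models two ideas
from the talk: a scanner service account renamed to something unguessable
so that any use of it outside the scanner is itself an alarm, and a
compliance control (here MFA) that reports back when it is bypassed.
Every account name, host name and log line below is constructed.
"""
import json
from collections import Counter

# Hypothetical decoy name for the renamed scanner account, and the only
# hosts that legitimately use it. Any other source is a ringing bell.
HONEY_ACCOUNT = "svc-voldemort"
ALLOWED_HONEY_SOURCES = {"scanner01"}

# How many MFA bypasses by one user before the control is worth a look.
MFA_BYPASS_THRESHOLD = 3

# Constructed sample events as JSON lines (one logon record per line).
SAMPLE_EVENTS = """\
{"ts": "2018-11-10T09:00:01", "event": "logon", "user": "frank", "src": "ws-107", "mfa": "passed"}
{"ts": "2018-11-10T09:03:12", "event": "logon", "user": "svc-voldemort", "src": "scanner01", "mfa": "exempt"}
{"ts": "2018-11-10T09:10:44", "event": "logon", "user": "frank", "src": "ws-107", "mfa": "bypassed"}
{"ts": "2018-11-10T09:11:02", "event": "logon", "user": "frank", "src": "ws-107", "mfa": "bypassed"}
not json at all, a line the collector mangled
{"ts": "2018-11-10T09:15:30", "event": "logon", "user": "svc-voldemort", "src": "ws-042", "mfa": "exempt"}
{"ts": "2018-11-10T09:18:09", "event": "logon", "user": "frank", "src": "ws-107", "mfa": "bypassed"}
{"ts": "2018-11-10T09:20:00", "event": "logon", "user": "alice", "src": "ws-009", "mfa": "passed"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a mangled line must not silence the whole tripwire
    return events


def honey_account_alerts(events):
    """Every logon of the decoy account from a host that is not the scanner."""
    alerts = []
    for ev in events:
        if ev.get("event") != "logon" or ev.get("user") != HONEY_ACCOUNT:
            continue
        if ev.get("src") not in ALLOWED_HONEY_SOURCES:
            alerts.append({"rule": "honey_account_use", "ts": ev.get("ts"),
                           "user": HONEY_ACCOUNT, "src": ev.get("src")})
    return alerts


def mfa_bypass_alerts(events, threshold=MFA_BYPASS_THRESHOLD):
    """Users whose MFA was bypassed at least `threshold` times: the checked
    box is being stepped around, which is the feedback the talk asks for."""
    counts = Counter(ev.get("user") for ev in events
                     if ev.get("event") == "logon" and ev.get("mfa") == "bypassed")
    return [{"rule": "repeated_mfa_bypass", "user": user, "count": n}
            for user, n in sorted(counts.items()) if n >= threshold]


def run_tripwires(text):
    """Parse the log once and return all alerts from both tripwires."""
    events = parse_events(text)
    return honey_account_alerts(events) + mfa_bypass_alerts(events)


if __name__ == "__main__":
    for alert in run_tripwires(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the scanner's own use of the decoy account is silent, the logon from ws-042 rings the bell, and Frank's three bypasses surface as one MFA alert.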

Now the thing about determined attackers, though, in most organizations, and most organizations it's not what we face most of the time. About 90, 97 percent of the time across the organizations I work with, it's not the determined attacker, it's not the hoodie guy with the superpowers, it is some malware. Right now, that's not always the case. I recently hired a guy from the energy sector and I was talking through this, and he goes, no, Russia really is out to get us. Yeah, but you're energy. I mean, like for the cabinet maker guys, it's usually just some malware that's spraying around. So quick story of mine. Back in the day, back in the day, I used to install Citrix, Citrix MetaFrame, now it's called something else or whatever, and you'd install it to a funky level, right, you installed it to like... for MetaFrame it was clever, and then when people logged in they would map their C drive to the actual C drive so they could browse. And I never thought about this as a security control ten years ago, but we got hit with some malware from one of our partners, because they're in our network and it jumped the network. So we get hit with this malware and it's scanning on our network and I had no idea. What I did know was suddenly we're getting pop-ups that an executable failed. That's weird, wow, an executable failing. And come to find out the malware was hard-coded to write to the C drive, and it wasn't the C drive, so it crashed. It got past our IPS, it got past our IDS, it got past our endpoint AV. Change the drive letter, done, killed it, completely prevented us from being affected, whereas my partner who was connected to us, whoa, they're down for days. Kind of interesting, kind of interesting. And I've heard other similar people go, hey, you know how malware, when it's in a sandbox, can't run? Like, yeah. So you know what I did? I go, what did you do? He was like, I found the registry keys it's looking for and I pushed those to all my Windows endpoints. That is brilliant. Malware infects the box, looks, cool, I'm gonna stand back, shut down, be quiet, and it looks like the sandbox machine. Life is good, right? Obscurity, a little bit of obscurity, is really a lot of fun, because you feed a bot bad malware and a bot does what software always does with bad input. It does, and then we're protected, then we're safe. So problem five: that clever bumper sticker, like, I don't do obscurity, has actually caused much more problems. It prevents us from finding some really cool, clever hacks that we can deploy.

Alright, next one, and this one drives me nuts. We have a talent shortage, did you guys hear this? We need somewhere between one and a billion people to solve the InfoSec problem. Numbers may vary, but I think it's up to a billion. Look, before I tackle that, one more thing about castles. Castles and knights, right? Back in the good old days there was a percentage, generally around the time of Harlech Castle, that works something like this. For every 200 people you had about one knight, and for every one knight you had like five archers supporting them. That was the number, that was about the number the English had, and the French, give or take, you know, a percentage here, there. Similarly we can slice and dice with IT folks. These numbers come from Gartner: one InfoSec professional for every thousand employees, one InfoSec professional for every 20 IT pros. Kind of scary when you think about it, kind of scary, because that means 20 people are doing who-knows-what, who knows where, who knows why, probably with admin rights at any given point in time, to get one in, and that guy's like, wait guys, you saw that, what did you do? Those numbers kind of paint a bleak picture, but you know, this castles and knights, we all know good metaphors are hard to find. When you go and look at Cecil says, I say, hey, we got 0% unemployment. When you go to look at, like, yeah, we can't find anybody at the

beginning of this talk I mentioned that my program has 55 qualified applicants for every one person I hire and I bet you a bunch of guys here are looking to get into information security and a bunch of people are in and are looking to move up how can that be how can we turn away 54 people but have 0% unemployment doesn't quite make sense something is not adding up part of the problem is this concept of and you I'm sure you guys have heard this if I only kind of clone myself you know if only I had one more of me risky risky thinking hey I would never want to clone myself because I would not want to work with

that guy no it breeds this mentality that talent must look like me right and a lot of us who are in information security just sort of like ended up here it just seemed fun at the time and now people come up to goes you've been doing this for two decades I have but we didn't start out that way so why are we looking for people like us it doesn't make sense the other thing is is that human mind is inherently flawed right the the the flaws in the animal brain are fantastic and phenomenal we have things like the choice support bias whatever I chose was the right choice it's what my brain tells me it must be

true you have things like the like me bias if their people are like me and studies have shown this again and again if someone looks like you or you your boss your boss rates you higher you get raises faster you get promoted quicker weird weird I don't even look like my boss which is why I need a raise performance by the same thing right if we think people are like us we rate them higher so think about what this is doing at the moment I talked about this the cementing of what it means to be a nympho sack as we turn into a profession we're getting this point where like hackers I know how to hire hackers this

is a quote someone told me I have no problem hiring hackers because hackers look like hackers what the hell dude we got into this thinking hackers are weird right it's it's a it's a meritocracy the smartest idea wins hackers are strange we're people with the Mohawks and the flamethrowers we're where the people go to like the Wall of China and realize we don't have any money and con our way down onto the back of a you know there's some weird stories with hackers but this idea the hackers look like hackers concerns me because we've solidified in our mind what that means and at the same time we're embracing all this weirdness whenever someone is not weird like the

way we think a hacker is suddenly they don't belong right something they don't shouldn't be in the room something we should've listened to them slowly why are they at our conference I think it's so scary and so terrifying right hacker diversity diversity inclusion hacker style should mean finding weird finding the new weird finding the weird weird not the guy with the Mohawk we can hire him that seems cool but I mean what about the person without a mark but the person who looks normal likes to wear a suit well if it's a woman loves its you name it finding new and exciting folks right that can change the status quo so paramount right now in a day a nature

would say we can't find anybody because I can tell you there's tons of people want in we're just not talking to because they don't look like Acker so that's problem number one we don't have a counselor get a hiring problem we have a hard time hiring people who are different than unique problem number two I'm mentoring some people right now from local university and one of my mentees it's not the mentees men-tel's I always want to say Mentos like what am i Mentos it's down I'm the dico no but he sits down with me he tells me about this interview he wants me to help him interview like why do you need help interview I'm a

terrible person I don't interview anyone great I'm sit down like hey you look cool you want to go intervention they're like yes I'm like you're hired terrible interview what do you mean he goes well here's what happened he went into an interview he sat down all excited he has hi I'm Sukkos all good and he weighed in the camps room for like 20 minutes and the hiring manager comes in this early looking like IT guy and comes and sits down with him he's like we're gonna start with the technical questions first cuz this is a hard job all right sure he's like tell me what's the difference Eugene telnet nice to Sage and the guy didn't know it

was an information assurance degree he was taught compliance he had no idea it's like I H s SS what no clue and you know what happened the hiring managers I got thank you very much packs up of stuff because you can see the door the HR people will contact you yeah ask one question shown the door she's and I had me thinking about skills right the skills that we used to value and I was joking a little bit about the data center back in the day but I used to love building data centers and I'm gonna brag cuz I can show the slide only for probably like another year before no one cares ever but this was my data rack

they're pretty wiring really thank you thank you I thank you I am really pretty wearing we did our entire cabinet this way it was beautiful I could find everything and at the time I could tell you like there was a queue all 2340 fibre channel card I knew the name of the firmware and everything I love this data center loved it and and yet it kind of makes me want to be like well if you can't do that should you even be an info SEC bro should you even be an info SEC had me thinking about when I was a young man and my my father and my uncle's my grandfather gave me a lot of grief because I'm terrible at

working in the car can't change a spark plug can really change my oil I probably could figure it out but why I'm like why why are you guys giving all this grief I can take it to someone and they will do this for me that's the way there's people who do this now I'm like no you need to know this and it wasn't until I was a little bit older that occurred to me why that was when they were my age all the good jobs in Michigan I'm from Detroit so all the good jobs in Michigan were manufacturing and if you can work on your car you were not going to get a good job and they were so concerned I

didn't know the mechanics and a light want bulb went on because I'm like that's exactly what I'm thinking about because I'm like oh you don't know what SSH is you don't know what a fiber card is right I think the real talk is to us Greybeards is is this skills that we needed to get here are not the skills of the young people in this room are gonna need to get there but we got to remember that when we're bringing people in so vitally important and when we hire them this is great we bring out the young people are like how do you do your job like just do it and if you haven't seen

ass now skit for that you guys like move you guys should google it you'll enjoy it this is our attitude right oh you can't do it move out of my way kid what's going on there's very little apprenticeship programs there very little mentoring is very little coaching we just expect folks to know it and then we have a real hard time today bridging that gap of college to professionals so that problem number two is we don't have a talent shortage we've got plenty of talent talent a lower-class town in here telling everywhere we've got skill shortage we got training problem we got a mentoring coach problem alright it's okay it's not like we have an ego or anything which reminds

me my next point we can't patch stupid

there's someone back there going amen thank you and then you got the great bumper sticker like don't click it right you know in in a in a building in a building that my wife used to live in there is this problem right the elevator wasn't stopping on the right floor and people were getting hurt we're getting hurt and at one point time it stopped like too low and you walked in he like fell right and cut yourself into this blood and everywhere and she's sending me photos and what now and she reports this to the property manager and people would report this is a property manager again and again and again and they fixed it they finally fixed it after her

report after blood and photos and everything finally fixed it here's how they fixed it please look down what'd he give him the elevator they didn't actually fix the problem god forbid and I snapped a photo so like that's InfoSec gardener gardener my favorite four-quadrant folks had a quote that said 95% of cloud security failures will be the customers fault in 2020 it's their fault that's three buckets open their fault bunch of credit card lovers leaked their fault right and and I read this I'm like ah this is this reminds me of something because I had read this book of design theory so I'm looking looking and spending a lot of time looking at design these days and

they had this comment that industrial accidents industrial accidents are caused by humans right estimates range from 75 to 95 percent ok that makes sense up to 95 percent how is it so many people are incompetent the book asked and I was ills at the bar on the page of a guess why are this own competent why can't we patch stupid I click to the next page click to the next page that's terrible alright I click to the next page and the types of answer they're not it's a design problem like why are we doing right we build these security systems people trip over them we block access we block usability we allow people to click

on stuff and they're like huh they're stupid it's their fault we've got to figure out better ways to get folks in because for every one of us is a thousand of them how do we engage some of those folks to build a better security to tighten things down maybe we can scare them a little bit that's one way right and the quintessential way you scare me as we all know is is pen test we just did that pen test will show them that there's a risk and we'll get budget so I was spending some time looking at pen tests and I found like the first pen test was at besides Detroit earlier this year I was asking people was the first

pen test and I got some great answers all the young people are like like 2010 yeah I was around then some folks like 2001 yeah you getting closer 1995 when hackers came out that was it right cuz they almost the boat almost flipped and it was terrible there would have been oil everywhere and was cool about hackers by the way is the guys skateboarding through a data center I can tell you a ID not very good skateboarding but B I had a data center and see you better damn well believe I tried that don't try that you get nothing else don't skateboard as 1988 when the Morris worm hit and took down the internet that's the other thing I

heard one thing does fastly about cybersecurity cuz we're so focused on this being a new discipline new domain we oftentimes forget our history and forget where we came from we need some historians but I want to take you back to a time it's 1967 that's not the first pen test but 1967 all you need is love was the song and the top of the charts I pulled that record out the other day and listen to this phenomenal summer love was happening cars look like this computers look like that and ran corporation got a bunch of people together they threw the very first conference they like Colonel that grew into besets Charleston in 1967 I got

15,000 people together and said hey we're building on the stuff computers and networks were built on stuff you think it could be broken into we know the answer today right we know the answer but they launched the first pen test those by a guy named James P Anderson I love it because he sounds like neo James P Anderson 1972 he published his results JP Anderson today looks like this job making me feel old but the first pen test was phenomenal read because you read it and for a while you forget you're reading history it's like here's our attack scenario here's a were thinking could happen here's what the threat actors would do and then you

get to the point where they're talking about and they could shuffle punch cards you're like holy hell it's 1972 but we've been doing this pen test in the exact same way right can it be breached yeah can we get funding okay we've been doing this again and again and again since I'm sure we made improvements there's nest there's pitas but we're so focused on the pen test on the weakness side we forget the strengths we forget to say okay break in this room and they're like we can break through that door that door that door we forget to say okay where's the walls and can you get through the walls we forget to figure out how to build on those

strengths and core tenants if you're testing that way you test something like this does that control even exist seems silly but I can tell you from experience CIOs think I exist until you get to someone who goes that's funny no we haven't done an act in five years is it effective does it actually like to stop the bad guys we're talking about Equifax earlier in the speaker lounge Equifax had a fire eye box it was incredibly effective except it wasn't looking at thing in their web firm so they have briefs didn't see a damn thing all right can't be circumvented operationalize when you're doing these tests is someone actually respond think back to that prevention detection it

looks something like this this is testing your prevention and the detection response is all about the operationalize a different way of testing a better way of testing for 45 years we've been doing the same thing right this goes back to a time where you couldn't trust politicians so much has changed not going to touch that much further than that but mash was on right the Waltons were on and at that point I'm the og James B Anderson did the first pen test we've been doing this again and again and again not necessarily focusing on strengths but always focusing in the weakness is the quickest path in is what pen tests show so that's the problem

but in what you guys are gonna say right well we got to do that because and this is the last one and I'm gonna wrap it up we have to be right every time but the bad guys only need to be right once you hear that again and again every single scary slide ever right every single time we need to be right but do we do we if you've got a good attack path right and you've got controls along that and you put a hell of a lot of monkeys on that you're gonna get past that guy and not be detected and not ring any bells and at that point time I'd argue they have to be read a whole lot of time

so they have to be right every single time along that path to really get in and still the rhino horn or whatever their target is so how do we do that we do that by playing both games by protecting the resources of the organization and preventing the criminals and mapping those up and realizing that we don't have a hell of a lot of visibility either one we're dealing with a lot of unknowns the fog of war is the world of InfoSec today we can say the criminal mind we can get a better idea of their motivations their tactics by pulling in reports by looking at the analysis folks do by looking at our own environments we can skip

building castles and instead focus I'm very flexible very fast defenses that we put in place and one of those bells ring we rip them back out taking a lesson from the agile community where security is a feature that's rolled and really quick and rolled out just as quick if it's not used we can check the check box where we need to saving time in some other areas and spending time in where it counts to be bear compliant but to raise it up where we actually need it we can build weird things which is what is exciting about InfoSec embracing the obscurity when designing so we trip up the attacker so we trip up the software

so we can come up some really clever hacks like embedding the registry keys for hypervisor and all your machines so malware shuts itself off we can hire weird people which is also what makes InfoSec exciting different people right strange people to us more diverse people who bring in different ideas in different ways of doing things we can pen test strengths right we can build those defenses and hire those people and put them in the right place and then test to make sure those defenses are working test to make sure people are responding test to make sure that the right things in the right place that our assumptions are holding up when they don't we can improve those instead

of just finding the quickest way in because we all know there's a million in one ways in or network because we don't have enough money we don't have enough monkeys these are some things we can do or don't right and this fundamentally I'm talking a lot for the young people right here is my call to action to you guys don't break the rules right think for yourselves find new ways to do these things argue with us all Greybeards hack at yourself don't sit there when someone handed you a bumper sticker that says don't flex should think that they're the rule right don't be in school when someone says build your defenses I could casually go yeah so but maybe not maybe

argue about that maybe challenge that set of school and come up with new and exciting ways to do things because for 45 years we kind of doing it the same way and it's about time to flip some tables so I'll leave you with this thought me that dumpster fires daylight and I'm talking about those guys who follow the rules right the dumpster fires that are lit by people every day you try an over engineer and overdo and push people away and not embrace true security and finding new clever ways I mean the dumpster fires they light light your way thank you very much [Applause]
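The tripwire account the talk describes (an account nothing legitimate ever uses, so any attempt to log on with it is a signal that someone is working through harvested account names) can be turned into a concrete detection. The following is an added example written for this page, not code from the talk or the speaker. It assumes a constructed, simplified key=value authentication log format and placeholder decoy account names (svc-backup02, voldemort); a real deployment would read the same fields from the directory's or SIEM's logon events.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Accounts that exist only as tripwires: nothing legitimate ever logs on with them.
# Names are constructed placeholders for this example, not real accounts.
DECOY_ACCOUNTS = {"svc-backup02", "voldemort"}

# Constructed sample log lines in a simple "timestamp key=value ..." format
# (not a real SIEM export). Note the ordinary failed logon for "bob", which
# is noise, and the decoy names typed in different case.
SAMPLE_LOGS = """\
2018-11-10T09:12:01Z event=logon status=success user=alice src=10.1.4.22 host=WS-ALICE
2018-11-10T09:12:09Z event=logon status=failure user=bob src=10.1.4.31 host=WS-BOB
2018-11-10T09:13:44Z event=logon status=failure user=svc-backup02 src=10.1.9.77 host=FS01
2018-11-10T09:13:45Z event=logon status=failure user=VOLDEMORT src=10.1.9.77 host=FS01
2018-11-10T09:14:02Z event=logon status=success user=svc-backup02 src=10.1.9.77 host=DC01
2018-11-10T09:15:10Z event=logoff user=alice src=10.1.4.22 host=WS-ALICE
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    source: str
    host: str
    status: str


def parse_line(line: str):
    """Parse one constructed log line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def find_decoy_logons(lines: Iterable[str], decoys=DECOY_ACCOUNTS) -> List[Alert]:
    """Alert on every logon attempt, successful or not, against a decoy account.

    Account names are compared case-insensitively, since directory logons
    normally are; a failed attempt is just as interesting as a success here,
    because nobody legitimate should ever try these names at all.
    """
    alerts: List[Alert] = []
    decoys_lc = {d.lower() for d in decoys}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("event") != "logon":
            continue
        if rec.get("user", "").lower() in decoys_lc:
            alerts.append(Alert(rec["ts"], rec["user"], rec.get("src", "?"),
                                rec.get("host", "?"), rec.get("status", "?")))
    return alerts


def sources_touching_decoys(alerts: Iterable[Alert]) -> List[str]:
    """Distinct source addresses that touched a tripwire account, for triage."""
    return sorted({a.source for a in alerts})


if __name__ == "__main__":
    found = find_decoy_logons(SAMPLE_LOGS.splitlines())
    for a in found:
        print(f"{a.timestamp} decoy logon ({a.status}) user={a.user} from {a.source} on {a.host}")
    print("sources to triage:", sources_touching_decoys(found))
```

Run against the constructed sample, the ordinary failed logon for bob produces nothing, while the three attempts against the decoys from 10.1.9.77 each raise an alert; the successful one on DC01 is the "drop the net" moment the talk describes, since no legitimate process could have produced it.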