
Securing the Distributed Workforce

BSidesSF · 2016 · 52:09 · Published 2016-04 · Watch on YouTube ↗
Style: Talk
About this talk
A distributed workforce is becoming the trend as new companies start and take off and as existing companies expand. Traditional, proven security principles do not always apply to this type of environment, so it requires unique and creative solutions. One challenge with a distributed workforce is protecting end users as they perform day-to-day work and browse the wide internet (personal browsing habits). Monitoring end users and production systems becomes increasingly difficult as software and hardware are migrated from physical assets and virtualized into the cloud. We have a unique deployment and workforce that require different approaches to maintain a secure workforce. This talk covers the gaps that exist and the approaches we are taking and researching to maintain a safe and secure work environment.
Transcript [en]

...have a lot of data, and we're continuing to do more and more with data. My slides are up there. But first and foremost, the really cool part about working at Nuna is that our founders and executives believe in security from the get-go, so we have a hundred percent backing. There hasn't been one time that we've gone, "Hey, I need to hire another incident responder," or "I need this product," and they've said, "No, justify it." It's kind of been cool to actually be in a spot where they just sign off and say, "Yeah, go get it, we need this." But enough about that. What's the problem here? Traditional corporate networks do not apply to these new companies, and especially not at Nuna. We like to consider ourselves somewhat of a hipster company: very fast-growing, dynamic, a big mix of everything, a big mix of the types of technologies that we use. Our stacks are constantly changing; we continually deploy and tear down machines.

There seems to be a lack of players in the game, people who are truly going after this type of community or this type of company. You still see a lot of these cool new innovative designs for network appliances for network security, and it's like, "Really? That'd be awesome, I want to get that, but [ __ ], I can't get it." It's only if I can have an appliance in my rack or a network tap, and yeah, I'm in the cloud, so you can't do that too much. I'm not a big player, so I don't have a lot of money; I can't convince Amazon to go give me a separate cloud rack with all this stuff. That would be really, really awesome if I could. So we're having to do things a lot differently and come up with our own unique solutions. There are some awesome solutions out there; I will list some later on in this presentation. A lot of them we're using effectively, but a lot of stuff we're having to attack very differently. When we talk with these companies that are doing these traditional appliances, we ask them, "Can I replay traffic to you, or do you really need a tap?" And the answers are like, "No, we need a tap, we need this." So we're trying to be dynamic in the solutions that we create and that we're actually deploying here at Nuna, because we are in fact cloud-based and we do have a distributed workforce. We're going to step into what I mean by distributed, because not everyone might have the same idea of distributed as what we think of it in Nuna and the security team.

So, a traditional corporate network. It's very common; I took this from online. You've got a bunch of users, some servers, your mail servers, the DMZ, some firewalls and an IDS. If we were to tap this network and think, "Where could we actually monitor some stuff?", the main place would be the IDS. That's the center point: things come in and go out. It makes sense. But does it always look like that for us in the cloud? Can we even get that type of information? So when I say distributed corporate network, this is really what I mean. I've got a region of AWS over here with a VPC, I've got a region over here, some different VPNs, and this great cloud in the middle is the mysterious Internet where, you know, good and bad things happen, I guess. But then we have some places like the bottom right, which is what I call HQ, our own set. But really I should have drawn the bottom right like this guy on the left over here: everyone that we consider the office is a unique node, a unique VPC of sorts. Even though we go to the office and there are over a hundred people there at any given time, we don't consider it a single network. We consider every laptop separately, as if they were on their own network, as if they were working at home or working from Starbucks. So we attack things differently. We don't try to do network monitoring at a corporate level there with, like, a Bro instance, truly because we have some quirks, and like, why should we do this? Will it really benefit us? The time that we're going to take, the money that we spend, is it going to be really beneficial, or can we tackle this a different way? That's kind of what we're doing here at Nuna, which is really, really exciting, because we get to do all this fun research now and try things. If it doesn't work, we go do something different. So we're in a unique position. But first we think, how do we internet again in this distributed network? That's what we're going to talk about. So how can we monitor now?

In AWS: who's familiar with AWS? Does anyone use it, deploy it? Anyone have awesome monitoring deployed, can see everything that happens? No. Whenever a key is made, whenever someone creates a bucket or accesses that bucket, whenever someone creates a policy that is beyond what it should be based on corporate standards, it can be very difficult, and it can be hard to do things. Who can see all the network traffic in their AWS infrastructure? Yeah, no one raised their hands, for those of you who can't see in the back. It's really, really hard, and this is what we're trying to address, and some things that we're doing at Nuna in order to tackle these things. Because in AWS we have things like CloudTrail. For those of you who aren't familiar, CloudTrail is API-based monitoring: whenever someone creates an API key, uses it, creates a bucket because of that key, things like that. So it can only tell you API-based actions: what access keys are being used, when, how, where. They have CloudWatch, which is really cool, but this is more like infrastructure monitoring: "Oh [ __ ], my server went down, quick, deploy." Really cool if you're doing things like VPNs: you can do an autoscaling group of one if you need, and if it ever dies it just redeploys right back up. It's like, sweet, awesome. But yeah, not too much information.

VPC flow logs. When I first heard of these I was like, "Hell yeah, finally, network security monitoring in the cloud." Wrong. You can get the from and the to and accept/reject. It's kind of like, I sent a packet from this machine to this machine and it was accepted or denied, or I'm getting this traffic here, but you can't actually see what's in that traffic. So that's a problem, because what are you going to get from that information? "Okay, this guy from Israel was hitting our network, but he's being denied." That's all I know. We can't see what kind of data he's trying to send, what he's actually trying to request. So for us here, we're truly tackling this at the individual user endpoint, being the laptop, but we're also applying these concepts to our endpoint servers as well.

But at HQ, how do you do monitoring? You can do network logs, put in a Bro IDS, SSL termination if you so please. But how do you do that if your workforce is truly distributed? At any given time at Nuna we have about seventy percent of our workforce in the office. We have a bunch of people working on the East Coast for us, but at any given time during the day I'll have two of my guys from the team decide that they're going to go do a sync at Starbucks, or you'll go to Starbucks to get a coffee and you end up with half the engineering team over there, because they just got distracted by what's going on. It's this new startup open space; people get distracted, they just need to get away. So how do I protect people at Starbucks? I don't know. What about the home office? Since we have a bunch of people working on the East Coast and we don't have an East Coast office, they're just working out of their houses. So how do we protect them? We don't control their network, we can't see into their network, so it's really difficult unless you have some sort of always-on VPN. But in our case we're in the cloud, so if we're always on the VPN, all we get is, "Okay, you connected to our VPN and now you're trying to hit these servers." We still aren't getting the traffic that you actually want to see, because we don't have those network taps, and I'll talk about the issues here. As I mentioned, seventy percent of our people are in the office; in agreement on this, it's probably a pretty big number, especially on a Friday or a Monday morning. And at any given time, during any big client engagement, we have a handful of people out of the office, and this seventy percent is rotating. It's not the same seventy, so it's not like we can take the thirty percent who are never there and apply different things to them, and then the other seventy percent are always mostly secure in some ways. We have people travel to India or to China and visit their families, and we still allow them to work from there, because they need to get the job done, and we're a startup and we have to move fast.

So, no network taps in the cloud, unless you're big and you have money, and then AWS is willing to work with you: "Hey, let's talk, maybe we can get you this, we can get you that." Devices are good; they can now transfer a lot of big data into AWS with these hard drives that they ship you. You load the stuff, you ship it back. They'll actually rack-mount some hardware appliances for you and hook them up and tie them into your VPCs. The problem with that is your VPC better be well defined. You better not add any subnets, because you're going to have to make all these requests: "Amazon, hey, can you change this? Can you change this? Can you hook this up?" The cool thing with AWS, and what we do at Nuna, is completely distributed, completely dynamic. At any given time we might redeploy a system daily, once or twice, or weekly, several times. So those are things that we're doing in order to protect ourselves and protect the client data: we're constantly moving, constantly redistributing things, and we're actually adopting processes that you might not normally think of when you're in security. I'll talk about that here in a little bit.

And so a VPN is not required for all of our work. You will often find that even when they're at Starbucks, they're just working on code locally; they're not actually distributing or deploying code, so they don't have to connect to our VPN. Or there are certain systems, you know, in our third-party cloud providers, that you don't have to go through the VPN to get to. So you can't rely on something like that in order to protect all your data. And then once again we're back at: okay, even though there's a secure connection through the VPN, we can't see what they're doing. So that's a big problem from the security standpoint. Ethan up here up front works for me; he would say, "I need logs, I need headers, I need all that good stuff. Show me the data, give me the data." And then, of all of them, the biggest problem in any company, I think, is that you can't trust the users. The users are going to click things, are going to do things. They're not going to follow the processes you set for them, and you think your hardening is in place, and you're going to be wrong. I can tell you, time and time again I've been proven wrong, at Nuna and at my past positions. People go and skirt processes all the time. So you have to attack this problem with the mindset that people are not going to do what you really think, and start guessing what they're going to do so you can protect yourself.

So how do we solve this? There are a couple of approaches, and I'll talk about one more particularly in this talk, on how we're trying to get some interesting things for network security monitoring. But we truly treat every endpoint as distributed. My laptop right now, I'm on my phone's hotspot, and I'm considered a separate node of our network. It would be the same if I used my hotspot at HQ or just the HQ Wi-Fi. We're truly all separate. There's no way that we can get into each other's computers like you would on a corporate network. We do have some cool configuration-management-type stuff where we can push packages, pull packages, run some really cool dynamic queries; we'll talk about that a little bit here in a bit. But we're trying to do things differently, and what we're finding is we can't just go buy a solution. Some of the things we can buy, some of the things we're having to create, and some of the things we see we just don't like and we want to do it ourselves, or it's a little too heavyweight and we're going to do something a little more lightweight,

or we want it more customizable. But today I'm going to talk about kind of a simple proxy-type solution that you could put together and distribute across your employees to get some more insight into the network, because we don't have things like central network monitoring with Bro and that kind of stuff. So even though headquarters is different, don't assume the standard works. As I mentioned, we're not always going to connect to the VPN. I can tell you, I look at our concurrent users on our VPN at any given time and compare it to the number of people we have. Say at noon, we have 110 employees; at any given time we might have 30 concurrent VPN connections to our main tools VPC. That's not a lot, considering our engineering workforce is like 70 of the 110. You would think you'd get more, but that's because people don't connect to it all the time. They like the freedom of Wi-Fi and being able to roam, and they like being able to just connect and not have to be worried about being forced through a VPN and the internet speeds going down.

So be creative. Don't be afraid to create something. Create something, put it out there, open source it. Everything we develop at Nuna is going to be open source at one time or another. I spoke last month at AppSec California on our new identity management infrastructure that's open source. We're deploying it right now, and once we get it out and tuned correctly it'll be there for anyone who wants to look at it. It's kind of like crypto: put it out there, people break it, you fix it. That's the one thing; we saw the details in the bug hunter talk, right? Researchers can be very friendly; don't piss them off, or they could be really, really mean. But yet, learn from others. People talk about things, so you can learn and do it. Just because OpenDNS or someone like that published something doesn't mean you can't use it. Use it, and use it proudly. Talk about how you applied it or how you changed things to fit your network or your corporation. But learn from others, and especially, you know, as a hipster company, you've got to move fast, you've got to do things. Don't invest the six months to develop a solution when it's already out there, just because you want to be prideful and be that company that developed it. Just do it. Nike did not pay me for that, by the way.

So I mentioned some things that you wouldn't traditionally contribute to security, except there is a talk, I think at the end of today, about Rugged DevOps and security. But DevOps: CI/CD, continuous integration, continuous delivery, continuous deployment. I like to say CD, CD, CD, CD, and that's because we deploy things all the time. A hacked box? We'd redeploy. It's really, really cool; you can do these cool things, but you have to learn from others, because someone else has already done it. They're already talking about it. Go learn, apply, and figure out if you can apply it better, and then provide back to the community. That's one thing here at Nuna: everything we're doing, we're trying to give back, because we didn't think of all this cool stuff ourselves. We use a lot of really interesting systems that people like Netflix, people like OpenDNS and other really awesome companies that have been out there in the space for a long time are doing. It makes my job a lot easier.

So we're truly talking about doing agent-based approaches, due to the fact that your company's network now isn't a traditional corporate network. You have to think of things differently, so brace yourself. We have a problem, right? Not many agent-based solutions exist, not many that exist that can actually do what you want. There are some, but you'll see the big companies at RSA, the evil RSA word, so I guess they're going to show you really awesome things that you have to rack-mount, or, you know, it's good for your corporate network on-prem. So depending on whether you're totally cloud-based or you're on-prem, it might work for you, it might not. But even if you're on-prem, agents work really, really well, especially if they're lightweight and the users can't even tell that they're there. So osquery is one, Facebook's, awesome. Who uses osquery, anybody? It's really, really cool. We use it. We even have dynamic ad hoc queries that we're doing, so if we suspect that you're compromised we push these random osquery, excuse me, SQL commands out and then get that information back. But we keep it lightweight, as lightweight as possible, to, one, not bog down our logging system, and, two, not create an unworkable environment for you. Cylance: their AV solution is pretty awesome, a very lightweight agent-based mathematical model; it doesn't require you to be on the internet and connect to a back end to keep your signatures up to date. Really interesting. Tenable: they have an agent-based vulnerability scanner now, so you don't have to actually have your Nessus scanner reach out and scan boxes; you can have an agent actually scan the system and return the results. Yep. And OpenDNS Umbrella, really awesome, DNS security all the time. And with this latest glibc bug, OpenDNS was protecting you before you were able to patch yourself. Really, really sweet. But this isn't an exhaustive list. I couldn't tell you; I didn't go do the research on what agent-based solutions are out there. They're coming up more and more, but people are still thinking in the traditional sense.

So, solving network monitoring: how are we doing this at Nuna, and what could you do at your company? Let's define a proxy. We can't monitor the network in the cloud, because we need a tap, and in order to get that we need a lot of money. And we don't have Bro installed, and we don't plan to, in the corporate office. So how do we do this? We first create a local proxy installed on the user's machine, very similar to... has anyone ever used Burp? Right, lots of hands there. Burp's awesome; you can see stuff. Has anyone ever used Python implementations of proxies, written their own scripts so that you don't have to go do things manually in Burp? Applying that same principle, let's create a lightweight proxy for the internet here at our Nuna corporate, or any of your companies that you want to apply it to. So it's got to be very lightweight. We might want to support SSL termination, probably, especially if you force HTTPS on all of your requests, and make it very configurable; we'll see why here shortly, in about four slides. But make sure that we don't log all the logs. Who's seen that meme, "log all the things"? Yeah, yeah. Anyway, define classes.

So with anything that we're writing, we want to have a well-defined structure for the data that's actually being sent back and forth. If we're tackling truly the web proxy right now, HTTP, HTTPS, anything over standard web, we have requests and responses. So we define this simple request class: cookies, headers, the actual content, what host we're going to, the full path, right? Because with HTTPS, all we're seeing is the domain; we don't know the full path if we're actually monitoring that network traffic. What HTTP version are they actually using? Is it the old 1.x, is it brand-new 2.0? How are they actually doing that, and what method are they actually using? Are they GETting, are they PUTting, DELETEing? What kind of stuff can we see? Malicious stuff, like, we should never be deleting, but we're seeing all these DELETEs fly across our network. Now, that's not Nuna standard, so who's on our network? Responses: what actually comes back, the cookies that come back, our headers, content, all the good stuff. This is the good, juicy stuff, especially for all you honeypotters out there that like to see the malware that comes back. Here it is; get the content. But then, most importantly, let's define this record, kind of a standard that we're going to use across the enterprise, which contains these requests and responses but also some other stuff: timestamps, source IPs, destination IPs, ports, something to give you more, so that if you needed to go back and actually go through the logs on a system, you have some more juice to go with.

But things to consider when you're actually designing something like this: don't invade privacy. SSL termination is pretty scary. I've noticed when we push new things out to people, or when we... we use Duo at Nuna, and when we started applying to people, or our end users' BYOD devices, that they have to have a certain version of the operating system, it freaked our users out. We got so many requests like, "What the [ __ ] can you see on our phone?" It was pretty crazy, and we had to do this big talk, or a big Slack conversation: "All right, this is what we can see. Should I point you at the SDK so you can see what every app on your phone can see? Oh, and for the five of you that are rooted, yeah, who knows what those other apps are looking at. But if you're scared of the Duo app, you've got bigger problems." So yeah, privacy, something that we're having to juggle a lot. Like, what sites do we actually intercept, or which ones do we pass through? So here are some examples, like Bank of America, Gmail. Maybe we don't want to read our users' personal emails. That would prompt... they'd probably feel very invaded.

[Inaudible audience question about protecting the private keys.] Yeah, very, very carefully. So yeah, you have to protect your private keys, and luckily, if you have a configuration management system like Chef or something like that (since we're the hipster company, we're not using SCCM, you know, we're not Windows-based), we can push and change these keys as often or as infrequently as we want. But yeah, it's very hard to protect those keys, especially since they're private; they live on the box. They have to be on the box in order to sign the requests and actually intercept. But yeah, it's one of those certificate management issues that everyone hates to tackle. It's very hard; if you do it wrong, yeah, you're [ __ ]. You could even go into something like in the bug hunters' talk earlier today, about how the guy was able to get SSL keys and all that from an S3 bucket. Do it wrong and leave a hole open, and it becomes really, really tough. But yeah, it's definitely a problem keeping private keys local, so you have to put them in places or protect them or constantly rotate them in order to truly protect that. Unique keys for every machine? Yeah, no Superfish. And then one of the cool things with our environment is we have different roles in different things, so we can choose whether we want to actually push this out to someone, or what kind of keys we want to share, and how frequently we can do it. But since it's all, you know, DevOps fashion, we can automate things and continuously push things out. You do have the problem that if someone doesn't connect back to the network, or if there is a network problem, they don't get the new key that's pushed out. So there are a lot of things that you have to consider if you're going to do something like this.

This is something that we've just been toying with; we're not actually deploying something like this yet, but it's been fun to develop and figure out all the problems. Especially because if you are doing SSL termination and you forget something like "SSL verify upstream cert," then you really have an issue, because then you're not going to catch all the self-signed websites, the websites that are trying to look like other people. That's when you get into definite issues, because you're proxying, you're signing things as a root authority, and all of a sudden you've come across this phishing site that they're making look like you, and you allow it. Or, you know, your users are prompted with a bad certificate, or in this case, any certificate that isn't verified upstream we drop, so you can't even access those sites, and if it's something you really have to go through, you have to submit a request. So it's those processes that you have to think of, certain things that you have to do, and a lot, a lot of testing and research to figure out: is this something that's even viable? Should we do this? How dangerous is this for us? Does it make us more secure or less secure? Do I want to publish our key anywhere? I think I've seen two or three different cases of people publishing keys and doing some Superfish-like... was it McAfee, whose antivirus Chrome extension had all sorts of man-in-the-middle capabilities? I forget.

But be dynamic. That's the most important thing here, for us at least, and I'm sure for any of you guys that are using central logging. But how much data do you actually want to capture that you then actually have to go through? Does it make sense that we capture everything, or do we only capture some things if we think someone is actually exploited or, you know, infected? So what do we do? Do we log all requests? Do we always log the headers? Do we only log request headers, and only response headers, sometimes the content? Do I care what's being sent? If I log request headers, I risk the possibility of logging sensitive passwords. But maybe I want to do that, to detect that people are actually sending passwords to some phishing domain. And if I can detect that our passwords are being sent out somewhere else, then we can auto-lock and reset user systems. It's kind of like the Google Password Alert extension: they try to detect when your Google password is being used elsewhere. So it's kind of a cool thing to consider. It's a fun, interesting problem to think about. And if you talk to any incident responder, they'll be like, "I want all the data, give it to me." But it doesn't make sense, especially if you use something like Splunk; it's really [ __ ] expensive. So we have to play data games, and that's

why we go with things like being able to push dynamic custom configs to people's systems and say, "I want to see everything that Ethan's browsing today, all the content and the requests, because he bounced traffic through China yesterday," or something like that. Be dynamic. Don't log everything, especially because if your users end up seeing that you're logging everything, or get the word... and being the hipster people, a hipster company, we're fully transparent in what we're doing on the security side, and people talk. And we have, like, a hundred security experts in our company. The worst thing we did was make a public security channel in our Slack, because people will report a phishing domain or something, and then we have about ten analyses of it before I or our employees can actually get their analysis posted and something in place. We have all these people that think they know what they're doing, or they're aspiring to be a security professional, and they end up making us even more at risk. We saw some site once; it was like a proxy to GitHub. It looked just like GitHub, and people started, "Yeah, well, it logged me in and I was able to get to my GitHub," and I'm like, oh my god. All right, so it's the best and worst thing, because we can educate people through security, but people click links all the time. And then you think, "Oh, from the security standpoint, I'm going to just kill all the links in Slack, and it's just going to be text," and then you're going to get all these requests like, "You [ __ ] suck, I can't click a URL from Slack, I have to copy-paste, my life is horrible." We hear that stuff all the time. We'll create phishing plugins or things like that to help try to detect links that link to other places, or, you know, we do these math calculations to try to determine how phishy a link is, and we start doing things like that, and people are like, "I can't go to this page without it popping up a warning." What page are you going to, and should you be? People browse all the time, and they think, "Oh, but I browsed in my non-Nuna Chrome profile, so I'm safe, right? The company's safe." Was it on your Nuna laptop? Yes. Are we safe? So yeah, lots of fun things to consider, especially when you're coming up with your new, unique solutions. So this has been one that we've been toying with. It's a hard problem. It's something that might be good in the end; we might just toss it out and decide this is way too dangerous and we don't want to be on the cover of every national news site because we're the new healthcare Superfish.

So, future: what can we do? Being a healthcare company, we have access to healthcare data, and we have requirements like no PHI, personal health information, should ever be on your laptop. That all goes back to the issue that people don't follow process very well, or people think they might be following the process but they forgot to, like, tunnel through that one box to get to the other environment, or they had something cached and they thought, "Oh yeah, this works, cool," and then you end up with a boatload of PHI on a local system. And then you're performing cleanup, or they have PHI on their system and you don't know about it, and then when that laptop gets stolen you don't report any health records being lost, because you weren't aware and the user didn't really know. So could we do some sort of agent-based local file system monitoring for sensitive data like Social Security numbers? And if we tag something like Social Security numbers, should we look for other things? One of the most important things when tackling a solution like this is truly understanding what it means to be PHI. Since I work in healthcare, it's a hard, hard problem, and this is what I'll talk about a lot, but it applies to every industry that you work in. What does it mean to be proprietary information, or what does it mean to be personally identifiable information? Like, what does this field actually mean? Because in this case it's just an ID, but in other cases it's a Social Security number. "Oh, I didn't know that, but I downloaded a whole list of that to my computer." So we're looking at things like this: how can we detect things locally on a system without sending them through a proxy, or having an agent that actually searches all of our documents in the cloud? In the end, I mean, the overall ideal goal would be that we could do that, but we're starting simple and we're going to move to more complex systems. That's the one nice thing about being in security at a company with a bunch of data scientists: I can pull them in and say, "Hey, let's tackle this problem," or, "What are your thoughts? How would we try to detect this type of information and be successful?" And they might tell me, "[ __ ] off, you can't do it. We can't even tell you what PHI is when we look at data half the time," because it's very complex. This last name with these three digits of the zip code, combined with this address, and all of a sudden it's PHI, and you're just like, "I did not know that." So it's one of the biggest problems, but to me it's one of the most fun things to research, this kind of stuff, and figure out unique solutions. Because if you ever could figure out how to do this, be it through a mathematical process, you know, something like Cylance is doing with antivirus, if you could figure out how to mathematically do this, it's going to be... and I'll jump to a couple of bullet points, but there it is, the next big thing.

[Inaudible audience question.] Yeah, oh no, so the only personal devices are users' mobile devices, which are used for things like two-factor and Slack communication, stuff like that, but actual work data can't leave our protected cloud infrastructure, and we actually do have things in place to prevent stuff like that from happening.

I talked about social engineering protections. We do a lot. We hired this PhD software guy; he's doing a lot of mathematical analysis and trying to figure out the problem of phishing. Because I come from a pen test background, a big red teamer: if I couldn't get into your network, I could find a user that would let me in. They would give me their password, and then maybe they'd reset the password and they would change it, and then I'd roll that password by one number and I'm back in. Or they think, "We use two-factor authentication, you can't get in." Yeah, like, who thinks with two-factor authentication you're protected a hundred percent? A little bit, right? You're protected from the fact that they might not be able to get in twice, but they're still getting in that first time if you're being a dumb user. And we have lots of dumb users. I'm not saying all of our users are dumb; a lot of them are, including ourselves. I remember designing a phishing exercise at our company and sending it out, and it got queued in our email server, and I was off, you know, squirrel moment, I'm off on another topic, and I got this email like, "Oh my god," and then I'm like, "[ __ ], that's my phishing. You know, don't click that." [ __ ], I almost did it. But yeah, I truly think agent-based solutions, at least for Nuna, and your companies, I'm sorry if it doesn't apply, but agent-based solutions are what we're doing. It's what works for us, especially as we're this new up-and-coming company. Yes, we have money, but we don't have beaucoup bucks like a Facebook or something like that. We can't convince people. We're never going to have on-prem, because it doesn't make sense; we'd rather focus on our product and evolving than trying to maintain and run our own things ourselves. And we're adopting these new things like DevOps in all of our practice, so my VPN server is only up when I need it. It might be redeployed every week, it might be redeployed every night. So if you do actually own one of

our systems you better get the data fast kind of deal we get to do things like that because we're this hipster cool company but we're doing mainly because we're using cloud solutions and we're upon these concepts but these traditional things don't work for us and we're investigating all these cool agent based solutions which are awesome scary and fun I guess you know the research is great but it brings up questions like we had earlier are you using the same cert on every box how are you solving this problem it's things like that and a lot of testing that brings these open to us and not leave our company with this huge goal or this huge gap yes all i really

had today is anyone have questions about anything
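The agent-based local scan for Social Security numbers and the "is this field an ID or an SSN" problem raised in the talk, as an added example that is not the speaker's or Nuna's code: it walks a directory, applies the structural SSN rules to cut obvious false positives, and labels bare nine-digit values as unconfirmed rather than treating every match as PHI. File names and contents are constructed.

```python
# Added example, not the speaker's or Nuna's code: a minimal agent-style scan of a local
# directory for SSN-like values, the "start simple" version of the local monitoring above.
import re
import tempfile
from pathlib import Path

# Candidate: 3-2-4 digits with optional '-' or ' ' separators, not inside a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Structural SSN rules: area never 000, 666 or 900-999; group never 00; serial never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssn_candidates(text, context=16):
    """Return (value, label) pairs: 'likely' when the value is hyphenated or nearby text says SSN,
    otherwise 'unconfirmed', because a bare nine-digit number may just be an ID field."""
    hits = []
    for m in SSN_RE.finditer(text):
        if not plausible_ssn(*m.groups()):
            continue
        window = text[max(0, m.start() - context):m.end() + context].lower()
        confident = "-" in m.group(0) or "ssn" in window or "social security" in window
        hits.append((m.group(0), "likely" if confident else "unconfirmed"))
    return hits


def scan_directory(root, suffixes=(".csv", ".txt", ".json")):
    """Walk root and report files containing candidates, keyed by path relative to root."""
    findings = {}
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:  # unreadable file: skip it rather than crash the agent
            continue
        hits = find_ssn_candidates(text)
        if hits:
            findings[str(path.relative_to(base))] = hits
    return findings


def demo():
    """Constructed sample files (not real data): true positive, bare ID, invalid values, skipped type."""
    samples = {
        "export.csv": "name,ssn\nJane Roe,123-45-6789\n",      # hyphenated and labelled -> likely
        "members.csv": "member_id,zip\n123456789,94105\n",      # bare nine digits -> unconfirmed
        "notes.txt": "ticket 000-12-3456 and 666-01-0001\n",    # structurally invalid -> no hit
        "build.log": "job 987-65-4321 finished\n",              # suffix not scanned
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body)
        return scan_directory(tmp)
```

The "unconfirmed" label is the point: a real agent would hand those to a human or to a richer classifier instead of alerting on every nine-digit identifier.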

Correct. Yeah, so we've actually thought, and it's still in our pipeline, on whether we actually want to have this always-on VPN for safe browsing, at least a corporate network monitoring solution, and we could choose to do some on-prem really powerful VPN and then have some Bro IDS. It's something we haven't done yet, mainly because that's something else we have to maintain, but also it can affect user experience, and as fast as we throw systems up and create these new client environments we'd constantly be reconfiguring that VPN as well, because we'd be forcing people to VPN from their home to our corporate office and then VPNing to another cloud somewhere else where the, you know, personal health data lived, or something like that. It's a lot of in-the-air cards, cards moving around, that we're not really sure how it's going to play out, as part of being the new hipster company and being very dynamic. But also we're totally cloud based, at least all of our production infrastructure, so we'd get monitoring into browsing if we did something like that to our home base VPN, but then we have a bunch of different unique environments that we have to connect to based on our roles, where once again we're in the AWS problem where we can't tap network traffic. So it becomes like a chicken-and-egg type deal: we solve it here, but then once we actually go do real work we can't get that information. But maybe we put a process like you only connect to this VPN when you're accessing the PHI or this kind of data, and every other time you should be just connected to the network. But then it's one of those things that we can't kick people off the VPN if they're logged on too long; it just cuts the workflow. Or they might be deploying a system, and it's the thing that, oh, I forgot I was going to the VPN, so you couldn't monitor everything, and that's when I got pwned, or that's when I clicked that link, or got owned. We've had people actually browse to some site and it's one of those, your computer is infected, call us to help you, deal. But yeah, that's why we haven't gone that always-on VPN forced route all the time.

In the back, yeah. I love hardware tokens, I use them, we have them. So at Nuna we've deployed hardware tokens if your device doesn't meet our Duo policies. So we have these strict 2FA policies, or semi-strict Duo policies I should say, I wish they were stricter, but because of our users and because everyone's so cool and rad, and the end users, they understand that not encrypting their hard drive is a bad, I'm excusing, a good thing, or whatever they think. But yeah, so we're deploying YubiKeys on certain things. Some devices you actually have to have a YubiKey hardware token to actually authenticate; you can't use any other 2FA. But also we do things like if your device doesn't meet our Duo mobile policy then you can't use Duo Push technology or passcodes; you have to use the YubiKey, which people think, oh great, I don't have to worry about it, but then you think, oh [ __ ], I don't have Slack on my phone anymore, or I don't have, you know... they forget the fact that they can't put a YubiKey in their phone to authenticate to stuff on their network. So we've basically solved the BYOD problem for us that way, in the fact that they can't get email, they can't get Slack, they can't get other things without actually having a, you know, decently secure phone, or what we think is decently secure.

In the back, yeah. So we have ideas on how we would do that, and once again we haven't deployed this across our corporation, so it's not something that we have to have in place yet, but there have been some good talks on how you might do things like that. We do run things like osquery all the time, so we know changes. OSXCollector is one that gives us a lot of data on our Mac systems, especially at times where we think, why are you hitting this botnet traffic, or we've seen botnet traffic, is it because you're browsing to a site that has a bunch of malicious ads that are loaded, or do you truly have something on your machine? But we're toying with how to connect systems like your osquery, OSXCollector and our configuration management system to actually do these: I think we might have had a key go out, let's collect some information automatically and have it there, ready for investigators, so that they don't have to then go do all that. Things we do have: rapid alerting. We use want heavily, so all of our data is going into the central location. We have really awesome alerts that automatically generate tickets, and if you're interested in more stuff that we're doing, Ethan talks tomorrow on kind of that kind of thing and how we're actually doing some stuff to protect our users, and actually trying to rate our users at who's the riskiest person in our corporation at being phished, and maybe we monitor them more than others. But yeah, we're setting up these automated pipelines that if we detect things, you know, if you meet a certain threshold that we saw these kinds of requests and traffic from your computer, that we automatically run these collection agents and then send it back. Our IR team's built visualizers around that data so we don't have to go parse JSON logs manually; we can just instantly load it up in one of our viewers and see it.

Question here? Yeah. So the question was how would you, or how are we, looking at other standards like PCI, for example, and are we ready for that? Luckily as a company we don't have to worry about being PCI compliant. We're truly HIPAA; our biggest concern is the various compliance factors that go along with being a healthcare company, so these things that we're doing are truly focused around PHI, but a lot of the things we're doing would solve PCI issues as well. I can see those fitting; you'd basically be changing rule sets that we write in order to meet PCI, and most likely when we actually release something like this that we are using, we'd have rule sets for other things like PCI as well, because it's kind of, instead, we would want to see that as well, especially if we have corporate credit cards; we don't want that information running around our different systems. And we're mainly looking for, yes, a gate against stupid users and what kind of data they're using. And I just say stupid users; they're not stupid, they're probably some of the brightest people in the world, but they're just not very security savvy, I should say. They don't know that what they're doing is causing problems for us as a company. Other questions? In the back, yeah.

You're right, Gmail might be worse, and I've actually seen, like, proof-of-concept code that was using Gmail as the C&C, you know, command and control. So yeah, it might not be the best thing that we do to say let's not monitor Gmail. So this was just an example; this isn't actually what we're doing. So I just say if you want to look at Gmail you can. Sometimes as a company, like when I worked at Lockheed Martin, I couldn't get to Gmail, it was just blocked; if I wanted to do personal email I had to do it on my own system. So how you want to tackle that at your company... this is just an example of how you could do it. Obviously if there were more, there's more banks than Bank of America, so our ignore list would be a lot longer than this, but you can also tackle this other ways as well. But yeah, Gmail, I definitely tell the users if you want to do personal browsing, you're going to be watched, so if you want to send personal email do it on your own machine, because there's proof of concepts out there, and I don't know how many advanced threats are actually using things like Gmail, but yeah, it's something that we have to look at, because they use Reddit a lot too, or, you know, Twitter and the rest of the world. Any other questions?

So right now we're not focused with agents on the phone, because none of our actual company data is allowed on phones. The only thing they can actually have on phones are, like, Slack communications or email, and at any point we can expire your email session and the email gets automatically wiped, and then Slack communication, our traffic's not logged, excuse me, stored for more than a certain number of days. So it's something that, based on our policies, we're not allowed to send files with our PHI data over Slack or anything like that, so it's something our team monitors a lot to make sure that nothing's doing that. We have a policy that there's only a certain number of private channels that are allowed that actually exist, but we're a truly transparent company, so I find a lot of bad things in our engineering and our products basically by joining the engineering channels of Slack, and I find all these things like, oh, I can go here and get this, that's bad, and then I give them more work because they have to go fix it. But yeah, transparency is a good thing. But yeah, we don't tackle the mobile problem, mainly because we don't allow much on our mobile devices, but we do have a certain number; if we were to tackle that we'd then probably offer corporate devices that we can truly manage. But with anything, like, I remember when I worked at Lockheed I could use my personal device if I agreed that they had access to the entire system and at any time they could wipe anything or log anything, and a lot of users probably won't do that, especially this day and age. They freaked out when we told them what versions of iOS and Android they were running, so I think they would really freak out if we were having them install apps that were doing monitoring on their devices. Also, any other question? You in the back, yes.

Scaling is definitely a problem, especially in how lax some of our processes are, like godland policies. One of the things that we're looking at is a whitelist approach to browsing, as an example. It becomes a problem really fast if not done correctly, and that's something that Ethan here has been working on, especially because one of the biggest risks is interrupting workflow, or if you're in a big sales presentation and you're trying to get to a website to make your demo and it's not on the whitelist and then you're blocked, that's a really, really bad thing. This is kind of the same, where the ignore list could be a problem, continue to grow. That's why something like this, we don't put it in as fast as we move as a company; we put a lot of thought into how this would adversely affect our population before doing it. And since we do do distributed data and things like that, we're very familiar with scale, at least our DevOps. That's one reason security works so closely with DevOps, so we can do things better, faster and at scale. So, yeah, this would be something that would have to reach back or be pushed out continuously with our configuration management, or our Chef systems, in order to stay up to date, and it would have to be constantly reviewed to think, are there any known threats using these sites? Like, if Bank of America had this cool chat feature all of a sudden one day, right, we'd have to rethink whether we would monitor Bank of America or not. It's something that any of these solutions that have any sort of ignore list, it can be really hard to maintain. That's part of the reason we're still trying things out, trying to get a feel for it, and, I guess, feel and guidance from our privacy group on what we should be doing.

Yep, yeah, notes on this as well. It's one of these problems that I think constantly troubles me, and it's fun to research and figure out, because how can we create a truly dynamic whitelist, if we're looking at the whitelist approach? How can we effectively whitelist things, especially if the whitelist is contained at an agent level, and how does it continuously update, I guess, autonomously, without leaving us, you know, exposed? Because we don't want, I don't want to hire someone to go handle whitelist requests all day long. They're much, much more valuable doing other things, like monitoring. Any other questions? Cool. Well, thank you guys for coming out. If you have any questions

I'll be around. OK, so thanks to Will again. Want to thank our sponsors, most especially Fitbit. We've got another track coming up in about six minutes, so stick around.

You brought up Tenable and some of the other ones; they would be, they would be competitors. Oh really? It's so not, so we should walk, because the issues they're dealing with, is my sandboxing technology or forensics or analytics tool, like any one of them, if you're still dealing with ghost Lursa false positives, that is a fact, and that's our sweet spot, and that's where we kicked their ass, and we mitigated in less than seven seconds. There's no vendor economy us today, and we did a proof of concept of Carbon Black and we destroyed it. We just, we just found so many ways around. We were just in a think-tank meeting with those guys; their VP of sales is, you guys are eating our lunch. This is the VP of sales, per probe it, nine four Expos. We definitely needed, ha ha, no, definitely, because we did Carbon Black. I was really excited, in the process like recording all of that, but yeah, we found so many ways around their blacklist, and easy stuff like encoding something four times got past, you know, their detection. I'll show you something like interpreter shells getting past Carbon Black out of the box, which is how you made fun of a volunteer, actually, right here. Have your return.