
Can everybody hear me okay? Do the whole job open thing, you know, you might come up with this, you guys watch the podcast. Okay, we'll go ahead and get started. So thank you to the sponsors. My favorite sponsor up here is probably No Starch Press, so if Bill ever watches this, thank you for all the quality content; those books are awesome. I've probably spent a lot over there, and my wife just appreciates that.

So, getting started. This talk is called "Building a Culture of Security: How to Utilize Guilds When Resources Are Nil," and notice I highlighted "cult," because basically this is going to teach you how to build a cult. This is my informal title for my talk; every talk that I do, I add an informal title. I'm going to take this information and teach you how to build your own culture in your organization.

If you don't know me, I'm a cybersecurity engineer for CARFAX. I do have quite a few hobbies, so if I'm not doing security research or working, I'm probably living in the gym doing weights, or probably in the gym doing jiu-jitsu. If I'm not doing that, I'm spending time with my family. I also do a little bit of research; right now it's been really focused on reconnaissance research. I also serve part time with the Missouri Air National Guard, where I also do cybersecurity, but it's more on the information assurance side, policy and paperwork, because I truly don't like myself. That's for all you GRC people out there.

For those of you who expected a technical talk, this is not a technical talk. This is more focused on people and less on tech. Also, this kind of falls in line with Aaron Scaling; he has a really good talk on how we're doing it wrong, so I highly recommend you talk to him, because this correlates with it and kind of helps solve some of the issues that he presents. But for those of you that need that tech hit, I got something for you. So this is Shodan. This is a water tank found here in the city of Kansas City. I'm not going to tell you which one it is, but that's an ICS system connected to the internet. You may want to notify the person or team that owns it, because that probably shouldn't be there.

So let's go ahead and set the scene. From the description you guys probably read, you might have a small team with limited resources and budget. You may have a limited number of assets or people to cover on your security team. Also, as security folks, we don't know everything; we might be specialized in either development security, penetration testing, incident response, or administration. And then there's the so-called talent shortage. They keep saying we have a talent shortage in infosec, whether you agree with it or not. But these are the resources, this is the kind of scene that maybe a lot of you are dealing with. I know I dealt with it in my job; maybe you guys deal with it as well.

So exactly what do you do about that? Well, you could be like Ron Swanson and just give up on humanity, go and throw your computer away, and move out to the middle of nowhere. Or you can be like every other cybersecurity analyst or engineer saying, "Hey, I'm going to quit cybersecurity, I'm going to go start my regenerative farm and just live off the grid." I don't know why it seems like everybody wants to just be a farmer after this job, and I'm not blaming them; I want to do the same thing. But you could also scale your security team and your knowledge using the guild.

You're probably thinking, what in the FF is a guild? Well, the WTFF, first of all, came from my daughter. She said, "Hey Dad, you know what WTF means?" I'm like, oh my god, I hope nobody taught her that. She said, "Yeah, it's 'what the french fry.'" I'm like, okay, good. Context. Anyways, a guild is not the guild from the games we all probably played back in the day. I never played that one; I was more of a RuneScape guy myself, part of the Legends' Guild. If you guys play RuneScape... all right, three nerds, four nerds in here, great, awesome. But in real life that's kind of what it is: it's like an inclusive group where you have to have a certain set of skills, knowledge, whatever it is, to be a part of that.

So what does it mean for infosec and technology? A guild was actually coined by Spotify. It's an agile concept that can spread knowledge, information, best practices, and code, and the main purpose of it was Spotify's growth. They had massive growth when they started; I think they went from like 20 employees to 350 within a year's time span. And so they said, we need to scale this growth with people, we need to have some coverage. So what they did was utilize a guild concept to address that massive spike of growth. In the context of security, we're going to call a guild member a security champion. Now, it's not what you think: it's not a hacker in a hoodie holding a trophy, but really somebody who has that knowledge of the tools and the code and the best practices that you train them on. So the security champion can be one or two or multiple people from one team or one product that you can take and train, give them the proper skills and tooling and what have you, to bring them up to that level-one security spot.

This is a graphic of what Spotify did. Again, they call them tribes, and whatever word you want to use, you can use whatever one, but they took four people from each tribe and made them part of whatever guild. It could be architecture, it could be cloud, it could be security, it could be the food services guild, whatever they wanted to develop. That's how they did it.

So how did I structure our guild at CARFAX? Well, we have over 16 development teams. We have a whole infrastructure team, and they have sub-teams, so we have everything from automation to the Windows team to the Linux team. You also have administration, so general departments like finance, HR, and legal. What I did on the development side was take one or two developers who had an interest in security; I just asked the entire audience, "Who's interested in security?" So I went ahead and broke them down, and then I talked to some managers about who are some more security-oriented people, as in getting security stuff done, and I made them a part of the security guild. On the infrastructure team, they actually embraced this idea, because they wanted their people involved in that security guild, so we have a whole host of infrastructure people in our guild right now. And then we took some people from the admin departments, such as finance and legal and HR, and kind of made them technical POCs, and we compiled a security guild.

So the very first step, once you have your guild organized, and this is how you build a cult, or the culture of security, is that you have to take extreme ownership. Before we get into that, I want to talk a little bit about the Colonial Pipeline breach. Do we all know about that? Everybody raise your hand if you know about it. Okay, some of you did raise your hand. So there's this group, DarkSide; I think they're nation-state actors. They compromised a user's credentials, and they were able to log into one of the Colonial Pipeline systems and deploy ransomware using those credentials. If you guys didn't watch the news, Colonial Pipeline actually paid out the ransom to get the encryption key. They didn't have proper backups or the other security controls in place. So not just that breach; there are going to be many more happening. There was one that happened in Iowa earlier in the week, and there's another one happening, so all this stuff's not going to slow down.

But the thing I want to focus on is: who was at fault? Was it the users? Was it the developers? Was it networking? Did networking fail here? Or was it security? How many people work in security, just raise your hand? Okay, we got one, two. Well, I got news for you: we're all at fault. That's our fault. That's extreme ownership. We failed the company. Now, some of you could be thinking, "That's not the case, I don't work there," or "I advised them, I told them the right or wrong thing," but in order to take extreme ownership you have to accept the fault for those issues. So any security exploit, issue, or vulnerability is not their fault; it's our fault. It's usually a failure of education, access to tooling, anything that we can offer the organization. We're either not communicating right, or we're not training them on it, and we're also not holding people accountable. So that kind of falls into it.

With that, you have to implement some sort of decentralized command. It's really impossible for us to know everything, and that's where we lean on the people who are on the front lines. When I say front lines, I'll talk in a lot of military terms, but the people who are writing code, like developers who write code every day, they're going to know a better process to implement security scanning into a CI/CD pipeline than anybody else. I can talk a little bit of code here and there, but I'm not going to have that expertise. Back in 2015 I took a SANS class with John Strand, 504, one of the greatest classes I've ever taken, and he said people are the biggest liability, but they can be your greatest defense. So if you can utilize them to defend your organization through training and education, I think that's going to be the biggest defense and the biggest return on investment.

Alyssa Miller tweeted this on September 20th, so not too long ago, and this really stuck with me. For those who can't see it, I'm not going to read the whole tweet, but she's basically saying that users are not dumb, developers are not lazy, and executives are not inherently dismissive, and it's really on us that we can't influence that behavior to make infosec better and make our organization stronger. That just kind of stuck with me, and I really wanted to put this in and do the mic drop, because that's really a mic-drop tweet for me, and I've seen this in my organization using guilds.

So step two in building a cult, or culture, of security: you have to give them some sort of purpose. What do I mean by that? Well, if you're going to put the resources, the time, the money, the people into it, you're going to have to have a purpose for that guild. In order to do that, you're going to need top-down buy-in. When I was structuring our guild, I actually proposed this idea up to upper management and the executive suite. I said, this is going to be the purpose of it; this is going to help us augment security, and this is going to help us scale security through people. They said, okay, we'll go ahead and do it; go meet the directors and the managers and we'll see what we can do. So I got buy-in from the directors, the managers, and even the people down below on the front lines: the developers, the infrastructure people, and also the admins.

Then, from that, you have to go and organize. You can't go in just saying, "I'm going to start a guild, these one or two people are in, we're going to go ahead and do a cult." You have to put together some sort of document, some sort of charter, and you have to have predefined goals, such as the mission statement: what is the purpose, what are they called, what are they doing? I think the most important thing here is what benefits they will have. They have a lot of input on certain POCs; they can influence the security posture of the organization. So out of all those, describing the benefits to those members is probably going to be the key to organizing your own guild. And also have fun with it; give the group a name. We call ours, I'll show you here, we called ours FOXHOUND, because I'm a big Metal Gear nerd. I love Metal Gear Solid; it's one of my favorite games of all time. This is the special forces group (it's a video game, for those that don't know), but this is the special forces group in the military that Solid Snake was a part of, and so I wanted to call this FOXHOUND. I sent this logo and said, "Hey marketing, can you design me something that's similar to this?" They said, "Yeah, sure, we can go ahead and do that." It's pretty cool. It's a little less lethal than the knife hanging out of the mouth; they told me they couldn't do that, but really the look was pretty cool, and everybody liked it. So that's our security guild logo.

This is an example of the charter. We have all the information that I put in there: we have a mission statement, we have a purpose, we have exactly what a security champion is, what they do as far as triage, what their responsibilities are, our weekly meeting (we actually meet every two weeks and discuss certain topics depending on what's going on in the world at the time), some sort of central communication place, whether that be an email distribution list, a Slack channel, or some other centralized place where you can talk. And then, down here, you can see we have the benefits of being a security champion. This was, I think, key in selling it to people: they have input on what the organization looks like as far as security posture goes; they can bring in tools themselves, so they can go ahead and bring in a threat modeling tool that they like; and we also put them into our training pipeline, so if there are any conferences or trainings that come up, we'll go ahead and offer them to our security guild members.

So step three in building a cult, or culture, of security is training. One of the things that we did, and I've been told that I'm crazy for doing it, is I gave all of our security guild members access to security tooling. That goes from code scanning to vulnerability scanning to our SIEM, EDR platform, NDR platform, anything you can think of that we touch, a security guild member has access to. Now, they may have limited access, but they can do their job. We also train them on certain tools that we use, so we give specific training. For example, developers: we're using a code scanning tool, and we train them how to use it, we train them how to triage vulnerabilities, we train them how to analyze their reports. Same thing for infrastructure: we had a Nessus server that we allowed the infrastructure people to log in to and run scans on their own. And then in administration it was more like basic security training platforms, such as phishing; we allow them to see what phishing emails are coming in on a daily basis, which was really nice.

Then we developed a training plan. This is just an example of what we execute for our training plans, and they're different depending on the organization. So if you're a developer, you have a different training plan than operations does, than administration does. But if you notice one thing here, everybody's enrolled in one training plan across the board, and that's just because we want to cover authentication for everybody. That shouldn't be limited to one group or one organization; everybody should be trained on that. But these are focused on the different types of job duties an employee will run into, and also the tech stack. The developers, they run about four or five different tech stacks, but we also train them on some security vulnerabilities and what tools can help them achieve their goal.

So step four in building a culture of security is measurement, and metrics seem to be the most important thing of 2021. I think moving forward, even at the senior level, even at the management level, and even at the employee level, it seems like everybody wants to capture metrics. It's also a good way to measure how you're doing and whether what you're doing is effective. In order to capture those, what we use is vulnerability closures, we use code fixes, and we also use the training passes and failures within our phishing program. So if 85% of the organization is passing, that's a great score; if it's 10%, that's a terrible score, and we definitely don't want that. But also: are the security champions being proactive? Do they have knowledge they can share across the team? Just because they're a security champion doesn't mean the security knowledge stops with them; they have to propagate it across the organization or across the team. So if you're training somebody on Node vulnerabilities, you expect that entire team to know the basic level of vulnerabilities. Are they handling extra responsibility? That's kind of a hard sell sometimes, but a lot of the developers I train, a lot of the people I train, don't consider it extra responsibility; we want to push that security is everybody's responsibility. One of the things here is: is the code getting fixed quicker, or is it getting better? You can capture those from your static analysis tool, whatever one you use; you can capture those metrics. And then, on us: how can we give the developers or infrastructure better training, or anything else, to help them achieve their goals? How can we improve these metrics ourselves? Do they need more training on a certain language, or are they looking at GraphQL vulnerabilities?

Again, capture these metrics and report on them, because this is one of the metrics we captured from our static analysis tool. This was back in 2020-ish, maybe 2021, I can't remember which year, but we introduced the security guild around this point right here, at an all-time high for our code flaws. The blue bar represents code flaws, flaws per megabyte. As we introduced the guild, we gave the developers more access to the tool, and you can see the metrics: our code flaws started to go down even though our analyses stayed pretty stagnant for the most part. So we were able to scale some of that level-one triage and code fixes through the security guild on the development side, and it really did pay off for us, even though we started small and grew organically. It's definitely something that we saw a lot of payoff from.

This is near and dear to my heart. This is actually from one of the engineering teams, or operations teams. If you guys don't know, there was a critical VMware vulnerability released this week, and before I was able to notify the team, this was in my hands, and I was like, that's pretty awesome, thank you for going ahead and pushing forward with this. And again, this is on the infrastructure side; it's not limited to development. They were able to catch that and start our patch process with a change ticket and move forward on getting that patch. They beat me to it, which is pretty awesome. And again, I was slow too; this was another team that had servers with a pretty nasty remote code execution vulnerability, and as you can tell from my DMs, it was already fixed before I even caught it. They already had it patched and ready to go, and that's one of those proud dad moments; you get the Robert Redford meme, just shaking your head, yeah, that's a good job.

So let's go ahead and take another technical break for those who like the technical stuff. This is a remote code execution vulnerability on Confluence servers. I can't remember what version is vulnerable to it; I was going to put that in here, but I forgot. There is the PoC script; all you need is Python, and you can run that against your own Confluence server and see if you can execute any commands.

The next step in building your own cult, or culture, of security is togetherness, and this means doing things together and taking that extra step of building relationships with people, bottom up, top down, manager to employee. Get to know the people, get to know their interests: what are they working on, why is it important to them, what do they do outside of work for fun? It's nice to get to know what people do outside of work, and what's outside of your work friends. Then establish the cadence; that's super important when you build a security guild. I think meeting more frequently with shorter talks, like 30 to 45 minutes, is probably more beneficial than having a once-a-month or once-a-quarter meeting that's like two hours. So we do one every two weeks for about 30 to 45 minutes, and we also train the teams outside of guild meetings; one team might be using GraphQL, so we'll train them on the basic vulnerabilities there. We also send out a bunch of different security conferences, trainings, stuff that we'll be going to, through our centralized communication channel. That could be a Slack channel, a private channel, an email distribution list, or even a group text; we do have a group text where we keep the engagement up.

And then again, we don't know everything as security professionals. Is there a way we can automate some of the stuff that we're working on, or they're working on? We do have this in our security guild: we have one team that's really good at automation, and they're actually helping other teams push this across the organization, on how we can automate certain deployments based on the tech stack they're using. And then I've also had a few people propose security best practices to leadership. We're talking C-level suite leadership; they're able to do presentations on some of the stuff they're working on and how it helps the security department and the organization.

As with anything, there are drawbacks to this. The best thing here is that security is simple; it's definitely not easy. It's still going to be hard at the end of the day no matter what. This thing takes time. This was a two-year project that's still growing organically to be effective, so I had to put in the time of building relationships, selling it to management, implementing and starting a pilot, then growing to over 60 members. It takes a little bit of time, a little bit of effort. And then you're still fighting the business at the end of the day; we're all still fighting this business of security versus the business. So you may not get full participation, due to what the work demand is, because at the end of the day security doesn't make money; it's a cost center. But if we can make it a part of everybody's responsibility, I think we can actually help solve that. We also run into, with hiring new people and other people leaving, sometimes we teach some of the same techniques and tools, and so it can get boring. We try not to do that; we try to focus on outside training for that. And again, you may not have a good means of measuring performance yourself, just because I have some of these tools that I can show you, and you guys may not have that, or your resources are small. But just capture some sort of metric so you can measure what you're doing, whether that be closing out tickets, or emails, or messages that people are working on; that can be a metric as well.

These are some resources that I've used to start our security guild. There are about four different books I've read: Extreme Ownership by Jocko Willink and Leif Babin, The Dichotomy of Leadership by the same authors, The 7 Habits of Highly Effective People, and Meditations by Marcus Aurelius. If you guys want to check out what Spotify did as far as scaling their services using guilds, you can check out those two links as well. Go ahead and take some of this information, go ahead and make some Kool-Aid. Other than that, that's the end of the presentation. I went through that pretty quick, but I hope it's informative, and if you guys want to connect, those are all my socials. Thank you.