Into The Dragon's Den

Thank you for joining us. Here to present to us uh the title of the talk is I forgot. Here we go. Don't got you got you. It's into the dragon's den with Jacob Salassi and Mckll Fresh Fresh Skin. I'll hand it off to you guys. Hello everyone. Welcome. Uh thank you for coming to our talk about taking your SAS company into China. uh we know it's not something a lot of teams have experience doing. We didn't have any experience doing it when we started and so we wanted to share uh you know what little knowledge we have on this on this topic and we'll start talking about the risk that China introduced and then we'll talk about what we can do about

them and finally wrap it up with some high level best practices. Um yeah. All right. So, awesome intros, which we debated doing it all, but uh my name is Jacob. I spent the last five years working at a major SAS database company leading product security with my good friend Michaela here. Uh I'm no longer with the company. My opinions are my own. These scenarios are fictitious and representative. Uh what I like to do is solve problems with my friends. I'm actually not too picky about what kind it is. Security ones are fun because they're hard. And most importantly, I eat Taco Bell. I'm not ashamed. Uh even though Michaela for the entire course of our over 10 year

relationship has sought to make me ashamed of that. Yes, I'm Italian. That's what good friends do to other friends. So that's how it goes. Um I spent my last five years leading instant response detection and the right team, major SAS company. Also my opinions are my own. The scenarios are milary representative. Uh I like I like to solve security problems. I really like like crafts and creating tools. Cool. And then now moving on like just before I start do the talk some disclaimers, right? Um operating in any foreign country it presents like complex legal challenges. We're not lawyers. This is not legal advice. Um we're operating in America, right? So our opinions and assumptions are shaped by

it. Also, this is not a talk on how to defeat a nation state in like 45 minutes. is more about mental models like we found useful in our experience when operating in a potentially hostile region. Um yeah. Okay. Um so you know if you take a look outside every country, every world power is locked in a battle for sovereignty. And I guess like the timing of this talk is pretty good because you can see it's not one country, it's every country. They want to control their own destiny like you do. So I don't think it's necessarily bad. Like countries want to do that and each country has a unique set of strategies. So very topically,

the US is currently using tariffs to exert its will over global trade. Uh Russia, for example, exerts its will over Europe through the gas trade. And as you'll learn today, China also has a very comprehensive plan to dominate global trade and to be a sovereign nation. We're not here to make any claims that one's better than the other. We're not here to pass judgment. Really probably not a good idea to do that anyway. Uh it's important to realize they're all playing the same game and most of us are just pawns in in a much bigger uh scheme that's played out by our governments and and leadership. Uh so first why don't we talk about some

risks. So uh first culture culture matters right China is not the US we're not France you know culture is different everywhere. So something that businesses in the US struggle to understand is that they don't expect institutionalized corporate espionage espionage to happen. They're not thinking about that. In fact, they're not thinking very much at all. US companies are typically thinking one quarter at a time and our government is usually only thinking four years at a time. In contrast, China is thinking, planning and most importantly executing because the only thing that matters is execution tens and hundreds of years at a time. And so it matters because when it comes to global dominance, China has a strategic long-term plan and an entire

ecosystem that powers it. That's really difficult to achieve when you change plans every quarter or every four years. So these plans are infinitely patient. They're intentional and they can easily outperform democracies that are slow to reach consensus. So a big part of that plan uh is named made in China 2025. And I I would suggest don't think of it as a mere espionage program. That's not doing it nearly enough justice. It's an entire operating system uh designed to facilitate knowledge transfer. So espionage and spying as I mentioned before it's not unique to China. Uh but technology acquisition is a major part of the strategic plans that China has or rather the Chinese government has for

sovereignty. So, made in China lists 10 domestic industries uh in which China seeks to significantly reduce its reliance on foreign produced technology. Does that does that sound familiar? Like is another country trying to reduce its dependency on foreign produced technology right now? Interesting. Interesting. Uh and they want 70% of those components for these projects in China coming from China. So, we can see that it is targeted uh along with medicine, transportation, bunch of other ones. Could you raise your hand if you uh do not work in one of these sectors? Could you came to this talk then? Huh? Yeah. So, you know, you should assume that your industries are probably targeted because it's just it's like

right there. It's not a secret. It's a highly publicized plan, strategic plan. Um, so how does it work? Well, you know, like every good plan, you just have like four steps to profit. So it's uh introduce, understand, assimilate and renovate. Uh so you're going to be encouraged to enter the Chinese market. The Chinese government in that market is going to become a dependency for you. The Chinese businesses and the Chinese state will as a result become a major part of your supply chain. And then the state is going to use those dependencies as leverage uh potentially leverage to acquire your technologies, potentially leverage to influence your global decision-making. And like a real simple basic example of this is, and we've seen

this historically, demand to inspect your source code for security or strong suggestions that you adopt or remove certain controls. And you know, the motivation makes sense. Uh like we said before, China and nobody wants to be in a position where an enemy can cut off critical technology supplies. Um and so I just reflect one more time like it's good to have goals and it's good to have plans and it's good to have the ability to execute on them and the Chinese government has all of that. Um so we talked a little bit at high level what the strategies and goals are, right? But now let's talk about what does this look like in practice if

you're a foreign business in China, right? And for starters, the Chinese government will require you to form a joint ventures with Chinese companies before you get market assets. Um, these companies are called operating partners and we'll encounter them a few more times in this talk. Um, these companies are often ties with defense and security services and they are one of the many vectors by the used by the Chinese government to gain access to foreign proprietary information and technology. So now you pick your operating partner and then what happens? Uh well once you've done that uh then you you're potentially inside of China and you're providing multiple opportunities for the Chinese state and government to probe

and map your product infrastructure. So great uh and you can assume that any of the data or knowledge transferred is going to be exploited and that it won't just be exploited against what you have in China but it is more importantly going to be used to target your operations outside of China. And so congratulations like you've your your infrastructure is now targeted. And so I just want to reiterate one more time like it's bigger than you. Uh China wants to be to data what Saudi Arabia is to oil. Like just just watched a video two days ago about this statement. So it's like a huge massive investment. And so when you think about acquiring oil, we think

about you know governments and businesses being willing to use all the tools whatever they are uh as a weapon or as a you know enabler to doing so. And uh you know law is a weapon. So laws are interpreted to best suit the Chinese government's goals and interpretation is going to vary over time. That's probably like the number one the number one thing. And what that means is is that complying with frequently changing Chinese laws and remaining in compliance with US law makes you vulnerable to sanction. So a concrete example of this, the US cloud act and Chinese or rather China's data security law require you require data disclosure for law enforcement or intelligence when legally

requested and most importantly regardless of the data's geographical location. Oh, sounds okay. But article 36 of Chinese law states that business operators in China cannot provide foreign data to foreign law enforcement without Chinese government approval. So you're a US company. Who are you going to listen to? What are you going to do? Uh that's no longer like a trivial decision. And so I I really like this quote. It's it's you're this ambiguity is the point. so that you're supposed to be out of compliance and not so they can shut you down, but so that you can figure out the direction they want you to go without having to be told and then go in that direction. So, how many here

have worked in a regulated environment in the US or or elsewhere? Okay, we got a couple. So, and you know that interpreting regulations is squishy, right? Like it's how well you sell it, who your auditor is. But imagine a scenario like and that's like no one's too sad about that. You think about the win. But there's another scenario where your operating partners advising you on how to best meet Chinese regulations and you learn that it's really squishy. Uh for example, you might hear that um not everything you use for security has to be MLPS certified and that you can get away with, you know, most of them being that way, right? Like I think the

question is is would you take the same chance with a regulator in the US as you would in in China and and what I would say is uh you probably wouldn't because there's a whole system that's designed to put you into that position. Uh so it's not about fines, it's about coercion. In the US you can pay money and move on with your life. In other countries it's a window for coercion. What I'll also say is geopolitics is a weapon and timing is everything and like it's a bad time and it's been a bad time uh when you think about USChina relations are really not in a great state. Uh McKay. Yeah. And probably not a surprise

people and companies are also weapons, right? So every individual is susceptible to being co-opted. I think individuals with ties to mainland China are more vulnerable to this. Chinese law demands that every citizen to support party and security agencies wherever they are and whenever they are requested. And if you're just thinking IP theft is not just that, it can also manifest in more subtle ways like interference in company strategies or decision making. Um, and businesses are not an exception really. The Chinese national cyber security law states like the Ministry of Security can compel technologies companies to assist in intelligence operations and the national intelligence law requires that they keep it a secret. So, you know, hearing all this,

you're probably thinking like, uh gosh, entering China might be a bad idea. And like if you had done a lot of this research and like you were doing this because someone paid you to do it, you might have already told people in your company that it's not a great idea. You might have invited the FBI to present all the exact same data and tell you it might not be a good idea. In fact, you might have talked to lots of people and heard zero of them tell you it's a good idea to go into China. Maybe no matter what, you're going to hear some of these objections from those business leaders and they're going to say things like uh

company X is already there and and nothing bad happened to them or or these things don't happen in the US or I've never heard of it happening except like well AWS and Aloud like you couldn't really point directly but you might think that Alleloud was a consequence of AWS. Um, so you know the bad news is is you're probably not Amazon, Microsoft or Apple. Like you haven't had years to build up regulatory influence, lobby, you don't have lobbyists, you don't have any geopolitical influence. And most importantly, you do not have gazillions of ad dollars. And even if you are one of these players with all your lobbyists and gazillions of ad dollars, you're not going to be immune. Right? We talked

about source code earlier. Microsoft was, you know, famously compelled to share source code with China. And, you know, our good friends at Tesla recently learned a valuable lesson about operating in China. Uh, and that is that, you know, just as FSD launched, now there's a big crackdown. Interesting how the regulations changed to penalize a business because that is probably geopolitically strategic. Well, they're going to learn. So, what I'll say is the decisions already made, right? Uh most likely there's already been some calculation about the business opportunity in China and if you're a security professional like get with business opportunity. It doesn't really matter about your feelings. You need to think in terms of business. So there's

an opportunity there. And so rather than fighting the business, you need to be thinking about what it's going to take to make it happen. And what you should focus on if you did want to have this conversation is the actual risk. In other words, what is the opportunity cost versus what is it going to cost us to build all of this mitigating infrastructure? And so, if you're going to make less money, you know, uh, trying to defend China than you would otherwise, that's maybe a conversation you can have with the business. But like your feelings, your subjective feelings about how bad this might be is not a conversation anyone is going to care about. Wow. Well, uh I guess depending

on who you are, you might feel a little defeated and you might be asking this question of like what what can we do? And you know, by everything that you know right now, the obvious solution is to to just lay down and die. Would you agree with that? Well, you know, maybe, but but hear me out. Uh maybe not. Uh maybe we can say, well, there's a set of things we don't control and we're never going to be able to change no matter how much money or resources we pour into it. And maybe we can know the things we can change and maybe we can have a plan, right? So let's focus on, you know, some

classic problem solving. Let's go through the things first that we won't be able to change, things we need to come to acceptance on. So your operating partners are going to be there. They're going to have elevated access to your systems. They're going to be used for coercion and that's going to be independent of which one you choose like uh you know dcc viet whoever that doesn't matter doesn't matter uh one's not better than the other. The second thing is is that the Chinese government is going to have data access. They're going to make very sure all data residing in China is accessible by the government. So accept it and say that threats will be a fact of life. Uh we

see people and companies are key components of the Chinese government strategy. Um and then few more things you cannot change about you heard about the great firewall. You probably know it can block or modify any traffic passing through it. Uh as it turns out they can also mix network assets unreliable and laggy. And we also already mentioned laws in geopolitics right we cannot change them just got to get used to get constantly put off balance. And the other thing you can't escape is being probed and mapped while you're operating in China. Those operations again are going to be targeted for knowledge of global operations. Uh they're going to be targeted to tunnel into global operations. Your decision-m is going to

be influenced. And I think like a simple metaphor if you've seen the movie is like you're going to be the star of your own Truman show. Okay. So that's sad. All that stuff we can't change. We can see the area of sadness. You know, only sadness there. Uh so then let's think about things that could make us happy. What what can we change? Um and it's not just four, but these are the four we're going to tell you about. Uh and the four we thought were representative. So it's it's your architecture, it's your operations, it's your insider risk, and it's travel planning. And what we'll start with is architecture. So we found it useful uh

to think of entering China like a mission to a remote icy planet that is uh hostile toward life as we know it. Uh, and when you think about a mission to a planet like that, you think about bringing everything you need for survival with you. You think about first targeting a planet with resources that can sustain you that's worth exploring. So that's like that riskreward benefit. But you also are going to need to work out like safe and reliable ways to communicate and get supplies. You're probably not going to be able to escape that. But most importantly, if your planet dies and you die with it, the impacts won't really be felt outside. Uh, this is a version of sovereignty in

that like you are the master of your own destiny. You can go to Mars and die and the world will live on without you. Earth will live on without you. Um so like what does it mean? Uh well first it means like I said you need to bring most if not all of your dependencies first and third party with you. So let's start with the first party dependencies right we want to have first minimal dependencies on our global architecture. And some key areas I want to highlight here, you know, that stood out to me were things like metadata stores, data pipelines, SAS services, and API integrations. Like it's not maybe the things you necessarily think of, but

your product is more than a monolith. There's a lot of dependencies in your product. So I think the first thing is to understand the key dependencies in products. And a lot of products have things like metadata stores and data pipelines. And a lot of times those are going to be heavily tied to all of your operations. And why are we focusing on these is because you're not going to reuse any of those services or accounts in China. You're going to need to come up with a plan to bring those with you. Uh another first party concern is data residency and isolation. Like you're not going to be sending Chinese data back to global infrastructure. Uh and you're not going

to be sending global data into Chinese infrastructure. Uh and what you know, so Chinese data needs to stay in China and global data needs to stay out of China. I think that's like the main thing. And so, you know, a way to think about that is you might need a plan for regional encryption. I think like physical isolation is great. We can have a deployment over here and permissions, but coupling that with cryptographic isolation is is even better. So, ideally, you're going to physically and cryptographically isolate global and China operations. And I think it's important because we're going to say the word global operations a lot, but it actually makes me cringe a little bit

because you really can't think of it as just like global and China. It's you need to be thinking about like sovereign regional operations and every region needs to be as hardened as your China region and they all need to be resilient against total compromise and maybe that sounds pie in the sky but like that's the game you're in now so get with it. Uh another way that another important thing is to think about segmenting identity uh thinking about regional IM like your identities are not going to work across regions and you're just going to have to figure out how to operate your service in those conditions because again we do not want to create an opportunity to pivot from one region

to another. So what it kind of means is you need a real plan for zero trust uh not just for for China uh but more importantly for everywhere else. So like all those ZT projects that you never prioritized all the tech debt that like oh we could never do this well figure it out that's going to have to get done now. Um so you need fully segmented architectural primitives. Let's talk a little bit about uh thirdparty dependencies. You don't want to forget about your SAS services, GitHub, Whiz, Jura. These are not Chinese companies. Uh, and accessing them means you're going to traverse the great firewall, which means you're not doing that. That's a non-starter. You're going to

have to find alternatives like Gee, Prismacloud, and Zentau, and you're going to have to figure all that out. You're definitely not going to use the same AWS accounts and organizations there. And I think it's really critical that you don't forget about IT systems like HR, sales, and billing. So, Salesforce is offered in China. uh workday maybe not. Are you going to use the same accounts? No. Like and you might even have to use a different contract. You want to be maximally leveraging whatever segmentation you can have in those SAS platforms that you're using. And so for AWS, it's typically accounts. Orgs would be better. Um and you're going to have to figure that out for the rest of the platforms uh that

are out there. Um I think what's also important is that you know again there's a risk of thinking that the threats only come from China or that the threats are going to come out of China or something like that. Attacks are going to come from anywhere. If you remember we told you like all of your operations are being probed and everything about you is being understood and it wouldn't make sense to do something very obvious like attack you in China to get somewhere else. So you really need to think about like everything can be targeted at any time and so any point that can lead to a total compromise of your global infrastructure. That is going to be a

huge problem. Like that is not a possibility you're going to want to entertain. Um all right let's move on to the next slide. Oh we're good on time. Wonderful. So you might be thinking uh no problem. I'll just fully air gap every region. Uh I thought that initially uh and in fact I kind of just told you to do that but this exposes in reality like another dangerous fallacy. You probably can't fully airgap. Um my experience showed that the cracks in this appear in telemetry and then billing data. So if you have like a SAS that you monetize like billing is probably going to happen in one place or a few places and the billing data is probably going to want

to like make sense. You got to get paid. Uh so then you're gonna have to figure some of these things out because maybe it's impossible like maybe the architecture is such that the lift to you know thinking about timeline and effort maybe it's impossible to change because of the way the architecture works. And so what it means is that some of these interfaces are going to get exposed. Um but what you need is in addition to these isolation primitives you need a robust way to inventory exceptions, minimize them and secure them. And it's not necessarily a bad thing. Yes and no. But what is good about exceptions in some ways is that they provide you concentration points uh

where you're going to develop focus detections. Like the number of things that you know that you definitely need focus detections are is known a priority. Um so an example right is everything segmented but these four data streams. So now we know the four places we want to monitor the most. Um, so maybe I'll just close this slide by saying, you know, like countries want sovereignty, your deployments and your regions want it too. And I encourage you to to to give the people what they want. Have have a concept of sovereign deployments that are separate from each other with a known blast radius that's okay with you. All right, let's talk a little bit about operations. That's architecture.

So, we don't want to have like artisal rocket launches like we do here in America. In fact, this whole thing is kind of playing out now between NASA and SpaceX. Like you got this idea of like hundreds of humans involved. Um, you know, most services you depend on today depend on a human pushing buttons, putting artifacts somewhere, configuring and twiddling knobs for a customer. But what's important to understand here is everything you do is knowledge required to operate your service. And you kind of want to keep that to yourself because even if your IP is lost, the reality in most situations is even if you had all my IP like you couldn't operate it because you don't know enough about how

it works to meaningfully do anything. So actually operations need to be thought of maybe more more than a lot of things as a trade secret when you when you enter a country like China. And so that means you got to shift your thinking to fully autonomous deep space missions that are resilient to human interference like active human interference. And so I I don't know how many people have seen Space Odyssey. Like I'm a elder millennial. A lot of my jokes miss, but Howal 9000 was an AI that flew a ship. And how 9000 killed the occupants of the ship. And what's important is he didn't need anybody to tell him what to do. He didn't listen when the operators tried

to countermand his orders. And he took drastic measures to make sure that his mission was a success. And so I would encourage everyone here to be more like Hal uh and less like NASA. You got it. uh deploying your service or your product should be fully automated like ideally no direct interactions. Uh and so of course that automation is a way that you limit the operational knowledge that's required and the amount of knowledge transfer which can possibly occur whenever you're working with a operating partner. Um, it also has a concentrating effect in the sense that if it's fully automated, that means I don't expect you to manually access anything. And if you did, that would be

like a blinking red light versus uh maybe a model many of you participate in, which is lots of people are involved in a deploy. And manual access is a regular thing. And it's super hard for you now to figure out which of those manual accesses was the bad kind. So obviously automating it gives you the opportunity to really focus on those things. And so maybe like a starting pattern here is you think about like a storage dead drop in China where I just place deployment artifacts and automation picks that up, rolls it out, uh, and and takes care of all those things. Um, it gets pretty deep though. You know, there's a lot of ways

deployments can fail. Uh, and you're going to need a plan and you're going to need to practice that plan uh, for all of those scenarios. And again, this is to avoid having to uh transfer knowledge under duress like oops, we didn't plan for this type of operational failure during deployment and now we have to get on the phone with the operating partner and explain everything to them. Like that would be a version of a failure. However, um if your service does fail in China, like you got to be able to recover it somehow, right? Like well, okay, so debugging in production happens. uh what I would say is your posture for touching production needs to be indirect

and non-interactive. And so in other words, like don't touch it at all. So you want to think about like a predefined set of domain scenarios in a menu. Like you can't order sushi downstairs. You can just get coffee, popcorn, hot dogs, things you should eat in a movie theater that don't smell bad. So you can't like make that error. So it's bad to like let me SSH in and and get what I need. Like extending the food metaphor. It's like a personal chef cooking for your family. Like what if they make a mistake? What if a malicious actor becomes that chef? Like you're very sick or very dead. So better than that uh might be to like gate and peer

review. All of the actions and scripts run on a host. So like, okay, we're going to do a runbook and then we're going to run this runbook. That sounds pretty good. But thinking about some of the things we talk about like what if peer reviews subverted by an insider? How many people remember the XZ supply chain attack? Okay, I'm going assume all your hands went up real fast. Uh, and that is where numerous coordinated actors harassed and coerced a package maintainer so they could slip a back door in. So like think big brain. Uh, you know what if somebody makes a mistake there either on accident or on purpose. So the best is to think about

gathering a predefined set of data from a specific kind of host for a specific kind of scenario. And so like core dumps is something that has been a feature of my life. Like you don't need a SSHN to fetch your core dumps. Like you can detect a core has been dumped. you can bring that core off to intermediate storage and you can provide an isolated environment to interact with that core. Uh and that also gives you a known blast radius where you can focus detections and have high fidelity logging. Okay. Um let's talk a little bit about secrets and credentials. I think a lot of people think about like scanning for secrets. Um you want to

make sure they don't end up in code. Uh and you want to try to find them quickly when they do leak. So I think what's important is to live in a reality where you leak secrets and you live in a reality where they're going to be leaked in source code and you live in a reality where they're going to be stolen and used by thread actors routinely. And so thinking about secret scanning as a primary defense I think is a flawed approach. Uh it's like playing where's Waldo when you just have like seconds to respond to a leak. So I don't want to be searching every single file in data store under duress to find some secret.

I don't want to find that one. You know it needs to be rotated. There's a bunch of other ones and I don't know where those are. So, it's not that you should stop scanning, but it's that you need to have an inventory and a rotation capability for every single secret. And what you need to be tracking is the number of secrets which do not exist in inventory or are in inventory and do not have a rotation automated rotation. And you really need to eliminate those. I think a lot of people would say, oh, let's let's get most of them done. I I I would encourage you to live in a world where like all of them have to be done

because there are going to be stolen frequently and all the time. So, you need to be living in a world where that is not a problem for you. Um, so we talked about architecture, we talked about operations, secrets management. Uh, I'm tired of hearing from me. So, let's hear from Michaela a little bit on insider risks. Okay. Um, I'm sure this won't come a surprise to anyone, right? We have to talk about anyway. Um, just to get started, like how many of you already have an insider thread program? If you can raise your hand. Awesome. Okay. Okay. Cool. At least what I'm gonna And this what I'm going to say is not going to be

completely useless. Um, so obviously I'm not going to try to attempt to explain how to build a program in five minutes, right? I'm instead going to share some thoughts based on my experience, right? On things that you might find useful if you're going to start your own inside threat program, right? And the first piece of advice that I have for you is that the idea that borrowing resources from the existing threat detection instant response team to bootstrap the program is a recipe for disaster, right? For a variety of reasons and I'm going to give you a couple, right? the complexity and potential volume of cases when you start looking inside for insiders can quickly overwhelm your

existing resources, right? And likely end up disrupting your day-to-day operations for those teams. Um, on top of that, at the beginning, you're also trying to navigate this intricate landscape of privacy regulations to understand what you can and what you can't do. um if you are by any chance like a multinational organization that is compounded by all the different legal frameworks that you for for each country right so all to say um really get a dedicated staff right um you need to build new capabilities you need to acquire and deploy new tools you need to establish processes and playbooks right and really let me stress this thing right the moment that you start looking you're going to find things and you're

not not ne necessarily going to find the things that you were looking for right but you're going to find them anyway way and then you have to also investigate them anyway, right? And most of them won't necessarily even be malicious, right? Just humans doing silly things and perhaps lying about it after, right? Um, also probably not controversial to say, um, it's not really just a security tech problem, right? It's a fundamental human problem, right? So, while designing sophisticated detections and threat hunting is sounds definitely exciting, that's just not enough, right? To not ignore the human aspect of it. So for example, recruiting of insiders rarely happens on your work laptop, right? It happens on LinkedIn, it

happens at technical conferences and it begins usually with a request for innocus information, right? And then begs the question, does everyone in your organization know what isn't isn't sensitive information and does everyone know how to spot report suspicious activity? Um, and would even report it if like if they thought it was suspicious, right? It takes time for everyone to pick up the clues and even more time for them to feel comfortable reporting them, right? Um perhaps one of the worst mistakes one could do is thinking that only ethnic Chinese employees or foreign citizens born in China are the only ones that you need to worry about, right? Nothing could be further from the truth. There have been several cases of US

citizens like conducting at Poness for China. So focus on behavior and motivations, not nationality. Um, and while you might think you might not be a direct target, uh, it's also good to understand if any of your company customers is, then you might be also be a target by proxy. If you are, I guess the good news is that you know where they headed, right? So, it's an opportunity to focus your attention on specific data and systems. Um, and more of this, right, we've stressed like several times like the the Chinese strategies and plans are very intentionally targeted, right? So, we're not facing facing any opportunistic attackers, right? And we can use that to our advantage, right? So identify what

are the likely targets in your company and the access paths that lead to them and then that will help to focus your efforts. Uh if you have a red team that really pays off to do this exercise with them and to have them simulate some of these attack paths. And then another thing like we talk about this it's an ecosystem right? So there's only so much you can do as a company. So the good news is the FBI FBI has vast resources to counter this specific threat. U more good news is that they really want to help you as businesses. So find your local FBI representative and understand how they can help you. And coincidentally, uh

they might be the same person that going to call you one day in the future to share some insight or to share some bad news. So it really pays off to have the relationship going at that point. Um and then TTPs, right? Um there is plenty of public information out there, so won't go too much in details. I do though personally like the ones you can find in public court cases. Um you can see some examples here. fairly fairly easy to find on Google. It can also be referenced in various public US government reports. Uh and so if you're out of ideas, here are some, right? Look at downloads of data from on personal devices. You can look at file sharing in

chats and other collaboration platforms. External storage data movement is a good place to um to look. And then let's not forget about the old classic, right? Like have you seen what people send to their personal email from their work email? Uh so yeah all places to to look at the messy basic but they would take plenty of time. Um let's talk more about insiders. Um so um it's fair to say that like insiders can be found anywhere right and act for a variety of reasons right not something that you're going to face only if you enter the Chinese market. What is unique though about having a team in China is that you're certain that any of them is or will

become at some point an insider right but we still need to work video chat exchange files with them every day right just like any other coworker just to be clear this does not make them bad people right they just like us they're doing the job best as best they can they just have to play by different set of rules um sorry um so you uh have this group of employees right they're likely to become style at some point uh but we need to collaborate with them ideally without adding too much friction and without leaving the door open to get hacked. Easy, right? So, one way to think about is like the same way that we

did for a product, right? These are just collaboration interfaces between individuals. So, but in this case, we're talking about chat, email, wiki, and so on, right? So, now the question becomes, how do we secure these interfaces, right? One way could be to use the same platform used for the rest of the company. And if you're thinking that, then I would ask you, well, when was the last time that like you find a secret or token in your chats or wiki? and where was the last time someone shared by mistake sensitive data to the entire company depending how you answer those questions what kind of guide what kind of solution you want to implement right but it's also worth remembering that

like a part of our defensive strategy is to limit the amount of knowledge that we have to share with that team so one way to to approach this problem is to create a separate instances for the collaboration platforms right to be used only specifically between your global team and the team in China right so you have full control you can funnel the activity ideally to a place where you have completely visibility and can monitor activity, right? You can limit the damage in case of compromises in mistakes and also add a little bit of a healthy friction in case you want to share data. You really have to think about it, right? Um obviously it's not

the only solution. You can also decide to model it at a completely external company, right? And then defend it as as you would do in that case, right? So um either either way like be mindful that like uh there will be of course strugglers, right? And so you also you cannot afford to just look in those in those collaboration platforms. Um so enough with insiders. Let's talk about something more fun which is traveling right. Um this is just a madeup email just to ideally have a laugh or cry depending you know if you're working in response. uh just to make a point right while you're busy architecting writing detections and updating playbooks and all that right someone has already flown

to China and probably with their work laptop and all your secret plans are on that laptop right and you really don't want that to happen to you so let's talk a little bit how to avoid it right and the first thing we want to do is to place put in place some checkpoints right like we want to better yet be an approval process really so basically you want to know when someone is planning to travel to a high-risisk regions right for work and get notified ahead of time. And I'm sure none of you are looking forward to reviewing and updating the company travel policy, but it really kind of pays off in this case. Uh, and

once that is done, we can move to the more exciting and frustrating issues of deciding what can people bring with them when traveling for work, right? Um, the answer really depends on your company culture, how much influence your team has. Uh but what I would suggest is to agree on the first key assumption which is like any data credential token cookie open sessions on any device that you bring with you and the potentially any system that you're allowed to access while traveling can and will be compromised. Um if it sounds too extreme, give me an opportunity to convince you because I'm not really talking about spy stuff or sophisticated attacks, right? I'm talking about something definitely more boring. And so

let's paint a picture, right? You're crossing an international border and you're stopped by officials and you're told you're being selected for a security inspections. They're going to walk into a very small room, no windows, and in there you're being requested to unlock your work laptop and your phone. And maybe you're being asked to log into your company Octa. So now ask yourself, are you going to refuse? Are you going to refuse? No. Okay. So if you're like Jacob, then you should think about how you're going to software to protect you against that type of scenario, right? Um and if you have some sort of like a some application sorry password management application have a similar concept of

travel mode right where they had specific set of credentials right so you want something similar to that which is like you want to reduce and completely understand the blast radius in case that scenario becomes a reality and you also want to make sure that your company security does not depend on one person refusing to lock their devices under the rest. Um so how do we build it right? Uh we first define we sort of like start with our packing list. We define what devices we can bring while traveling and what system applications are allowed and the restrictions and permissions on them. And we finally designed the procedure to turn this mode on and off. Um so with the devices of of course less

is more right. Um and then so that means less credential less secrets and cookies to worry about. It's not just the number, it's also the quality, right? For a for a work laptop, like it's probably the worst possible choice. They're packed with like years of sensitive data and credentials over the years. So, not great. Burner laptops probably better. Chromebooks even better. And they're also much cheaper. Um, and then leads to application, right? Again, less is more. You want to restrict and have a very aggressive profile while traveling. And then really the most important thing when you enable this travel mode on and off like you really need to make sure that like whatever you define in your packing list

is exactly what you're bringing. So if you decide for example a specific application is not allowed then if you make sure that all those open sessions on devices are being destroyed first right so you don't want anything that like you don't know about being brought while traveling and the same way on the way back right before traveling. So after you come back you want to ensure that like all credentials on the device in any form or shape has been created like you have destroyed them right before you lift all the restrictions for travel. Um so think about sort of like a decontamination steps right and so many ways is not really different than considering that account compromised and

acting accordingly. Um uh so finally so we talk about a bunch of things right uh we want to wrap it up with some high level concept hopefully your old severance fans or depictions won't make much sense otherwise um one complicated topic we won't be able to cover it in full rise like we talked how to defend your global infrastructure and operations against insiders and attack attacks coming from China but the truth is you also have to defend your Chinese infrastructure right and so um there are many consideration I think The things I want to to share with you because I struggle with these sections like what can I say that is widely applicable. Well, the first thing is like most of

your security tools that you're using today won't be available to use in China, right? They require a special license. So, you have to pick different ones anyway. Um, there is also not a lot of public threat intelligence on what threat groups operate behind the great firewall. Um, but I think a reasonable assumption is that like whatever actors exist, they're not the same that you're facing in your global infrastructure. So in the end what you have built might not necessarily be applicable to your infrastructure in China anyway. So it might be better off take a completely different approach right anything that like prevents you or like you know prevents you from sharing your existing detection and incent response plan with

that team because that basically handing over to to the attackers and then see more things. Okay. So start thinking in terms of compartmentalization and sovereign deployments. Um, I think just we're a little pressed on time, so I'm going to just mention I think the big opportunity here is this is a way to rationally justify the 10x improvement your program your security program is going to need to defend against a motivated opportunity. So I think attacker rather. So first you have to do the 10x like I don't have a better answer for you. The second thing is like don't sleep on this opportunity instead of like panicking and curling into a ball and dying. Like do the work, figure

out what needs to be done and then get it funded because you will not you you know you're not often handed too many opportunities that allow you to dictate significance amount of budget. This will probably be one of them. I mean really one thing to remember is like a please get a dedicated staff for this if you're trying to do that. Do not borrow from other teams. moment you start looking and the moment the floodgates open. All right. Uh and I think it's really important to understand like your emergency exit where are you going to draw the line like when you're coerced what's what's going to happen. Uh I think it's important to understand it's

not a decision like you are going to make individually as a security team like legal executive leadership but that needs to be a plan. Uh and you need to facilitate that conversation. Another question is like what are you going to do if you detect malicious activity in China that jeopardizes other global operations? like you can turn it off. Uh you're going to need to have a plan for that. So like have a plan and your role is to make sure that the discussion happens uh so that you can have a plan. And so I think you know the biggest lesson of all maybe you're all thinking this is like oh there was no secret uh

specific anti-China magic. Uh it's just that you got to be on it with your basics. Uh and you're going to have to fight for those investments. And what he wrote here was I don't think we have time for questions so feel free to find this after. turns out to be true. Uh but thanks for coming to our talk and uh besides organizers, thanks for for giving us a chance to present. Thanks. Oh, we did get a question. We're going to take it. Okay. Okay. Here we go. Apart from risk to company infrastructure, are there any security privacy risks that security engineers should be aware of on a personal level if they're working on products entering China? Uh I mean I

yeah like personally we worried about whether or not we should travel to China at all and like whether that would put us in a position for detention or other things. So I think first like your profile as a person who actively works on this is higher. Uh nobody did get detained that I know of. Uh beyond that I I think like I don't know we often think we're targeted by the NSA and stuff and we're not. So I would just say like when you travel to China and other things like that's where I think our experience mostly showed like that's probably where your risk is going to show up. I think if you're here in the

US, you know, maybe if you're a big deal, you would be targeted. Or maybe if you're doing something really stupid, loud, and obnoxious that allows targeting to happen, like the same kind of things that would get you targeted by any threat actor group. Uh, so that's how I would think about that. Cool. Thanks again,