
A Pitmaster's Guide to Security Design

BSides Denver · 2020 · 47:10 · 17 views · Published 2020-10 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
What do great BBQ and good security design principles have in common? As it turns out, quite a bit. Good BBQ requires a mix of certain unquestionable techniques and an artistic approach that each practitioner must bring to their unique situation and goals. This is also the case when it comes to designing and deploying security controls. However, just as some cooks ignore those proven techniques and end up ruining a good cut of meat, IT and security professionals also sometimes fail to follow foundational best practices when architecting security solutions. This results in vulnerabilities and eventually breaches of those environments. This session will take lessons from good BBQ techniques and apply them to our security architecture. We’ll examine five rules most accomplished pitmasters swear by and see how those same concepts can form a framework of security defense design that eliminates common failures. We’ll also discuss when science must give way to art and how to prevent that shift from spoiling the entire effort. By the end of this talk, attendees will not only have gained practical knowledge for improving the defensive posture of their IT systems, they will also be better equipped to smoke a killer brisket!
Transcript [en]

All right, well, I guess the floor is mine, so welcome, everybody. I hope you've had a wonderful day at BSides Denver. So good afternoon, good evening for some of you, especially those who might be on the East Coast, if we've got any folks hanging out there; it's actually getting kind of mid-evening now. I'm Alyssa Miller, as was already stated, and let me just begin, for those of you that don't know me, by introducing myself. First and foremost, I'm a hacker and researcher. I have been hacking computers, playing with computers, doing all this fun stuff pretty much my entire life. I mean, I can go back to when I was four years old and my father used to bring a computer home from work over the holidays so he could close accounting books, to 12 years old when I bought myself a computer. So we're talking early '90s here, late '80s; that wasn't typical, most people didn't have computers in their homes yet. My first hacks were in Prodigy, trying to get into games that I wanted to play without having to pay for them. I went through years as a developer and ultimately became a pen tester and all sorts of other fun stuff. I've been doing security for 15 years, and where I find myself right now is a company called Snyk, and I work as a security advocate, which means my job is to get out into the community and talk about things that matter in terms of security. I blog, I do research projects, other things; it's kind of a pretty cool gig, I'm not gonna lie. I'm also an author and a blogger. When I say author, I am totally in the midst of writing a book right now, so I can't tell you the name because we haven't really settled on a title yet, but hey, we'll get there eventually. I'm writing a guide, actually, to help people find their way into a security career, since we all know that finding jobs in security, especially at entry level, kind of sucks. And then finally, I am the co-host of a podcast called The Uncommon Journey. I host that with Chloé Messdaghi and Phillip Wylie, if you recognize those names at all, and we interviewed a lot of great people focused on their uncommon journeys into cybersecurity.

Now the most important part for this talk, though, is I'm also, I guess you could say, an amateur (because I don't get paid to do it) pitmaster. I've been making barbecue for years, and I got started, honestly, because I live in Wisconsin. Yeah, a little dark scene here, just a little bit. And if you want actual real good barbecue, you don't come to Wisconsin for it, so if you want it and you live here, you've got to make it yourself. I've been doing this for a long time. I recently bought the smoker that you see here, brand new this year, and the timing couldn't have been better, by the way. I mean, literally buying this wonderful smoker to replace an older one I had, right before COVID hit. Perfect timing, it was great. But if you follow me on Twitter or anywhere else, you've probably seen some tweets from me from time to time with pictures of meat, maybe a Wagyu brisket. And I've found other people in our community who really enjoy barbecuing as well, and it was through that discussion, we were talking about a lot of the strategies that are pretty well adopted in the world of barbecue. You know, barbecue is this interesting thing; it's kind of a mix of a science and an art form. So while there are lots of things that every pitmaster is going to do their own way, and they're going to do things just slightly differently, there are also those certain rules that are tried and true, and if you're gonna make anything decent in terms of barbecue you pretty much gotta follow them. They're just the basics of how you make good barbecue. And so we got into a discussion one day and started connecting it to security, and I realized there's a lot of commonality between these rules that we use to make good barbecue and what we need to do when we start talking about how we're going to secure our enterprises. It ended up turning into this really great metaphor, and of course any time you come up with a good metaphor for how to do security that relates to something really cool like barbecue, I mean, you've got to turn that into a talk, right? So that's where we find ourselves today.

So let's talk a little bit about the breach trends we're seeing right now. None of us, I don't think, if we've been in security and you're paying attention to what's going on in the security world, I don't think for any of us it's a foreign concept that cloud environments have been a primary target for breaches. We've seen countless stories of S3 buckets being exposed to the internet, and titles like this one here, of the latest in S3 breaches. But we're also seeing increased activity around things like containers. So as we're moving and we're doing more in the cloud, containers are one of those things that are starting to become more and more of a target, and we're starting to see vulnerabilities within containers have some really significant impact. We'll get to talking some more about that in a few minutes. And then finally there's my favorite topic, the Internet of Trash, or Internet of Things if you really want to be colloquial about it. We're connecting everything to the internet; everything is becoming a smart device. One of my favorite ones I just saw, actually. I've got two really great Internet of Trash stories for you really quickly. One is a curling iron, and I struggle to understand why anybody needs to control a curling iron with their telephone. It's mind-numbing to me, and it makes you wonder why we are connecting all of this stuff to the internet just for the sake of connecting it to the internet. But it gets worse. As bad as I thought that was, did you know that someone had put out a Kickstarter to create a candle that could be lit using your smartphone? Now what's really interesting about this, besides the obvious fire hazard that is this situation: it could only light the candle, it couldn't put it out. So I started thinking about use cases here. Why do we do these stupid things? Like, okay, I can light the candle; wouldn't it make more sense if I could at least put the candle out? So I leave my house and I realize, oh my god, I left that candle lit, click a button on my phone, I put it out. Nah, no, can't do that, but you can light it up. So if you're coming home with your date and you want to create the right mood, I guess you could fire up a candle. Scary stuff, but this is what we're doing, and of course all these things, especially in the IoT space, all rely again on cloud, and it's those cloud environments where we're finding some of the most significant breaches.

So last year I was leading an organization centered around our assessment consulting services at a previous employer, and every year we kind of did a look back on the previous year's performance, what we saw, trends and themes in our assessments, our application pen tests, our network pen tests and so forth. What we saw was kind of interesting, and maybe not surprising considering everything we just talked about in terms of cloud environments: configuration management vulnerabilities lead the way, more so than any other type of vulnerability. We were finding things where there wasn't a needed patch, there wasn't some tremendous 0-day discovered; these were simple things, if you just configure the software right you would be safer. But we found 40 percent of the vulnerabilities I identified through those tests to be these configuration management issues. So then I looked back and said, well, what has it been over the longer term? And I went back, and you can see three years, very, very steady, right around that 40 percent mark. And in fact when I drew a linear trend line through it, which is that dotted line you see in the middle, that sucker is flat. It's r equals zero; there is no slant to that, there is no slope in that line at all. Now that tells us a really interesting story: that for the last three years, despite all these new technologies, despite any proven technologies, all this change, the thing that we continue to get wrong more than anything else is how we're configuring our environments. That's a scary thought. It also explains why S3 buckets and other things are what are being exposed.

But the S3 buckets aren't the only cloud technologies. Remember I mentioned containers before. Well, what do you do when you're going to build a container? Most people don't build containers from scratch. If I want a Docker image, I'm going to go out, I'm going to grab a base image from Docker Hub, and I'm going to build a Dockerfile that then structures out my entire image in which my microservice or something else is going to run, and it fires it up and it goes. A lot of people will go out to Docker Hub and they're going to look for those official images, because there's an implied trustworthiness about something in Docker Hub that's labeled as an official image. Well, just a few months ago, as part of a research project for the State of Open Source Security report that we published at Snyk back in June, I took a look at the top 10 official images in Docker Hub and looked at the known vulnerabilities in those images, and this is the performance. You can see this is year over year, because we did the same thing in 2018, and what we see is it was scary in 2018, and in 2019 it didn't get any better. That Node base image by itself is pretty terrifying when you see 642 known vulnerabilities in that official base image for Node. And all I did was grab the latest tag for each of these, and you can see the others are far less; that Node one is kind of the outlier, but even 66, 83, 78, these are all high numbers for known vulnerabilities. So the moral of the story here is just grabbing an official image doesn't make you more secure.

And what about vulnerabilities in open source? We think about Docker Hub, those are open source containers; what about when we think about the rest of the open source community? We've been talking about open source software for about as long as I've been in security, and the fact of the matter is, the more these ecosystems grow, things like the JavaScript ecosystem with package managers like npm, or in Java you've got Maven, we find that there's no way to get away from open source. If you've got a 500,000-line application in your organization, the chances are the majority of that is not code written by your developers but code that came from the open source repositories that are out there on GitHub. And when we look at the vulnerabilities being reported in there, what we see is it's a lot of the same old thing: we see cross-site scripting, we see denial of service and RCE, all these things. These are identified vulnerabilities that exist in the open source community; these are things that developers, especially working in a DevOps, potentially CI/CD type paradigm, are introducing to your software. So the challenge is, I don't have to tell any of you, if you're in security you know the complex space of what it is that we're trying to secure. So I got to thinking, how does barbecue serve as a metaphor for the things that we can do to make our environments more safe? So I've got five rules, five rules that every pitmaster must follow, that serve as terrific metaphors for how we should also be approaching

our cybersecurity infrastructure. So let's get started, let's get that brisket on, and let's talk about some tasty barbecue, and let's also talk about how we're going to shore up our defenses.

First and foremost, if I am planning a barbecue, the key word there is planning. Planning and preparation wins the day. What you see in the background here is me taking a brisket and trimming that brisket. I don't just decide one day, hey, I'm gonna go make a brisket, at four o'clock in the afternoon, and throw something on a smoker and go. First of all, if I did that I wouldn't be eating until about midnight at least, and like any meat you buy, that meat coming from the butcher still needs some prep. It needs to be trimmed, it needs some dry rub, it needs to be made ready to go on the smoker. The smoker itself, that's a process that can take anywhere from 8 to 10 to 12 hours. So I've got to plan days in advance and know how I'm going to approach this, how I'm going to structure my day around managing the fire in my smoker, to make sure that everything turns out just perfect.

Well, when it comes to security initiatives we need to do the same. Those of you that attended BSides Denver last year are going to recognize some of this topic, because I talked about this in more detail last year at BSides Denver, and that is how do you win support for your cybersecurity initiatives. You don't just go out and say, hey, you know what, we need this really, really cool tool, and I'm just gonna buy it, and I'm just gonna tell management, hey, we need this, give me money to go buy it. It doesn't work that way; we understand that. But we have to be playing a long game in security. We have to understand that in order to implement any security initiative, I have to be able to walk into, in many cases, a boardroom, or at least an executive committee meeting, and justify why it is that I want to do what I want to do. Now the issue is, if I go in there and I dump a lot of FUD, I give them a bunch of fear, uncertainty and doubt, it doesn't work. But this is what we've done in security for years and years and years. We say things like, well, it's not if you get breached, it's when, and we talk about all the horrible things attackers can do. But the reality is that doesn't motivate people to help us out; that doesn't motivate people to take action. Ultimately we want those executives, those board members, to take action by giving us money and resources for our initiatives.

A number of years ago North Shore University Hospital did a study, and their study shows us the neuroscience behind this situation. So they looked at problems they were having with infections, and in particular they traced it back to medical practitioners not washing their hands properly. So they installed video surveillance at all the hand-washing stations, and they told everybody about the video surveillance. They hung signs that said, hey, you're on video, be sure to wash your hands, and what they found was they still got less than 10 percent compliance with their hand-washing policies. So then they tried another step: they put up signs, and every time somebody appropriately washed their hands, the sign would give them a little congratulatory message. Well, what they found was when they did that they got 90 percent compliance. And the reason why is this: if I want to discourage action, the best thing for me to do is to use threats and fear, because if you think about it, when somebody fears a threat, their first response is kind of a fight-or-flight response, and most often as human beings we respond with flight. We're going to do everything we can to avoid that threat; it's only if we're forced to deal with that threat that we're going to go to fight. And so by using threats and fear all I'm doing is discouraging action. If I tell them, hey, all these bad things are going to happen unless you do this, well, that's a threat, and instead of attributing that threat to the APTs or whoever it is out there, those threat actors, their mind attributes it to you, and they're less likely to want to help you out.

Now if I want to encourage action, what I need to do is offer rewards. It could be simple: just like the positive messages on those signs got people to wash their hands, we can do the same thing when we're trying to win support for our initiatives. But how do I do that? What rewards can I offer? Well, a good reward is to just demonstrate cost savings. How will this security initiative save me costs? Maybe I'm able to reduce the amount of time that our help desk spends rebuilding PCs, or helping people with their PCs after they get infected with malware, because I'm going to install some new next-gen endpoint or something. Great, that's a great way to start showing that reward. What's even better is if I can show how that cost savings and that resource savings allows us to tackle a wish list item. Every organization has that wish list they're not able to get to, because either they don't have the money, they don't have the people, or both. And so by gaining efficiency over here and saving money, I can oftentimes open up those wish list items. The best thing, though, is if I can use a security initiative to open up a new line of business or revenue stream. For instance, I worked with an organization that managed intellectual property centering on patents, and as they were going through a cloud transformation, the one thing they didn't want to move was their system that they used when people made, basically, like an open records request. When patents publish, people can request certain records that were filed as part of the patent, and so they still were looking for people to do this very manual process, because they didn't trust their cloud environment. So as they were looking to implement a CASB in their cloud environment and they were trying to win support, we just demonstrated how that CASB solution would allow them to set up this subscription service by which people could come in and make those requests for those materials. That was a new revenue stream, and that went over huge. The executives loved it; they had a new line of business, new money coming in. That gave real ROI to that security expenditure, which is always the hardest thing to find.

Now if you're gonna do this, you need to also understand how do you talk to the board, or how do you talk to senior managers, because it's not the same as going in and giving a presentation to a customer or something like that.

First and foremost, what you have to understand is that their time is very short, and they're very used to operating in that way. So unlike how we've always been taught through school, like, hey, tell them what you're going to tell them, then tell them it, then tell them what you told them, that whole strategy, you don't do that walking into a board meeting. You have three minutes to get your pitch out there in front of them. So as you craft your presentation, the things that you want them to hear and see the most need to be the very first things you put in front of their face, because after two to three minutes you may get stopped, shut down, they may tune out. Get it out there in front of them right away, and then support it with your facts and all your detailed figures, and then you can summarize it at the end if you still have time. The second is, be prepared to get interrupted, because they are going to interrupt. They know exactly what questions they have in their mind, and they're not going to wait until the end of your presentation to ask them. So again, this also plays into why you need to have your main points up front. Understand who you're talking to and play to that. And then finally, speaking of understanding who you're talking to, anticipate their questions and have answers. You can get away with one, maybe two "I don't know, I'll have to look into that" type answers; after that you just look unprepared. Take a few minutes to understand their motivations, their concerns, and anticipate what it is that they're going to ask. So that's it for rule number one.

Rule number two: when making a brisket, low and slow. You cannot rush it. Remember I said a brisket can take 8 to 12 hours, or sometimes even longer. That's because we're not cooking that sucker at 400 degrees. If we did, we would be eating the toughest slice of meat you could ever imagine. Instead, as you see in the upper left there, we're cooking at 225 degrees, sometimes maybe 250. We want it to take long, because the other thing that we're going to do is we're not cooking that meat to 130 or 140 degrees; we're taking that meat up to 200 degrees or more, which is the point when a brisket actually starts to get tender. So if you did that at a really high temperature you'd dry out the brisket; it'd be really tough and it would just be awful. So we do it at a low temperature, we infuse all that really yummy smoked taste, and what we get is this super tender meat. That's the whole point of smoking a brisket.

So when it comes to cybersecurity, it's the same story: we cannot boil the ocean. You cannot secure everything tomorrow. Instead we need to focus on concepts of continuous improvement. So when people talk about CI/CD I always ask them, what about the other CI? CI/CD being continuous integration, continuous deployment; well, what about continuous improvement? What are we doing to constantly get better and better and better? Now when I talk cybersecurity I bring up the castle metaphor, and I know some of you are cringing right now. We've heard castle metaphors used for decades in cybersecurity, and really they're usually horrible, but let me flip that usual script on its head. What you see here is a perfect example of a medieval castle.

this one is in i want to say it's in dover if i remember correctly and in the middle of it you see this large monolithic structure they call that the keep and inside the keep is where they put all their most critical assets the things they wanted to defend the most then they built around that keep all these other you see concentric walls and everything else they built all these other defenses you see moats which now it's a road it's no longer filled with water you see uh you know hills and open fields and other things that were all a part of the defensive nature but it all started with that keep that was built on the top of this hill

and that was the most fortified structure their point of last defense we need to think about cyber security that way and to do that first of all we need to know what are our critical assets what do we care about most and i'm not talking i t assets i'm talking things like private data if we're in healthcare those are healthcare records if we're in financial services it's you know those financial records but whatever it is what private data do we have private data that we care about is that what's critical to our business and keeps our business in motion it might be critical functions you think about ics and uh or if we think about

utilities delivery they're just keeping those functions running being able to deliver those critical services that is a crucial asset for their business that's what matters to them financial assets of course are important to every organization how do we protect our money we're in business to make money if we don't have money to pay the bills and to pay our people we're out of business what about those people aren't they assets to us too and aren't they assets that we have to defend with our it systems of course they are so we need to understand what those assets are and make sure that they're a part of our keep and then finally all of our secrets

whether they're trade secrets whether they're other things that we need to protect from the marketplace things that don't fit into any of these other categories those other secrets how do we defend those that's what we need to be focused on this is how we need to think of those assets and then we can start to talk about how do we go about defending them now when we defend them and i think about that that castle again we have basically three types of defenses in a castle first of all there's those preventative defenses they're those things that are very just um you know they're like the walls they don't really do anything they're not active they just stand there and and they kind

of they do their thing um then we also have those the archers and the more active defenses that are preventative they're the ones that are actively going to try to stop people coming in but then we also have things like mitigation defenses and mitigation defenses are meant just to simply slow down that incoming attack so you think about those long yards between the walls so even though somebody breached a wall they now have to cross this yard and our preventative defenses have time to respond to them as they're crossing that long yard or you think about that moat it takes time to get across the mode if the drawbridge is up things like that and

then finally we have our detection mechanisms which are those guards that are watching for people breaching the walls and other defenses we need to do the same thing as we build cyber security you see we build those concentrically out from our critical assets and then it's just that continuous improvement it's identifying those assets translating them to where they live in the i.t space establish small perimeters around them defend those perimeters we assess those defenses and then we just repeat the process that's how we get to continuous improvement pin master rule number three good smoke is essential dirty smoke will ruin you what you see here is an image of what we in the barbecue business call clean

smoke clean smoke is almost disappearing it's very blue in color sometimes you can't see it at all but it's not that big billowy plumy white stuff when you have that big billowy plumy white stuff that means you're burning creosote and creosote imparts an awful taste in your meat you don't want creosote getting created in your burning process so as i'm burning wood i'm looking for that wood to burn very efficiently such that it creates only the small amount of smoke that you can see on the slide here or maybe there's so little actual smoke content that all you see is that visual distortion of the heat that's what we're talking about when we say clean smoke

and that's what gets us that beautiful wonderful smoky taste in our barbecue if that creosote gets into the food the food is ruined it'll have that bitter taste and there's nothing you can do to get rid of it but how does that apply to cyber security we need to think about metrics and i know we talk about metrics a lot but what what are we really doing with our metrics you know when i think about vulnerability management how do i make sure that i have not just accurate metrics obviously i want to know how many vulnerabilities am i discovering how many vulnerabilities am i fixing things of that nature but how do i make them effective just

knowing that we fixed 200 vulnerabilities this quarter doesn't tell me anything maybe that i mean okay great i fixed 200 of them did i fix 200 of them because we're fixing vulnerabilities faster did i fix more of them because they were all low hanging low severity vulnerabilities but we still got a bunch of high severity vulnerabilities is the number of vulnerabilities i'm having to fix an indication that we have more vulnerabilities coming into our vulnerability management database because our developers are creating more code with higher levels of vulnerability we need to understand metrics to a greater level we need to look at our metrics and be able to draw a better picture of what do they actually

mean because the same metric the same increase in a particular metric can be good or bad depending on its relationship to other metrics and that's what we need to be thinking about as we start to build these out of course metrics are important because this is how we demonstrate that those initiatives that we went to the board to for and got them to buy in and provide us funding and resources for this is how we show them hey we're actually making progress we're doing the things that you told or that we told you we would do it's having the expected impact so we need to make sure that those metrics are effective so that when we look at them we can

discern them analyze them properly and present a a more valid picture and let's talk about how we present our metrics for a minute we're going to set goals we always set goals on metrics unfortunately what we do a lot of times when we set metrics because we're trying to make them measurable and attainable stop me if you've heard that before we set them to arbitrary numbers so on the right here you see attainment oh we're going to fix 80 of our vulnerabilities in six months well is that really an effective goal does that prove you've done anything what if the 80 you fix are all low and medium severity and the 20 that you didn't fix are all the critical

ones that are immediately exploitable and you know have patches but you just haven't applied you haven't measured anything positive it's still not better so what we really want to understand when we look at metrics is how are we improving and we want to set our goals based on improvement not achievement so again when i'm thinking of this idea of continuous improvement that's what i need to be setting my goals for how am i going to keep getting better today than i was yesterday and then when i think about these goals and i think about these metrics and how i'm going to present them i need to be aware of the audience i will tell you right now the very worst

thing you can do is walk into an executive or board level meeting and start throwing around all the metrics numbers because when you come back the next time and the numbers say something different even though they may indicate a better overall picture those executives are going to see those individual numbers in question why did they go down instead of up why did they get worse instead of better and now you're on your back heels trying to explain hey this is what this all means it's actually a good thing when all they're seeing are graphs that are going the wrong direction now conversely when you're working in tactical teams understanding a lot of those detailed metrics are very important

and looking at the numbers and which numbers you choose to look at are going to change based on the level of audience that you're speaking to but what you want to do is make sure that the story that you're telling using your metrics is appropriate for that audience when you're talking to board level they want to understand risks they want to understand what does this mean for the business how could i lower this risk in a different way how can i address this without having to spend money or how much money do i have to spend and what will it mean to me in terms of risk reduction when i'm talking with teens on the other hand i'm talking very

technically, and I'm talking about how we get these numbers to change month over month, quarter over quarter, and so forth. So being able to understand your audience and speak to the things that they think about on a daily basis is what's crucial when we start talking about metrics. Rule number four: there is no set it and forget it. Now, some people are going to argue with me; I'm sure there are people out there. I'll probably get a phone call or a tweet from Dave Kennedy or someone else I know who loves their pellet smokers. The whole point of a pellet smoker is it's supposed to be set it and forget it. So

let's forget about pellet smokers for a moment and let's talk about stick burners, or ones that burn wood. In my opinion, and this will be unpopular with some real smokers, okay, the reality is there is no set and forget. I have to constantly be watching the temperature in that smoke box. Am I getting the right temperature to the meat? Am I getting the right level of smoke? I have to tend to that fire every so often. Generally, when I'm smoking meat, every hour, hour and a half, I'm going out and adding wood to the fire to make sure that I can maintain a proper temperature. I might have to adjust dampers to make sure

that I'm getting enough air into the fire to make it hot enough, or to cool things off if it's getting too hot. I don't want to overcook my meat, I don't want to undercook my meat, I want it to get done on time. So when we think about, you guessed it, continuous improvement, how do we apply that to DevSecOps? So with DevSecOps we have this really interesting situation. We in security have known about DevOps since 2008, when the first paper was written on it. We've been trying to insert ourselves into that picture ever since, and we've been failing miserably. There's a couple of reasons for that. First and foremost, with DevOps and cloud-native technology and CI/CD,

what we have are three conflicting motions. We've got security pushing left. We've been talking about, "Hey, security's gonna push left, we need to push left, we need to get earlier in the cycle." We've been talking about that as long as I've been in security, and even before, when I was still a developer. That's like two decades of talking about pushing left, but we still struggle with it. Meanwhile, because of things like containers and infrastructure as code, Kubernetes, all these wonderful, cool new technologies that are being launched in cloud-native environments, we have developers pushing further and further right. They're defining the very infrastructure on which their software is going to run. And then,

once again, because you have that, you've now got your ops folks who are pushing up the stack. Instead of being able to focus on hardware and, you know, low-level operating system stuff, they're having to understand this infrastructure as code. They need to be able to read things like YAML and to look at Dockerfiles, understand what's going on there, and be able to interpret that. So we have these conflicting motions. Where security fails is that security has traditionally introduced friction. I have been to no fewer than a hundred different talks on how to implement security in DevSecOps, and to a T, save for maybe

two or three of them, every single one of them has talked about what we've done in security forever, and it's the thing that doesn't work in DevOps, and that is this idea of creating gates. Well, before your user story moves from the backlog to code and commit, you need to do threat modeling, and then once they commit the code you need to do SAST and SCA and make sure you scan it, and then after we build and test it, then we need to do DAST. And at each of these gates, if it fails, we're going to kick them back to the left. That doesn't work. Those feedback cycles take a long time, and it breaks, it definitely breaks,

the CI/CD model. It even breaks an agile DevOps model. This is what we need to get away from, and we need to think about things that I term, and you'll hear termed in the marketplace, frictionless enablement. How do I make security frictionless? And the key to that is, instead of being gates between these phases, we need to bring security in as an inherent part of those phases. So threat modeling happens in the backlog. SCA and SBOM, creating an SBOM, that happens in the coding and commit cycles. SAST and DAST are part of the test process; they're not separate. We do container security. All these things need to be part of those phases. We cannot

have them as pieces that are going to kick us back to the left in terms of the pipeline. Now how do we do that? Well, we need to meet them where they live. First and foremost, as security practitioners in a DevSecOps environment, you need to be working with devs on a daily, functional basis: attending stand-ups, going to their meetings, being a part of sprint planning, doing job shadowing, creating that kind of mutual engagement by working together day to day, building empathy. Because ultimately what you're trying to do is pave the road for them to make security truly frictionless. We need to make the path that is secure, the one we want them to follow, the easiest path for them to follow,

because what we've seen in security forever is that the more obstacles we create, the more shortcuts they'll create to go around them. So we do have to focus on automation, but automation alone doesn't do it. We cannot forget about the other steps here, and we have to include the people and processes in that. But when we can create those processes, when we can engage those people together, and when we can provide tools that automate much of this, now we can trust the developers to do those security steps, and they're more willing to adopt them. Finally, pitmaster rule number five: know your tools, your abilities, and your limitations. Check out this smoker. This is a

colleague of mine who recently bought this smoker. This thing's crazy: it's 700 gallons of smoking space, plus you can see there's also two very large rotisseries. I look at that and I'm like, there is no way I could use that one. I just don't have enough people to cook for; that's a lot of meat going on there. Now, he does things professionally; I don't. A smoker like that doesn't make a lot of sense for me; it does for him. For me, I would be lost with something like that, just trying to manage the fire on something like that, even with as much experience as I have with smoking. It's just too much; that's too much tool for me. Why would I

ever go out and buy that when instead I've got this, the super nice smoker that does everything I need it to do and that I can manage easily? So where this plays into security is, we know security does not have unlimited budgets. And in fact, according to this survey from Help Net Security, going into 2020 a lot of organizations were talking about things decreasing. Yeah, we see a lot that were planning to increase as well, and that was good; it was a great picture. Ultimately the majority here were increasing. But then what happened? COVID hit. Those budgets have dried up, so it's become once again incumbent on us as security professionals to spend our money more wisely. Now, when

we go to the marketplace, the marketplace tells us this: here's everything that you need. You need a tool out of every one of these buckets, and sometimes maybe multiple tools out of every one of these buckets. No one's going to buy all this. The fact of the matter is that the security industry is a 177-billion-dollar industry. I know this because I used to work for a VAR; this was our space, we sold this kind of stuff. But with all of that, just making sense of that noise and really prioritizing what you're going to use can be difficult, and as your budgets are shrinking because of things like COVID, we need to be smarter. Now there was a

really interesting study done by FireEye not that long ago, and they found out some interesting things: 60-plus tools in use on average in any enterprise environment. Of all the enterprise environments that they surveyed, they found that on average each had at least 60 tools in use or more. Think about that for a minute: 60 different technologies that we're trying to integrate together into some cohesive strategy for securing our environment. That's crazy; that's a lot of work. 35 of those tools overlap, meaning they do the same thing, maybe in different ways, maybe different parts of it; we use them for different reasons. And then, not surprisingly, eighty percent of those tools are underutilized as a

result. So we need to be smarter. How can we use what we already have in new ways rather than just throwing another tool at it? Let's be smarter. Let's use the tools, let's buy the right tools, the tools that fit our environment. Don't go buy that big smoker when you can use the smaller one that's going to serve your needs for your family just fine. Do the same thing with your security tooling. So bringing this all together, to wrap this all up: planning and preparation wins the day in barbecue; you win executive sponsorship by driving business value. You can't rush your barbecue, and you cannot rush your cybersecurity either. You can't secure it all tomorrow;

that's just the way it is, just like you can't cook a brisket in an hour. Good smoke is essential; dirty smoke ruins your barbecue, the same way that if you can't measure your program effectively, it's gonna fail. There's no set it and forget it in barbecue. Even if you've got one of those really cool Traeger smokers, you know what, you still have to be paying attention, you still got to be watching temperatures. And you've got to do the same: you've got to watch the temperature of the culture within your organization and make sure that you have accountability and enablement built into that. And then finally, know your tools and abilities and limitations, and do the

same with the tools that you have in your environment. Don't go chasing the fads; use the tools you have when you can rather than going after something else. You follow these rules, you end up with a gorgeous brisket just like that. Check out that smoke ring; that's what we want to see. Look at the juice pouring out of that; that's a good brisket. So as I wrap up, just some things for you, all things tasty. First of all, if you want recipes, I've got recipes, lots and lots of them. I tweet out all the time different foods I'm making, including a dry rub recipe. I saw someone celebrating in Discord when I mentioned dry rub;

there's a dry rub recipe out there in my GitHub, go ahead and grab it. Also check out barbicon.com. Whenever the heck we get out of this COVID situation, this is going to happen. It will be a conference, there will be food, we are going to barbecue. I don't know where, I don't know when, but this is what we're going to be doing. We're going to get a bunch of people together, we're going to barbecue, we'll talk some security, and we're going to eat some really amazing barbecue food. If you want to follow more of what I'm doing, check me out on Twitter: hashtag hacker barbecue, hashtag hacker's kitchen. You'll find everything that I've been doing, all the tasty foods I'm making.

And then finally, here's where you can find me on social media. Hook up with me and let's talk; let's talk about all the wonderful things in infosec. It's what I like to do: I like to share ideas, I love to hear your ideas, I love to have you challenge mine, tell me different ways I should be thinking about things, and I like to do the same with you. Let's just continue the conversation. You see me on Twitter; that's the easiest place to find me. If you want more of a professional environment, if you're looking for help getting a job or something, or whatever you want to talk about that way, find me on LinkedIn. You can

also check out my website; that's where I've got all my speaking engagements. I do have a blog out there, although I will admit it is woefully inactive at the moment. We'll get that going again soon; COVID's been rough, what can I say. And with that, thank you so much. I want to thank all of you for attending BSides Denver, for attending this talk. Thanks to Snyk, my employer, for making it possible for me to be here today. And of course BSides Denver, I can't express enough how much I appreciate you guys having me for the second year in a row. I'm back because it's a great conference; I really loved it last year.

So sad that we had to be virtual this year, because I was really looking forward to seeing a lot of the people I met last year. But hey, we'll be back, and I'll be back too, hopefully. So thank you, everybody, again. I really appreciate it.