MichaelSpaling

[Music] so without further Ado I'd like to introduce our opening keynote Michael Smalling manager of Information Systems in the office of the chief of information security officer at University of Alberta Michael sping has built his career around cyber security in the post-secondary industry he leads the information security team at one of the best research and sensive universities in Canada and a top 100 in the world Michael is a recipient of the Queens Platinum Jubilee medal for his notable contributions to the security industry and was recognized as top 10 under 40 by can Canadian Security magazine he has a handful of published cves to his credit Brave the world of startups as the chief security officer

for an organization that was first to Market offering digitalized legal services and a little known fact is a co-inventor on a patent pending patent currently working its way through the US patent and trademark office when he's not working Michael enjoys time with his wife kids and family dog while making countless trips to the LEGO store or waiting patiently for Lego deliveries to arrive at his house so without further Ado over to you

Michael we good I've been I've been informed by the tech crew we need like 30 seconds just to quickly unplug stuff and uh set things back in so while we do that um to everybody in the very back uh the two front row minus Jill are literally completely empty there's not a single person sitting up here so I don't bite or anything but if you got we got a few seconds you want to just move you on front you are welcome to take the front row be a Keener and uh that's all we need so let here for the tech crew by the way they do they do a good job arold is plat for you while you do

this we still got ceas and I still see people back there come on people okay how you doing yeah we're good can we to try it we you to try that

one probably have to log in and just extend it or something okay yeah I'll do this one press this I go to extend so that should work put it back in this is one I was using earlier that did work I think how you

doing when all those fails plug the cable in is that is that what it was okay I shouldn't have said anything but don't worry hey there you go I just did a thing okay I'll put it back to extend look at that good work guys girls Team all right perfect so uh can take a quick sip of water here welcome how's everybody doing this morning awesome awesome good busy tired now we're doing awesome anybody excited I'm I'm really excited it's always fun to come to Calgary um I'm from Edmonton and my in-laws are always they're all down in Left Bridge so I don't actually tend to stop in Calgary very often Calgary is just kind of halfway for most

of my travel so it's nice to finally get to Calgary and be like I'm here we're at the destination that's good um I'm going to do something I wasn't planning on doing I want to read a text message to everybody that I got late last night from a friend and colleague her name is Kim um this is what she said to me so exciting about your keynote you will do a fantastic job you have a knack for being easy for The Listener to connect with and come across like a pretty normal guy if only they knew what a weirdo you were so that I told her I'm going to read that to like you know 7 800 people

uh because she unknowingly put into words exactly what I'm going to try to strive for today in our keynote and that's normal but weird so if you know me I think you know those three words are pretty good if you don't know me you pretty much know me now um but here we go hacking slacking and snacking random usings from a cyber security manager so I'm G to break it up into those three parts um quick question though uh just show of hands who is at a cyber security conference for the first time ever wow okay that's actually a lot more people than I was expecting so that's that's awesome um it's fantastic to see

so many new people here uh I was going to talk a little bit about that but then uh Steve kind of stole my thunder so I can just jump to the next part but yeah it's fantastic to see so many net new people here um one of the nicest things about about being a keynote for so many people that are new is that you have nothing to compare me to so I can crash and burn all all I want up here and you know hopefully won't notice um another one how many of you you've been to cyber security conferences but you're at bites Calgary for the first time okay good one and last one has

anybody been to every single besides Calgary since 2016 a few I think I think I missed one year I think I missed 2016 but awesome so it's it's good to see so many um friendly faces here so when when James asked me a few months if I'd be willing to to Keynote uh besides calg great 2023 uh obviously I said yes because here I am but that's not what went through my mind okay I did have a thought I didn't say it or type it I definitely thought it and that thought was me really like don't you want to attract people to this thing and uh you know I was a little like like really like okay um how many of imposter

syndrome you know you you look at how many people in the room put their hands up okay so so so there's a there actually there's a talk I think on on overcoming Oster syndrome I saw it on the schedule uh topic very near and dear to my heart I'm not going to talk about it now uh but what I do want to say is even being asked to you know keynot conference um and whatever was said in the bio there uh even I have imposters in as well okay even I think to myself I'm not good enough someone's going to be like you fraud get out the room so if you think that to yourself just you know

I'm not therapist but just remind yourself even even Michael has it so don't worry about that part um but I did actually encounter uh quite a big issue that I struggled with for um the weeks after being asked to do this and uh I asked what what do I need to talk about because normally when I present to an audience I'm usually you know told it's a very specific audience very specific theme very specific topic and I find those those sort of guide rails really easy to work with uh that's not what James said James said anything you want I was like oh okay that's a that is a huge hu that's a very broad topic

anything I want I could talk about literally anything all right um but I was immediately reminded of a conversation that I had uh with a really good friend of mine at some point over the years um I don't even remember where we were what we were talking about but I remember what he said to me uh he said I'll tell you what he said I wrote it down here don't forget this he said he said Michael you're just you're not very good at many things are you and I was like yeah no and he he's he's like he's like in fact you suck at pretty much everything I mean he's a great friend of mine don't worry and and and and then he

ends it with accept leading Enterprise security teams he's like he's like that's you You're great at that that's that's your game you're awesome but everything else in the world don't touch it and and the thing is like I'm I'm not even offended by that like he's right he's right I genuinely suck at most things the other person who can back this up is my wife um if you talk to her and you be like you what what what do you feel when Michael approaches the power tools it's going to be a whole lot of like what are you doing don't don't get out of the room go go go to your computers um so so I actually struggled

with that because I was like what what what do I talk about you know when you're told you can talk about anything you know for a lot of people you know well for me it's not a matter of choice it's a lack of options because there are only three things there's only three things I could genuinely talk about forever and here they are cyber security Lego and Star Trek okay if you if you know me as a person like you you know this to generally be true if you don't know me as a person there's not much more to me we're halfway to BFFs at this point just by seeing the slide um but I

I started thinking like what do I actually want to talk about for such a diverse group of of people I kind of figured you know we're gonna have a lot of sticket sales this year the numbers are trending up we're gonna have new people um established people what do I talk about that would resonate with everybody and these are really the only three things that I could spend forever talking about so I analyzed each of these and these are my results um cyber security I actually I thought to myself we're going to be at a cyber SEC Conference filled with cyber SEC people with a lot of cyber SEC content do I really want to to that no

so I decided you know what actually um I'm not going to talk about cyber security so James you said I could talk about anything James hasn't seen this by the way so I hope he's not sweating right now you know what do I what do we put ourselves into here um so I can talk about Lego uh which is actually really cool um just a question how many of you have a passion for something that is not cyber security like you're equally passionate about it look at that awesome anybody want to shout out what they are singing Sweet what else hunting mountain biking films what was that video games yeah there you go and any Lego fans in the

house yeah Lego there Lego right St Trek all right so so the point is this is um when I said random musings I have 10 of these okay we're going to get through 10 of them the last like six or or the last three or four are we're going to PL through them but random music number one for me is have a passion that is not cyber security so it seems that many of you do if you're maybe new to the industry or or getting into this and you're looking around and you're seeing wow there's so many people that are doing so much cyber security stuff all the time I have to be like them and you

start doing that and you get completely burned out that kind of happens so so my first random using is have a passion that is not cyber security okay um for me it's Lego Lego is my genuine passion obviously I'm not going to talk about Lego if if you kind of figure out what's going on in the presentation here but I love Lego I've always love Lego for me Lego repres it's that one thing that's not in front of a computer screen it just lets me use my hands with a books and bricks and just be creative and gets myself away from computers so I try to keep a very very strict separation between like my my personal passions of

Lego and my professional passions of cyber security so do I really want to mix those together well no I really don't so what does that leave us well this is with Star Trek so so um I uh I was at a conference last week in B and there was a guy there wearing custom Star Trek themed boots and they looked amazing and I saw these from like like halfway across the venue made a beine to the guy and just said can I take a picture of your feet like I'm not a creeper I'm not a creeper I promise but I was like I love your boots and he was like absolutely I took this really great picture of his boots

because I love them and uh he said to me afterwards he just you know what Michael he a funny thing like I kind of figured with this type it was an IT conference with this type of audience way more people would recognize my Star Trek boots but you're like the first one and and it was hilarious that he said that because I was also reminded of um something that happened at a supervisor's meeting a few years ago at the University of Alberta uh we were about to embark on on this massive consolidation effort and um I came up with what what I thought was the most amazing analogy ever based on Star Trek and to summarize it it was I argue that

the United Federation of planets and the arch enemies the board Collective ultimately have the same end goal and that's unification just one does it through promoting University and one does it through assimilation and this is generally welcomed and this is you know resistance and uh I was sitting there like yeah was a good analogy and someone put up their hand and they said does anyone else have no idea what Michael just said and like two-thirds of the room put their hand up and I was just like what like you guys are all like nerdy computer people and I say that with the most amount of respect and sincerity ever Jason's wav having me hi Jason um

so I'm not going to talk about Star Trek either as much as I wanted to I was like I don't think that's going to resonate with with the vast people in the audience so what do I do what do you do yeah well we could go to Star Wars uh I'm wearing I'm wearing a custom Star Trek themed suit right now you can see it later that's how dedicated I am to Star Trek not Wars um there's probably an excuse for like a fourth one that could say you know self-deprecating humor or something but um what are we we're nine minutes into this so one of the best kept secrets of the security Community to all the newcomers is our Keynotes are

like 10 minutes because everybody hits the stage and then we just say thank you and we walk away um because there's know to talk about that's a joke I'm just kidding so what do we actually do in a situation like this I've been told I can talk about anything I want there's only three things I could talk about I've decided not to talk about any of them so what what would you do in a situation like this we we had a road stop like a block like I came up with this part of the presentation like 20 minutes this was easy but I kept running it through my head getting to this exact spot and

just I I don't know the what the presentation equivalent of like writer block is but I hit it for like two weeks so I shelv the presentation figured you know solution will present itself um and and that's actually exactly what happened um so I'm going to jump to random music number two and believe it or not it's okay to re evaluate prior decisions um it's funny that I have to say this but the amount of times in my day-to-day professional life where I'll encounter a decision that's been made based on the best um evidence available and information available at the time and the decision gets made and then at some point in the near future a bunch of

new information is discovered and it should change the decision that we already made and we should maybe you know tweak things a bit or go there and people will be like no Michael the decisions made I'm like what but we we should really reevaluate some of this stuff come on and uh so I'm just want to throw this out here it's okay to reevaluate prior decisions so that's exactly what I ended up doing I thought to myself you know Lego Star Trek okay fine maybe but let's go back to the cyber security one what what could I do that is not so much cyber security focused but still resonates and then um I saw a post that James made on LinkedIn

which is also talked a little bit about here earlier and that's that's um besides Calgary really has become a community of community ities so James listed off all the different communities that are here today um I'll highlight some that were in his LinkedIn post I apologize if I missed someone but he talked about I squared um is is here he talked about ysis uh Western Canadian women and cyber security group University of Calgary security uh information security club um Security Professionals information exchange so there's a lot of people here in fact many of you might you know overlap and be part of many of those groups so I kind of thought to myself oh you know

it's a really diverse audience so why don't I you know just talk about my life and my career and I'm going to throw a whole bunch of stuff out at the audience today whether you've been doing this for 30 years whether you've been doing this for three days you just learned about it hopefully something that I say will resonate with with all of you to some degree so this is not a presentation designed for every single person or sorry any individual in the room this is more little bit of what I've learned so yes I'm I'm a manager we'll talk about that later but I really want to talk about just kind of my career trajectory

kind of how I got into security some of the key things that I was doing um a major shift in my career career and the things that I've learned since then uh I've been in the industry for about 15 years and there's a lot of stuff that I've learned particularly in the last three or four years that I really wish I learned way earlier in my life for my career so I'll throw those out there and and hopefully some of them stick so uh let's let's do this and we're going to start with hacking so hacking slacking and snacking we're gonna start with hacking um that's the uh the place where I kind of got my start and I've noticed

talking to people especially students many of them are learning about cyber security through through you know through hacking that's where they find it you talk to students and they go you know I you how did you learn about the industry and they go hack the box or pent Test YouTube videos or SQL injection there there's a lot of like more exploitation and Pen testing Focus here so I'm no different so um so I do want to do one thing real quick um before we get into this I want to talk about something that I learned a few years ago that completely blew my mind because I would I had no idea it was a thing and I was completely unable to

relate to it and um I want I want to start by asking everybody um I can relate to this first part how many of you thought you knew computers and then you joined a new team or you went to a conference and you realized holy crap I know nothing everyone put their hands up yeah if your hands are down I'll just assume you don't want to be single though um we've we've all been like that and um when I uh when I leave conferences um yeah I I I usually learn a lot I meet a lot of great people I learn a lot of new stuff and I find it very invigorating like I I leave excit and I can't wait

for the next one um but I learned recently that not everybody actually experiences that um and it was a surprise to me uh someone told me a great story um they actually went to it was at bsides Calgary um a number of years ago and they went to the conference thinking you know I'm not in a security role yet I really want to be and I'm ready for this and they left the conference going holy crap I know nothing I want to be in this industry but I'm not there yet and and what they did is they actually they went into a downward spiral of depression for a couple years and they kind of changed

their device traj or their their device trajectory I'm thinking some of our products sorry they changed their career trajectory and um they weren't I would say they weren't really happy you know but but it was weird how uh invigorated they were and happy they were to go to security conference really want to get into it and then just completely shutting down and the good news is um uh they ended up getting a role in insecurity eventually now they're doing fantastic but that's my random using number three okay so not everybody experiences this but if you do um if you feel inadequate shut down or demot please tell somebody um again it's not something I can relate to but I I can

absolutely be on that other end of receiving these sort of discussions people are like Michael I feel worthless it was a good conference but holy cow I don't know you know I just I I realize how little I know and how much more I need to know and and I'm not feeling great about this um if you happen to feel that reach out to someone tell them and let them know to other people in the audience if someone approaches you and talks about this please don't reject them and be like yeah get out of here be like no you're you're great okay we want this um you want belong for starters and this is not the end okay it's the start

of something really awesome so if you feel this reach out to someone my email's at the end of this heck send me an email I'm pretty good at just responding to people and and and uh providing my time so let's talk a little bit about pre-management life which was the cool part of my career so I um I was in that exact same boat uh back in about 2015 so I've been doing security for for a number of years but I went to my first like purely technical security conference in Vancouver in 2015 and if you ever like like you know rooted an iPhone or something like that like the people that actually develop those exploits that

everybody uses uh they were the ones presenting out this conference and I went to that conference going I know all there is to know about computers and I left that conference going holy cow like computers are a mistake I know nothing um my my Approach at the University going you know forward is let's just shoot all the stuff under the sun we use tablets and paper because uh this is this is ridiculous but I left that conference truly um uh I wanted to get more involved that it was my first real exposure to vulnerabilities and exploit development and I was like this is this is awesome like I didn't realize there was a whole industry in a community

around looking for vulnerabilities and stuff and you know trying to make things work the way that they that they uh uh that they weren't supposed to work so I made a goal I made a goal and I've since learned this is actually a goal that some people knew to the expc and tried to make and that was get my first cve if you don't know what cve is I think it stands for common vulnerabilities and exposures it's an online database of you know just just exploits that exist in various of software and versions and that was my goal just get a cve find a vulnerability in something uh publish an exploit for it get it public and and

I'll Pat myself on the back and be like oh I made it um so I started looking into this stuff and um one thing I should mention um at the time I had this weird Fascination Fascination it kind of still do with antivirus software so you know you know normal but weird um yeah you know like you antivirus software every time I saw it and heard it was this stuff is so cool uh not going to talk about the effectiveness of any of it but um it was just the idea was uh was with all the respect every in the roomers and whatnot um it was just cool I I liked it and I decided you know

that's kind of the one thing that I really like about security I like antivirus software so let's start kind of focusing there and I started reading um like literature and research and white papers that were out there on antivirus softare just to learn more about it and one thing that I learned was the sheer volume of of what of information that was all about like evasion it was like so you've compromised a system that's got an antivirus or an EDR which wasn't really a terminal at the time you want to evade it without getting detected all right um that was that was kind of cool but I recognized that was way Beyond like my skill set at that time um so I had to

come up with something new so I started thinking a little bit and um I came across this there's really really common well I was thinking but you what what are the common functionalities in all antivirus software um I'll be completely honest to time out for a second like when I go to Best Buy even today like I can't leave the store without going to the antivirus software AAL you know my friends are in my family they're you know whatever DVDs and video games and where's Michael he's he's looking at the consumer AV products and you know seeing what they're pedaling Mom and Dad these days but uh you know looking for the weird random random vendors and whatnot

because it's just a weird you know normal but weird Fascination um so there is actually a commonality across all antivirus products that I've ever come across and that is the ability to create exclusions or you know so if if the antivirus product actually goes out and detects something that it shouldn't be there uh it props up a user we're all familiar with right what do you want to do do you want to allow permit deny quarantine whatever um that function of allow that fascinated me because if you hit allow the malware is going to keep running I mean the antivirus product has done exactly what it needed to do but you do have an option to allow it so

what I started doing um and when I say started doing I went back to Best Buy I went to the antivirus aisle I made a note of all the you know the different consumer products went back home and I downloaded the trial versions of you know maybe a dozen or so of these different products VMS and I would just turn them on uh install them with default settings and starts just having them catch catch malware and then what I was doing was I was kind of building a baseline of how the product worked and then I would have it or what configuration what it looked like and then I would have it catch the malware

and then I would uh allow it and then I would compare the differences um really I'm really summarizing uh some work here but that was the gist of it and with that information I could learn um what actually changes fundamentally in an antim product when uh an exclusion is allowed and being enforced um and I learned the most fascinating thing there's no standards for this and I don't think even today there's no standards for how to do this uh developers are entirely on their own to decide how to implement exclusion functionality in AV products which is awesome because it means every AV product is going to be different and that gives me you know a lot of creative

flexibility uh to to look at this stuff so so to summarize some of that work I was able to get um exclusion um exploits working on three of the 12 uh that I tested and um nowadays we talk about what we call you know living off land where where you're you're not necessarily bringing malicious content with you you're just maliciously your malicious intent is using uh tools that are supposed to be there and legitimate stuff for for you know illegitimate purposes and that's exactly what I was doing with with this antivirus software many years ago was sort of I would say bring my own exclusions list so if I could get onto a system um and you know

not be detected yet and I knew that the antimalware product would detect my malware I could exploit some of these vulnerabilities in how the actual allow functionality worked and I could sort of inject if that's the right word my own exclusions list right into the processes without being an administrator of the system or the tools and tell the antivirus product to basically ignore whatever I wanted it to ignore and then I could then deliver my malware and it would it would ignore it and woohoo cool so um ended up reporting some of those uh and I hit my goal got my first cve it was in malware bites um you can find it online got my first Hall of Fame first

Bounty payout all that cool stuff um and I have this kind of problem where I can I do this thing once and I'm like yeah good enough so I immediately set my focus on something else um how many of you play video games on work time as all the hands go down yeah one person's honest okay okay how many let's try again Pro tip if the security team is asking you this I'm I'm probably preaching of the choir be honest and just say yes because we know okay we have those ADR products across the whole institution and when I see you know wow.exe was spun up four hours ago and it's quite active and you're like

actually Michael I'm on break I'm like 9:15 a.m. you just started you're not on a break so so that was that was one of the things that I started looking at next um I focused more in the network at that point because I wasn't quite familiar with the network stuff and um what I noticed was um if I were to packet capture given my my point of privilege and University equipment um I could see some some video game traffic particularly authentication traffic uh moving through our Network and that was how I got my start with writing like like static IPS signatures because I started thinking to myself oh just had a sheer curiosity say I wonder how many people you know on my

team are playing World of Warcraft on on work time fired up this this s and we could see it you know truthfully not very many um well there's like three of us at that time we all shared an office I kind of knew without having to write a signature um but then we we spread out across campus we could start seeing this so I'm gonna I'm gonna skip ahead because there's um there's an entire presentation online I I did it at at besides Calgary 2017 um on our password sniffer but this ultimately built the foundation for what would become um a full-fledged plain text password sniffer uh that we end up developing so looking at nothing more than World of Warcraft

traffic and seeing who's playing video games on the campus Network um we learned a little bit about how the authentication Works we're able to fine-tune uh that that signature by looking for like some wild authentication stuff and then we hit a gold mine when we started looking at un encrypted traffic and we were like wait a minute we can just straight up sniff out credentials for anything that's un encrypted uh we took that we built it into a password sniffer that uh actually the what it does is it looks for the usernames and passwords uh going on campus that un encrypted checks them against like our credential Authority if they're valid it expires those accounts

right away the idea being that if someone's you know on a fishing is going to a fishing form that's un encrypted or someone's using you know the U OFA credentials for third party service un encrypted that's the key thing you got to do this you know either either you have to use TLS like like decryption function to get into the traffic or you just have to pray that everything's un encrypted there nothing is um then we would expire the password reason being that if someone were to ever compromise those systems or someone were to do what we were doing and was just abusing well professionally abusing a point of privilege on the network um Upstream

from us on one of our SPS or peers by the time they went to validate those accounts none of them were valid so that password sniffer over the years um eventually would go on to win a national award um we worked with an organization called cbera uh they actually ported it to a platform called Zeke for us so if any guys using Zeke or anything of that there's actually a password sniffing module uh that cybera cybera wrote based on our Tech out there which was really cool and like this was like all that kind of fun neat technical stuff that I was doing for many years and loving it and then things changed considerably I

went into management which is where I've been for for many years now so this is where you know cool Michael kind of stops and and not cool Michael starts um go to the next Slide the notes are there okay so slacking quick question how many of you when you saw slacking in the title you thought like slack the app like you know slacking slacking nobody perfect oh yeah one person okay it's it's slacking is then slacking off um I learned a lot of stuff uh going into management making that jump from peer Technic into management summer of 2016 the UA said we're going to build a dedicated security team because up until that point the security team wasn't really a

team it it was a bullet point on the networking team right underneath like routing and switching so it was like where is Security in the organization oh it's DNS routing switching security we're like that doesn't make sense so 2016 we built a formal team and they were like hey Michael do you want to lead it and I was like really like the normal a weird guy okay um we'll try it and uh I I do have I have an honest question I want everybody to be honest for a second how many of you think managers suck are useless you and look at all the holy you guys no my own two of my teammates are here they just put their

hands up they they report directly to me wow they used to report yeah exactly you know what you know what we drove down together but if anybody has space for two more tomorrow going Evington I know some people that are going to need a ride unbelievable I think I set myself up for that one I I appreciate I appreciate the um I appreciate the honesty because truthfully it was something that I experienced uh for the first wild management like not like yo Michael you're a manager you suck like seriousness hopefully they're not serious um but uh I learned very quickly that many people I kind of learned what they thought about managers you know just one fell career change same

organization same colleagues it was like n Michael you're not cool anymore like you go you go you go do your go do your thing you know don't don't get involved with our technical stuff so I kind of got got voted off the island of awom and um my life basically became four things so my team loves to remind me on a regular basis they they swear they're joking but sometimes I wonder they basically ask me four things on a regular basis number one management don't you mean manglement I've been hearing that for many many years um my favorite shouldn't you be in a meeting spalling uh that one usually pops up when I'm getting too chatty on one of

our various team chats and you know I'm just found something really excited about and no one else is excited about it because it's like Lego and and no one else cares you know they'll be shouldn't be a meeting spoing that's basically their way of saying you know up and leave us alone um other one that doesn't look like a spreadsheet yeah you know I got to share my screen for something and that always comes up um I've learned to troll my my team with that one and I'll tell you what I've been doing I've been exporting a lot of my data sets as PDFs now not csvs so that when I actually share data it shows up as a PDF in a

browser not Excel and they'll be like that doesn't look like a spreadsheet exactly it's not a spreadsheet anymore I'm learning um and my favorite hey can you approve this thing real quick um so emphasis on real quick uh I'll tell you guys a funny story that happen recently and now that I think about it I understand why they put their hands up this actually makes sense um we moved we moved to a new Enterprise service management tool in the last couple weeks and one of the things that they did not Port from the old tool to the new one was pending approvals and I think on my team I had like seven of them that were

pending and uh Cassandra who's sitting right here um one of her approvals was still pending so I just sent her an email was like Hey this approval in the old system can you PS the new one and she and I did I didn't read it okay I I have to admit that more than I care to admit I didn't read it I just whatever and uh Cass got back to me and she looked at this approval and she said hey did you actually read this thing and I was like No And she goes do you know what it's for and I was like no she said it's for bsides Calgary and I was like didn't I prove that she goes no this is

for 2022 and I was like what so I went into the the Enterprise service management tool and I looked I was like crap yeah so Cass went to bides Calgary 2020 do technically unauthorized travel because it was never actually approved so so yeah when people say they don't like managers okay you you guys can well you're welcome back to the rental you can you can now you can come back to Evington with me now because uh uh yeah so um obviously I'm going to try to score a few points for the managers in the room here um it's not all doom and gloom I just wanted to start with that um who's a manager let's here for

the managers wow I wasn't expecting actual response to that good work Tim good work I was I was not expecting response I wasting like Boo um so so uh this is the next part I want to talk about is is I want to talk about you know kind of what it's like going from a technical role to a manager role because it does change your perspective quite a bit on a lot of things and um I'll share a few of them so Random using number four by the way I'm GNA plow through these near the end if you're sitting here looking or watch and being like I got six more of these um you may not be able to win but you

can still minimize the impact of losing okay so not everybody agrees with this statement I've learned that I'm going to State it out anyways just mostly just as start of conversation um I find you know in a lot of marketing out there again you know full respect to everybody in the room um a lot of times I've seen a lot of marketing will say things like you can win you can win it's a winnable game yeah cyber security you can win you can win you can win you can win you can do this um and then you share for the Oilers and you realize oh gosh mind you we did win yesterday I didn't look I was going to make a joke

about the Flames but then I looked at the standings and I was like I'm in no position I think I think we should have one big group hug Evington Calgary for how our our respective teams are doing this year um I feel for you I hope you feel for us so uh you may not be able to win but you can still minimize the impact of losing so I would have I if you had asked me this honestly like like earlier this year I would have been like heck yeah it's a winnable game let's be positive and optimistic um and then something happened that completely utterly changed my mind and I was like holy crap there are scenarios where we

just can't win and if we can't win what do we have to do we're going to lose but what can we do to ensure that you know we don't lose as hard as we can so I want to tell you a fun story that we've been dealing with um one of the fun things about working in postsecondary is I'm sure maybe everybody deals with it but I think we deal with it a lot more is we deal these things called we just call them job scam emails they are the bane of my team's exist and they tend to spike near the end of a semester um I won't go into the huge details but generally they look like

this someone pretends to be an authoritative group at the University who helps students get job placements for the summer they pretend to be that group and they approach students and through email and they say hey we're this group as you know you worked with us we have a job opportunity for you um it's with a company and uh we're going to pay you UPF front as a show of good faith and you just do the work over the summer and some of the students are so desperate for these jobs that they'll be like yeah absolutely and then how many of you do mobile check deposits you know like where you literally just if you've never done it you can take a picture of

a check now and go to the banking app and deposit it and they'll validate it so you don't even have to bring a physical check to the bank as long as you have a picture of a check you can deposit it now if it's legitimate if it's not obviously it's going to bounce but you will have that brief period of time where a couple hundred bucks or so might be available to you until the check clears or doesn't clear and then you know it is what it is so the attackers are really good at this um in fact they will tell the students um here's a check they will ask the students do you know how to use mobile

check deposits all students nowaday seem to know how to do that they will send them a picture of a fraudulent check and they will say upload it or deposit it tell us immediately when it's deposited and then and then what happens next is they go oh crap we made a mistake we overpaid you sorry about that can you please send us a couple hundred dollars and everything will will will sort itself out with the check clears and people actually fall for this so so we dealt with this so many times that we um we ended up sending uh we had formal Communications drafted okay we uh the same thing that probably many of us would do we talked about education and

awareness we sent out coms to all of our students saying this is a scam this is what it looks like this is what to look for this don't fall for this blah blah blah the whole you know what happened we actually had a few students respond to that email saying I'm interested in the job that is when I realized we can't win we can't win I did I did hear some chatter about um like English as a second language so we did have it translated to like like you know first languages recent and and um and when I say first language I mean like like you know language I speak primarily um and same thing like not everybody you

smaller numbers people were still responding to our our educational messages about the scam saying I want the job that was when I said you know what we can't win but we can impact we what can we do to minimize the impact of losing so I want to show everybody what one of those checks looks like uh this is it so this is straight out of one of the um incidents we dealt with uh the black box is the name of the individual um there is actually something on this check all of you are looking right at it right now uh that if you know what it is it tell you know immediately that this is this is fake

just can anyone if if I've told you the answer um don't don't don't don't repeat it but but does anybody want to take a stab in the back what do you see 567 so so very very close I I so the point was right here if you can see 1 2 3 4 5 6 7 I assumed this is probably where most people are going to look it's the first place that I looked as well um so I don't know if that's if that's correct or not but one thing that I learned is that is that because it's I mean technically technically it might be valid you know I mean yeah we've all been trained to you

know look for sequential numbers and stuff but it's a it's a great one it's not the answer I'm looking for but it's it's definitely there yeah perfect that's exactly what it is what is the mismatch

specifically oh I didn't even see that good work yeah okay we're just going to jump to the answer because that is what I was looking for um but not specifically so so the answer that I'm looking for it is address related um my dad uh he he's retired he's the real you know Michael sping or do sping whatever uh I'm not a doctor but my students seem to call me that which is weird um you know thank you Dr spaling I'm like that's my dad uh he's on the board of directors for World Vision Canada and he was over one day with my mom and and I I showed him this and he looked at it

immediately and he said well of course this is fake I can tell you right away and I was like how did you know that you know what he said he said top top left see it says World Vision International below it is the World Vision Canada headquarters address he says if this was a real check it would not say World Vision International it would just say World Vision Canada and have the address or it would say World Vision International and have the world verion international address he knew that information right away so so great work on the side when you said address I was like oh he got it but I didn't realize that it says Ontario but it's got the

Canada bank I whatever but the point is that information was completely lost on me I had no idea oh really because people are saying that the check number is wrong for TD Canada I just learned again yeah oh so there's more on this awesome I learned something today I can go home everything's wrong about this check okay okay everything is wrong about this check but this this actually I I I can save this part of the presentation don't worry because the point is the more information you know about something the quicker you can um what do we talk about I wrote it down here uh reduce the time to detect and respond because that's huge right so when you're looking at at

a scenario where you can't win you really can't what can you do to minimize the impact of losing well the quicker you can detect and respond to things the better off you're going to be but often times that requires information so what I was trying to highlight about this check was that there's a key piece of information that one person in a non-technical security role knew about that when I learned about it I was like oh oh oh neat uh and now I'm learning there's actually there's a lot of stuff on this check that I didn't know about but a few people in the room knew about so look at that perfect perfect example working in real time these are not

planted by the way those are genuinely real um of people just just throwing stuff out there that they know and now all of us can look at this and say ah those numbers aren't right that address isn't right that's wrong so that's what I wanted to talk about about is um just really quickly to highlight again right if you can't win you can minimize the impacts of losing but one of the things we do at the university is when we deal with this type of stuff um occasionally if someone is is is like spoofing a real organization uh will'll sometimes I'll defer to my team often we do this but we'll sometimes engage those organizations and just say Hey listen

this is happening you're being spoofed thought you guys might want to be aware and they'll always always get back to us and say thank you for letting us know to help you detect this stuff better and quicker this is what an ual real thing will look like and this is what a fake thing will look like we also do that internally we know things we don't share this publicly but we know things about how our senior Executives communicate um and we can tell immediately whether something's spoofed or not based on usually um honestly it's how they sign their emails in in certain scenarios so this brings me to uh random using number five alling about reducing the time to

detect and respect or detect and respond this is not the random mus okay if you're writing these down don't write this down um it's not but when um this is a fascinating statement to me because I still I still hear this um I think that this is a bit dated in fact I saw it very recently someone's at at a conference they learned this it's not if but when as if it was you know a new profound thing for them and uh the idea is that you know this the statement is future focused right it means in terms of being compromised or breached it's something that's going to happen in the future and are you going to be ready for

it and will you be able to respond and buy our products and services and and just sit there and wait until it happens and then jump into action um I I learned as a manager that's that's not true um their actual real random using is this one it's what I'm going to call the next generation is that you already are you just don't know it um nobody when you see the these these breaches out there you know when was the last time we saw a data breach or someone said yeah they got in 20 minutes ago and we stopped them more like 20 days 20 months three years right I'm going to knock on wood hard because

I'm jinxing myself really bad right now but um that's that's the important thing and yeah this is a bit defe us and maybe it's not the greatest thing out there but this is one of the things that um I started talking about when I became a manager at University because I learned that people were it was always a future event and all it takes uh I'll I'll shamelessly plug the vendors um one of my favorite examples of this was just uh having an engagement with one one of the network security vendors they put an appliance on our Network and our record at UV is five minutes five minutes between us hitting go on that Appliance

in passive mode on one of our our commercial internet peers and them calling us saying do you have any idea what's in your environment and we said yeah and they said if we sell this in a bank like they would shut the branch down and my team was like yeah we're a research intent to University so we call that Tuesday morning and uh you know so so there there's a there's a risk argument there um but this is one of the most interesting things I would encourage everybody go back to your organization start using this now don't don't sit there and be like oh my gosh we're compromised everywhere um this is more more an argument for threat hunting

and whatnot I'll pass you all to the vendor booths go talk to them and be like and Tim Tim just did this so talk to Tim McCrate um the vendor boost and the sponsors and Tim um tell them this tell them this you can literally Say Say Michael the keynote said we are already hacked we just don't know it what do you have that can help us uncover this um that's that's random using number five but it also begs the question time where do you spend your time how do you actually look at all these logs and alerts and whatnot so I'm not going to give you the answer to that because I'm still trying to figure it out myself but

it brings me right to random using number six this is something that someone who I have a massive amount of respect for and consider a personal mentor of mine said to me at some point in the last year um as he was leaving leaving his se- level role and going back to Academia um he basically say he said Michael your time is valuable know where to spend it again I wish I learned this like 15 years ago um because I've spent a good portion of my career saying yes to everyone what what I write down here uh saying yes to everything everywhere all out one totally RI me all that movie that was really neat um and

man I burned out I burned out so bad saying yes to everything saying yes you're being everywhere being all at once doing so much stuff um someone said it to me earlier they said oh you're Michael I see your name on everything and I was like I don't know how to interpret that like is that good or bad because you know I try to keep a low profile but your time is valuable nowhere to spend it um so I can't answer this for all of you I can't tell you where your specific time as individuals should be spent but I want you just to know this as Security Professionals your time is incredibly valuable and um yeah

you know there's sometimes I look at stuff and and I say to myself you know it's not worth my time um I have to do that more and more at at the University now I get dragged every which way every meeting in fact I'm pretty sure I had a meeting scheduled for like right now by somebody I'm not even kidding I didn't even look at my schedule I was like I'm keynoting besides Calgary I'm not like as a politely I'm not joining your meeting at 9:00 am on Thursday to talk about something that I have nothing to do with but you want me there just in case I'm GNA start ranting I'm just going to move forward so I don't uh I I

I I don't drop names and whatnot um but it also uh begs the question um where do you do your best thinking so this was this was my my next sort of iteration of that was knowing that my time is valuable um truthfully not a lot of I I I like to tell people like I my life is not my sorry that was me I was banging my mic here uh my life is not my own okay um I'm constantly in the service of everyone else be it be it my professional colleagues be the security community be the Lego Community the Star Trek Community uh my wife my kids my dog especially that thing never leaves me

alone but I love her uh I get so little time to myself to actually just sit down and just just Bliss and then my phone goes off and I go that was a nice three seconds um so where do you do your best thinking and you can all just just think about that to yourself but um I wanted to share um where I do my best thinking uh which is actually it's kind of silly it's when I'm eating food like it's not a physical place is when I'm eating food if I have food in my hand and I'm I'm not first off I'm not speaking which is also a big problem I got to just you be quiet sometimes and

secondly I just it allows me to think um I've started doing something in the last couple years especially this year and I want to share with everybody because I've really enjoyed doing it especially as you know I wouldn't say covid is over but as you know the communities are getting more back back together and that's that because I do most of my best thinking when I'm eating I've been putting an honest effort into two things and that's having more lunch and dinner with more people particularly oneon-one just to get caught up again and just eat and truthfully we don't even talk about cyber security anymore we just we just you know keep those relationships going

and when I'm at home um this might sound weird because it was sure weird when I started it I don't eat in front of screens anymore I used to go upstairs you know microwave and melenas go downstairs put on some Star Trek and just you know watch watch Jane way go blow up some board uh you know that was that was that was my life for years and then or I go upstairs I put on YouTube and watch like Family Guy reruns at the dinner you know the dinner table or something um but I spent so much of my time eating in front of screens um that I st that that if I actually turn my

screens off and I just go meet people and just have lunch and sit down that is where I do my best thinking so I'll put that all to you guys so when we're at the third one um the reason I threw it snacking on here hacking slacking and snacking hacking is when I was cool slacking is when I'm not cool and snacking this is the best title that chat GPT could come up with um for uh uh yeah this is not I don't take I don't take credit for this for for you know how do I incorporate food into a cyber security presentation um that's where snacking comes from so what I want to talk about real quick mindful of time

why we doing good is um someone actually told me they said at this point when I was running I was just doing a sanity check uh someone told me at this point I should throw snacks into the audience and I seriously considered going to like like super stor just grabbing a box of chocolates and chucking them but as I was dry running this when I got to this point in the presentation I was like already over my allocated time so I cut that out and I'm like I still got quite a bit of time yet so I should have done that uh my my daughter she's nine she actually told me she said Daddy it's

Christmas you should throw gingerbread houses at everybody mind the Mind Mind of a nine-year-old I was like fantastic um but this is the part of the presentation actually I'll Sidetrack for a minute um I did a talk at Nate the Northern Alberta Institute of Technology uh with a friend of mine her name is Madison um so I'm gonna plug something real quick uh we have a presentation we put together last year it's called what not to put on your resume um I'll have to run it through chat GPT to get a little more interesting but it's um oftentimes we get asked like I get asked you know Michael what should I put on my resume

what are you looking for as a hiring manager you know I'm a new student or whatnot what do you do I've learned to stop telling people what to do because you can ask that question to five people get five different answers and be just as confused as as when you started but I have learned and so is my my friend Madison she's an HR business partner um between the two of us we've seen so many resumés that we've learned there's actually a large number of mistakes that people are making on their resumés that immediately make us go H questionable so we built a whole presentation around that um we've been marketing it or shopping it around to post-secondaries

um gotten quite good take up I have to do it at mchan with her in a couple weeks um but my point is we did it at at Nate um at some point in last year and they asked me they said is there you know this is the room this anything you need as a joke I kid you not as a joke I just yeah box of Timbits thinking they'd get like 10 Timbits and you know we could just snack on them as we were talking we showed up they had 60 Tim bits three boxes of 20 and Madison I were looking at each other like heck are we gon to do with 60 Timbits like we

want like three of these so we just we were like who wants Timbits and I was like yes we started chucking Timbits into the room and like you like way in the back you know open their mouth we can L it in there uh so I debated quickly running to Tim Hortons and just being like can I get like a 500 10 bits and make sure everybody gets one um but anyways back to back to snacking because I'm kind of going off off off track here uh this is a part of presentation we're going to switch gears so I want to talk about just a few little things that I've generally learned over the years uh that

aren't necessarily related to cyber security but um hopefully hopefully they resonate with some people uh things that I wish I learned so here's a fun one the internet used to be our escape from reality now reality has become our escape from the internet um this is why I like Lego okay this is why at the beginning of the presentation I asked how many you have a hobby that's not cyber security um if you love living on the interet it's okay like I'm not telling you all like you can't be on the Internet it's fine but this is I think what our modern reality is like right the internet it used to be our escape from reality when I was little boy

Michael nine years old running around the neighborhood with water guns and Nerf guns you know going on the internet was a treat like like man if I got 30 minutes to go with my dad to his university because we didn't have it at home and and sit on the internet and and browse stuff while he was teaching like it was amazing um but it was it was it was more of a treat and a privilege now that's really not what we do anymore now from the moment we we wake up the we go to bed we're on our phones we're on our laptops and and it's weird that I have to say this but it is one of the

reasons that I like Lego is that is that it used to be Lego as my default go-to like even into my childhood as my hobby the computer was the privilege now it's the opposite now it feels like I'm always on the computer on the TV what do I need to sort of break myself from that I'm gonna go play some plastic Lego bricks so what else did I have here um put my phone away oh yeah and a really neat thing that I learned recently um it kind of goes back to what I talked about earlier about just meeting with people you know trying to do that more just learn more have dinner have lunch with

people get to you know build those relationships for the first time in like four years uh we did an departmental barbecue um in our our staff barbecue um at uh the U OFA over the summer and one of the key things that that that I noticed and so do some others was you know you get 200 people in in outside in a quad having a barbecue was the sheer number of people that actually didn't have their phones out and it was the weirdest thing like you see 200 people everyone's always got the phones out doing that stuff and it was fine but to actually see people like who are you know they spend all day in computers and

Technology seeing them outside just eating like burgers and and hot dogs just conversing with each other it was such a weird thing but it was happy to see that so that's um that's just one thing that I that I wanted to point out there so uh there's lots of people in this audience that that I I've met with um you know lately one-on-one or in group settings but I would encourage everybody just try this okay just try this you know you might be like no spalling you're crazy that's okay you can have that reaction but if you want to just try something a little different take a break and and maybe try to balance out a little bit um because for

me there's whole talks out there on Mental Health um I don't want to turn this into mental health talk you can find those on YouTube um but this is one of the things that has really helped me uh with some my mental health is just taking a break from computers and going back to reality randomizing number eight we've got a few more of these and we're done this was one of the biggest things that I struggled with uh going from technical to management managing people leads to fewer wins but when they do happen they're far more rewarding so when I go back to technical if I think back to me going back to chasing cves

hacking up antivirus products building password sniffers um man that dopamine Rush was like constant it was just like oh boom boom boom clicking stuff it worked boom I figured this out boom and every few seconds it was just like and then I go into management and I get a delegate all that stuff out now now I have to deal with people and man that dopamine run just like and it died like and think there were were like for the first year of management I struggled with this because I wasn't feeling that that excitedness I wasn't feeling that that that woohooo you know that that that that fun and and um it's one of the key things that my

director at the time um he's now retired uh I brought this up to him at a year another role and I was like Kevin I don't I feel useless like I don't feel happy I mean I think I'm doing a good job but but I'm not getting that high that I was getting this is what he said to me he said Michael one of the biggest differences between your role now and what you're doing earlier now is that yeah when you're managing Tech technology and doing all the fun stuff you get those those those constant reinforcements that you're doing great but now you're managing people and people take time to change and it doesn't happen overnight doesn't happen

over week but you you will eventually be able to influence I think that's my next slide to make sure yes um you you will over time you will see who you're influencing both the good and the bad and hopefully the good and one day you'll get to that point where you're going to see someone who you're mentoring or you reporting to you their behaviors will have changed based on you as a person and your interactions with them and go and when that happens trust me it'll be a way bigger reward and it's one that you can ride for some time and uh I I completely doubted him because I was like no I'm a manager now no one

likes me what are you talking about um but he was he was completely right that that's what happened so in the years that that came since then um I've learned to to uh focus on on the people around me and focus on on not wanting that that that dopamine hit every few seconds running technology but also being able to just kind of you know I don't know what the word is but just chilling a little bit and pay attention to the people around me and see some of those interactions and be like oh hey I was able to directly influence that awesome which leads me to my next one almost done who are you influencing this

is something that my therapist said to me a couple years ago I've been seeing a therapist for five years because when you do cyber security management for as long as I have you just go loopy and uh uh it takes Professional Therapy to keep you grounded and S um I have no problems admitting that by the way so uh yeah there's lot of talks on there this is something she said to me that I never actually considered even though my my boss had said it to me years ago um who are you influencing so yes both the good and the bad but I want to share actually a bad story about this someone um someone said this to me oh some point

over the years um I I was getting I'll say quite animated in a meeting because I was very passionate about something by the way if you're ever animated in a meeting and someone goes like and see you have a lot of passion about this they're basically saying like you're being a dick okay I've learned that well you're passionate and I was like H yeah I know what you're saying you can you can say the word to me it's okay um but someone said to me they they said Michael they kind of pulled me aside and they they they said I don't know if you realize this but when you say you know X or what

you do it makes my job so much harder to do because people they they know you they know the work that they do they listen to you they respect you here and when you make those sort of comments it makes my job incredibly difficult and I was like I had no idea like thank you for telling me that because that was never my intention I just figured the people would leave this room and be like yeah okay you know Michael was all animated but okay cool I had no idea that that I would be influencing people passively in a way that would make the jobs of other people that much more difficult to do so

I was incredibly happy that that individual told me that because that was a wakeup call for me to realize oh you know what it's not just about cyber security as a manager that's one of my biggest struggles is I'll tell I'm sure all of us will be like cyber security and then you get into an actual organization and you realize it's it's important but it's weighed against other things as well and that was one of the biggest things that I had to learn learn about and how to actually manage and talk about that risk in a way that we can all be working together and not have the security guy over here trying to you

know control the conversation um and one of the things that I also learned uh it's not so much of a random using but um one of the things someone said to me is is that is that Michael you also you you humanize the professional aspect of corporate roles this was said to me years and years ago and I I I pay attention to this and I try to be a little better because you go into some of these corporate environments and everybody's Cutthroat and they all have you know these these obas agendas and objectives but someone said Michael when you when you know who you're influencing and you know how to interact with people around you um it it it's very relatable

and comforting because you do bring a human aspect into you know a traditionally corporate role so it's not intimidating and I was like ah okay you know you put into words kind of what what knowing who your influence feels like which brings me to my very last slide and then we're almost done and no one's asleep so I guess I I'm kind of okay here random USIC number 10 the end this is a very recent learning um you are exactly where you need to be um I learned that this is actually like like motivational posters and stuff that you see on the roof at the dentist uh maybe where I got it from um but this is this

is something that I I wish I learned years ago as well you're exactly where you need to be um this has helped my mind stop wandering all over the place right I mean therapy is help as well but um maybe it's become evident you know you know was it normal but weird yeah the weird is when my mind starts w wondering and I verbalize what I'm thinking um but knowing this has really helped me um because I can St worrying about regrets of the past uh I can stop worrying about the future and it allows me to stay grounded here and now so I want to share this with everybody as well all of you right here right now you

are where you need to be there's many ways to interpret this you know you can interpret it through personal growth unique aspirations your physical location just Google it there's so many of them but I want to focus on uh physical location right here right now so this is where I'm going to end the presentation with one final comments and for the next two days this right here at BO Valley is where you need to be okay learn something new say hi to someone you don't know if you don't know what to say just ask him what did you think of the keynote you don't even have to liked it it's it's the most universal question

for any conference just that what you guys think of that keynote go from there um have lunch with someone you haven't had lunch with in a while that's it's a good thing to do uh what else I got here um truthfully and I mean this honestly genuinely some of the best relationships I have ever built with people that I genuinely love and care about actually met first time right here at bides Calgary in 2017 not physically here but you know at bid Calgary um I'll give you a hint if you if you go if you kick their butts in the CTF they come up to you and they go who are you and you be

like that's some scrub from the U OFA and you just you you were friends now and we still talk years ago but best relationships I've ever met right here at Valley actually that was that s bides Calgary right here at bides Calgary um we talk all the time we go to each other's houses now and that's a fun thing a lot of these relationships have have branched outside of this hypers SEC Community you know we go to each other's kids birthday parties now it's really fun and it all started with just seeing someone in the hallway being hey what you think of the keynote um but that's it so most importantly remember you're exactly where you need to be you are the

community you are exactly where you need to be go out there be awesome you got this thank

you what's next so if it's Q&A or if you're GNA kick me off the stage sure I I mean we're at 56 minutes so if you need to go you're welcome to go if anybody has questions you want to know the score of the game yday yeah I know we won in overtime didn't we yeah yeah yeah I turned it off at 31 because it's the Oilers and 10 minutes left and we're not going to win yeah it's him saying this by the way not me okay go him so I feel people are going see me in the hallway say hi thanks for attending [Music] everyone