
so awesome to be here I remember the day back when the folks from Augusta had to come to BSides Atlanta take the trip literally this morning me and several folks on my team got in the car drove here I woke up at four or got here right on time and so excited to be here so wonderful look at all the cyber things happening in this area all the opportunity for us to learn something so who's learned something today that also we get to come here hang out together glorious day here getting to learn some things and so I'm really happy about that the best as cheaply as you can we'll talk about that framework to think about
how can we go and be better security practitioners as cheaply as possible I have one Astra come here for the lessons learned Isaac the hat trick means it doesn't think this but I want to call you to be invited to be a part of this movement here in this talk today a little bit about me things I get to work at prove it to do and working bunch of cool places and really want to mention that I'm really speaking for myself with respect to the comments that I'll make in class today and so with that setting the stage a little bit I think now it's a city think of it in terms of whatever industry that you might be in how can
you work together some collection registering initiatives that really allow us as security practitioners to learn from frankly our competitors where do the things we work in where security team gets us to learn from the Comcast security financial services financial organization and indications of compromised threats that occur the latest phishing attacks are happening and we do that to position ourselves so that we can learn for us to learn and be a part of this in our areas and again especially through the means to learn and share this information a BS of course it to someone in our industry we can learn those lessons apply those to our defenses and Neeley of course to be able to avoid those issues and our
respective environments I'll never forget what my son who is much much older now
we gave bucks if I suppose be nice to this when we're eager to learn about things we were shown that we should share what are the ways we can share the difference the things that happened to us the things that we can share with each other through in a protected environment or even through relationships that we've made perhaps today you're gonna guess what would it look like if we were to by default be able to share information I'm not talking about the nasty the ugly things but the things that we can use to learn from each other as trusted colleagues in many cases I see the default is to deny to say though I don't want to share that
I don't want you think to open our eyes to how can we tear things what are the things that we can learn from each other to make our communities better very brief overview of looking at and how we're gonna frame this risk - this conversation is around just looking at a bit the process of it and like you've seen these you've learned these you've studied about these you spend a lot of time in these maybe you have a tattoo that lists all the steps that you can go through it should go through in order to effectively handle and dispose of a security incident I want to focus on and invite you to consider the opportunity to learn
from these capture these lessons learn the things that you have come to learn as we're sort of responding to incidents learning the expensive way learning the hard way and helping to inform better our preparation steps how can we better be equipped to respond to these and again what are the things that we can share with our colleagues those in our trusted industries to be able to help them as well what are the ways we can do that again to inform our improvements and response in our given areas the wages we can learn the ways that we can share how is it that we can again when we learn these lessons when we go through the six seven cent Halley
process we have got wisdom very expensively if it responds 49 the weekends your boss breathing down your neck and say what's wrong get the system's back online all their urgency all the stress that's the opposite that's the hard way to learn our lessons how can we learn these easier happening when those are applied make sure that we're prepared and equipped to make sure that we never ever ever have to fail that same way again what are the ways that we can do that what is what are some informative references we can look at to say how can we learn this way how can get wisdom as cheaply as we can a lot of sources it would help us know that
information it's fast thing to look at all the reports that's here what is happening in information security on an annual basis many reports like the ones that you're seeing here tell us what is the categories what are the themes what are the things that happen in organizations without maybe their names and pointing the fingers and just showing all the gory details of business and response references some of these reports have been out for ten or more years we read we mark our calendar we can't wait to get that information what's unfortunate is it tells us the same thing year over year over year we can't wait to get to know what's gonna happen this time but it is always the
same information we learn about information security attacks and incidents from third parties even when we have all of our security controls we have our SOCs we look at our logs we monitor all the things we do for compliance reasons and yet we continue to learn about this from outside parties this number is actually getting worse how long have these attackers been in our organization before we know about it most recent Verizon Data Breach Investigations Report tells us that it's gotten worse now it's average of twenty months twenty months ago someone broke into our I want us to be offended by that we should take that personally that's too long think about that twenty months from now something knowing about
something that we should be dealing with what are the things that we can do to better position ourselves to know when that's happening to determine when this is happening in our arm it's much much faster how can we shrink that time knowing what to do knowing what to look for going through the incident response like I mentioned earlier that's the expensive way I invite you to occasionally occasionally sit back and look at the forks like all force level thinking what are the ways that we can't say stepping back not looking at the day-to-day the tactical things but look for things that might emerge maybe on a quarterly to be able to help increase the level of
maturity of your security controls your prevention your detection and your response what are the trends that you're seeing over time it's nice to look at our security metrics it's nicer to be able to step back and say how does this compare over time perhaps to the last 30 days perhaps the last 30 months to give us more context by being intentional what if we are purposed what if we were bound to do this to ourselves something as simple as putting a calendar reminder that says what are the themes what are the categories what's the learning that I can apply in our given environments some say to continue to do the same thing and expect a different outcome is
what don't be insane it's a part of this what are the ways that we can learn this information as a part of incident response as a part of having information share with us that security practitioners in trusted environments just like this one of the things that we can collect themselves from now on I'm always going to and from now on what are the things that help inform to make our teams better to make our response time even faster when these things occur when we're expecting things different what are the ways that we can look for this if only there was a method to be able to to look at and show this one of these is one of the areas that
would focus on part of is all the critical security controls you probably have a poster in your all the 20 things that really help us understand what are the ways that companies win at information security and when we look at these it's a way to consider a multi-year journey that says how do we improve in the critical areas areas literally we're doing they're still able to be successful when they scan look for and try to break into our daily environments we're looking at what are ways that we can understand that look at the categories understand those contexts and literally be able to apply that to better defending and protecting our given networks many of us have
compliance requirements I call them our pretty green check boxes the things that we have to do whatever industry you're in you probably have one or more different sets of things that must be done recognize why are you doing this recognize how you are doing that in your environment you're doing that because someone made you do them you're smart minute lasted so long because what made us do it understanding that concept of it's not because it's a thing to keep your organization safe does it give us because it's worth to do that a little west of Atlanta we've got a the amusement park Six Flags Over Georgia maybe you've been there think of compliance like Six Flags Over Georgia you
must be this tall to ride rides that give you loop-de-loop and fast things make you want to throw up at the end you can be taller just don't be shorter what if you thought about your compliance program and looking at that as an opportunity to say what are the things that I as a qualified security professional in our given environment how can we reach toward rates from compliance towards security insurance knowing that we know that we know our house is in order what are those things again that we can leverage the things that we have to do to make sure that we're doing the things that good organizations do to defend and better monitor their organizations a
great example of this is looking at Department of State concepts and literally made tremendous results when I was first introduced to this all the critical security controls it was about looking at what the work that the department stated in one year with employees and every time around the world they reduce vulnerabilities across the board and documented it with metrics that were produced matters so I asked myself what am I doing Russell that can reduce security vulnerabilities and my organization's about 89% it's a very quick conversation because there was nothing that I was doing and so I wanted to invest and learn and apply those principles what's fascinating about the Department of State implementation is they only use three different sensors to
be able to collect ten different metrics and those sensors are that we have Active Directory and networks canon and Microsoft SCCM to give metrics to compare one department against another to be able to show how effectively are they applying these concepts and their organization and again tremendous results by things that probably you have and you would be able to apply in your organization as well what does it look like one of the tools to be able to little free tools to look at this is to do an assessment against it for this particular presentation being able to look at these particular categories of these basic things that we know to do back when we were we were talking to our systems and
we're talking to monitor having an inventory of authorized devices authorized software on our network to be able to know when these things change and be able to inform better arts that response teams to know and respond when these things differences occur in our environment shrinking that amount of time that we're able to know shrinking from twenty months that Verizon tells us how long it takes for the organization to realize information in areas like this what are the things that we can do how long did you stand not to know that there's been changes significant in your environment there's a new domain administrator a change to the running configuration on your production firewalls how long can you stand to not
know that what are the measures that we can do to apply automation to know when things like that change and happen and occur in our environments what if we had a culture of always wanting to make it better in our organization what if we could have this drive inside of us to make our next time be the next the best
partners or friends and colleagues to be able to shrink down that window or respond faster to know quicker what if you decided to give yourself a goal for next year to level up your level of maturity wherever you're at to be better quicker faster at responding and knowing when these things happen and your environment what are some of the strategies that we can do to apply that one example that I'll give you as a recent fans news became trends patterns that we're seeing out in the environment in French news up here that says what are the things that are happening what's the commentary with respect to these news items and what can we do to apply
that in our environment taking these stories and saying if these things were to happen in our environment how would we respond how quickly would we know what this happened in our can using these as perhaps exercises to apply and look at and get that wisdom as cheaply as possible what are the things that we can use for our formative references just like this to make our next time be the best time perhaps taking exercises like that and putting them into your tabletop exercises with your incident response team when this happens what do we do here's how organizations have responded to these how fast will we respond would we even know using these exercises not just when
what were all the reasons all the barriers that we would have to be in place what were all the things that stopped us from being successful how much like the news stories that we ready is our organization and collecting the list of the things to make our processes better to make our detection factory how can we collect these things and respond better the next time a lot of other areas looking at if you don't already have relationships with your state local federal law enforcement now's a great time to have those in my mind and my mind it makes me feel better knowing my state local federal law enforcement agencies by name ahead of time it makes me think I'd get priority
service or frontal and services now does it really I have no idea and really have good relationships with those who can help us into our time of need something you can do today all the knowledge we have just in this room trends patterns innovation automates could be learn about someone who you're sitting beside here in the room today I challenge you to do that sometime before you leave introduce yourselves hi I've been in security for a long time how are you what have you learned as cheaply as I can from you what is it that you can teach me having that attitude looking to share looking to learn looking to apply those lessons in your environment is
going to set you up this is being proactive reaching out being intentional knowing when these things are happening in our environment to be able to position us for success Sulli be wisdom calls what are some of the things that I would encourage you to do there's a part of me here and you trying to make yourself a better security professional decide in advance that you're going to share information decide in advance that they're saying as they can and this year in environments like this with other qualified security professionals helping them as it turns out it would help you as well sharing that information so you can apply how can we make our world our world a better place and happy you
decide to determine to join our lessons learned by sector information sharing what are the lessons making ourselves better defending our organizations like never before so the best part of being appears I get to give away some prizes so three prizes
congratulations you get to have a practical packet analysis book who's involved in a local life that man is part of working in there
[Applause]