
always loud enough. Welcome to the John McAfee show. I really hope everyone knows who John McAfee is; he does feature more than once in my talk, and hopefully means so. Welcome to Security as an Actual Service. My name is Sam Humphries, I'm your host for the next 20-ish minutes. I'm also the opening act for the bear farmers, so come for the John McAfee show, stay for the bear farmers. All good. Welcome, new friends. This is me. There are some exciting things about me, if you had any reasons to stay in this room. In fact, my only undefeated three times air hockey world champion, a bang face, that's probably the best one that's there. I've
been doing security for way too long. Tired. Not a very good DJ. I've done all sorts of things. I've got marketing in my job title right now, please don't judge me. I've done incident response. I've done a lot of apologizing on behalf of my former employer, McAfee, and that maybe is why I'm obsessed with John McAfee here, even though I did not work there at the same time as him. So if you want to chat sallet Eve outbreaks, I am your girl. That's two people, not it, great. I talk a lot for money. I've talked to some big auditoriums. Anyone who ever gets impostor syndrome, don't worry about it. I can tell you the most scared I've ever
been about bit doing a talk was when BSides Manchester were like, "yeah, you can come and talk", and I was like, "what? All right." As you can see here, I took two hugely crowded rooms, and you're not scary at all. Fearful you're not. So, Security as an Actual Service. This isn't just some once in Australia, which I did, and as you can see I spoke to a room, I was a crap DJ, and I went to BSides Melbourne. But on that trip I went to the UTC in Sydney, and there was a sticker on the wall, and you know, we're security people, we like stickers. And it was a sticker from the security team that kind of said who
they were, where you could find them, and a few things that they could do. That's cool, I like that. Anybody here work in a university security operations team? Wow, if I had a hat I would currently be taking after you. These are some of the most disgusting, horrible environments possibly on the planet to try and defend. So I was talking to the team at the UTC and I was like, how do you deal with this? You've got all these students and with stuff, and it's really hard to defend and protect when everything is changing all of the time, come on him. And they said, well, we kind of treat it a bit like a service, in that we let people know what
we can do for them. They want to come and get some help, well, here we are. That's kind of it. It was a bit what's in it, but it's always pretty cool, that's how you do a desperate situation. But it got me thinking, like, how can we take this a little bit further? So before we go into what SAS is, and why it's amazing and you should all do it and your lives will be so much better, these were the promises I made you that are in the program. They're kind of the same thing. Now, I was going to make a no stick as well. I apologize for no prop, but pretend. But bottom line,
at the end of this situation you will hopefully be more carrot. Okay, excellent. So why are we here, other than we wanted to sit down and it's BSides? Here, here is the problem, right here. This is the no stick. Anyone ever said no in their security career when someone's asked them for something? All right. Anyone ever said "that's great, go ahead"? Let's see. A no is a real thing for us. We say no a lot because we have to, and here's why: we get brought in to stuff way too late. All right, how many times does someone go, "oh yes, we're releasing this thing right tomorrow, can we have a security review?" You're like Aryan. Or they don't tell you, because
they don't know who you are, who they think security, they're just gonna say no, I'm not really gonna bother. And then nobody knows what we do. If anyone knows what 30 to 50 feral hogs are, you want a prize. Fifth walkest best day on the Internet. So, unfamiliar. We've all been here, right? Yeah. And this is a good day, because somebody remembered to call the security and ask them. And then there's this problem, right, there's the whole shadow IT thing. So because you said no in the past, people are going to work around you, or they don't know to come and talk to you at all. But more to the point, they're like, now these folks aren't gonna help
me, I'll do my own thing, let's spin up that AWS bucket, let's go. This is a problem. And here was a good example of a problem, and also an example of things that should never, ever, ever be on the Internet: fish tanks. Does anyone have a fish tank that's connected to the Internet? Do you just see the dog? Anyway, casino got hacked. Internet-connected fish tank, camera, thermometer, default settings. Darktrace, you can read all about it. I can guarantee you the team fish tank didn't think "I should chat to the folks in security before I roll out the fish tanks", right? Because arguably something may have been different. High-rollers' information was stolen, they got about 10
gigs of data out. Wasn't pretty. All because somebody wanted to connect some fish to the Internet. Thank, do not connect your fish to the Internet. So in the name of research, I did some research about whether or not people knew, or thought that folks knew, what security did. So thank you if you've applied to this. If the 60 people who voted, you are wonderful. I will say that a sample set of 60 is more than female makeup generally has when claims are made, so I'm happy with this. People don't know what we do. That's some Facebook friends as well, because I'm like, they're definitely not gonna know. One person knew, so well done Louise McAfee old
stuff, yeah, although she did say blockchain. Lots of people said "I don't know", some people said "I don't care", and some people said "everything's on fire", and they work in a school. So right, let's get to the crux of this thing, right. Everyone loves carrots. I [ __ ] love carrots, right. What is this SAS? So I mentioned I work in marketing. Please read my wonderful marketing statement, and then we'll get into what it actually is. In fact, I quite like the last bit: we don't like the oh [ __ ] moment, and we get the oh [ __ ] moments because people don't talk to us, they don't collaborate with us, then here we are, and sometimes they don't care. So
what really is it? What I'd like you to do when you go back to your organizations as security teams is think of them more as a customer, and it's really not a customer that you hate, everyone you quite like to get on with, that would help things. Tell them what you can do. I would guarantee some of your processes might be a little complicated, so maybe think about that. And let them tell you when you do well and when you don't. That's kind of it in a nutshell, but let's dig in a little further. Picture a world where this happens. Think about how you would feel. Happier, wouldn't it? I'd like that
service early on in the ideas process. Not at the end, not never, not after no [ __ ], at the beginning. But how do you get there? For that, I think Game of Thrones now is a little old from a meme point of view, but who would you rather be, Joffrey or Arya? Because I guarantee you some folks in the organizations see security as Joffrey, and Joffrey got poisoned. We've had enough time now, thank you. So you know, we don't want to be a bit more Arya, bit more carrot, we want to be involved in stuff. So here's what I want to get you thinking: the benefit is not just for your organization, it really will help
you. You'll understand more about what's going on. Visibility's always the first challenge, but we tend to think about that in terms of systems and applications. But if you get a heads up on projects, you're more likely to get involved in things that will require your skills earlier in the situation, and then hopefully not so many oh-shit moments, less time fighting fires and dealing with people's poor planning. And it's good for your, right, the projects don't get delayed, most security said no right the end, or security made is changing this stuff. It's better for them: the systems are better secured, they might even learn from you and go, wow, this is quite, cross-functional stuff's working really well, we should make me do
bit more about, let's go to the pub. And they'll be able to innovate faster. Let's apply this to the fish tank situation. This could have been how it went: they knew to talk to security, and they did. Security helped them, maybe still said no, but you know, in this wonderful world fish tanks are now secured. I never thought I'd be talking about securing fish tanks, but you know, sometimes your career goes that way. Fish tanks rolled out, everyone's happy, fish having a great time, high rollers gets gamble, dr. Stein gets do a report, all is. So here are some things you can do. Tell people what you can do, that's a good start. I've got a menu that you can
use if you like, coming up. When you help people, share that knowledge, in might so that sometimes get thanked in a project email somewhere in the bowels of my, yeah, "thanks legal, IT, security". Explain, like, do you sell a story, tell them Toby how you helped. You can be creative. And they showcase the folks in your team. I guarantee again that folks think of security as this amorphous blob and don't think of them as being human beings. Okay, let's talk about folks new team. Whoops, jumping ahead. And then be easy to contact, be accessible, have your processes in line so they're not horrible to deal with. Have lunch, teach people things. Have lunch, don't teach
people things, just make friends, go to the pub. So here's a menu of services as an idea, things that you can offer proactively to people's projects, be that pen tests, reviews, meme advice. Very important: how long does it take, what's the lead time. And it's more of a service point of view than it is the no stick and stopping people from rolling out their beautiful project or their fish tank. Security often live behind the Great Firewall that is the helpdesk, and there's some web by clan. So if you can be a bit more accessible, I'm not saying like put all your personal details in, put people to your houses, all that stuff, but if there's ways people can contact
you and they know how to do it, and like, please respond. It sounds simple, but you know, the black hole syndrome, it's a problem across lots of parts of the business. But if security are more accessible, people will be more likely to come and deal with you. A hundred-and-fifty-page process document is nobody's friend. It's not the friend of the person you wrote it. But you know, if you give someone says "well, I need this thing", you're like, "all right, um, fill this out", they're probably not going to do it. So take it and step back and being like, what's, we know, what do we need to kick this off, rather than scaring them
with gigantic PDFs, things might go a little better. This is the best piece of marketing real estate in the entire building, I guarantee it. How many times have you sat at the toilet and read the poster on the back of the door? Yeah. One of the things you know about from the back of a toilet, quite something. And word to the wise, have it at head height, not looking up, you're gonna catch more attention from somebody sat down. A promising other surfaces are absolutely available. But you know, it's a sticker on the wall at UCC in Sydney that piques my attention with their team. There's loads of ways that you can grab people, let them know
how to get hold of you, let them know what you can do. And then you want to measure things, right. Helpdesk doing all of that, you know, time to answer, time to close, all other metrics, operate operations need to be out of function, and I just love that stuff. But if you gotta treat this like a service, think about it from a satisfaction point of view. When you're doing customer sat, never have an even number of options. You need a meh, you need a middle. Especially in this country, I find we do love a kind of "that's kind of OK", or, and I don't know which, can we go find out. There's different systems
you can use. This is one of my favorite, socially: how much effort was it for you to get help? Was it a ball ache to deal with security? Was it okay? That's a good thing to go measure, because you can look at then how you're being viewed by the business. And then the best thing with metrics: you got to do something with them. I don't look at them, graph goes up, graph goes down, do something with them. So run back into your organizations, that's all the things, we actually don't just yet. Okay, like everything, I need to project, there's some ideas here of how you can do that. You can have these slides, you're welcome to take them back
into your organization. Tell them all about John McAfee, it's very important, little love you for it. But yeah, here's some ideas of how you can make this real, so that, and it's not just a one-time experiment. You know, people, new people join your company, new projects will spin up. Be accessible, and I promise you your lives will be better. All right, obviously I'd love your feedback, and I do love you more than to a magazine in simple, maybe I don't. Who's got questions? Yes. The word is actually on the screen right now. Did say sorry a lot, a works in McAfee Labs, it's fine, that's a serella generally for stuff I didn't do. That was all right. Cool, any
other questions about Sam's terrible life? So if you wanted like talk with security, mom, or, I think it's like a lot of things with technical folks, right, just generally from engineering point of view, coming to somebody with an idea of what you'd like to do without maybe solving the entire problem, fact, I find that always tends to work better from a conversational point of view: "we've got this idea, we're thinking about this", nor "I need you to punch this hole in the firewall, dude". That's gonna kind of work better. So you know, in collaboration, that's what recommend. Come on Martin, you've got heckling here. Where I've seen it more often and seen it done badly is
when someone's outsourcing, just guests I'm really badly, because they'll go to the letter of what the piece of paper said. When they go, but those guys at UCC in Sydney, I think that was a good first step, but they had a team of like minus one people or something, so you know, took three of them. So it's harder to get on, and it, every organization is different, so you got to do what you can with what you've got. Some of this will take time. Oh since for the bear farmers click text only. Do you see my stat list, right? Did anyone see John McAfee and a little ad in Faraday cage? So yes, that's a question. I'm good problem to have in
some respect, but I hear you. I do think one of the things I found works for me when I'm going to deal with a team I don't normally talk to, if they run like an office hour session where they say, for like three to four to Wednesday, I come and talk to us, fight if you want to ask questions that way, rather than, you know, have a formal process, stuff for getting lost in an email inbox, that can help. And maybe some smart sort of process around, no, just asking them, like, when do they need it for? Because sometimes I'll be like, hey, I'm just thinking in this amazing thing, I've got these fish that, I've got to stop
clicking on that. I've got these fish tanks, right, I'm gonna put many, well no, I just heard about them. That could still take up some of your time, right. So sometimes it's a case of saying, like, you know, is this real, or we know, where are you in the process? Any more thoughts, questions? Yes.
So I know we think of "as a service" as, you know, something was billed monthly, software-wise, it's a web delivering software. And I was putting the slides together, I was thinking about this, as to whether or not to include it and go down that rabbit hole. I was thinking more of a service that, where somebody needs something from you, they know how to interact, so more of a business transaction process. And I see customers very, very simply, in the customer is somebody who needs something from you. So if you want to get into the hole or billing me for my time, because my time is precious, it is a way you can go and look at it. There's certainly
multiple directions this can take. I looked at also from a customer experience lens as well, and that kind of felt like it was got a bit too far. But this is more about providing a predictable service and making sure people can interact with you, rather than just being either ignored or brought in too late. Some accepts. I feel like we need to talk about this over beer, like that. Okay, any more questions? Marvelous. You have been a wonderful audience, and this has been emotional. Thank you.