
Reg MacWilliams - An Arms Race in Security

BSides Fredericton · 2018 · 51:10 · 38 views · Published 2018-12
Category: Technical
Style: Talk
Transcript [en]

Now, thank you for coming to BSides. Our first presenter is coming in from jr. and technically security operations, Mr.

hello Nadine inherited lost a clip as mentioned name was razor blades up with I do where became every night hair on final report company certainly supported me over the years but you know this disclaimer all these opinions are my own not my lawyers so in case I say anything stupid or embarrassing ankle faults company for that certainly supported me over the years and developed my career and where I'm at I've been in IT for over twenty years now I have tenant security but I was doing a math class I'm probably closer to 15 so they just think I'm younger than that then I actually am usually always been a defender so working on perimeter controls being at that firewall or IPS

is a little bit endpoints use doing some server security so kind of jack of all trades but I was kind of focus on the defender side last couple years old sorry moved towards the opposite side of things so being ethical hacking want to get into certified web application pentesting working towards a some around the old devices and the security around that breaking into those gauge and app security so that's a sad look kind of like I've kind of seen both sides of the both sides of the fence - you know IT the offense versus defense so couple months ago saw that Curtis put out the call for papers and we're gonna throw my name in the accident

I've spoken before used to Ronnie they're a security patch which is like a monthly event that we ran throw up talking with different security ideas different presentations caught a lot steam is monkey just doesn't have the enthusiasts for security I guess it's president or how the backs does but that's it was still a great experience so anyways you know you're gonna throw a name and I have to speak and they may need a new topic don't look with an arms race and security obviously it wouldn't be security conference if you didn't have at least something doing a military reference I would minimally I'm not a military of story I never read the air before cause I was gonna hit me but I've

never actually watched a full Star Wars movie so that all said I kind of get the gist of it so and you know I think there's a lot of tensions between including me more than two different-sized though when in our bases you know there's obviously traditional military arbiters even within that there's a couple of different facets you think of a nuclear arms race between the USSR the state's cold war went on for years look through those two countries that pista made up they seem that you see when we worked out a couple of special projects coming out of it or not that what news report to listen to then they got the you know more traditional

you know weapon based stuff so on the Left we have a you know a suit from the eighteen hundreds early eighteen hundreds and on the right to have a more recent generation instance silver seven years old now but you know the German Bismarck and you kind of see how things change in about a hundred twenty years it's important to realize the right side is not a 2 dot overage and of the left side you know over that hiring twenty hundred thirty years there's been hundreds if not thousands of iterations as new technologies and as navies have evolved to be able to produce you know better equipment or bust equipment more you know more powerful you know devices

in there so the arms race is kind of showed that you know there's you're always trying to want better better your horn so I was trying to one-up depend how do you politically wrap your Sarah gets so that was our on a knife it's a ironic but you know toward the end of World War two about its kind of came up not quite oppositely the Blessed Portland's different technology says aircraft carriers actually replace them in terms of capabilities because I'm able to launch plays the middle of the ocean could do more carbon tax so that it's kind of deprecated and kind of see is similarity ninety you know if the line is time and we had firewalls and

credentials signature-based antivirus which was the only defense now those companies saw them apologize any sponsors here some men are struggling to keep up with you know defending against the some of a modern attack so some of those are losing ground space to young startup companies who have more drilling more flakes really and how they giving that yeah that no kind of arms race and we can think yeah we competing for this is it Google my topic for look up my top of beforehand but evolution sharing baby so nature basically the arms race happens is you know life evolves among nature's so a good example would be bats and moths and I didn't realize this you

know the bats so barren technology basically who would play can depend on the echo that's how we're able to pick up insects that the proof their food source so anyways foods or for life you know for them to be moths moths have evolved to be able to listen to you know the sounds and be able to you know it's essentially so American or apply some time acoustic defense so that if they you know they sent to bad area they were able to adapt and you know avoid getting eaten but that's later on evolve to you know they kind of learn about this or new trace within species they are able to you know they start to adjust the

frequency to kind of confuse them awesome it was they believe moths again that moths basically develop the skill they can tell if they were being hunted or if they were being if the bats just flying by him so maybe they weren't at risk another example is invasive species so any Simpsons fan here and they're gonna watch bark that's Australian [Music] so 1920s 1930s timeframe Australia had a problem with insect that League was a king he know who was in investing their crops so their solution of the time was to bring in these cane toads from the Oh another country strategy and either they don't have to say an ecosystem that other places do so anyway you say well

these two frogs in a wild after a little bit of dusty and basically found out that not only did the product 90s the came beings they had known African predators in any any predators that did try me no immunity to the frogs pointer so they were actually so the species records have died not because they were eating frogs so you know it sounds almost like maybe you know whoever was behind it didn't do any testing or more release into the production or maybe the senior advisors that necessarily you know the Change review board didn't ask the right questions thankfully that's not an IT problem right it's right yet fail fast and I have a 19 in this I

hope this comedy okay we can read that but in this corner we have firewalls in fiction AV software and this important again Dave and I'm up here to pick on Dave every organization has ID great and depending on anyway foremost Ron's here but depending on the statistics probably ten to thirty percent of users are Daves they were the ones that are going to click on every email they're the ones that are going to you know pull files from the quarantine folder they're going to stop at nothing to open up the invoice PDF that's absolutely what they want to do right and the users are different than IT people and I'm gonna talk about that in

a little bit but it's actually that you know for that it's a challenge but it'll users you know the part of the problem but they're not necessarily all the problem you know administer a product the vendors are a problem to technologies itself how this up business decision makers with an IPR issue you know maybe you can't babysit them fast enough to defend against you know threat you know the business demands so we absolutely have to have a product excessiveness environment somewhere else when it grows itself so doesn't matter what the risk are so there's a multitude of challenges we've had and continue to have so we're gonna take kind of a quick properly it's not it's not a linear view

of the internet history but tradition is shown that anytime you send up something on the internet there's always an attack or some adjustment may bite and the actors to you know how they try to kill me it'd be good so to speak you know so years ago know infancy turn the server there's no such thing as firewalls so whatever services were running on that system are now exposed to the Internet eventually after a while that you know people seem to realize it okay not everybody needs to access every single server something server they also just tell that door that's an MP or what happened because it's not everybody that accesses stuff is doing so in an ethical

manner so in comes a firewall place to limit okay this is servers got me mmm so I'm gonna stand up you know BC content or whatever that let's limit the other services to protect it and they've actually realize that the state require all that's an evolution from you know stateless firewalls added to protect in there so that not involved what would that force of course you know people trying to break into stuff but look brother thanks and you know the attack factor would be like a configuration or vulnerability on a service if you're if you're an administrator you know you can't stand up a web server those open it up 80 or 443 great to

just can't avoid you know I've tried you know I we start going to stable every single forward every day would certainly make my job a lot easier but that's not that's not feasible so of what you know because you now have a service available to forced attackers to look at okay what are something the polar bears are who are selling applies so they have to find some things such as default credentials on are they able to find you know some application or authorization issues you know get access on there you're not supposed to be able to match this or you know did they find some vulnerability that's on a you know the running on the

service that you know has been after four years and an offense for that you know it originally would be ok let's start to best practice at hardening you know some of these devices turn down unnecessary services block them what have you you know frameworks and come out on best practices and lucky we're all great at following those right down to the right down to the fine print break everybody does that there is on a percent compliant and all the best practice yes all right and then you can fall in buildings right so then well really meeting and this is kind of tangent it's not an application flaw it's a configuration or an operational issue if your what about pentester you

finding vulnerability that's not necessarily reflective of the application security and your overall Oscar is but it's you know let's see much fixable issue then you know see if you're fixed and it is trying to find out all the way since off SQL injection of cross-site scripting but you know as things started to get popped what we do is I realize that you know maybe - luckily now action assume they've all really done that right everybody has your a patch seconds so we're not maybe passions on a green card right now but it's Lester but not priority then you know the next iteration is a therapy season fo get back to some of the islands of the attacks you see you know

manually they start to get higher in volume more targets out there or frequency of events that are happening so you know you solution to that to bring in you know something around IDS or IPS intrusion prevention or detection systems these are great this is how I got my person in this grant me an f-14 I was put in charge and I guess they know you know what did and you know we clarified OB affect us we failed miserably because I had no idea what to do with the IDS lost certain research on it but of course to train again you realize okay you know within these millions and tons of events are being produced there

were some good value later what do the managing IPS are I guess property you have to have the same amount of level of patience they go through that process but also to understand at the packet level what's going on next year and that's happened and you know we have the block within five seconds or followed up you know get a sun block and pages about five seconds it's over selling myself like tender but about anyways that you like IDSes bring them as things evolve what's one of the challenges was like IDSes and the way everybody's moved towards a more secure implement you know not everything is plain HTTP it's all HTTPS them there are all the tradition

prevention systems are they all capable of encrypting nessus own that's not the failure to do there's a huge performance impact or you have to struggle keeping up at the Serapis to that to get that visibility which in the industry hasn't always happened so you know the odd cast which is great the text bunch of stuff but as things move towards secure protocols we start to run with some blank spots attackers move up this they move up the stack and their actions and their attacks and they start carving the application a little more look to get looking for a SQL injection opportunities or whatever the I guess while it can't do some of that it's not really designed to do

application level defenses and some capabilities but the exception ation returns or you put into it so what would that force the Pender Institute and Melinda Web Application Firewall either locally on the box or you put some technology in place to kind of romantic you know detect those attacks detect patterns the novel ease you know and report or defend against that you know it also put the onus on Kate maybe you before we deploy an application or a solution you have to take a better look at the screen to perspective so now everybody does call for a few words right no okay they are more common or you hired bringing a company to to do a pentest before you watch that service

to the public because it's absolutely a lot better to pay somebody to find your flaws than it is to have any flaws point empty a because they're needed so let's become more calm you know my comment a lot of the things and this is just kind of the end on the thread a thread of dullness essentially you know all these companies if the Cisco's or the checkpoint I should mention it responsive here for Nebu check for anything so forth because they have these application and laws and firewall on you know they're able to figure out okay how their patterns so a medium signature chatter having a pattern from other coming from certain IP address you can quote certain URLs

served in you know payloads go under prostrate will detect all that and slowly all the data give value how many here people here have never been a patient zero of a piece amount of that nobody right it's rare that you are patient zero or even a patient will honor patient to a basement three so you know because somebody else suffered you've already got you know they make it into this malware that nobody's ever seen before submitting it up to you know McAfee got a black or check on your whoever and then all of a sudden that goes into their their threat feeds every subscribes to it then that defense against up now work is propagated out to

their other customers makes sense problem is is they're already covered is that those companies don't necessarily always share all their data together so I read a couple years ago that you know threat Intel Avenue vote you know if there's any over forty or fifty percent of all potential attacks I'm not because I'm sure what they mean by that it's just you know within their network but it's not a perfect number and liked in the Insignia Basin is easy to change or you know change your IP address so to change the domain you're coming from or going to it should say repackage a piece of malware so it's got a different hash or MD5 value so it's still it's still be

available threat Intel is available but the thing is is it's still a lot better than trying to manually keep up on all this you know taking the feeds in from you know CC irce or the US version having taken all over started helped ease and manually inputted into here your firewall things it's so all better than that then you know next target you know all these people right you know we go back to date it's easy to you know it's even officially easy tricks on these social engineering czar going on for a procedure I keeps on an IT issue the old manager in Frankston I believe my research at once and that originated from summers back of 16 items

where there's a Spanish prisoner who was trying to get out and he promised the guard gave me some story that I got this husband there's famous he's a prince it'll give me lots of money you can get me out and so forth so we're just you know some of these attacks we just see them from regular everyday of everyday use cases but you know to the transcendent into I into IP so with that you see a lot more products and companies and programs around security awareness and anti-phishing how many people do wrong phishing campaign against their user base so in a regular interval you set the emails out find out who's clicking on something they do clicked on

the link you know are these demand their credentials do they stop you know what point in the process do they get caught then you know afterwards you take that information you try to educate the users say ok this was a piece that this was a phishing link this is why see the URL you know this is why you shouldn't you know set your credentials here IT will never ask for your password and so forth so you know there's been more of a push in that especially the enterprise space small video business maybe probably not as much but you know that is you know such a popular narrative and it's so easy to get a phishing email in you know

with social networks you go to LinkedIn you can see that okay here's the owner or here's the president here's is an assistant so you know there's a relationship phish there actually that so and you know on this case here I'll get them all for educating users it's certainly better than the alternative of not educating them in price with your fingers and open for the best but people are not a they're not going to be a hundreds and after each sensor threat sensor on your environment you can't report a few years ago I told I was running a phishing campaign for one of my customers I told a toll the customer that bucket manager but I'm doing this

is that great I said it then the manager was one of the ones that clean them away and complain me afterwards he said this is too this was too hard I'm just it was still too real and I'm like yeah that's all a couple years later he tells me that running education campaign ready he said that is it box complain to him about quick time link they look too real and thank you yeah but they're like right so you know thanks a little slower than you want sometimes but eventually the point gets across so kind of learner right now not time a historical model interviews or the challenge that we have it we've got a lot of technologies are

built on deprecated technologies you know how old TCP/IP Cosma you know this

oh yeah and IPv6 is what maybe 15% new organization and that's a mess it is it is but we're alive and stuff that is though years and years old and some of the stuff just doesn't get cleaned up anybody familiar with OWASP the Open Web Application Security Project so every few years they come up with a list of you know the top 10 security risks and I went back and I looked at the original list which was 2001 or 2004 and like 5 or 6 or top 10 things are still there right it custom not easy fixes because of some it depends on the protocol to build on or just kind of you know pile

it on but I mean things like you know default parameters or non power devices they still get turned up you know injection attacks you see being SQL injection cross-site scripting SQL injection's a bit better now but you know cross-site scripting is a hard problem to solve well the input sanitization you have to do here you session stated users and somehow I was just depending on you know the underlying technology we kind of had to rig up something left to do it the other thing is security is usually behind development you know and that's are being done but there are you necessarily engaging security people at the beginning of you know the development lifecycle or for putting a

solution and for vendor when a security considers that afterwards but we have to get all these check marks or they involved initially so that security can understand what the business need is to feel properly done that kind of feeds into a business needs to risk management you know and often the business is asking you for something after four people in charge of technical risk or saying no because at the tactical risk over the years IT people are not always the best at explaining technical risks of business folks anybody never struggled trying to tell the manager or its own business on you know this is why you can do it and business they don't care they just want

something to work and the business sometimes struggle explain the business rationale for why they need product X to work right so it's a stronger if you don't have a good picture or risk management program or really - okay this is the risk if you accountable with you know accepting these risks as we deploy this application what what can you know what can happen you couple with a risk will you sign off so there's services and challenges there because of all this we're essentially we can't just tear down the internet and how things work and build it up from scratch not possible right so it's like you know the analogy is we're trying to fix an

airplane while we're flying so airplane I've been at a video here because my coworker I'd asked him what was a good reference but I don't think you're gonna play that mom those speakers don't work and all they're pretty loud but anybody ever see you hotshots I've never seen it but I had the video pointed out but I'll just for a little comedic relief here will try to play it like a joke or how well you're gonna hear this

you hear that at all

[Music]

that's what it feels like some days for us right

so today I mean the next you know the next iteration of fret recurrent review will I guess of challenges that the you know we've put up with while also trying to fix the stuffing about kind of things and always you know a little cloud and I'm not sure they're doing bingo cards here we should for keywords but I'm sure they've been for Mia but they're the next iterations of mobile devices and different kind of endpoints you know traditional before would be a limited amount of applications you would ever install on a person's clients desktop would usually come from you know Microsoft there might be a few other oddball ones but you didn't have to worry too much about them because they

had a very specific functions they're using it you know usually used but some kind of you know the you know business use all devices certainly change that anybody ever have to get asked to install a non-business thing to tap on that before your device so that happened right and hold you know laps it's it's tricky because hey anybody write a mobile app and get it published in the Play Store it is just ridiculous APIs or they do a little bit more reading but it's just a fear of a look at the Play stores just to shoot give the sign of apps that are out there so it is just doesn't spyware you take a look at some of the you know

basic apps like a flashlight app that requires access to your calendar your contacts your you know the waste storage and all this that why you know there's a flashlight really need access to that or they just trying to gather some data that they can use to sell or target app store noon or whatever right and it's outside of you know bridge devices have never had a really active worry about you know like device can connect it or rolling from one network to another all the noises are can change that right so you're gonna corporate device that slightly forward network can still have some of you forever controls in place you can firewall or content filter and

so forth but once it's off the network all bets are off so I'm kind of struggled with that it still white is still something we have to manage but it's a completely different way to manage and how we used to with you know the regular witness and you know on the outside you know it's different kind of software infrastructure whether its software as a service whether it's platform as a service or infrastructure as a service now there's these different technologies that are out there and it brings it in to the hole it's the cockpit screen comes for a while but it'll be dated to the side and I'm not against by I'm not against mobile devices would be a hypocrite if I

said that you know I went through an exercise a couple of months ago to seeing those fed out of Google and there's five and you're spying and all that so I actually looked at what it would take for me to dtopping myself from Google and it just wasn't worth it like that some of its things they offer it just so convenient like Wow or so cost-effective it gets on the product it's free it's just it's hard to move away from so you know the cloud mobile technology it's not going anywhere it's but it does offer other questions so if you're posting a cloud you know screwed respective you have new things to consider where is that thing

if you have data residency you shoot super Gators and Canada isn't okay or resentence things you know GDPR concerned with Europe better than you know your IAM fine though you know what kind of protections on the data in the cloud is all the data being encrypted to it you have the ability to you know are the backups encrypted code you've been doing backups the ones to background and their administrators they just they just absorbs after somewheres else does they do their own hire their own people do background checks on them so there's certainly a lot of pressure I think into consideration so I'm not gonna get too down into you know concerns or issues of

cloud is it's not a cloud center table but they're certainly from a SaaS issue the access perspective there's a lot of things you consider then you get into infrastructure as a service you know some of you guys might be consider going to AWS or Azure or I've been on Google you know for some of its cost you to run your data center so if you're under that you know it's rare that you can only end up with one so you have to come in it's to migrants but managing the sewers and what do you got me anything an Office 365 so how do you is it exactly the same as managing everything no it isn't is it although it's a secure

gamut is it in different places again right it's all over the places have a nightmare of a man a drink so now you have to have staff who's got to take really to manage multiple enterprise or idling multiple tool sets of the same product that's it kind of migrate through you know if you're applying if you're standing up you're maybe say you source your web services to the cloud you know are you going to just inherit whatever you know the ACLs that they do better you gonna put in virtual firewalls to do that those files go to integrate into your you know your other centrally managed files you have on from you know imagine say wait what's

the Pledge Tecna link so those searches for calendars there and what happened to names that they were briefed it was liable if your final provider is breached you're in a software firm if you're gonna have to deal with it but you know what's your contract going to cover and does that mean anything at all is exposed you have to pay a penance word for paper credit bottoms and resorts what happened so I mean with these new devices surely behavior would happen to drink with these new mobile devices info so once an attacker do you know for my from a perspective perspective I got you know file open service or application oh that's really have to change that

much I can go on you know show it as I'm showing and find out all these you know what's open to what I be it is right back through the main but you know find this up and really ended the change the wall you know configuration fly still have to find those whether your host a website outside are on friend or solution solar potential for configuration applause house if it's a staff provider how are they how they hired their the e21 patching or they go on there they go within there

I don't so we just have it much it's a much broader carrier right I mean it's technologies fixed exploded over the last fifteen years ten years five years you don't have it it's a much bigger baby so much you have a lot more carbons now they ever have there's a lot more to wasted there you know connect to the internet that probably have no business being there that's something so low I mean II but the action if the principles are really the same you're doing a recon you're doing your assessment regression testing application you know a test to see what privileges you have you can get a target to do those so that from a time perspective it really hasn't

changed so but of course you know we still have to have you know there are some new wooden benches for some of these things that are out there of course it's more technology I'm usually not a proponent from throwing more technology a problem because I think we all can anybody in the room say that they are huntersam satisfied the power than they use every piece of its created technology they had and they were packed so the beginning maximum use it Eric I work in there so no so I'm not always a component of throwing more technology their problem this what happen is you throw technology in place doesn't necessarily just always replace another price of now get all the science they

can be using two products or 50% of the capabilities but in some cases it does make sense but there are serious limitations to traditional antivirus right so EDR which is a kind of a next iteration of that or now when that guess it's what they call it now max get in here you know you collect all the logs collect all the changes made through machine all's processes or respond up all change major the registry all the changes that are made the user accounts and you know them sorry they remember linen some of the you know the signature based stuff as well where they get the technical malware and block it but what does that mean I mean you still have to

manage the product which is what we're doing with antivirus in re the but we also have to you know that's provided off giving you the frenemy so you're all just data here that EDR is provided to the but if you're not actively if you don't have a programmer got them if you get breached you're able to go back and look through that logs and say okay yeah we didn't know about it or the system didn't know better we never captured us you know I guess it feels good for that your technology did the trick and you still you don't have the cyclist to do it then another technologies I'm kind of a bit on the bandwagon is a cache using

cloud access security broker basically you know if you can start to control the traffic flow is going to all your cloud providers begin Microsoft the Amazon or SaaS x1 is then you can start to do that you basically proxies all your traffic that you can apply application roles even limits you know what data is coming going to more from it what users are doing it where users can you can't get to blood that's relying on you know the SaaS provider or the by provider you know accepting things like you know the additional controller integration and with those technologies hey I so and I was thinking we should have terrible a reference but that means what I can see happening the argument

there's a red box on this, is, you know, at some point in the future, probably already happening now to some degree, we have essentially two pieces of AI. It may be more than that, but you have a bad guy that's just looking at and analyzing all the data out there, what it can do, and automating the attacks into that. Then you have another set of artificial intelligence that's just doing the inverse: it's scanning the environment and trying to determine what the programming looks like, where is the chance that someone is going to hack into it, and can you block it before it happens, right? So, you know,

battles of AI against each other. Now, how far away is it from that? A couple of years? I know some of the security vendors out there now are relying on AI for some of the behavioural stuff, but, you know, it's probably closer than we think. And kind of the last thing is education. I mean, how many people here are comfortable with what they know in security today? How many people feel they can take a course or two a year and then they would be good, that they know everything about security they need to know to protect our environments? No. So this is where I struggle, right there, in that it's not a matter of saying you send someone on a

SANS course once a year. It's five days, sorry, it's doable, SANS is great, you will learn a lot about a specific area, but that's just, that's just part of the iceberg, right? That's just part of the pool of water that you need to protect. And it goes beyond security folks, right? I mentioned earlier, you know, Office 365, the Microsoft line, that's where, you know, all of a sudden you have multiple people, sorry, you have to imagine multiple environments that really aren't that similar, but the job functions are kind of the same, so they have to work on both. But how trained up are they? Have I trained

them up properly on those particular products to make sure that, you know, when they make a change to it, it stays secure? That is certainly a challenge. I've been in IT, like I said, for almost 20 years now, and, you know, 10 to 13 years in security, and I'm still overwhelmed on a regular basis. And, you know, this isn't just a job to me; I like to think I'm, you know, fairly involved, that I try to stay on top of it. I'm probably at least average intelligence, probably not smarter than you guys out here, but I still struggle grasping it all, and some days it just keeps me up thinking,

I'm like, you know, how is my organization, you know, where are the flaws, what could go wrong? You know, it reminds me of, a few months ago, off topic here, but I'm a big SpaceX fan, so I must admit, when the Falcon Heavy took off, they showed the video again afterwards where he talks about all the things that could have gone wrong. He wasn't expecting it to be a success. You think of all the things that could have gone wrong, and when it flew up, the reaction when it took off was, excuse my language, "holy crap, that thing took off," right? But it's true, right? If you think of your systems, it's amazing

things still work. So I've noticed this for a while, but I mean, if we're hiring somebody out of university or promoting somebody from an admin or desktop support stream, it's an awful lot to expect them, you know, to know what we don't know after 20 years of experience, right? That's certainly a challenge. And how do we, how do we change that? It's not an easy fix, you know. I'm not sure what, you know... I don't have the answer, I almost never do. But it's a good segue to this, because a couple of weeks ago I had the pleasure of attending

... going back a couple of years ago, myself and a few others went to an event for one night, and he was talking about, you know, some of the cybersecurity initiatives that the province was involved in. Okay, so that's what the province wanted, and I knew they were going to target that, you know, invest in it, and there are some cases there at the university. He was actually meeting with high schools and middle schools, changing the curriculum for computer courses to focus it on security. To me that's great. So a couple of weeks ago I got asked to participate in a cyber

competition program, maybe you're familiar with that? Okay, so it's for high school and maybe middle school. Yeah, so teams from middle school, teams of three or four or five students, get together and, you know, participate in, I think it's mostly around defensive security, like hardening, you know, everything. So I got engaged with my former high school and I went in there. The school has a thousand people; there were at least 40, maybe 45 students in there, so 4% of the school. Not a significant... oh, that's a pretty good chunk. And they were working on hardening Windows devices: Windows 10 clients, I think Server 2012 or 2016, that

was stuff like installing policy, restricting user permissions and so forth, and it moved into Debian and Ubuntu. But what impressed me is that there were 40 students in their high school, and I talked to them; nobody had that attitude of, you know, "I know everything", I'm sure we were all kind of like that. They were very engaged, asking questions, keen to ask; nobody was sitting there like "this doesn't interest me". It was kind of refreshing to see, and, like, I'm happy to see that the province has started to make an investment in that. But it's amazing that, you know, right at that level, right, to get kids who are

14 or 15 years old asking questions like, okay, why do I need to apply this update, why can't I just use this admin access? And they're, you know, they're challenging it, but they're also, you know, seeking more knowledge. It kind of gives me a whole bunch of hope, you know. I don't have a strong finishing point here, but what I guess I'm asking, I guess, is a lot of us here, and me, probably, if we're honest, the only way that's going to get fixed is probably not by our generation; it's probably going to be the next generation that has to fix this, but we have to make sure we do a good job mentoring and coaching these guys and

working with them, whatever we can do to make our job easier down the road, right? Just know there's no silver bullet in this; it's going to be a community-based effort to fix some of these issues, working together, you know, hoping that these guys pick up the habits of security first. Even if they don't go into security, if they go into development, as long as they have that security-first mantra, you know, that idea, we'll probably end up in, yeah, hopefully a better state even as technology continues to grow. Hopefully we have a smarter, more security-aware group working on it. So I encourage you, if you have the opportunity to help with that, by all means do. If you have

any questions, reach out to myself or some of the others; there are many people here who know more than I do. That's kind of all I have. I probably read through it a little faster than I thought, so we've got time for questions.

Probably one of the biggest challenges that I run into with the new technology is that the tools that we've had, and that we've gotten used to using, are less effective, actually, because of the new technology. So for example, I'm trying to test using, like, a proxy or something like that, and when you're dealing with an HTML5 app that does, like, websockets, or dealing with a mobile app that uses certificate pinning, you can't

actually intercept any of that. I think it basically has rendered a lot of the tools that we depend on today largely ineffective.

Yeah, and I mean, I look at that every day with stuff like that. The SANS course I want to go on, breaking into mobile devices, talking about that: usually when you take these courses there's, you know, at least some form of, you know, a finished product to help you with it, or at least some commercial products to help you evaluate security on devices. There's none. I mean, there's a bunch of open source tools, and thank you so much to the guys behind those, but I

mean, this is kind of a hobby for them; they're doing it to bring it along. So it's, you know, but it's an opportunity, I guess: how do you solve that? After all, security is about solving problems. But yeah, we are hamstrung sometimes by the tools we have, whereas the evil people aren't; they don't have those difficulties and we do.

So another, I mean, concern, when we're thinking of an ongoing arms race into the future, what kind of terrifies me is that the pace of change here is accelerating, and particularly with the move to cloud, trying to keep up on the, I mean, you know, every three months you get ten new things out in the cloud, in Azure or

AWS, that I don't even know necessarily what they are. I don't have time to get skilled up on them, and yeah.

It depends, right? Alright, so I would say it depends on what you have there, what you're concerned with, you know: if it's just public data that you don't really care about, or if it's going to be something like personal records, okay, that needs a bit more controls around it. Yeah, the problem is you can't spend a hundred hours over that.

No, and the problem is this: they never come to us with stuff they know is public, or

hardly ever. And then they ask me for a security opinion on something that I haven't heard of, and I have to go research it and figure it out within a couple of days, and then they think I'm an expert. Nobody's willing to stand up and say, "this is data we don't care about." No, but maybe I do find that every time someone comes to me it's data that isn't private, it isn't public, sorry. So it's a common challenge, right? Not, not an easy fix. I think it's not an easy solution, but the advantage of a cloud access security broker is going to be that your security team is going to be in the

loop, so it's involved in, you know, the data flows, right? The network folks or your infrastructure peers, like your server guys, because, you know, they always handle some of the web stuff, will be involved too. So that's a whole other thing: you know, in larger organizations with multiple teams, are their security teams organized to handle the new technologies as well?

Everything good? Other questions? Alright, I really appreciate you all showing up. This little room here, a couple of minutes ago there were three people, so I hope, I hope I provided some insight for you, and if not, maybe just some questions for you. [Applause]