
I'm going to introduce you to Julian and Dan. They are from a company called ThreatQuotient, and they're going to be talking about their building of a security program. You guys hear me? Yes.

Welcome to Back to Basics: our journey of building a security program at a small startup. I am Dan Slavin, this is Julian, the front man.

So my name is Julian. I'm a Solutions Architect at ThreatQuotient, so my day-to-day is dealing with integrations and building any kind of custom integration you can do for our product, and also forward-thinking and research. I have some background in building security programs at some smaller startups, smaller companies, but I've also worked at a major SOC provider as an analyst.

I am currently a DevOps engineer, but I am sort of a jack-of-all-trades IT guy. I do all of it, from help desk to systems engineer to AWS management to cloud management, automation, configuration management, everything. This is my second startup; I came from Sourcefire as well, and I've been with ThreatQuotient for about a year now.

So the keynote: our titles usually are important, but for this presentation, and we'll get to it in a second, it's kind of an interesting fact. So why are we here? We were asked by our executives (security executives, a lot of them are paranoid, and rightfully so) to build a security program, and the challenge, the kicker, is without any resources. We barely have any budget; we don't even have a dedicated resource or resources to build this program. That's what I mean by the previous slide: Dan and I have day jobs, and we were asked to build a security program and security team in our free time, basically. So the point of this talk is to go over some of those challenges, what we're focusing on, and kind of what we're trying to achieve with what we have.

In general, security is easy; I mean, a lot of it is common sense. But building a security program from scratch is hard. You try to fight the urge to do all the things and all the cool stuff that you may have done in a previous life, or the latest thing you're seeing on Twitter, and that's all great, but if you don't have the foundation of anything it's kind of hard. It's hard to know where to prioritize, where to start. And where do you start, really? The nuts and bolts of our presentation are: where do you start when you have limited resources, limited time and no funds? Where do you start when you have an existing culture that you don't want to blow up, but want to do the right thing and keep everyone secure and maintain your good reputation? Where do you start when there's no silver bullet? Security management, automation and orchestration type deals are great when you're a mature company and you have a team of dedicated security professionals, but we're a bunch of worker bees who are just trying to do the right thing and keep us moving in the right direction. We're lucky enough that we work for a security company, and the majority of our development team and executives are all security professionals, so we have vast resources to utilize in order to move forward and to put these things in place. There's an understanding there, but we also don't want to wreck anybody's day-to-day with strict security guidelines. And also we were handed a handful of guys to use as resources, and they all have conflicting things that they've done in the past, and every one of them, of course, is right. So how do we, as lower-end guys (sorry, I forgot Julian's internet-famous), how do I, as a nobody, make it all work the right way? There is no right way.

Yeah, and to the point about the silver bullet: even if it did exist (and if it does, and it's free, can you guys let us know?), even if there was one, we can't afford it. We have a negative budget. So this is challenging, trying to figure out where do you start. So we put things into three categories: where do we want to start in our initial plan? To start, we wanted to establish a security-centric environment, a culture that's security first, in a maturing company, that's not going to harsh anyone's buzz. We didn't want to impact this startup life, #startuplife mentality, but we also wanted to start having people think about security. The next thing is inventory all the things. We wanted to get an idea of what's out there, who's using what, where is data stored, and just get an idea of where our holes are, where our gaps are, what are we missing, just to get an understanding of what's out there. And lastly is writing policies. Everybody loves policies, both writing and reading, so it's great when you have to tie that with a startup culture. It's a challenge to say, I want to define these secure practices and policies without being overbearing, without saying, hey, I'm going to ban all
this and you can't do anything except for using PowerPoint. So that's kind of where we bucketized all these things.

So for culture: we're a security company, we like to hire people that are passionate about security, so we have a lot of people that have an interest, whether it be technical or, for me, I'm interested in the market, stuff like that. Everyone is interested and we want to take advantage of that and establish a culture that's security first, and by doing that, people care. We broke it down into two things: we wanted to be visible as a team and we wanted to effectively communicate to everyone. We're predominantly a remote company; I think what, eighty percent of our workforce is remote? But we wanted to establish this quote-unquote open-door policy. We want to make sure that people know who we are as a team, what we're trying to achieve, and put faces to the names and whatnot, so that we're not seen as that security team that's in the shadows, you don't really know who they are, they tell me what I can and can't do. A big chunk of that is Slack channels, right? Like every startup, or really any company nowadays, we live in Slack, so we have these channels that are open to discuss news topics, or even go in depth. We have separate channels that are more technically involved about certain breaches, or "I found this tool and I use this and why it's cool", stuff like that, and we're starting to do some brown bags and stuff like that to further that point. By doing that, people feel welcome to talk about security. We also have an open security channel for people to ask questions: what's the best password manager, stuff like that, simple questions that Dan and I, or anyone, can really answer. It's not really just us answering questions; everyone in the company is free to answer, give any advice and stuff like that, because that's what this is overall about.

The second thing is effective communication. We wanted to establish this cadence of communication with our employees so that they're used to hearing from us, so we're not just, again, telling them what they can and can't do. We wanted to bug the crap out of them, in a good way, to say, hey, we're here, you should keep thinking about security, and this is why. The best example we have is, every week we have an email communication to our whole company. It usually talks about news and events and any kind of social media campaigns we're doing as a company, so we carved out a section to talk about security. Most weeks it's about news, what happened in the last week, any kind of analysis around that kind of stuff, but we also talk about things like blog articles, writing out stories about what's new, like password managers: this is the type of thing that you should think about, use a password manager, and here's why, and give kind of total information about that. This is letting us set the groundwork for once we start writing policies and enacting these standards. Before we do that, we're kind of backing up our reasoning, right? So before we say, hey, you need to enable two-factor authentication on everything, it's, hey, you should start doing this in your personal life, you should start doing these things, and we're backing it up. We're not just saying, hey, you need to do this; it's, hey, you need to do this and here's why, and have this open dialogue about these things. We've had people respond and say, hey, I use this password manager, or hey, I'm doing this, and it kind of opens that dialogue. We're trying to do this without being this overly stuffy, stereotypical security team, so we're light-hearted for the most part, despite Dan's rough exterior, and as you'll see later on and in previous slides, we have memes, because that's important, but only when appropriate.

So: inventory all the things. We adopted a crawl, walk, jog type mentality when we
first started meeting and approaching security as a whole. Spreadsheets: everyone loves spreadsheets, especially small companies, but we need to know. We need to create a security baseline, so we started with documenting literally everything. We're a young company, but no one knows where anything is, so we started with creating a central location; we use Google Docs to maintain everything and collaborate as a team. We started off documenting all of our known hardware, all of our laptops, everything, piecing together old audits and receipts, and we figured out how many Windows laptops and Mac laptops, network devices, what printers are out there. We've standardized our networking equipment, but what's plugged into those ASAs that we're managing? That allows us to attack what the most vulnerable of those are when we get around to our actionable items. Documenting all of our software: we use a lot of cloud tech, and who's managing those softwares, who's managing those licenses, if they have a license, who knows when they're going to expire? It's really embarrassing when your SSL cert for your website goes and expires, isn't it? So we need to know what the point of contact for literally everything in our company is. We're a young startup and we've been flying by night, so how do we reel in all of that? Spreadsheet hell.

Then we get to do some of the fun stuff by moving on to the network scans. You can start off with Nessus and nmap scans just to validate what you're putting on paper. We use a lot of demo software and free licensing and some open-source stuff to get a better idea of what our infrastructure is really made of. We work out of a colo for most of our development, so we want to make sure that we know exactly what is behind that firewall moving forward. We don't manage it, we don't have hands on the ground, so we have to know in case anybody plugged anything in that shouldn't get plugged in. Same with vulnerability management: we're using freeware and demos to sort of get an idea of what our baseline vulnerabilities are on our current infrastructure.

My favorite slide: who's your daddy and what do you do? Data. We move on from hardware to data, and who are your most vulnerable people? Your front office and your HR people, people who are primarily Windows users, who, in a startup, you don't have policies in effect for yet, so data could be literally anywhere. It could be sitting on unencrypted laptops, sitting in shares with shared usernames and passwords and no two-factor authentication. So it was an exhaustive process of interviews, sitting down with your CFO and your HR reps and getting an idea of all of the software they use and where their data is. It went into our inside-out mentality, where we started only inside and found out where all the real vulnerabilities are, which, as we found out, are mostly people, mostly users. So we're able to strike on some of the low-hanging fruit like encrypting hard drives, managing user accounts in these cloud softwares that we had no access to, and making two-factor authentication like a thing for everyone.

So actually, before we go to the next slide: the goal for this wasn't to call people out for being dumb or wrong or not doing secure things. We just want to understand what people are doing, right? We can't protect what we don't know, and just by understanding how people are using certain tools, where they're storing things, we get a better sense of the workflow of everything, and then we can say, OK, well, I know you're using these tools and you're doing these practices and we don't want to disrupt you, because we're all about trying to get customers and everything right now, because we're so early stage, but let's inject some security into those practices without disrupting your life. All right, so think: just enable two-factor authentication, like Dan said, encrypting your laptop if you're going to store stuff locally, all the simple wins that we can do, we went out and tried to knock out. And for interviewing, we did not do that, we did not beat them up, obviously.

So, policies. I know I talked about earlier how we all love writing policies, we all love reading them. Even outside of the startup, no one likes to do that, so when you factor in a startup culture it's a challenge. We need to respect our culture; no one wants to read these strict, dense policies that tell them what they can and can't do, and we need to tailor everything that we write to our
audience, and we also, at the same time, have to remember how mature we are, as both a security program and as a company. That comes into play when we need to pick out what we need to start standardizing, or what policies we need to start with. That's kind of where we sat down and were like, well, we're just building these things, what are the three things that we want to do? The first thing was workstation standards. We identified that we have 60 or so Macs and some number of Windows machines, so we went and scoured the web for best practices and standards, stuff like full disk encryption, strong complex passwords, firewall, screen timeout, stuff like that, to memorialize in the standard. The goal was for there to be no surprises for our users. No one should be reading this and say, oh, I don't want to do that, that's dumb. It should be nothing that's terribly inconvenient; it's, oh yeah, this is obvious, I already did this when I first got my laptop anyway. So that's kind of how we approached workstation standards.

The next is the acceptable use policy. A lot of the time when people see the term acceptable use, they start to hyperventilate, because now you're telling me that I have to use my laptop in a certain way at a certain time and stuff like that. But it's incredibly important to start laying out and putting some walls and rules around how our users can start using their machines, just to cover ass, really, er, just to understand, making sure that we are identifying some of the attack surfaces in our environment. So we want to make sure that people aren't downloading and installing software that's not necessarily needed for their day-to-day job. It's all going to be common sense and startup-friendly language. It's going to be not this super long document with tons of bullet points; we're going to have a nice one-pager to cover everything that you can easily understand. And again, we're not banning everything, we're loosening the reins a little bit. We want to empower our users to make good decisions, but at the same time we need to have some documentation around that.

And then lastly, something that's near and dear to my heart, which is vulnerability management. We wanted to identify what that even means for us, right? What are the tools we can use, how can we use them? My first month that I started out at ThreatQuotient, MariaDB came out with a number of vulnerabilities that scared the crap out of some executives, and so they came to us like, what do we do? They were all panicking like chickens with their heads cut off. So I'm like, well, this can't happen again. This is a prime example: we started with our products first, right? So we identified that there are some gaps in how we can handle future MariaDB vulnerabilities, because they bring us a lot of sadness. We wanted to identify who's involved in this remediation process, right? Who does the work for the patching? How can we place it, in what sprint is it going to happen, what release is it going to happen in, and how do we communicate that effectively to our scrum manager and everyone involved in the process? How do we communicate to our customers that this happened and this is when it's coming out with a release? So it's just a high-level process that we came up with, but it saves us a lot, because we've had a number of times, whether it be a vulnerability drops and we find out on our own research, or customers come to say, hey, I've identified these vulnerabilities, where we can say, oh, we know this, and we have this in an upcoming release, or, oh, that's something we need to identify, and we work that through the process that we've defined. And again, because we're a security company, this is something we need to nail so that we're seen as, you know, we're mature, we know what we're doing. The next step after that is vulnerability management of our internal infrastructure. This is kind of easy right now, just because we can use the previous process, and also it's basically just me and Dan, so I can just do a scan and say, hey Dan, fix this, and he'll patch it in five minutes. But by defining this process now, we can start evolving it once we start, if we were to double or triple in size over the next few years, where we're going to need a more mature process. By having it now and identifying any kind of problems early on, it's going to make our lives a lot easier in the long run.

So now we have policies, we have procedures, we have lots of documentation. How do we start enforcing these things when you're a remote company? Like we said earlier, we're mostly 80% remote, and a lot of companies are taking on the remote environment. So we've come up with standardized security trainings, we've come up with slides, and we're
making it mandatory for new employees as well as existing employees, and certain employees are getting extra security trainings. We publish all of our documentation to a public wiki, and we direct people, like in our weekly blurbs, to documents in our wiki. And we agreed on a standard of tools and apps for everyone to use, like a standard browser, like malware detection. We'd like everyone to be on macOS, but there are some people that refuse to use it, but I digress.

So with that, what comes next? What do we do after we've done these things? It's time to do real security work, assuming we can find some free time and some free resources and interested people. Let's start enforcing the policies and standards that we just sent out to everyone, and start actually doing what the other cool security teams are doing: Netflix and Amazon and Rapid7, what are they doing? Start mimicking that and start to figure out what to do. We've said that two-factor authentication is important; let's start doing that on more than just Gmail. If it's enacted on all of our systems, any kind of cloud-based thing that offers it, just enable it and use it and enforce that. Let's start centrally logging all of our stuff, because we've got a lot of sprawl going on, so we just want to be able to identify if there's any attackers that are already there. Let's automate some vulnerability scans and automatically remediate those things, because we're such a small environment; for the most part this should be: I do a scan with a tool here, the results automatically patch those boxes. We don't have much of an impact right now, so if we figure out that process now, it'll make it a lot easier. CIS Top Controls is something we've adopted as a standard; we've made it through three of the top five, and we want to keep moving forward with that.

Automating the mundane stuff: we want to automate from a DevOps perspective, we want to automate as much as humanly possible, but we also want to inject security into those procedures. For instance, we have a full-on QA Jenkins chain that gets kicked off with every PR, and with every pull request the code gets dumped to one of the slave nodes and gets scanned by a malware scanner, so that we know that everything that is eventually getting dumped onto our repos and our servers is malware-free, to our knowledge. And also a hot new thing is this concept of ChatOps, and being that we live in Slack, it's a great opportunity to just have bots do all our work for us, because it's not like we have the time to do it anyway. So notify us, once we have the central logging, of all the weird stuff. If we can automate responses to simple questions in our security channel, say, hey, I've kind of read those, and give helpful responses, that's kind of a quick win, just because we can't always be watching all the channels. And also make sure that people aren't just pasting passwords and API keys and stuff like that all throughout our channels. A lot of our development and our engineering side is based on using third-party APIs, so there's plenty of API keys being shared around, so it's something that we can tighten up for sure. So that's kind of this whole new nebulous thing of ChatOps.

And lastly, let's use our own product. Our product, for those who don't know, is a threat intelligence platform. I'm not going to get into too much detail, because also there's not a lot of time, but it's designed for more mature security organizations that have a threat intel team or a threat hunting team, or really anyone that's focusing on that. So we're not ready for that, but we can start tailoring it towards our needs. How can we use our product to further enhance, for future enhancements, or, this is how I've noticed this wonky behavior? It's kind of this full circle of: we're using it for our own defense, we're also enhancing our own product, so it kind of helps a lot of people by doing that. So it's something that we need to figure out, just because we don't have much use yet for a threat intel platform, but our platform is so extensible that there's plenty of things that we can do with it to help us out. And that's it. Do we have
any questions?

So, the question is: we know we were kind of generic on what tools we use. We did that on purpose, with a lot of you here, to be agnostic, but I want to answer your question. We don't want to get too specific on what tools, just because we have those relationships, but we haven't paid for or adopted anything; we're making do with baseline information from demos and sort of deciding on what gives us what we need for the best cost. Yeah, so we're still actually, like, doing these things, and we're also trying to figure out what is the best tool in the first place.

We could tell you, I mean, there's a ton of them out there and we've demoed a lot of them. It's going to be specific for your environment, really, and what your budget is. Yeah, if you're more interested I can tell you one-on-one, but again, not broadcasting it. Any other questions?
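The inventory step the speakers describe (spreadsheet first, then Nessus and nmap scans to validate what is on paper and to spot anything plugged into the colo that shouldn't be) can be scripted. The following is an added example, not code from the talk or from ThreatQuotient. It assumes the asset spreadsheet is exported as a CSV with ip, hostname and owner columns, and that the scan was run with nmap's greppable output (-oG); both inputs below are constructed sample data, and the watched-service list is a choice made for this example.

```python
"""Reconcile an nmap greppable scan against the asset spreadsheet.

Added example with hypothetical names; the spreadsheet export and the scan
output below are constructed sample data.
"""
import csv
import io
import re

# Constructed: the asset spreadsheet exported as CSV.
INVENTORY_CSV = """ip,hostname,owner
10.10.0.1,asa-fw01,netops
10.10.0.10,build-jenkins,devops
10.10.0.11,db-maria01,devops
10.10.0.50,printer-front,office
"""

# Constructed: output of `nmap -oG - --top-ports 100 10.10.0.0/24` against the colo range.
SCAN_GNMAP = """# Nmap 7.80 scan initiated as: nmap -oG - --top-ports 100 10.10.0.0/24
Host: 10.10.0.1 ()\tStatus: Up
Host: 10.10.0.1 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (99)
Host: 10.10.0.10 (build-jenkins.corp)\tStatus: Up
Host: 10.10.0.10 (build-jenkins.corp)\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///\tIgnored State: closed (98)
Host: 10.10.0.11 ()\tStatus: Up
Host: 10.10.0.11 ()\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (98)
Host: 10.10.0.77 ()\tStatus: Up
Host: 10.10.0.77 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (98)
# Nmap done -- 256 IP addresses (4 hosts up) scanned in 12.40 seconds
"""

# Greppable lines: "Host: <ip> (<name>)\tStatus: Up" or "Host: <ip> (<name>)\tPorts: ..."
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(Status|Ports):\s+(.*)$")

# Services worth a second look wherever they appear (chosen for this example):
# database and Windows file/remote-desktop services are the ones the talk worries about.
WATCHED_SERVICES = {"mysql", "microsoft-ds", "ms-wbt-server"}


def load_inventory(csv_text):
    """Map every inventoried IP to its spreadsheet row."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def parse_gnmap(text):
    """Return {ip: {"up": bool, "ports": {port: service}}} from greppable nmap output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and anything else we do not care about
        ip, _name, kind, rest = m.groups()
        entry = hosts.setdefault(ip, {"up": False, "ports": {}})
        if kind == "Status":
            entry["up"] = rest.strip() == "Up"
            continue
        # The Ports field runs up to the next tab; each item is
        # port/state/protocol/owner/service/rpc/version/
        for item in rest.split("\t")[0].split(","):
            fields = item.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                entry["ports"][int(fields[0])] = fields[4]
    return hosts


def reconcile(inventory, hosts):
    """Split live hosts into ones the spreadsheet knows and ones it has never heard of."""
    live = {ip for ip, h in hosts.items() if h["up"]}
    known = set(inventory)
    return {
        "unknown": sorted(live - known),  # answered the scan but nobody owns it
        "offline": sorted(known - live),  # inventoried but silent (laptops sleep; a hint, not an alarm)
    }


def flag_services(hosts):
    """List (ip, port, service) for watched services, sorted for stable reporting."""
    found = []
    for ip, h in sorted(hosts.items()):
        for port, service in sorted(h["ports"].items()):
            if service in WATCHED_SERVICES:
                found.append((ip, port, service))
    return found


def report(inventory_csv=INVENTORY_CSV, gnmap=SCAN_GNMAP):
    """Human-readable summary, the sort of thing to paste into the weekly blurb."""
    inventory = load_inventory(inventory_csv)
    hosts = parse_gnmap(gnmap)
    diff = reconcile(inventory, hosts)
    lines = [f"{len(hosts)} hosts up, {len(inventory)} in inventory"]
    for ip in diff["unknown"]:
        lines.append(f"UNKNOWN  {ip}  open: {sorted(hosts[ip]['ports'])}")
    for ip in diff["offline"]:
        lines.append(f"OFFLINE  {ip}  ({inventory[ip]['hostname']}, owner {inventory[ip]['owner']})")
    for ip, port, service in flag_services(hosts):
        owner = inventory.get(ip, {}).get("owner", "nobody")
        lines.append(f"CHECK    {ip}:{port} {service}  owner {owner}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run as-is it reports 10.10.0.77 as an unknown host (the "somebody plugged something in" case), the printer as offline, and the MariaDB and SMB ports as services to check; swap the constants for a real spreadsheet export and a real `-oG` file to use it against your own range.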
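The ChatOps idea of catching passwords and API keys pasted into Slack channels, as an added example that is not part of the talk or the speakers' tooling. It assumes messages arrive as dicts with channel, user and text (the shape a Slack bot handler would receive); the sample messages are constructed, and the AWS values are the documented AWS example credentials, not live ones. The detection combines named patterns with a Shannon-entropy check for long random-looking tokens, and masks the matched value before it goes into an alert so the bot itself does not re-broadcast the secret.

```python
"""Flag passwords and API keys pasted into chat channels.

Added example with hypothetical names; the messages are constructed and the AWS
values are the documented AWS example credentials, not live ones.
"""
import math
import re
from collections import Counter

# Constructed sample messages in the shape a Slack bot handler would receive.
SAMPLE_MESSAGES = [
    {"channel": "#dev", "user": "alice",
     "text": "prod creds: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
             "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"channel": "#security", "user": "bob", "text": "what's the best password manager?"},
    {"channel": "#ops", "user": "carol",
     "text": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.abc123' https://api.example/v1"},
    {"channel": "#random", "user": "dave", "text": "password: hunter2 for the test box, don't tell anyone"},
    {"channel": "#dev", "user": "erin", "text": "the build is green, commit abc1234 merged"},
]

# Named patterns; group 1 is the secret itself.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("aws-secret-key", re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})")),
    ("bearer-token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-_.=]{20,})")),
    ("private-key", re.compile(r"(-----BEGIN [A-Z ]*PRIVATE KEY-----)")),
    ("password-assignment", re.compile(r"(?i)\bpass(?:word|wd)?\s*[:=]\s*(\S+)")),
]

# Long runs of base64-ish characters that no named pattern knows about: judge them by entropy.
TOKEN_RE = re.compile(r"[A-Za-z0-9/+]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; ordinary words and identifiers sit well below this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string or one repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(secret):
    """Keep a short prefix so the owner can recognise the key; never echo the rest."""
    keep = 4 if len(secret) > 8 else 0
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_message(msg):
    """Return a list of {"type", "preview"} findings for one message."""
    findings = []
    for name, pattern in PATTERNS:
        for m in pattern.finditer(msg["text"]):
            findings.append({"type": name, "preview": mask(m.group(1))})
    for token in TOKEN_RE.findall(msg["text"]):
        if shannon_entropy(token) > ENTROPY_THRESHOLD:
            findings.append({"type": "high-entropy-token", "preview": mask(token)})
    return findings


def scan_messages(messages):
    """One alert line per finding, with the secret masked, ready for the bot to post back."""
    alerts = []
    for msg in messages:
        for f in scan_message(msg):
            alerts.append(f"{msg['channel']} @{msg['user']}: possible {f['type']} ({f['preview']}); "
                          f"please rotate it and share it through a secrets manager instead")
    return alerts


if __name__ == "__main__":
    for line in scan_messages(SAMPLE_MESSAGES):
        print(line)
```

The entropy check is what catches a secret whose surrounding text gives nothing away (the AWS secret above would be flagged even without its variable name), while the named patterns keep short, low-entropy but obviously sensitive values like "password: hunter2" from slipping through; the threshold and the minimum token length are the knobs to tune against your own channels' false positives.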