Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security-to-business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or, worse, shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your newfound stance.
9. But they won’t. Business should learn the language of cybersecurity.
10. Companies will not change. Security is all too often seen as the thing in the way of good profits, like how environmental protection was viewed in the 70s, 80s, 90s. Now, well… fracking, reactor-cooling radioactive ocean water, marine vehicle fuel leaks, any kind of energy production, any carbon footprint, plastic straws…
16. So we try to make cybersecurity sexier to get business’ attention. Desperation.
17. Success = numbers go down
Times caught cheating on spouse
Bones broken for gambling debts
Raccoons in the bedroom at night
Episodes of Kardashians you’ve watched
18. Security effectiveness is going down. The crowbar of statistics says:
Security controls utilization from 40% to 30%
Avg number of sec products from 4 to 5
Avg number of secops from 3 to 2
19. How do we move forward? Cybersecurity is built on human suffering.
20. Cybersecurity analgesics
Separate threat and security from assets
Clean the environment and own it
Control the interactions
Only after all that is done, deal with vulns
21. 4 Point Process
1. INDUCTION: establish facts about the environment
2. INQUEST: investigate emanations
3. INTERACTION: trigger responses
4. INTERVENTION: changing resource interactions
22. Trifecta
1. How do current operations work?
2. How do they work differently from how everyone thinks they work?
3. How do they need to work?
If you could have anything you want in the whole world, what would you wish for? On the count of three I want you to say it out loud. Ready?
One--
Two--
Three!
You said “Better cybersecurity.” I know you did. Everyone always says that. And let me tell you why the security fairy won’t grant you that wish.
Society relies on processes. Everything in society has a role and is part of a process. If it’s not then it’s dangerous or unfair. And that’s really what it’s all about, isn’t it? Fairness.
You follow the rules and you get rewarded. That’s fair. Or you follow the rules and you don’t get rewarded. That’s life. Or you get fired. That’s ass-covering.
People want fair. That’s why security is a process to make sure it’s consistently spread and maintained. That’s why we security people are told to make sure that management itself is under compliance to the security policies. Because it should all be equal.
But that’s crap. It’s not equal. Equal maybe like a grizzly and a raccoon are both bears but that wouldn’t be a fair fight. (Unless it’s a washing putrid garbage in a stream before eating it competition and then the raccoon wins tiny, filthy hands down.)
Look, you don’t follow the process and you get things done then people idolize you. They say you’re the person who rewrote the rules and rocked the idle establishment. But if you fail. Then people say it’s criminal how you thought you were above the rules.
The point of hacking is to get things done and damn the rules. That’s probably why it’s been a bad word for so long and why only the kids, counter culture, and truly productive people don’t fear the word. It’s also why hacking is so closely tied to security.
We come clean and say, you know, we don’t really know how to keep you really safe AND let you open whatever links you want or bring whatever internet-connected technology into the office. Furthermore, we tell them that anything you buy needs to be hardened or sandboxed so all the amazing connectivity features they’ve sold you don’t work in the real world where anyone on the planet can wake up and decide it’s your breach time. And you know what? Maybe we’ll actually, finally, see some progress in cybersecurity.