So thanks for coming along, everyone. So just to kick off, a bit about me: I'm Jamie McDonald and I'm the head of security at Rasa. Rasa build a conversational AI platform, which basically means we build kind of an infrastructure layer that people build chatbots and virtual AI assistants, things like that, on top of.

So my team works on both the security of the organization itself and also application security, since some of our enterprise customers have quite stringent requirements for security and compliance as well. Previously I worked at Fortinet and ZoneFox doing security engineering.

So my talk today is about building a security function at a company, and it's from the point of view of a kind of hybrid startup with a big engineering function that builds a product, because that's what my background is and it's kind of one of the most challenging places to insert a security culture.

This is a shameless attempt to warm up the crowd with a picture of cats, and my cats, before I get into the body of the talk. Hopefully that works.

So to start with, we'll take a quick run through the kind of business aspect you need to consider if you're in a role either as the only security person in the business, or if you're in a role where you're kind of the head of security and you're starting off a team. The business stuff is just as, if not more, important than all the technical stuff, because that's what keeps you on the right track and keeps you aligned with what the business actually wants you to be doing.

And then in the second part I'll move on to the practical bit, so these are actual concrete things that you can implement, and kind of the key themes that you're looking to achieve. I'll give some examples of tools that you might want to use as well. They're not endorsements of these tools; it's just kind of examples of things that you might be wanting to use.

And all of this is aimed at the kind of context of quite a small company, quite a lean team, where you're kind of in a high-growth environment and a lot is changing and you need to get a lot of stuff done. So bear in mind that this is also not necessarily going to be correct if you're in, like, a big business or at an enterprise kind of scale, because different contexts need different approaches too.

So to kick off the business stuff, I'm going to introduce some hard truths to bear in mind that will help kind of ground you and help kind of align you to what the business is wanting you to do as you kick off. It might seem a little bit harsh, but hopefully it'll make sense as we go through the rest of the content.

Nobody cares about security. So this is the hardest one to accept for most people here, because people here are going to be genuinely passionate about it and you probably all wish that people would take it more seriously. In reality, people do take it seriously, people know it's important, but if it gets in the way of them doing their job and it inconveniences them, they will try and strip it out or work around it to make their lives easier.

So your job as a security person in a business, to me, is to facilitate people being able to go about their jobs in a secure way, ideally in a way where they don't even notice because you've made it so seamless.

The point of the business is not security. Now the only place this doesn't apply is if you actually work for a security company or a vendor, but for the vast majority of organizations security is not the point of the business. So day to day it's not really anybody's number one concern apart from yours. And this one's really important to remember, because kind of projecting a sense that security is the most important team in the business is just going to make nobody want to work with you.

You're not there to say no. This is a really important one. So unless the company you join is made up of people who are fresh graduates and they've never worked anywhere else before, people are going to have preconceptions about what a security team in a business is, and almost certainly that preconception is going to be that you're the team that tells them that they can't do stuff. So remember my last point: you're there to enable the business to work securely. In the vast majority of cases you'll be able to work out a way that people can do the tasks that they want to be doing securely. If you just say no to everything to try and eliminate as much risk as possible, people are just going to go behind your back and do it anyway. They're not going to stop doing it; they're just going to stop telling you that they're doing these things. And in almost every case your job isn't to prevent people doing things, it's to work out a way that they can do the things they want to be doing securely, in a safe way. So work with people, not against them.

The final one is crucially important as well: end users aren't stupid and you shouldn't treat them like they are, because they'll really resent that. They might not know as much about security as you and they might do things that give you anxiety, but protecting them and enabling them to work in a secure way is why you're there in the first place. And so much of the groundwork for building a security program is about establishing the relationships with people, and if you just crash in and tell them that you know better it's not going to make you any friends; it's only going to make your job a lot harder.

So once you've accepted all that, the first thing you need to do is work out where you fit within the business that you're part of. So if you're lucky enough to be in an organization that really does care about security, rather than one that just sees it as a tick box or a formality, this is going to be a lot easier. Now the goal here is basically to work out what the business, or the exec team, or whoever's in charge, actually think that you're here to do, because once you understand what their priorities are you can then work out what security measures or controls help support those aims. And that's the best way to start, because if you kick off by solving existing problems that people in the business have, it's really obvious that you're providing value and doing a good job.

And this is arguably the most important part of starting off your program as well, because this is where you engage with people to find out what the problems are, and you make friends that will help you further down the line. And it's really important to start off by being the team that solves problems for people rather than the team that enforces controls and makes people's jobs harder.

So part of this is working out your business's threat model and your risk profile. So if you go into a small org where the main concern is phishing or password security, don't start off with reverse engineering malware you found and assuming that they need to defend themselves against, like, nation-state APTs. This could be fun, sure, but you're not going to last very long because you haven't understood the problems and the concerns of the business that they are paying you to mitigate and solve. So make sure that you start off at the level the business is already at. For a lot of organizations that does mean that you're going to be kind of hand-holding them through rudimentary basics as first steps, but the first steps are what you need to begin with to be able to build towards a mature security posture.

So this brings us to the foundations of actually starting your program, of which there's kind of four key areas: communication, tools, processes and team.

So the idea of communication is to be approachable: make sure other teams know what you can help with, what you're there for. And I can't stress enough that other teams need to see you as a helpful team rather than one who hinders their progress, and if you can achieve that early on it makes everything else that you're going to do a lot easier.

You're going to need some standard processes and playbooks that define how security works for you. It might sound like a very kind of enterprise way to start off, but it doesn't have to be. Your company's infosec policy could literally just be a single side of A4 if you wanted.

You're obviously going to need tools to help you out, but it doesn't necessarily mean you need to spend hundreds of thousands on, like, big vendors. A lot of what you need can be found in open source or done on a budget. I'll talk a bit later about what kind of tools you might want to look at deploying.

And last but not least, a team. You're not necessarily, in fact you're probably not, going to end up with a huge team. You might not end up with any team; it might just be you. But kind of knowing what skill sets are available and how they could help with the things that you're going to work on is really important. And there are more kind of roles and specializations within security than most people realize, especially as you're kind of starting out your career.

So I'm not sure how well this has shown up for the people at the back, but this is a really good illustration of just kind of how varied and extensive the areas of responsibility within security are. If you're going to be leading a security function you need to be aware of all these. You don't need to know them all, you don't need to be an expert in them all, but you need to know that these things exist, so that when it comes time that you need something from one of these other areas, you can recognize the kind of points where these things start to become important or relevant.

I'm not going to go over this whole diagram in depth because that's going to take up the whole hour, but once you understand the environment that your business is operating in and what the security needs are, look back at this and it will be more obvious as to what areas you can pick out as the key priorities and the places that you need to focus on first. In general I'd suggest that a lot of the kind of enterprise risk management and governance stuff down at the bottom right is not a great way to start off; it quickly becomes kind of a really bureaucratic time sink, and you deliver more value more quickly by focusing on things like access control and 2FA.

But overall, in a situation where you're kind of just starting off your program, if you're going to grow your team you want to try and find a really good security generalist to help you, who can focus on any of these tasks based on kind of the priorities of the business: security engineering, security ops, those sorts of areas. And that will help you focus on the first task, which is securing the organization, because if you're an organization that builds product, an insecure organization cannot ship a secure product. So you need to focus on the organization first.

So we've got some idea of the kind of business environment that you'll be operating in now, and it's always worth keeping this in mind, because thinking about what you're doing in the context of the business is going to make you a more valuable employee, and you're going to find that it makes it easier for you to make progress through your career. So I'm going to move on to the practical side, so actually implementing the program there as well.

So your security roadmap is again a long-term vision of where you see the security posture of your company going and, long term, how you expect to get there. So for the kind of company I'm talking about, which is a kind of large engineering team, you ship a product to customers, I split it into three broad themes, and you can categorize most kind of initiatives and controls under these, and they are the organization, product and the infrastructure.

So the org pillar covers things that affect all the staff and act across all the business. So this is things like policies, processes, password managers, and actually kind of establishing the security culture for the business as well. The product pillar covers all aspects of security that relate directly to the product that you build, so this is things like application security, tooling for developers and code scanning. And then the infrastructure pillar covers any kind of on-prem equipment that you might have, cloud services, making sure that you're aware of your overall attack surface and that you're monitoring it as well. And breaking the initiatives down like this can help you plan and prioritize what's required to build your security program.

So for the rest of the talk I'm going to discuss the kind of things you might want to put in your roadmap, and then we'll wrap up with what you should do with your finished roadmap and how to proceed on from there.

I'm going to start with policies and processes, because it's the most boring one, and I know for certain a lot of people here are going to think that it's kind of a thing you only need to care about if you work for big banks, but it's unfortunately not the case. So you need to be aware of this for companies of all sizes; it's not just an enterprise thing. And if your company sells to other businesses you really quickly find out that these things are just non-negotiable, and that you have to answer security questions about your products and your processes, and if you have docs and policies that you can pull out to answer these questions it makes things much smoother and much more seamless.

So what kind of policies do you actually need to start with? At a minimum you want to have a kind of general infosec policy that basically defines what you expect and require of your employees. This could be things like using 2FA, enforcing disk encryption on devices, password managers, things like that. And this should be a readable document: it shouldn't be long, it shouldn't be in legalese, it should be straightforward and simple for people to understand.

You're also probably going to want some kind of data protection policy that outlines, like, the kind of controls that you have to protect data, the fact that you use least privilege controls to manage data access and things like that, requiring encryption for personal data, and who to go to if there's a problem or a data breach.

And when you're working out which of these policies you need and which ones to work on first, one of the first things you should consider is if your business has to comply with any kind of compliance regimes like GDPR and things like that. This depends on what you do and what kind of data you process, but it's a really good way to direct your attention to kind of the most important and impactful things to work on first. If you don't need to comply with anything specific, think about maybe the customers that you're selling things on to. If you're selling to any other business, they're going to want to know how you comply with GDPR, even if you don't think it's relevant, even if you think it's not that interesting, and you have to have documentation that explains how you deal with this because they need that to be able to pass on to their customers.

It's really difficult to sell products to other businesses now without having shown that you've thought about privacy, you've thought about data protection, data security, and if you're able to answer sales questions with things like "yeah, we've got a policy for that, here it is" it's much easier and it just makes things go a lot quicker. But also don't go nuts with it. You don't need policies to cover every possible scenario or every possible compliance regime. The aim of the policies is to make things easier and to be useful and help with answering people's questions, not to kind of drown you in pointless paperwork and bureaucracy.

So now that you know what policies you need, how do you actually start writing? Because that seems like quite an overwhelming thing to have to do to begin with: how much detail do you put in? Luckily there's a bunch of frameworks and industry bodies that can help with that.

So there's NIST, who are an American government body. They publish a huge amount of documentation and standards on building security programs, and even kind of down to technical controls like encryption specifications and the kind of thing you should use.

There is SANS, who most people here will probably have heard of, a training body, and they provide a lot of sample templates that are kind of just like basic boilerplate that you can slap your company name on, and you can make little tweaks here and there to match the context that you're in.

There's Cyber Essentials. Now this is a UK government effort. Who's heard of Cyber Essentials? Most people. So it's not policies in itself, but the kind of controls that they recommend and require are a really good way for you to kind of direct what you want to focus on first, because these are kind of the main things that other companies will be looking for.

And CIS Benchmarks. Again, they're not policies as such, but they're kind of like the authoritative standards on controls and configurations for basically any kind of system you can imagine, operating systems, cloud providers, that define kind of the controls you should have, the configuration you should have for best practices. And again, use these benchmarks to inform the technical content of the policies that you write.

And also GitLab. So their stuff can be really useful when you're working out what you need, because GitLab publish online, publicly, all of their internal policies, their employee handbook, everything, and they have a really mature security posture, and so it's really easy to kind of see where you want to end up by using some of their content to help inform kind of the things that you're writing as well. And you can write them from scratch if you want, but it's difficult to know where to begin, so I kind of recommend just starting off with a sample one that someone else has written, like the SANS ones, and just making little tweaks to suit your business and the controls that you want to introduce.

I'm going to mention a lot of tools in the rest of my slides, but first a little bit about how you could go about picking any of these tools that you might have on your radar. So this is a controversial one, and it's specifically aimed at the kind of startup or scale-up environment where you don't have a lot of time, you don't have a lot of people to help maintain things. So wherever possible, if you're buying security tooling, prefer options that are SaaS or managed by a vendor. And the main reason for this is if you're self-hosting an important tool there's now loads of other costs associated with that that weren't necessarily immediately obvious, which I'll go over in a second. But at a high level, the main reason that you're employed is to provide value to the business, right? Your value with the tool comes with your ability to operate and interpret the
00:17:10,959 results and the alerts and act on on 566 00:17:10,959 --> 00:17:13,119 things from that tool it doesn't come 567 00:17:13,119 --> 00:17:14,720 from adding another system that you have 568 00:17:14,720 --> 00:17:16,160 to patch and maintain and backup and 569 00:17:16,160 --> 00:17:17,520 things like that because that's not what 570 00:17:17,520 --> 00:17:19,280 you're there for 571 00:17:19,280 --> 00:17:20,319 um 572 00:17:20,319 --> 00:17:23,119 one tip for the process here 573 00:17:23,119 --> 00:17:24,959 is when you're speaking to vendors ask 574 00:17:24,959 --> 00:17:26,000 if they have other security 575 00:17:26,000 --> 00:17:28,480 documentation or compliance certs or pen 576 00:17:28,480 --> 00:17:29,760 test reports and things that they'll 577 00:17:29,760 --> 00:17:31,520 only disclose to you 578 00:17:31,520 --> 00:17:33,840 with a non-disclosure agreement so most 579 00:17:33,840 --> 00:17:35,200 companies will have kind of the security 580 00:17:35,200 --> 00:17:36,480 and privacy page on their website 581 00:17:36,480 --> 00:17:38,960 there's nothing exciting there usually 582 00:17:38,960 --> 00:17:40,799 the juicy stuff is the one that you have 583 00:17:40,799 --> 00:17:44,000 to sign the nda for to be able to see 584 00:17:44,000 --> 00:17:45,679 they won't announce that to you probably 585 00:17:45,679 --> 00:17:47,440 but if you ask for it they're usually 586 00:17:47,440 --> 00:17:49,200 more than happy to give you this kind of 587 00:17:49,200 --> 00:17:51,039 stuff and that gives you a really good 588 00:17:51,039 --> 00:17:52,799 idea as to what their internal security 589 00:17:52,799 --> 00:17:54,720 posture is like and it gives you an idea 590 00:17:54,720 --> 00:17:56,160 how they look for vulnerabilities and 591 00:17:56,160 --> 00:17:58,720 issues and how they resolve them as well 592 00:17:58,720 --> 00:18:00,320 a vendor who can't give you information 593 00:18:00,320 --> 00:18:02,480 like that is a bit of a red flag 
um so 594 00:18:02,480 --> 00:18:04,320 when i say use sas meaning like use it 595 00:18:04,320 --> 00:18:06,160 safely don't just buy anything you can 596 00:18:06,160 --> 00:18:07,600 find because someone else is running it 597 00:18:07,600 --> 00:18:09,918 for you 598 00:18:11,440 --> 00:18:13,600 i also want to quickly go into 599 00:18:13,600 --> 00:18:14,640 some of the things that are kind of 600 00:18:14,640 --> 00:18:16,320 often overlooked when you're working out 601 00:18:16,320 --> 00:18:17,919 whether to go with sas or whether you're 602 00:18:17,919 --> 00:18:20,320 going to self-host a tool 603 00:18:20,320 --> 00:18:21,840 and explain a little bit more about why 604 00:18:21,840 --> 00:18:23,440 i lean towards the idea of sas being the 605 00:18:23,440 --> 00:18:25,120 way to go for your growing business with 606 00:18:25,120 --> 00:18:26,799 quite kind of lean team for operating 607 00:18:26,799 --> 00:18:29,200 things so when you've done your initial 608 00:18:29,200 --> 00:18:31,200 comparison you've probably looked at the 609 00:18:31,200 --> 00:18:32,720 slightly cheaper license fee and the 610 00:18:32,720 --> 00:18:34,799 cost of running a vm on a cloud provider 611 00:18:34,799 --> 00:18:36,320 and you're like that's how much it would 612 00:18:36,320 --> 00:18:38,400 cost us to self-host it 613 00:18:38,400 --> 00:18:39,919 but it's not really as simple as that 614 00:18:39,919 --> 00:18:41,440 and there's a whole bunch of other 615 00:18:41,440 --> 00:18:43,039 things you need to factor in that the 616 00:18:43,039 --> 00:18:45,120 vendor is probably our competent vendor 617 00:18:45,120 --> 00:18:47,440 is probably running for you um 618 00:18:47,440 --> 00:18:49,360 transparently to you as part of the sas 619 00:18:49,360 --> 00:18:50,400 service 620 00:18:50,400 --> 00:18:51,440 so there's a few things you need to 621 00:18:51,440 --> 00:18:52,640 think about 622 00:18:52,640 --> 00:18:54,880 uh your time which is as a security 623 
00:18:54,880 --> 00:18:57,600 person expensive and 624 00:18:57,600 --> 00:18:59,360 patching the west patching the product 625 00:18:59,360 --> 00:19:00,960 itself ensuring that everything's up to 626 00:19:00,960 --> 00:19:02,640 date and 627 00:19:02,640 --> 00:19:04,480 backing up any data that it has 628 00:19:04,480 --> 00:19:06,480 scheduling it the extra storage costs 629 00:19:06,480 --> 00:19:07,840 that come from that checking whether 630 00:19:07,840 --> 00:19:09,600 they're working or not 631 00:19:09,600 --> 00:19:10,480 and 632 00:19:10,480 --> 00:19:12,320 reliability and uptime 633 00:19:12,320 --> 00:19:14,160 if the sas version runs across like 634 00:19:14,160 --> 00:19:15,840 multiple aws regions and there's 635 00:19:15,840 --> 00:19:17,840 failover and things like that and you're 636 00:19:17,840 --> 00:19:19,600 running it on an old pc in a cupboard 637 00:19:19,600 --> 00:19:21,120 you're not comparing like for like there 638 00:19:21,120 --> 00:19:22,640 that's not the same thing 639 00:19:22,640 --> 00:19:23,679 um 640 00:19:23,679 --> 00:19:25,120 if that collects lots of data do you 641 00:19:25,120 --> 00:19:26,640 need to manage load balancing or things 642 00:19:26,640 --> 00:19:29,520 like ssl termination um are they doing 643 00:19:29,520 --> 00:19:31,280 things for you like a web application 644 00:19:31,280 --> 00:19:33,360 firewall or ddos prevention 645 00:19:33,360 --> 00:19:34,799 and then finally think about how the 646 00:19:34,799 --> 00:19:36,960 environment you would deploy into 647 00:19:36,960 --> 00:19:38,799 actually compares to the sas vendors so 648 00:19:38,799 --> 00:19:40,960 if you're deploying a security tool 649 00:19:40,960 --> 00:19:42,400 um 650 00:19:42,400 --> 00:19:44,400 where integrity of the data is important 651 00:19:44,400 --> 00:19:46,080 if you're going to deploy that into a 652 00:19:46,080 --> 00:19:47,440 cloud account that's shared with a bunch 653 00:19:47,440 --> 00:19:48,720 of developers 
where they would have 654 00:19:48,720 --> 00:19:50,480 access to that tool that's not really 655 00:19:50,480 --> 00:19:52,640 that great so there's just a few 656 00:19:52,640 --> 00:19:54,960 examples but my point is main point your 657 00:19:54,960 --> 00:19:56,799 time's valuable and you should consider 658 00:19:56,799 --> 00:19:58,400 whether self-hosting something is really 659 00:19:58,400 --> 00:20:00,559 the right choice for you and whether you 660 00:20:00,559 --> 00:20:02,720 can do it well enough for for the 661 00:20:02,720 --> 00:20:06,360 purpose of the two 662 00:20:08,240 --> 00:20:10,080 so one of the first things that you 663 00:20:10,080 --> 00:20:11,679 should consider introducing is password 664 00:20:11,679 --> 00:20:13,679 manager 665 00:20:13,679 --> 00:20:14,799 i don't think i need to sell the 666 00:20:14,799 --> 00:20:16,080 benefits of a password manager to 667 00:20:16,080 --> 00:20:17,919 anybody here but you might have to sell 668 00:20:17,919 --> 00:20:20,480 it to the people with the money 669 00:20:20,480 --> 00:20:22,159 in your company especially if the 670 00:20:22,159 --> 00:20:24,080 concept's new to them 671 00:20:24,080 --> 00:20:25,200 so 672 00:20:25,200 --> 00:20:26,960 one way to approach this is to focus on 673 00:20:26,960 --> 00:20:28,559 how it helps the business because that's 674 00:20:28,559 --> 00:20:30,400 what they really want to know about um 675 00:20:30,400 --> 00:20:32,400 an executive with budget 676 00:20:32,400 --> 00:20:33,919 they don't care about the intricacies of 677 00:20:33,919 --> 00:20:36,080 credential stuff right they just don't 678 00:20:36,080 --> 00:20:38,080 um but they do understand the concept of 679 00:20:38,080 --> 00:20:40,320 reducing risk for the business 680 00:20:40,320 --> 00:20:42,080 so if you can find kind of recent or 681 00:20:42,080 --> 00:20:43,679 relevant examples 682 00:20:43,679 --> 00:20:45,919 um around like data breaches or attacks 683 00:20:45,919 --> 
00:20:47,600 where the entry point was pure quality 684 00:20:47,600 --> 00:20:49,760 or reuse credentials and that's really 685 00:20:49,760 --> 00:20:52,480 helpful to support your case um same 686 00:20:52,480 --> 00:20:53,679 with stats around phishing since 687 00:20:53,679 --> 00:20:55,600 password managers reduce the chances of 688 00:20:55,600 --> 00:20:57,200 a successful fish by only kind of 689 00:20:57,200 --> 00:20:58,880 autofilling credentials on sites with 690 00:20:58,880 --> 00:21:01,280 the right to me 691 00:21:01,280 --> 00:21:03,280 you've also got pick one 692 00:21:03,280 --> 00:21:05,120 um so there's a few criteria that you 693 00:21:05,120 --> 00:21:07,280 should look for here it needs to be easy 694 00:21:07,280 --> 00:21:09,520 for all of the staff to use not just 695 00:21:09,520 --> 00:21:12,320 techies um some weird self-hosted key 696 00:21:12,320 --> 00:21:14,400 pass installed that syncs with dropbox 697 00:21:14,400 --> 00:21:16,080 that isn't used it isn't usable for 698 00:21:16,080 --> 00:21:17,520 non-technical staff and it's a really 699 00:21:17,520 --> 00:21:20,080 bad way to start 700 00:21:20,080 --> 00:21:22,080 it should make it easy to share secrets 701 00:21:22,080 --> 00:21:24,240 between uh employees which might seem 702 00:21:24,240 --> 00:21:25,840 counter-intuitive but people are people 703 00:21:25,840 --> 00:21:27,520 are going to do this anyway 704 00:21:27,520 --> 00:21:28,960 and if you don't provide a secure way 705 00:21:28,960 --> 00:21:30,080 for them to do it they're going to use 706 00:21:30,080 --> 00:21:31,520 things like email or slack or text 707 00:21:31,520 --> 00:21:34,240 messages instead 708 00:21:34,559 --> 00:21:37,200 and finally the company that you go with 709 00:21:37,200 --> 00:21:38,880 should publish a lot of documentation 710 00:21:38,880 --> 00:21:40,640 that goes into significant detail about 711 00:21:40,640 --> 00:21:42,240 how their security works how they secure 712 
00:21:42,240 --> 00:21:43,679 their infrastructure how they implement 713 00:21:43,679 --> 00:21:46,480 things and how they review it 714 00:21:46,480 --> 00:21:48,159 so one password for example they have a 715 00:21:48,159 --> 00:21:50,480 white paper that's a hundred pages long 716 00:21:50,480 --> 00:21:52,400 it details their infrastructure security 717 00:21:52,400 --> 00:21:55,200 how they manage keys and cryptography 718 00:21:55,200 --> 00:21:58,080 and it's a fascinating read um it's an 719 00:21:58,080 --> 00:22:00,159 insane amount of detail um and it helps 720 00:22:00,159 --> 00:22:01,760 you kind of 721 00:22:01,760 --> 00:22:03,120 appreciate the security posture that 722 00:22:03,120 --> 00:22:04,480 goes into these things and verifying 723 00:22:04,480 --> 00:22:05,840 whether that's enough for the kind of 724 00:22:05,840 --> 00:22:07,760 data that you're putting into 725 00:22:07,760 --> 00:22:08,720 um 726 00:22:08,720 --> 00:22:10,000 it's also worth considering if there's 727 00:22:10,000 --> 00:22:11,600 any secondary benefits to password 728 00:22:11,600 --> 00:22:13,760 manager um so 729 00:22:13,760 --> 00:22:15,520 the largest vendors people like one 730 00:22:15,520 --> 00:22:17,919 password or lastpass if you buy business 731 00:22:17,919 --> 00:22:20,000 accounts from them they come with free 732 00:22:20,000 --> 00:22:21,280 personal accounts that you can then give 733 00:22:21,280 --> 00:22:23,120 your staff and the benefit of that is 734 00:22:23,120 --> 00:22:24,880 that you are then showing your staff 735 00:22:24,880 --> 00:22:26,320 that you're not just caring about 736 00:22:26,320 --> 00:22:28,159 security for the business you're giving 737 00:22:28,159 --> 00:22:29,600 them the capability to help secure 738 00:22:29,600 --> 00:22:31,520 themselves and help improve the online 739 00:22:31,520 --> 00:22:33,600 safety for their family as well 740 00:22:33,600 --> 00:22:35,600 which can be a really good start to help 741 
00:22:35,600 --> 00:22:37,440 kind of build out that security culture 742 00:22:37,440 --> 00:22:40,919 among your employees 743 00:22:45,080 --> 00:22:48,099 [Music] 744 00:22:50,210 --> 00:22:53,309 [Music] 745 00:23:07,440 --> 00:23:09,679 sure so the question is um 746 00:23:09,679 --> 00:23:11,919 how much do kind of vendor policies and 747 00:23:11,919 --> 00:23:13,360 information from them inform the 748 00:23:13,360 --> 00:23:15,360 security controls at rasa and the answer 749 00:23:15,360 --> 00:23:16,799 is hugely yeah 750 00:23:16,799 --> 00:23:17,600 um 751 00:23:17,600 --> 00:23:19,360 this kind of thing is 752 00:23:19,360 --> 00:23:20,799 really beneficial because you're seeing 753 00:23:20,799 --> 00:23:22,320 how security works at other companies 754 00:23:22,320 --> 00:23:23,679 and you can steal all their good ideas 755 00:23:23,679 --> 00:23:25,200 and incorporate them into what you're 756 00:23:25,200 --> 00:23:26,799 doing business yeah 757 00:23:26,799 --> 00:23:28,320 it's a it's a really good source of kind 758 00:23:28,320 --> 00:23:30,000 of knowledge and information about how 759 00:23:30,000 --> 00:23:30,960 how 760 00:23:30,960 --> 00:23:32,640 successful and large security 761 00:23:32,640 --> 00:23:34,480 enterprises run stuff and if you can 762 00:23:34,480 --> 00:23:37,840 cherry pick ideas for them absolutely 763 00:23:39,520 --> 00:23:40,559 um 764 00:23:40,559 --> 00:23:42,240 so hot and heals password managers 765 00:23:42,240 --> 00:23:44,080 single sign-on um 766 00:23:44,080 --> 00:23:45,919 the idea here is that you only have one 767 00:23:45,919 --> 00:23:47,520 system where you manage all your users 768 00:23:47,520 --> 00:23:49,120 and then your tools can integrate with 769 00:23:49,120 --> 00:23:52,799 this um to authenticate users to it 770 00:23:52,799 --> 00:23:54,000 it's really useful because it makes 771 00:23:54,000 --> 00:23:55,679 onboarding and off-boarding users much 772 00:23:55,679 --> 00:23:57,440 easier 
and because you only have a 773 00:23:57,440 --> 00:23:58,720 single source of trade for who's 774 00:23:58,720 --> 00:24:00,240 employed and you only have one place to 775 00:24:00,240 --> 00:24:02,559 remove users from when they leave 776 00:24:02,559 --> 00:24:04,000 you might already have access to an 777 00:24:04,000 --> 00:24:06,000 identity provider without realizing it 778 00:24:06,000 --> 00:24:08,000 uh if you pay for google workspace or g 779 00:24:08,000 --> 00:24:09,679 suite or whatever it's called this week 780 00:24:09,679 --> 00:24:10,799 um 781 00:24:10,799 --> 00:24:12,400 that can function as one if you have 782 00:24:12,400 --> 00:24:14,240 azure or aws accounts there's stuff 783 00:24:14,240 --> 00:24:16,320 built in there as well and it's not 784 00:24:16,320 --> 00:24:17,360 always something that you have to pay 785 00:24:17,360 --> 00:24:18,799 another vendor for you might already 786 00:24:18,799 --> 00:24:21,919 have this without realizing it 787 00:24:21,919 --> 00:24:24,320 another kind of more niche benefit is 788 00:24:24,320 --> 00:24:26,240 that you can use single sign-on to 789 00:24:26,240 --> 00:24:28,159 strengthen the security posture of other 790 00:24:28,159 --> 00:24:29,600 third-party tools that you integrate 791 00:24:29,600 --> 00:24:31,600 with and there's quite a few tools out 792 00:24:31,600 --> 00:24:33,039 there that support single center 793 00:24:33,039 --> 00:24:34,480 integration but they don't natively 794 00:24:34,480 --> 00:24:37,360 support their own 2fa and 795 00:24:37,360 --> 00:24:39,520 so if you can restrict sign into those 796 00:24:39,520 --> 00:24:41,120 apps to your single sign-on tool you've 797 00:24:41,120 --> 00:24:42,720 kind of brought with you the 2fa 798 00:24:42,720 --> 00:24:44,480 benefits from your identity provider 799 00:24:44,480 --> 00:24:45,760 over to this other tool that didn't 800 00:24:45,760 --> 00:24:48,240 support it and 801 00:24:48,240 --> 00:24:49,520 so 802 00:24:49,520 
--> 00:24:51,679 this all sounds great it is you should 803 00:24:51,679 --> 00:24:53,520 use it wherever you can um but kind of 804 00:24:53,520 --> 00:24:55,200 accept that not all tools or third-party 805 00:24:55,200 --> 00:24:56,799 services are going to offer it so you're 806 00:24:56,799 --> 00:24:57,919 probably going to need a password 807 00:24:57,919 --> 00:25:00,159 manager as well 808 00:25:00,159 --> 00:25:01,520 but there's one major flow of a single 809 00:25:01,520 --> 00:25:02,880 sign-on and that's usually whether or 810 00:25:02,880 --> 00:25:04,720 not you can actually afford it 811 00:25:04,720 --> 00:25:07,919 um the provider isn't usually expensive 812 00:25:07,919 --> 00:25:09,520 and we just discussed you might already 813 00:25:09,520 --> 00:25:11,760 have one without realizing it 814 00:25:11,760 --> 00:25:13,440 but paying for single sign-on support 815 00:25:13,440 --> 00:25:16,240 within your tools themselves is often 816 00:25:16,240 --> 00:25:17,840 very expensive 817 00:25:17,840 --> 00:25:19,120 um so this is a screenshot from a 818 00:25:19,120 --> 00:25:21,600 website called sso.tax 819 00:25:21,600 --> 00:25:23,360 which collects examples of vendors that 820 00:25:23,360 --> 00:25:24,880 are charging particularly ludicrous 821 00:25:24,880 --> 00:25:26,480 amounts for single sign-on support as 822 00:25:26,480 --> 00:25:28,880 part of their kind of enterprise package 823 00:25:28,880 --> 00:25:30,000 and 824 00:25:30,000 --> 00:25:31,279 they do this because they can and they 825 00:25:31,279 --> 00:25:33,440 get away with it you know um 826 00:25:33,440 --> 00:25:35,760 vendors know that companies where big 827 00:25:35,760 --> 00:25:37,840 companies where sso is kind of mandated 828 00:25:37,840 --> 00:25:40,400 will pay whatever they ask um 829 00:25:40,400 --> 00:25:42,480 to be able to meet those requirements 830 00:25:42,480 --> 00:25:44,400 so while you should use single sign on 831 00:25:44,400 --> 00:25:46,400 wherever 
you can there will be some 832 00:25:46,400 --> 00:25:47,840 places especially if you're a small 833 00:25:47,840 --> 00:25:49,600 company or a startup where it just 834 00:25:49,600 --> 00:25:51,039 doesn't make the financial sense to 835 00:25:51,039 --> 00:25:53,279 upgrade to a plan um that will allow you 836 00:25:53,279 --> 00:25:56,480 to the most egregious example is hubspot 837 00:25:56,480 --> 00:25:58,559 who have a six thousand three hundred 838 00:25:58,559 --> 00:26:00,960 percent markup between their normal user 839 00:26:00,960 --> 00:26:02,559 tier and the first tier that allows you 840 00:26:02,559 --> 00:26:04,559 to integrate and single sign-on which is 841 00:26:04,559 --> 00:26:07,120 just crazy 842 00:26:08,640 --> 00:26:10,480 and another thing i don't need to 843 00:26:10,480 --> 00:26:12,159 convince anyone up here is the value of 844 00:26:12,159 --> 00:26:13,360 tfa 845 00:26:13,360 --> 00:26:15,919 um but you should um as a kind of admin 846 00:26:15,919 --> 00:26:17,520 for from apps across your business and 847 00:26:17,520 --> 00:26:19,679 force it wherever you can 848 00:26:19,679 --> 00:26:21,520 um as i mentioned earlier even if a 849 00:26:21,520 --> 00:26:23,360 service doesn't natively enforce it see 850 00:26:23,360 --> 00:26:24,799 if there's other ways that you can 851 00:26:24,799 --> 00:26:26,320 enable it like integrating the single 852 00:26:26,320 --> 00:26:28,000 sign off 853 00:26:28,000 --> 00:26:30,000 and at risk of starting another classic 854 00:26:30,000 --> 00:26:32,480 infosec twitter flamewar um 855 00:26:32,480 --> 00:26:35,679 any 2fa is better than no 2f8 right 856 00:26:35,679 --> 00:26:37,760 so you can get upset about sms-2a as 857 00:26:37,760 --> 00:26:40,080 much as you like and because it's not 858 00:26:40,080 --> 00:26:41,679 perfect but it's better than not having 859 00:26:41,679 --> 00:26:43,679 any 2f8 at all 860 00:26:43,679 --> 00:26:45,360 you shouldn't pick it over other methods 861 
00:26:45,360 --> 00:26:47,200 but it's better than not having anything 862 00:26:47,200 --> 00:26:48,799 at all and you should always use the 863 00:26:48,799 --> 00:26:51,600 strongest method that's available to you 864 00:26:51,600 --> 00:26:52,799 um 865 00:26:52,799 --> 00:26:55,279 so here's the kind of spectrum of how 866 00:26:55,279 --> 00:26:56,960 secure an authentication mechanism is 867 00:26:56,960 --> 00:26:58,400 from kind of least secure at the bottom 868 00:26:58,400 --> 00:27:00,000 up to more secure at the top i'm pretty 869 00:27:00,000 --> 00:27:01,360 sure that's not going to be legible past 870 00:27:01,360 --> 00:27:03,679 like the first three rows um you're 871 00:27:03,679 --> 00:27:05,679 gonna have to take my word for it so 872 00:27:05,679 --> 00:27:07,760 this is a really valuable graphic um not 873 00:27:07,760 --> 00:27:08,720 only does it give you a kind of 874 00:27:08,720 --> 00:27:11,360 unambiguous ordering of um 875 00:27:11,360 --> 00:27:13,440 what methods are strongest it also lays 876 00:27:13,440 --> 00:27:14,960 out what each of those methods are 877 00:27:14,960 --> 00:27:16,320 vulnerable to in terms of kind of 878 00:27:16,320 --> 00:27:19,760 attacks that can work against them 879 00:27:19,760 --> 00:27:21,039 i've added the triangle on the right 880 00:27:21,039 --> 00:27:22,399 that kind of illustrates the volume of 881 00:27:22,399 --> 00:27:23,840 attacks as well so the higher you 882 00:27:23,840 --> 00:27:26,320 progress on this maturity model the 883 00:27:26,320 --> 00:27:28,320 fewer automated attacks you're going to 884 00:27:28,320 --> 00:27:30,480 have that can be successful against you 885 00:27:30,480 --> 00:27:32,080 and the fewer adversaries that are going 886 00:27:32,080 --> 00:27:33,200 to be out there that actually have the 887 00:27:33,200 --> 00:27:35,440 capability and 888 00:27:35,440 --> 00:27:38,480 to take on and controls like that 889 00:27:38,480 --> 00:27:40,480 and as i mentioned earlier 
this helps 890 00:27:40,480 --> 00:27:42,240 you work out what's suitable for your 891 00:27:42,240 --> 00:27:43,919 threat model in the context that you're 892 00:27:43,919 --> 00:27:45,600 in so the best option will be right at 893 00:27:45,600 --> 00:27:48,080 the top um hardware back passwordless 894 00:27:48,080 --> 00:27:50,000 authentication but if your company's 895 00:27:50,000 --> 00:27:51,360 right down here at the bottom you're 896 00:27:51,360 --> 00:27:53,279 still on kind of stage two or maybe even 897 00:27:53,279 --> 00:27:55,200 stage three it's a big leap to get 898 00:27:55,200 --> 00:27:57,600 everybody right up to the top um 899 00:27:57,600 --> 00:28:00,960 in one go and improving the maturity of 900 00:28:00,960 --> 00:28:02,640 security across your organization is a 901 00:28:02,640 --> 00:28:04,399 journey and you have to make sure that 902 00:28:04,399 --> 00:28:06,480 you bring everybody with you as well you 903 00:28:06,480 --> 00:28:08,880 can't just kind of one-up other teams 904 00:28:08,880 --> 00:28:11,919 and leave folk behind 905 00:28:11,919 --> 00:28:13,919 so based on that it's okay to make 906 00:28:13,919 --> 00:28:15,840 incremental improvements and if you can 907 00:28:15,840 --> 00:28:17,679 do that quicker than waiting to make a 908 00:28:17,679 --> 00:28:19,600 big change it's worth doing so if you 909 00:28:19,600 --> 00:28:21,840 can enable sms to pay for stuff that's 910 00:28:21,840 --> 00:28:23,279 an incremental improvement you shouldn't 911 00:28:23,279 --> 00:28:25,360 wait until everybody's got ub keys to be 912 00:28:25,360 --> 00:28:27,039 able to to do stuff like this make 913 00:28:27,039 --> 00:28:28,399 incremental improvements wherever you 914 00:28:28,399 --> 00:28:32,959 can and because they're still beneficial 915 00:28:34,000 --> 00:28:34,880 um 916 00:28:34,880 --> 00:28:36,559 so carrying on from the theme of 2fa i 917 00:28:36,559 --> 00:28:38,240 want to specifically touch on hardware 918 
00:28:38,240 --> 00:28:40,320 security keys 919 00:28:40,320 --> 00:28:41,679 most of the keys that you'll see are 920 00:28:41,679 --> 00:28:44,320 made by ubico um but other manufacturers 921 00:28:44,320 --> 00:28:45,760 are available 922 00:28:45,760 --> 00:28:47,440 and there's a lot you can do with them 923 00:28:47,440 --> 00:28:49,279 but there's kind of a few main themes as 924 00:28:49,279 --> 00:28:51,520 to why you might want to roll them out 925 00:28:51,520 --> 00:28:53,200 and they're basically the gold standard 926 00:28:53,200 --> 00:28:55,760 for authentication at this point and 927 00:28:55,760 --> 00:28:57,039 some of you might have used them before 928 00:28:57,039 --> 00:28:59,200 when you're prompted for 2fa you tap the 929 00:28:59,200 --> 00:29:00,640 local dot in the key and that's your 930 00:29:00,640 --> 00:29:03,360 authenticated and the process that's 931 00:29:03,360 --> 00:29:04,720 going on under the hood there is 932 00:29:04,720 --> 00:29:06,640 actually really sophisticated and more 933 00:29:06,640 --> 00:29:09,120 so that people might realize 934 00:29:09,120 --> 00:29:10,960 you can't fish or man in the middle 935 00:29:10,960 --> 00:29:13,039 credentials for a site that's using 936 00:29:13,039 --> 00:29:14,880 these keys with a modern algorithm like 937 00:29:14,880 --> 00:29:16,159 weapon 938 00:29:16,159 --> 00:29:17,840 or something like that and for these 939 00:29:17,840 --> 00:29:20,320 sites the authentication 940 00:29:20,320 --> 00:29:22,240 is is pretty pretty substantial under 941 00:29:22,240 --> 00:29:24,799 the hood but it's done in a way and that 942 00:29:24,799 --> 00:29:26,240 it's kind of transparent to the user and 943 00:29:26,240 --> 00:29:27,760 you make things easier for the user 944 00:29:27,760 --> 00:29:29,760 whilst also making things more secure 945 00:29:29,760 --> 00:29:31,840 and so for sites like this the site 946 00:29:31,840 --> 00:29:33,840 authenticates you with the key 947 00:29:33,840 
But the key authenticates the site at the same time as well, with a special handshake which eliminates whole classes of attack. So not only is there a second factor, but it can't be phished and it can't be stolen like a six-digit code from an app or a text and used out of band without your knowledge; the key physically has to be involved in that transaction to be able to authenticate. You can use some different functionality on these keys as well: you can use them for SSH authentication, or you can use them for signing Git commits by your developers, to show that once a commit has been made to your product repo, that developer physically had possession of that key, which proves that it was them who made that commit. That's a way to help reduce the impact or the likelihood of supply chain attacks or stolen Git credentials being used to put things into your product. And you should consider starting this by rolling them out to your highest-risk users, which is people like admins and also your exec team. Once you've got them rolled out to everyone you can start to slowly enforce their usage across systems until everything gets covered by strong hardware-backed authentication. Enforcing them on your single sign-on provider alone is a big win, because that should then impact multiple products and accounts as well.

[00:30:51] Lastly at the org level, I want to talk about device management, for all the laptops that you hand out to employees as well. So some small companies don't roll out device management right at the start, thinking there's only a few devices so it's not that important. But in reality this is the easiest time to roll it out and secure the devices that you have and establish a baseline configuration that you know works across them all. You can't secure the assets and devices that you don't know about, so making sure you have a single console where you can view the status and the configuration of all your devices is really valuable. So there's a few benefits to that. Like I said, you can easily enforce baseline security controls across all your devices, so things like disk encryption; you can see if devices have deviated from that, and map the policies that you wrote right at the start onto the controls that you then apply across all your devices. You can enable automated software patching across all your devices, which is such a basic security win that's often overlooked, and combining this with MDM software that inventories everything that's on your devices gives you a really powerful tool, because then if some new software vulnerability comes out you can check very quickly which of your users are affected and if any of them need to be patched. Also it lets you lock or erase devices that get lost, which is especially useful if you have staff or execs that are travelling. It also sounds like a thing that would be expensive, but it's actually not, weirdly. A basic cloud-based MDM platform that you update things and apply controls to devices with is usually like a few pounds per device per month; it's really not an expensive thing to roll out.

[00:32:36] So I'm going to move on to securing the product that you're building. So the obvious place to start for this would presumably be a pen test; seems sensible, lets you inventory all the issues that you might be having with the product and crack on with solving them. But if the pen test is the first interaction you have with the engineering team, it's not really a great idea, it's not the best idea, unless you have an urgent business need for one, like a customer who isn't going to buy your product until they get a report on this stuff. Now that might seem counterintuitive, but the reason for that is that if you're new and you come into a dev team and you slap down a report of vulnerabilities, some of them are going to take that personally, and some of them are going to see you as
the 1062 00:33:18,720 --> 00:33:20,159 person who doesn't know the background 1063 00:33:20,159 --> 00:33:21,519 or doesn't know what what they've been 1064 00:33:21,519 --> 00:33:23,679 up to and how hard they've working and 1065 00:33:23,679 --> 00:33:25,039 coming in and telling them they've done 1066 00:33:25,039 --> 00:33:26,320 a bad job they've introduced all these 1067 00:33:26,320 --> 00:33:28,880 vulnerabilities and and if you do that 1068 00:33:28,880 --> 00:33:30,480 you're then going to find it really hard 1069 00:33:30,480 --> 00:33:32,240 and it's going to take a lot longer to 1070 00:33:32,240 --> 00:33:33,840 kind of rebuild that trust and get the 1071 00:33:33,840 --> 00:33:36,159 engineering team on your site 1072 00:33:36,159 --> 00:33:37,200 so 1073 00:33:37,200 --> 00:33:38,960 instead it's a much better strategy to 1074 00:33:38,960 --> 00:33:40,720 kind of delay that for a couple of weeks 1075 00:33:40,720 --> 00:33:42,480 or a few months to focus on building 1076 00:33:42,480 --> 00:33:44,320 relationships with the engineers and 1077 00:33:44,320 --> 00:33:47,600 showing them that you are there to help 1078 00:33:47,600 --> 00:33:49,200 find out what their security problems 1079 00:33:49,200 --> 00:33:51,120 are 1080 00:33:51,120 --> 00:33:53,120 so maybe there's vulnerabilities that 1081 00:33:53,120 --> 00:33:54,559 they think are issues and but they 1082 00:33:54,559 --> 00:33:55,760 aren't getting the time to fix that you 1083 00:33:55,760 --> 00:33:57,360 could lend your voice to to kind of help 1084 00:33:57,360 --> 00:33:59,200 increase the priority of that 1085 00:33:59,200 --> 00:34:00,159 and 1086 00:34:00,159 --> 00:34:01,919 maybe they're having security relevant 1087 00:34:01,919 --> 00:34:03,279 problems and that you can help to 1088 00:34:03,279 --> 00:34:04,960 automate like updating dependencies 1089 00:34:04,960 --> 00:34:06,960 across code and things like that and 1090 00:34:06,960 --> 00:34:08,079 maybe they just don't 
have much 1091 00:34:08,079 --> 00:34:10,480 background security knowledge 1092 00:34:10,480 --> 00:34:12,480 providing kind of training and 1093 00:34:12,480 --> 00:34:15,280 background knowledge for devs around 1094 00:34:15,280 --> 00:34:16,480 secure coding and application 1095 00:34:16,480 --> 00:34:18,639 vulnerabilities helps them connect what 1096 00:34:18,639 --> 00:34:20,079 they are doing day-to-day with the 1097 00:34:20,079 --> 00:34:21,359 impact of vulnerabilities that they 1098 00:34:21,359 --> 00:34:24,560 could introduce um and making that link 1099 00:34:24,560 --> 00:34:26,879 is really key for a lot of devs and it 1100 00:34:26,879 --> 00:34:28,000 will kind of 1101 00:34:28,000 --> 00:34:29,839 help them click that what they are doing 1102 00:34:29,839 --> 00:34:32,960 day to day has security impacts and 1103 00:34:32,960 --> 00:34:34,800 and ideally you make at least a few of 1104 00:34:34,800 --> 00:34:36,320 them kind of more enthusiastic about 1105 00:34:36,320 --> 00:34:38,159 security as well 1106 00:34:38,159 --> 00:34:40,079 and then once you've achieved that a pen 1107 00:34:40,079 --> 00:34:42,320 test changes from being perceived as a 1108 00:34:42,320 --> 00:34:44,719 report about their feelings to a report 1109 00:34:44,719 --> 00:34:46,159 containing new challenges that they can 1110 00:34:46,159 --> 00:34:47,359 work on because they understand the 1111 00:34:47,359 --> 00:34:49,280 context behind it they understand the 1112 00:34:49,280 --> 00:34:52,079 importance of fixing things um 1113 00:34:52,079 --> 00:34:53,679 and the kind of motivation behind 1114 00:34:53,679 --> 00:34:56,320 resolving them 1115 00:34:56,320 --> 00:34:58,079 uh as i mentioned earlier you're gonna 1116 00:34:58,079 --> 00:35:00,160 need to provide some training to your 1117 00:35:00,160 --> 00:35:02,160 devs and specifically focus around 1118 00:35:02,160 --> 00:35:04,160 secure coding 1119 00:35:04,160 --> 00:35:05,760 the worst way you can do this is 
to give 1120 00:35:05,760 --> 00:35:06,960 them just screens and screens of 1121 00:35:06,960 --> 00:35:09,200 documentation and for them to read 1122 00:35:09,200 --> 00:35:10,880 they like to code so get them into 1123 00:35:10,880 --> 00:35:12,240 practical activities and kind of 1124 00:35:12,240 --> 00:35:14,160 gamified 1125 00:35:14,160 --> 00:35:15,839 platforms as quickly as possible so 1126 00:35:15,839 --> 00:35:18,320 there's one called secure code warrior 1127 00:35:18,320 --> 00:35:20,720 um where you learn about application 1128 00:35:20,720 --> 00:35:22,480 security by finding vulnerabilities in 1129 00:35:22,480 --> 00:35:24,320 code snippets and fixing them and seeing 1130 00:35:24,320 --> 00:35:26,240 how they can be exploited 1131 00:35:26,240 --> 00:35:28,800 and understanding the kind of end-to-end 1132 00:35:28,800 --> 00:35:30,560 chain from them writing vulnerable codes 1133 00:35:30,560 --> 00:35:32,240 to it being exploited and they're being 1134 00:35:32,240 --> 00:35:35,440 like a data leak or something like that 1135 00:35:35,440 --> 00:35:36,720 and that kind of thing really helps 1136 00:35:36,720 --> 00:35:38,240 people build that mental model where 1137 00:35:38,240 --> 00:35:40,240 they see the effects and the kind of 1138 00:35:40,240 --> 00:35:44,598 impacts of their implementation choices 1139 00:35:45,200 --> 00:35:47,599 um most coding training focuses around 1140 00:35:47,599 --> 00:35:49,599 the obos top 10 which is a list of kind 1141 00:35:49,599 --> 00:35:51,839 of the most commonly seen types 1142 00:35:51,839 --> 00:35:54,079 of software vulnerabilities and this is 1143 00:35:54,079 --> 00:35:55,839 a really good place to start and you'll 1144 00:35:55,839 --> 00:35:57,200 probably cover like 1145 00:35:57,200 --> 00:35:58,480 ninety five percent of the volumes in 1146 00:35:58,480 --> 00:36:00,400 your application um 1147 00:36:00,400 --> 00:36:04,040 by teaching your divs 1148 00:36:06,990 --> 00:36:13,440 [Music] 
1149 00:36:13,440 --> 00:36:15,599 cool 1150 00:36:15,599 --> 00:36:17,920 does anybody have an issue 1151 00:36:17,920 --> 00:36:20,560 cool all right 1152 00:36:20,880 --> 00:36:22,800 um 1153 00:36:22,800 --> 00:36:25,359 so obos produces um cheat sheets that 1154 00:36:25,359 --> 00:36:28,079 helps dev to kind of securely implement 1155 00:36:28,079 --> 00:36:29,839 like common functionality like password 1156 00:36:29,839 --> 00:36:32,720 storage or api security um 1157 00:36:32,720 --> 00:36:34,240 and these are really valuable resources 1158 00:36:34,240 --> 00:36:36,400 for devs to know about because they're 1159 00:36:36,400 --> 00:36:39,040 written to kind of um to be aimed at 1160 00:36:39,040 --> 00:36:40,240 devs they're written in language they 1161 00:36:40,240 --> 00:36:41,599 understand they have code snippets and 1162 00:36:41,599 --> 00:36:44,240 things through them um and one steps 1163 00:36:44,240 --> 00:36:45,920 know about them and know that they exist 1164 00:36:45,920 --> 00:36:47,040 and know that there's this kind of 1165 00:36:47,040 --> 00:36:48,320 trusted location where they can have 1166 00:36:48,320 --> 00:36:50,000 their security questions answered 1167 00:36:50,000 --> 00:36:53,599 they'll start to use them naturally 1168 00:36:53,599 --> 00:36:55,280 finally if you're not in a position 1169 00:36:55,280 --> 00:36:57,040 where you can hire actual application 1170 00:36:57,040 --> 00:36:59,040 security engineers for whatever reason 1171 00:36:59,040 --> 00:37:01,119 um you can try starting a security 1172 00:37:01,119 --> 00:37:03,119 champions program where basically each 1173 00:37:03,119 --> 00:37:04,560 team 1174 00:37:04,560 --> 00:37:06,320 or engineering squad has like a person 1175 00:37:06,320 --> 00:37:08,480 with a particular interest in security 1176 00:37:08,480 --> 00:37:10,640 and they get a little bit more training 1177 00:37:10,640 --> 00:37:12,000 and become like the subject matter 1178 00:37:12,000 --> 
00:37:13,599 expert to kind of disseminate security 1179 00:37:13,599 --> 00:37:15,520 knowledge among the team and also act as 1180 00:37:15,520 --> 00:37:17,040 a point of contact who can escalate 1181 00:37:17,040 --> 00:37:20,320 things if they spot security um issues 1182 00:37:20,320 --> 00:37:22,160 that could end up having an impact to 1183 00:37:22,160 --> 00:37:24,319 you 1184 00:37:24,400 --> 00:37:26,400 uh you also want to have code security 1185 00:37:26,400 --> 00:37:27,920 scanning done as part of your build 1186 00:37:27,920 --> 00:37:30,880 process uh it's not like a substitution 1187 00:37:30,880 --> 00:37:32,720 for having a person do it or having a 1188 00:37:32,720 --> 00:37:34,800 pen test but it's like another layer to 1189 00:37:34,800 --> 00:37:36,640 help catch more things before they end 1190 00:37:36,640 --> 00:37:39,680 up in the product that you ship 1191 00:37:39,839 --> 00:37:41,440 application security is a whole 1192 00:37:41,440 --> 00:37:43,599 discipline in itself um but there's a 1193 00:37:43,599 --> 00:37:44,880 few tips that are clickable kind of 1194 00:37:44,880 --> 00:37:46,400 regardless of what your tech stack looks 1195 00:37:46,400 --> 00:37:48,839 like or what stage you're at 1196 00:37:48,839 --> 00:37:51,680 um shift left is a phrase that you you 1197 00:37:51,680 --> 00:37:52,800 might have heard before it's become a 1198 00:37:52,800 --> 00:37:54,560 bit of a slogan for a lot of appsec 1199 00:37:54,560 --> 00:37:55,920 vendors 1200 00:37:55,920 --> 00:37:58,320 essentially what this means is that you 1201 00:37:58,320 --> 00:38:00,880 need to shift um 1202 00:38:00,880 --> 00:38:04,480 scan results and security information um 1203 00:38:04,480 --> 00:38:07,040 as close to where devs write the code as 1204 00:38:07,040 --> 00:38:09,200 possible you need to kind of shorten the 1205 00:38:09,200 --> 00:38:10,640 cycle between them writing code and 1206 00:38:10,640 --> 00:38:12,480 getting security feedback on 
that to be 1207 00:38:12,480 --> 00:38:14,560 as small as possible 1208 00:38:14,560 --> 00:38:16,320 and that means it's easier for them to 1209 00:38:16,320 --> 00:38:17,839 kind of integrate fixes as they're 1210 00:38:17,839 --> 00:38:20,079 writing um 1211 00:38:20,079 --> 00:38:21,040 and 1212 00:38:21,040 --> 00:38:22,320 they don't see it as like a kind of 1213 00:38:22,320 --> 00:38:23,920 annoying chore that's tacked on right at 1214 00:38:23,920 --> 00:38:24,880 the end 1215 00:38:24,880 --> 00:38:25,920 um 1216 00:38:25,920 --> 00:38:27,280 you want to have security in bed at 1217 00:38:27,280 --> 00:38:28,640 every stage of the development life 1218 00:38:28,640 --> 00:38:30,160 cycle um 1219 00:38:30,160 --> 00:38:31,760 but it's really crucial to get the 1220 00:38:31,760 --> 00:38:33,760 actionable results delivered right to 1221 00:38:33,760 --> 00:38:35,359 the devs as they're working as quickly 1222 00:38:35,359 --> 00:38:37,440 as possible um 1223 00:38:37,440 --> 00:38:39,200 as soon as you can after they've written 1224 00:38:39,200 --> 00:38:40,240 the code 1225 00:38:40,240 --> 00:38:41,760 so this is why a lot of code scanning 1226 00:38:41,760 --> 00:38:43,920 tools offer like extensions for id's or 1227 00:38:43,920 --> 00:38:45,920 text editors that developers use and 1228 00:38:45,920 --> 00:38:47,359 this is a really good way to introduce 1229 00:38:47,359 --> 00:38:48,640 it because literally as soon as they 1230 00:38:48,640 --> 00:38:50,000 write the code they can get feedback on 1231 00:38:50,000 --> 00:38:52,240 whether that could have introduced um 1232 00:38:52,240 --> 00:38:55,280 security issues as well 1233 00:38:55,280 --> 00:38:57,200 another thing you shouldn't do is enable 1234 00:38:57,200 --> 00:38:58,480 a whole bunch of different security 1235 00:38:58,480 --> 00:39:00,000 scanning tools that can like feel your 1236 00:39:00,000 --> 00:39:02,960 build pipeline and without having tuned 1237 00:39:02,960 --> 
00:39:04,400 them or looked at the kind of results 1238 00:39:04,400 --> 00:39:06,000 that you're getting out of them 1239 00:39:06,000 --> 00:39:07,680 there's hate this and they'll just work 1240 00:39:07,680 --> 00:39:09,599 around the scans and the results that 1241 00:39:09,599 --> 00:39:11,520 you have and 1242 00:39:11,520 --> 00:39:12,720 ignore the results because they don't 1243 00:39:12,720 --> 00:39:15,200 see the value in it so before you get to 1244 00:39:15,200 --> 00:39:16,480 the point where some of your scanning 1245 00:39:16,480 --> 00:39:18,560 tools should be able to fail bills 1246 00:39:18,560 --> 00:39:20,000 and kind of get the code sent back to 1247 00:39:20,000 --> 00:39:21,359 devs to fix 1248 00:39:21,359 --> 00:39:22,640 you want to make sure you've reviewed 1249 00:39:22,640 --> 00:39:24,160 the kind of findings that it has and 1250 00:39:24,160 --> 00:39:26,000 tuned it to make sure that they are 1251 00:39:26,000 --> 00:39:29,680 sensible and they're valuable 1252 00:39:29,680 --> 00:39:33,680 scanning also isn't just for source code 1253 00:39:33,760 --> 00:39:35,440 and you get like linters and scanners 1254 00:39:35,440 --> 00:39:37,839 for a whole bunch of other things too 1255 00:39:37,839 --> 00:39:40,960 config files and yandex make a scanner 1256 00:39:40,960 --> 00:39:43,359 for nginx the web server their config 1257 00:39:43,359 --> 00:39:45,520 files and they can identify like 1258 00:39:45,520 --> 00:39:47,200 vulnerable configurations or common 1259 00:39:47,200 --> 00:39:49,359 mistakes that you can write with these 1260 00:39:49,359 --> 00:39:51,200 files that can then lead to exploitable 1261 00:39:51,200 --> 00:39:54,079 vulnerabilities in your app 1262 00:39:54,079 --> 00:39:56,320 you can scan docker files that kind of 1263 00:39:56,320 --> 00:39:58,079 define the containers that you you 1264 00:39:58,079 --> 00:40:00,079 produce to deploy your product 1265 00:40:00,079 --> 00:40:01,760 and you can scan the images 
that are 1266 00:40:01,760 --> 00:40:04,079 produced as well um to kind of help you 1267 00:40:04,079 --> 00:40:06,000 stick to best practices and identify if 1268 00:40:06,000 --> 00:40:07,520 you're shipping any vulnerabilities in 1269 00:40:07,520 --> 00:40:09,359 like os packages or dependencies that 1270 00:40:09,359 --> 00:40:11,760 aren't directly related to your product 1271 00:40:11,760 --> 00:40:13,599 code 1272 00:40:13,599 --> 00:40:15,200 and finally you want to automate as much 1273 00:40:15,200 --> 00:40:17,280 of this as possible it takes time to do 1274 00:40:17,280 --> 00:40:18,960 but the most desirable end state to get 1275 00:40:18,960 --> 00:40:20,720 to is where all of these kind of things 1276 00:40:20,720 --> 00:40:23,359 are automated and a dev is only involved 1277 00:40:23,359 --> 00:40:25,359 if they really need to be um so for 1278 00:40:25,359 --> 00:40:26,800 example if you have a thing that's 1279 00:40:26,800 --> 00:40:29,599 updating uh vulnerable dependencies and 1280 00:40:29,599 --> 00:40:31,520 packages in your code a dev doesn't need 1281 00:40:31,520 --> 00:40:33,280 to do that it's like i'm 1282 00:40:33,280 --> 00:40:34,800 changing a couple of numbers in a config 1283 00:40:34,800 --> 00:40:36,319 file like it's not a 1284 00:40:36,319 --> 00:40:39,040 valuable use of their type so instead 1285 00:40:39,040 --> 00:40:40,880 try and fix automatically run it through 1286 00:40:40,880 --> 00:40:42,640 all your tests and if something fails 1287 00:40:42,640 --> 00:40:44,560 then and it hasn't worked then a dev can 1288 00:40:44,560 --> 00:40:46,800 step in and do it but otherwise um the 1289 00:40:46,800 --> 00:40:48,560 happy path is that a lot of these things 1290 00:40:48,560 --> 00:40:50,960 can kind of be automated away and you 1291 00:40:50,960 --> 00:40:53,040 get better security and your devs have 1292 00:40:53,040 --> 00:40:57,359 less kind of boring tasks and to work on 1293 00:40:57,599 --> 00:40:59,680 um a nice 
segue between product and 1294 00:40:59,680 --> 00:41:01,359 infrastructure is infrastructure is 1295 00:41:01,359 --> 00:41:03,520 closed which kind of spans both 1296 00:41:03,520 --> 00:41:04,839 so if you played around with cloud stuff 1297 00:41:04,839 --> 00:41:07,839 before probably click through a web ui 1298 00:41:07,839 --> 00:41:09,760 and or maybe run some cli commands and 1299 00:41:09,760 --> 00:41:11,359 you've ended up creating specific 1300 00:41:11,359 --> 00:41:13,760 infrastructure that you form 1301 00:41:13,760 --> 00:41:15,680 now the idea behind infrastructure's 1302 00:41:15,680 --> 00:41:16,960 code is that you define the 1303 00:41:16,960 --> 00:41:18,800 infrastructure you want usually in 1304 00:41:18,800 --> 00:41:20,240 something that looks kind of like a json 1305 00:41:20,240 --> 00:41:22,000 or a yaml type file 1306 00:41:22,000 --> 00:41:23,760 and then a tool handles the deployment 1307 00:41:23,760 --> 00:41:25,760 part for you to to achieve that end 1308 00:41:25,760 --> 00:41:27,040 state 1309 00:41:27,040 --> 00:41:28,720 it's a good idea for ops and security 1310 00:41:28,720 --> 00:41:31,599 purposes really um firstly it makes your 1311 00:41:31,599 --> 00:41:33,839 infrastructure deployments repeatable 1312 00:41:33,839 --> 00:41:35,520 and consistent so it's really easy for 1313 00:41:35,520 --> 00:41:36,960 you to spin up another environment if 1314 00:41:36,960 --> 00:41:38,240 you want to do some testing or you want 1315 00:41:38,240 --> 00:41:39,920 to audit things 1316 00:41:39,920 --> 00:41:41,280 um 1317 00:41:41,280 --> 00:41:43,440 because they're code you can now review 1318 00:41:43,440 --> 00:41:45,200 infrastructure changes as part of like a 1319 00:41:45,200 --> 00:41:48,319 normal code review process um but you're 1320 00:41:48,319 --> 00:41:49,920 no longer asking people to review like 1321 00:41:49,920 --> 00:41:52,160 big bash scripts that kind of eventually 1322 00:41:52,160 --> 00:41:53,520 end up 
having some infrastructure 1323 00:41:53,520 --> 00:41:55,839 deployed you get them to review the 1324 00:41:55,839 --> 00:41:58,160 desired end state and the tool handles 1325 00:41:58,160 --> 00:42:00,240 the deployment of that for you and so 1326 00:42:00,240 --> 00:42:01,520 it's much easier to review because 1327 00:42:01,520 --> 00:42:03,680 you're reviewing the the what rather 1328 00:42:03,680 --> 00:42:05,200 than the how 1329 00:42:05,200 --> 00:42:06,640 um 1330 00:42:06,640 --> 00:42:09,119 and because they're just code files you 1331 00:42:09,119 --> 00:42:11,520 can run um security scanners against 1332 00:42:11,520 --> 00:42:13,040 them you could scan for like security 1333 00:42:13,040 --> 00:42:14,640 best practices or you can enforce your 1334 00:42:14,640 --> 00:42:16,560 own rules like 1335 00:42:16,560 --> 00:42:18,000 vms shouldn't be deployed that don't 1336 00:42:18,000 --> 00:42:20,400 have encrypted disks or port 22 should 1337 00:42:20,400 --> 00:42:21,839 be open to the internet and things like 1338 00:42:21,839 --> 00:42:24,000 that 1339 00:42:24,000 --> 00:42:25,520 and because you've defined that 1340 00:42:25,520 --> 00:42:28,319 preferred end state you can also use 1341 00:42:28,319 --> 00:42:30,319 tools to enforce that in your deployment 1342 00:42:30,319 --> 00:42:32,319 so if you have a maybe like a product 1343 00:42:32,319 --> 00:42:35,119 that you've deployed and a dev goes in 1344 00:42:35,119 --> 00:42:37,119 and makes changes to how that deployment 1345 00:42:37,119 --> 00:42:38,720 is done you can have tooling that 1346 00:42:38,720 --> 00:42:40,560 constantly inspects your deployed state 1347 00:42:40,560 --> 00:42:42,480 your desired state and undoes the 1348 00:42:42,480 --> 00:42:44,000 changes that they've made to make sure 1349 00:42:44,000 --> 00:42:45,359 that you always know exactly what 1350 00:42:45,359 --> 00:42:48,720 configuration you have deployed 1351 00:42:49,119 --> 00:42:51,119 um so onto infrastructure 
and 1352 00:42:51,119 --> 00:42:52,800 particularly cloud infrastructure since 1353 00:42:52,800 --> 00:42:54,560 that's where most companies are heading 1354 00:42:54,560 --> 00:42:55,839 it's quite reasonable that you might end 1355 00:42:55,839 --> 00:42:57,839 up working somewhere and that only has 1356 00:42:57,839 --> 00:42:59,119 cloud infrastructure where all of their 1357 00:42:59,119 --> 00:43:02,400 infrastructure is in public clouds 1358 00:43:02,400 --> 00:43:03,359 um 1359 00:43:03,359 --> 00:43:05,839 i'm going to focus on aws as your google 1360 00:43:05,839 --> 00:43:07,119 cloud because that's probably what 1361 00:43:07,119 --> 00:43:09,040 you're going to end up using 1362 00:43:09,040 --> 00:43:10,400 um but don't forget about the kind of 1363 00:43:10,400 --> 00:43:12,400 more niche clouds like digit lotion or 1364 00:43:12,400 --> 00:43:15,200 heroku or oracle 1365 00:43:15,200 --> 00:43:16,319 um 1366 00:43:16,319 --> 00:43:18,160 first challenge is to work out what 1367 00:43:18,160 --> 00:43:19,680 clouds you're actually using which is 1368 00:43:19,680 --> 00:43:22,160 harder than it sounds um a really good 1369 00:43:22,160 --> 00:43:23,760 place to start for this is the finance 1370 00:43:23,760 --> 00:43:25,440 team or whoever pays the bills and does 1371 00:43:25,440 --> 00:43:26,800 the invoices 1372 00:43:26,800 --> 00:43:28,480 um because they'll be able to tell you 1373 00:43:28,480 --> 00:43:30,640 what clouds your company is paying for 1374 00:43:30,640 --> 00:43:32,079 and who's expensing them to help you 1375 00:43:32,079 --> 00:43:33,920 find out who the account owners are and 1376 00:43:33,920 --> 00:43:36,160 get access to them to secure them 1377 00:43:36,160 --> 00:43:38,400 um also another tip is that if you've 1378 00:43:38,400 --> 00:43:39,839 got quite a kind of sprawling cloud 1379 00:43:39,839 --> 00:43:42,480 estate and you have a lot of accounts um 1380 00:43:42,480 --> 00:43:44,319 account managers for the cloud 
provider 1381 00:43:44,319 --> 00:43:46,960 like aws can usually help you to find 1382 00:43:46,960 --> 00:43:48,319 all of the accounts that are registered 1383 00:43:48,319 --> 00:43:50,079 with like your works domain and that 1384 00:43:50,079 --> 00:43:51,920 will help you get a better view of what 1385 00:43:51,920 --> 00:43:54,640 you have as well 1386 00:43:54,640 --> 00:43:57,280 then once you're in the the best way to 1387 00:43:57,280 --> 00:43:58,880 actually identify everything you have 1388 00:43:58,880 --> 00:44:00,160 across all your regions and all your 1389 00:44:00,160 --> 00:44:02,240 services is to use the billing 1390 00:44:02,240 --> 00:44:04,800 functionality and most providers make it 1391 00:44:04,800 --> 00:44:06,640 quite hard to get like a full overview 1392 00:44:06,640 --> 00:44:08,000 of all the infrastructure you have 1393 00:44:08,000 --> 00:44:09,599 across different regions and things like 1394 00:44:09,599 --> 00:44:10,480 that 1395 00:44:10,480 --> 00:44:12,720 um so usually the only 1396 00:44:12,720 --> 00:44:13,599 kind of 1397 00:44:13,599 --> 00:44:14,400 true 1398 00:44:14,400 --> 00:44:16,319 um consistent place that you can find 1399 00:44:16,319 --> 00:44:18,240 out everything you're using is in like 1400 00:44:18,240 --> 00:44:20,319 the build pdf which could be like a 200 1401 00:44:20,319 --> 00:44:23,040 page pdf from from aws but it at least 1402 00:44:23,040 --> 00:44:24,560 lets you see kind of how much you're 1403 00:44:24,560 --> 00:44:26,960 spending and what locations and it lets 1404 00:44:26,960 --> 00:44:30,640 you prioritize based on on that 1405 00:44:30,880 --> 00:44:33,119 um another piece of really invaluable 1406 00:44:33,119 --> 00:44:35,280 cloud tooling is cloud security posture 1407 00:44:35,280 --> 00:44:36,880 management 1408 00:44:36,880 --> 00:44:40,160 or cspm tools 1409 00:44:40,640 --> 00:44:41,680 so 1410 00:44:41,680 --> 00:44:43,200 these get connected to cloud accounts 1411 
00:44:43,200 --> 00:44:44,880 and monitor the configuration of all 1412 00:44:44,880 --> 00:44:46,960 your resources um in accordance with 1413 00:44:46,960 --> 00:44:49,040 like best practices 1414 00:44:49,040 --> 00:44:50,640 they can either be taken from standards 1415 00:44:50,640 --> 00:44:52,160 like the cis benchmarks that i mentioned 1416 00:44:52,160 --> 00:44:53,599 during the start 1417 00:44:53,599 --> 00:44:55,359 um or they can be rules that you've 1418 00:44:55,359 --> 00:44:57,359 defined for your own environment 1419 00:44:57,359 --> 00:44:59,119 and basically these give you a single 1420 00:44:59,119 --> 00:45:01,040 dashboard where you can view exposure 1421 00:45:01,040 --> 00:45:02,640 status and risks across all of your 1422 00:45:02,640 --> 00:45:04,640 cloud accounts in one place so they're 1423 00:45:04,640 --> 00:45:06,800 really valuable and some of the more 1424 00:45:06,800 --> 00:45:09,280 advanced and usually expensive tools can 1425 00:45:09,280 --> 00:45:11,599 also automate the remediation and fixing 1426 00:45:11,599 --> 00:45:12,960 issues that they find as well so you 1427 00:45:12,960 --> 00:45:14,960 could say that across all of my aws 1428 00:45:14,960 --> 00:45:16,000 environments 1429 00:45:16,000 --> 00:45:18,079 port 22 for ssh should never be open to 1430 00:45:18,079 --> 00:45:19,920 the internet um and you can have tooling 1431 00:45:19,920 --> 00:45:22,000 that will wait to see one that is and 1432 00:45:22,000 --> 00:45:23,680 immediately just close it again as well 1433 00:45:23,680 --> 00:45:26,799 so it's kind of like the infrastructure 1434 00:45:28,560 --> 00:45:30,720 as well as having cspm tooling you 1435 00:45:30,720 --> 00:45:32,160 should take advantage of the cloud 1436 00:45:32,160 --> 00:45:34,480 provider's own native security tooling 1437 00:45:34,480 --> 00:45:36,319 as well 1438 00:45:36,319 --> 00:45:39,280 so while cspm usually focuses on 1439 00:45:39,280 --> 00:45:41,200 like configuration the 
native tooling 1440 00:45:41,200 --> 00:45:42,720 can focus on threat detection and 1441 00:45:42,720 --> 00:45:44,800 runtime things 1442 00:45:44,800 --> 00:45:46,160 through behavior because they get 1443 00:45:46,160 --> 00:45:48,000 visibility into metrics or logs or 1444 00:45:48,000 --> 00:45:49,599 telemetry that's not kind of available 1445 00:45:49,599 --> 00:45:51,359 to you or other products out with the 1446 00:45:51,359 --> 00:45:52,960 cloud provider 1447 00:45:52,960 --> 00:45:54,240 um 1448 00:45:54,240 --> 00:45:55,760 so the types of tools i'm talking about 1449 00:45:55,760 --> 00:45:59,200 are things like aws guard duty or um 1450 00:45:59,200 --> 00:46:01,280 security command center uh on google 1451 00:46:01,280 --> 00:46:03,359 cloud um depending on the cloud and what 1452 00:46:03,359 --> 00:46:04,960 your state looks like they can be quite 1453 00:46:04,960 --> 00:46:06,800 expensive but they also provide a really 1454 00:46:06,800 --> 00:46:09,680 valuable level um of insight into what's 1455 00:46:09,680 --> 00:46:10,960 happening in your environment the kind 1456 00:46:10,960 --> 00:46:13,040 of behavioral threat detection type 1457 00:46:13,040 --> 00:46:15,359 piece so 1458 00:46:15,359 --> 00:46:17,680 these work by essentially processing and 1459 00:46:17,680 --> 00:46:20,240 collating logs from from all across your 1460 00:46:20,240 --> 00:46:23,760 environment and dns logs um 1461 00:46:23,760 --> 00:46:25,440 user activity logs across the cloud 1462 00:46:25,440 --> 00:46:28,079 provider um and hypervisor telemetry as 1463 00:46:28,079 --> 00:46:29,920 well and this gets fed in and it gets 1464 00:46:29,920 --> 00:46:32,400 combined with um iocs from a whole bunch 1465 00:46:32,400 --> 00:46:34,480 of security vendors usually 1466 00:46:34,480 --> 00:46:35,280 um 1467 00:46:35,280 --> 00:46:37,119 and the scale of data that these tools 1468 00:46:37,119 --> 00:46:38,800 are processing across like all of a 1469 00:46:38,800 --> 
00:46:41,119 cloud provider's accounts um 1470 00:46:41,119 --> 00:46:42,560 means that they're quite capable of 1471 00:46:42,560 --> 00:46:44,319 detecting patterns that are affecting 1472 00:46:44,319 --> 00:46:46,000 kind of distinct customers that you 1473 00:46:46,000 --> 00:46:47,440 wouldn't see yourself if you were just 1474 00:46:47,440 --> 00:46:49,040 looking at your own estate 1475 00:46:49,040 --> 00:46:50,720 um and the volume of data they collect 1476 00:46:50,720 --> 00:46:52,160 means their machine learning detections 1477 00:46:52,160 --> 00:46:55,200 are usually quite accurate as well 1478 00:46:55,200 --> 00:46:56,319 so they do the kind of things you would 1479 00:46:56,319 --> 00:46:58,160 expect they can detect like malware 1480 00:46:58,160 --> 00:47:00,480 brute force attempts or the exfiltration 1481 00:47:00,480 --> 00:47:02,160 by looking at the network in the dns 1482 00:47:02,160 --> 00:47:05,119 logs and uvms and things like that 1483 00:47:05,119 --> 00:47:07,040 um but they can also employ some kind of 1484 00:47:07,040 --> 00:47:08,720 other methods that are quite interesting 1485 00:47:08,720 --> 00:47:10,480 and not something that you would be able 1486 00:47:10,480 --> 00:47:12,880 to build yourself or using non-native 1487 00:47:12,880 --> 00:47:14,240 tooling 1488 00:47:14,240 --> 00:47:16,800 so guard duty for example in aws 1489 00:47:16,800 --> 00:47:19,839 aws can monitor for api credentials that 1490 00:47:19,839 --> 00:47:22,240 are created in your account but then 1491 00:47:22,240 --> 00:47:24,160 used in another account somewhere else 1492 00:47:24,160 --> 00:47:26,000 um which can be an indicator that 1493 00:47:26,000 --> 00:47:26,960 there's kind of been some kind of 1494 00:47:26,960 --> 00:47:28,559 credential theft and your credentials 1495 00:47:28,559 --> 00:47:30,319 have been used by someone else 1496 00:47:30,319 --> 00:47:31,599 and 1497 00:47:31,599 --> 00:47:32,960 google cloud they announced the thing 
[00:47:32] just on Monday, and they built a way to use their threat detection tooling to detect cryptocurrency mining on a VM without having any presence on the VM or without actually looking at the network traffic or anything. It's purely by looking at hypervisor metrics, and so the underlying infrastructure that runs their servers. They can detect the patterns that indicate cryptocurrency mining without having access to the processes, without having any visibility into the memory or the network traffic or anything. So it's a really powerful piece of tech to have access to.

[00:48:10] So obviously you don't want to have all your cloud infrastructure directly sat on the internet so anyone can access it. If you've already got a VPN in place, it gives you a static IP to exit from. It's a totally sound strategy to restrict your cloud infrastructure to have access only to that IP. If you're going to do this, make sure you enforce MFA. It's really important to
keep your VPN box patched, and don't forget to remove user accounts from it when people leave as well.

[00:48:40] But I will say that's not the best option to deploy now if you don't have anything in place at the moment, and there's a few reasons for that. So VPN providers don't have a great track record at security, and this is a really critical device for security. So in the last year alone, Fortinet, F5, Pulse Secure, Palo Alto, all the major vendors for this have had really serious problems with their VPN products, and these are really heavily exploited by actors of all skill levels, and it's quite common to see this. They're also not great if you're a small company that's fully remote: if your staff are quite geographically distributed, realistically you're probably going to end up needing to deploy multiple VPN boxes in different countries, which really quickly balloons and multiplies the cost and maintenance and budgets for them.

[00:49:33] And then finally,
the operating model of a VPN just isn't really that good anymore. It creates a gateway where basically once you've authenticated with it, anything behind that is fair game: you've authenticated once, you've got access, you're behind the castle walls at that point. But nowadays you should really be looking to control and restrict access on a more granular level, which is where the alternative comes in.

[00:49:58] The alternative is at the peak of its hype cycle right now, so there's some truly insane vendor marketing about it, but as long as you dig through it there are some really solid options available in the space. Essentially the idea is that instead of authenticating once and getting access to everything like a VPN does, nothing is trusted by default, so every request gets authenticated, and users and devices need to authenticate themselves to your identity provider before they're allowed to do anything at
all.

[00:50:30] I'm using Cloudflare as an example here because they've got a particularly mature offering, but the concepts apply regardless of vendor. The identity broker that you pick authenticates you like you'd expect, but then it can also check things like whether your device is fully patched and whether you have up-to-date anti-malware and things like that. So basically we've gone from the VPN model of "you're allowed because you're coming from the right place" to making a decision using multiple different pieces of evidence and making a dynamic decision about whether to approve or deny based on that context. So if you're going to bring in some kind of secure networking solution to a high-tech company, this is definitely a reasonably early-stage technology that's worth looking at introducing.

[00:51:14] So to begin wrapping up, use the things I mentioned here as the basis to create your own security roadmap for the problems that your
organization has. And you're there to be the expert, so it's on you to work out what's actually needed and what's a nice-to-have, and you want to be sure that you can justify everything on your roadmap in a way where it makes sense to the business. You want to work out who can sign off on it and who's going to give you the money to pay for it, which might not always be the same person, so you should be prepared to have a few rounds of reprioritization and iterating to get to a state where everyone's happy with it.

[00:51:48] And then finally, once you've got it signed off, make sure that you communicate openly to everyone who could be affected by it. Hopefully you'll have a lot in there that's come from solving other teams' problems and people will be happy with it, but it helps adoption and it helps people be on board if you're transparent about what you're doing and why you're doing it, because for most people it's easier for them to support it if you do.

[00:52:12] So finally,
make sure that everything you're thinking about doing you consider in the context of your business. Not every cyber crisis is truly going to have an impact on what you're doing, and so make sure you don't go too hardcore too quickly; take care of the basics and have a strong foundation to build up.

[00:52:30] If you're proposing new controls or things that need money spent, you have to be able to explain the business impact of that. It's not enough to say that you want to roll out YubiKeys because it's good for security; you need to be able to explain the consequences of not doing that, what impacts it could have, and why that would impact the continued success of your organization.

[00:52:50] And then finally, put users at the center of everything that you do. Don't [treat them] like idiots, don't tell them no every time they ask to be able to do something, because if you do, they won't stop doing bad things, they'll just stop telling you about it. Your job isn't to be the kind of master keeper of everything that's secure or not; it's to
enable everybody else to do their job in the most secure way.

[00:53:12] That's me, thanks very much.

[00:53:15] [Applause]

[00:53:22] I think we have very brief time for questions.

[00:53:26] [Question from audience, partly inaudible] Yeah... do you... any benchmarking security capabilities?

[00:53:37] Great set of questions. So the first part was about do you benchmark your security team's capabilities, and the second part, I've already forgotten, it was about how did you prioritize it. Yeah, not yet. Like I say, that's something that is a more mature process than where we are right now. So yeah, that's something that you'd like to get to, but we're not there.