Ben Johnson gave a presentation on lessons learned from his experience in cybersecurity. He discussed focusing security efforts inward by prioritizing people, processes, and technology. For people, he emphasized hiring for passion and focusing on high-performing teams. For processes, he recommended threat modeling, security hunting, and integrating red and blue teams. For technology, he suggested automation, orchestration, and focusing on capabilities over individual tools. He also advised approaching vendors, resellers, and analysts carefully by understanding their incentives and verifying solutions meet needs. Finally, he outlined responsibilities in cloud security and emphasized the importance of security fundamentals.
Focus Your Humans Where They Should Focus
Slide 1
Ben Johnson | Co-Founder & CTO
March 7th, 2018
Practical Cyber
Lessons from 500,000 Miles of Security Evangelism
Slide 2
@chicagoben | @obsidiansec
Background Check // Ben Johnson
Co-Founder and CTO, Obsidian
Co-Founder and Former CTO, Carbon Black
Former CNO/Cyber // NSA, CIA, DoD
Slide 9
People - Recruiting & Retaining
“Hire for Passion, Train for Skill, Coach for Performance”
“Passion, Capacity, Humility”
Considerations:
• Security Teams Need a Leader…and a Shield
• Don’t hire just based on tool experience!!
“Capacity” ... “Hire a bartender”
• Mentoring & Growth
Creative perks? New data? Coding to APIs?
• Talent Density and Solving Challenging Problems
https://venturebeat.com/2017/10/21/how-to-build-your-dynasty-hire-for-passion-train-for-skill-coach-for-performance/
Slide 11
People - Essentialism
“It is about making the wisest possible investment of your time and energy in order to operate at our highest point of contribution by doing only what is essential.”
– Greg McKeown, Author of Essentialism
Slide 12
People - Journey vs. Destination
Security teams focus where they have autonomy.
They get comfortable in this never-ending journey vs. driving toward new destinations.
Slide 16
Processes - Adversarial & Threat Modeling
Cybercriminals
• Broad-based and targeted
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage
• Motivated by data collection
• Highly sophisticated with endless resources
Insiders
• Targeted and destructive
• Unpredictable motivations
• Sophistication varies
Slide 17
Processes - Hunting
▪ ALLOW FOR CREATIVITY. ALLOW HUNTERS TO ‘EXPLORE’
▪ LOOK FOR RISK. LOOK FOR THREATS.
▪ EXCHANGE INFORMATION QUICKLY
▪ LOOK ACROSS THE STACK – CONTEXT
▪ DON’T WAIT FOR MACHINES
▪ MAKE SURE THERE ARE LESSONS LEARNED FROM EACH HUNT
Slide 18
Processes - Hunting Outcomes
▪ NOT ALWAYS MALWARE OR APT OR MALICIOUS ACTIVITY.
▪ WHERE TO HUNT?
▪ WHAT TO HUNT?
▪ WHERE ARE MY GAPS?
▪ WHERE ARE MY STRENGTHS?
▪ WHERE DO I NEED MORE CARE AND FEEDING?
Slide 19
Processes - Red + Blue = Purple
• Sit red team next to blue team!
• Once an attack or a technique works, have the blue team fix it (or update detection rules, etc.), then immediately try again to make sure it is now prevented or detected
• Drive Immediate Improvements
Slide 24
Technology: Prioritize Collection
Timeline: Compromised (attacker present) → Breach Discovered (attacker identified) → Recovered (attacker expelled)
DWELL TIME: the interval between compromise and breach discovery
Proactively collecting data during dwell time (before discovery) is automated, efficient & conclusive.
Reactively collecting data after discovery is time consuming, expensive & incomplete.
You know what questions you’ll have… Make sure you can answer them!
Set up the video camera before the robbery.
Move Fast, Don’t Wait on Technology!
Slide 31
Technology: Orchestration Case Study
Pre-Orchestration:
• 2 Security Engineers
• 20 alerts a day
• Manually processed 5 alerts (25%)
• Data aggregation ~2 hours
• Time to resolution ~7 days
Post-Orchestration:
• 2 Security Engineers
• 200 alerts a day
• Automatically process 100% of alerts
• Data aggregation ~10 mins
• Time to resolution <1 hr
“Orchestration allowed us to add additional pieces to the stack to cover more gaps without an increase in headcount. Today it is easier to install new security technology than to hire people to run it; therefore, orchestration alleviates the lack of available security talent.”
Slide 33
Looking Inward: Quick Wins
• Whitelist domains (top 10k?)
• Disable Java & Flash!!
• Or Patch (Java => 70% of alerts disappeared overnight)
• Restrict PowerShell to particular times of day!
• Disable/Expire Admin Accounts Until You Need Them
• Log every command line for common utilities
• Can you “lock down” a particular division, group, etc?
• Give your HVTs/VIPs iPads!
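As an added example (not from the deck), a small detection check that ties together two of the quick wins above: record every command line for a set of common utilities, and flag PowerShell runs that fall outside an assumed business-hours window. The log format, the utility list and the allowed window are constructed assumptions; adjust them to your own telemetry and policy.

```python
import re
from datetime import datetime, time

# Constructed sample process-execution log (not real telemetry).
# Format assumed: "<ISO timestamp> <user> <image> <command line>"
SAMPLE_LOG = """\
2018-03-07T09:15:02 alice powershell.exe powershell.exe -File C:\\scripts\\inventory.ps1
2018-03-07T02:41:17 svc-backup powershell.exe powershell.exe -NoProfile -Command Get-Service
2018-03-07T10:02:44 bob cmd.exe cmd.exe /c whoami
2018-03-07T23:58:09 carol powershell.exe powershell.exe -NoProfile -Command Get-Process
2018-03-07T11:30:00 dave notepad.exe notepad.exe C:\\notes.txt
"""

# Utilities whose every invocation should be recorded ("log every command line").
COMMON_UTILITIES = {"powershell.exe", "cmd.exe", "wmic.exe", "certutil.exe"}

# Assumed policy: PowerShell is expected only during business hours.
PS_WINDOW_START = time(8, 0)
PS_WINDOW_END = time(18, 0)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, image, cmdline = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "image": image.lower(), "cmdline": cmdline}


def in_window(ts, start=PS_WINDOW_START, end=PS_WINDOW_END):
    """True if the event's time of day falls inside [start, end)."""
    return start <= ts.time() < end


def review(log_text):
    """Return (recorded, alerts): every common-utility command line, and PowerShell runs outside the window."""
    recorded, alerts = [], []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["image"] not in COMMON_UTILITIES:
            continue
        recorded.append(ev)
        if ev["image"] == "powershell.exe" and not in_window(ev["ts"]):
            alerts.append(ev)
    return recorded, alerts


if __name__ == "__main__":
    recorded, alerts = review(SAMPLE_LOG)
    print(f"{len(recorded)} utility executions recorded, {len(alerts)} PowerShell runs outside window")
    for ev in alerts:
        print(f"ALERT {ev['ts']} {ev['user']}: {ev['cmdline']}")
```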
Slide 37
Vendors: Competing Priorities & Incentives
• Big Guys vs. Small Guys
• Terminology War; Press Coverage
• Hard to Measure Effectiveness
• Don’t fall for ‘competitive traps’
• YOUR PROBLEMS vs. product features
• Force interoperability/integration
• Partner w/ Early Stage Companies: best time to capture innovation and value
Slide 38
Resellers: Competing Priorities & Incentives
• Margins & Relationships
• Comfortable or Easy
• Large Packages vs. Niche Deals
• Verify that solutions match needs
• Ask for new or holistic approaches
• Get personal with resellers
Slide 39
Analysts: Competing Priorities & Incentives
• Pay to Play
• Scoring Based on Discussions
• Gamed / Sponsored Evaluations
• Not Operators
• Understand the ‘why’ behind scoring
• Ask which non-customer they like
• Blogs vs. Reports
Slide 42
Cloud Security Responsibility
Cloud Service Provider:
responsible for security OF the cloud
Customer:
responsible for security IN the cloud
Slide 45
Take-Aways: Looking Inward
• People
Hire for passion, train for skill, coach for performance
Focus on ROI of Time
• Processes
Approach as an engineering problem
Work with IT
Concentrate on capabilities
• Technology
Integrate, Automate, and Orchestrate
Blend Open Source & Commercial
Focus on how technology enhances humans
Slide 46
Take-Aways: Looking Outward
• Interacting with Vendors
Don’t fall for competitive traps
Partner w/ Early Stage Companies
• Interacting with Resellers
Verify that solutions match needs
Get personal
• Interacting with Analysts
Understand the ‘why’
Utilize their relationships for introductions
Slide 47
Take-Aways: Cloud Call-Out
Understand where, how, and why you are using cloud.
Understand who is responsible.
Providers need to do more. They could reduce users shooting themselves in the foot, improve default security levels, and better show surface area. (Please encourage them to do more!)
The rest is on you:
(Awareness, Auditing, Adaptation, Automation)!
(and don’t forget hygiene.)
Slide 48
COMPROMISE IS INEVITABLE
The attacker only has to be successful once, but the defender has to stop 100% of attacks.
Once the attacker is in your environment, they should have to be 100% perfect.
Slide 49
What About Top 5?
• Approach Security (Risk Management) as an Engineering Problem
• Fix “Provision-and-Forget” and “Deploy-and-Decay”
• Reduce Entropy, Reduce Risk (I.T. is your best friend)
• Treat Your Users as Smart (Enable Your National Guard)
• Make it Fun