BSidesSF 2020 - So You’re the First Security Hire (Bryan Zimmer)

00:00

please join me in welcoming Brian from

00:02

whom ooh so Who am I this one goes out

00:11

to all the dr. Seuss fans in the

00:12

audience at the far out of town where

00:13

the Grieco grass grows I began my career

00:15

in security protecting ones and zeros

00:17

back in 2002 before cyber was a thing

00:19

and clouds were just something about

00:20

what you might sing from the Department

00:22

of Defense to banks and universities

00:23

then on to Netflix to get paid to watch

00:25

movies

00:25

I led Netflix's implementation of Xero

00:27

trust for which most people think beyond

00:29

Corpse a must now sit back and get comfy

00:31

I'll spin you a yarn of how to use one

00:32

pair of hands to protect your business

00:34

from harm oh thank you

00:39

so what have you gotten yourself into

00:40

let's say you're taking over a security

00:42

program we're starting the security

00:43

program from scratch of a small company

00:45

or maybe a security engineer leveling up

00:46

maybe your manager whose role is

00:48

expanded or maybe you're the poor IT guy

00:50

or girl that drew the short straw so

00:52

first congratulations also second I'm

00:54

sorry so on the plus side you get to do

00:56

things from scratch quote-unquote do it

00:58

the right way but just remember that the

01:00

right way is very subjective so two

01:01

years from now people could be looking

01:02

back and think well what idiot did this

01:03

and you'll have to own up and say oh

01:04

sorry that was me be ready to wear many

01:07

hats at a startup you're definitely

01:08

gonna do ton of different roles

01:10

definitely outside of securities so

01:11

don't don't scope your role too narrowly

01:13

at first it'll definitely narrow

01:14

naturally over time for example I'm kind

01:16

of Handy so I spent a lot of time fixing

01:18

coffee machine luckily now we have a

01:20

third party that does that

01:21

let's see ideally you're not gonna want

01:23

to be just a heads down security

01:25

engineer you're definitely to need those

01:26

skills but you also want critical social

01:28

skills shall we say because you're gonna

01:30

be interacting with a lot of different

01:31

teams around the company engineering IT

01:33

legal sales leadership ideally so

01:37

remember that you're not just setting up

01:39

security controls and all the techie

01:40

stuff you definitely have to start

01:41

setting security culture how do you want

01:44

your security team to interact with

01:45

people how do you want them to interact

01:46

with you how do you want security to be

01:47

valued in the company so why do you

01:50

exist as the wu-tang clan says cream or

01:52

cash rules everything around me you need

01:55

to help that the business get that dolla

01:56

dolla bill y'all so the three most

01:58

important things I do for the business

01:59

are making sure we don't get hacked

02:01

dealing with compliance and filling out

02:03

secured incoming security questionnaires

02:05

they all either directly or indirectly

02:06

bring in money so you're either winning

02:08

customers are you closing those deals

02:10

your media legal requirements to stay in

02:12

business or your

02:13

keeping the lights on and by the way

02:15

just because I didn't directly bring

02:16

money always remember to protect your

02:17

customers data because it's the right

02:19

thing to do keep in mind that you're an

02:21

advisor you're not the police people the

02:23

people can in the business can take your

02:25

advice or just leave it you need to

02:26

understand what's important for the

02:27

business and not just you so maybe you

02:29

have an urgent phone to fix or maybe

02:31

gotten shiny a new tool to buy but the

02:33

business might weigh the risk benefit

02:34

and cost benefit and say and it's really

02:36

not worth it sorry you have to be okay

02:38

with that and move on you might think

02:40

steered you to start but really that big

02:41

of a deal because we're too small to get

02:43

attacked but no there's I mean as we

02:45

know there spray-and-pray attacks but

02:46

also even just on LinkedIn there's

02:47

plenty of information to launch spear

02:49

phishing attacks against you we've seen

02:51

that definitely we're a small company

02:52

depending on your customer data and the

02:54

industry you're in you may start getting

02:55

more targeted attacks from I like to put

02:59

out the equation of startup - security

03:02

equals easy money for attackers because

03:04

you're gonna space you're gonna face all

03:05

the same attacks like ransomware

03:07

extortion data theft all the sort of

03:09

stuff that the big companies do but

03:10

attackers know that you do not have a

03:12

security team or maybe if you're lucky

03:13

one person so strategy the first part

03:17

here so first step is finding a company

03:19

with management support security you

03:20

definitely need buy-in from the top to

03:22

get anything done otherwise you are

03:23

gonna start crying very soon ask you

03:26

know during the interview process start

03:28

asking some questions like who's the

03:29

position report to can you talk to CEO

03:30

about your strategy what's the budget

03:32

what's the timeline for like how big

03:34

does the team want to get and and what

03:36

are the goals and what's the timeline

03:37

that sort of thing because you're trying

03:39

to figure out are they trying to check a

03:40

box for security or do they actually

03:41

deeply care about security ideally the

03:43

company wants to start caring about

03:44

security early because as we all know

03:46

bolting on security at the end for

03:48

either the business or the product is

03:49

going to take a lot more time and effort

03:50

and money example would be like see

03:53

becoming see see see CPA and JP are

03:55

compliant trying to both those features

03:58

onto a product after the fact are gonna

03:59

be a big huge pain and then before

04:02

putting in the controls and processes

04:03

and procedures always ask why so take a

04:05

step back and think okay well what are

04:06

we trying to do here so what's the

04:08

reason behind it how will it actually

04:10

benefit us is there a new or a better

04:11

way to do it which is one of the

04:13

benefits of starting from scratch you

04:14

can you can do that so for example

04:16

traditionally people have said you know

04:17

hey we need a crazy long passwords that

04:18

are rotated every 90 days but then you

04:20

take a step back and you realize oh

04:21

actually we can take care of this issue

04:23

and we can take care of a bunch of

04:24

different attacks account takeover stuff

04:26

but just by requiring more memorable

04:28

passwords but 2fa you know you might

04:31

traditionally buy fancy was paying

04:32

firewall with a bunch of security

04:34

features I won't mention names but then

04:36

you take a step back and you realize oh

04:37

actually we can solve all these problems

04:39

and eliminate a whole bunch of other

04:40

problems by going with the encore and

04:42

just a simple firewall so now on to the

04:45

strategy or the the tote the the meat of

04:48

the strategy if you or the tofu if you

04:49

prefer if this Chromebook would scroll

04:51

oh there we go

04:53

so you've got one pair of hands so how

04:54

do you make sure that you are spending

04:56

your limited amount of time on the most

04:57

critical things so I've created one

04:59

simple you need to remember acronym

05:01

there for you first part is finding what

05:05

matters most to the business the

05:05

valuables the crown jewels talk to the

05:07

the founders the heads of each group

05:09

what data applications process this

05:11

procedures matter most to the to the

05:12

company into things like customer data

05:14

intellectual property bank accounts you

05:16

know internal apps blah blah blah blah

05:18

blah and then find what laws you have to

05:20

comply with and certifications that the

05:21

business's wants in addition to those

05:23

legal requirements that's going to

05:24

determine determine what frameworks you

05:25

have to use what controls you're gonna

05:27

put in place policies and generally how

05:29

fast and loose you can play with

05:30

security dealing with compliance might

05:32

be one of the reasons one of the big

05:33

reasons why your position was created in

05:35

the first place so a lot of people hate

05:36

to admit that but there will likely be

05:39

some some compliance parts of your job

05:41

my recommendation is outsource as much

05:43

of the compliance stuff as you can like

05:44

GAAP assessments and audits and getting

05:46

policies but realize you're still gonna

05:49

be doing a bunch of the heavy lifting

05:50

putting that in place and then find out

05:53

what level of risk the business is

05:54

comfortable accepting so getting a

05:56

general feel from the co founders like

05:57

do they want to move faster and accept

05:58

more risk or do they want to go move a

06:00

little more slowly and dot all the i's

06:02

and cross all the t's some basic

06:04

examples would be you know if there's a

06:05

medium risk of exposing customer data

06:07

with this new feature but the new

06:08

feature is gonna close a giant deal you

06:10

know do they want to move forward with

06:11

that or do they want to fix the issue

06:13

first before moving on or do you block

06:15

installation of software on employees

06:17

laptops or do you trust them to use

06:18

their best judgment and and let them

06:21

install whatever they want or do you

06:22

have air gap systems free most sensitive

06:24

a slight tangent here related to risk

06:28

third party risk do you really know

06:29

where your data is so you might think

06:30

you have a small AWS and GCV or GCP

06:33

footprint but your data could be going

06:34

to all kinds of places thanks to G suite

06:37

plug-ins slack plugins Chrome extensions

06:39

all that sort of

06:40

so I recommend turning on a lot

06:42

whitelisting from the beginning so you

06:43

can start getting a handle on this sort

06:44

of stuff especially things that have

06:46

access to G Drive because that's where a

06:47

ton of sensitive business information is

06:49

these days definitely don't take more

06:51

than like a day to answer those requests

06:52

otherwise you're gonna be holding up the

06:53

business which pisses off a lot of

06:55

people which I'll go into a little bit

06:56

later and then take an inventory of

06:58

applications and and integrations try to

07:00

gather some security information on them

07:02

good luck if you're a small company and

07:03

trying to get any sort of response out

07:04

of security at whatever company calm and

07:07

then create a basic risk spreadsheet so

07:08

you can track your assets and your risk

07:09

I do something basic like likelihood of

07:11

compromised times impact / remediation

07:13

effectiveness equals your risk just a

07:15

good basic idea you can get fancy or

07:17

something like cbss if you want remember

07:19

that third party and subprocessor

07:21

inventory is kind of important for GDP R

07:23

and C CPA you definitely need to know

07:24

where your data is going and who your

07:25

sub processors are back to little more

07:27

the strategy threats so finding your

07:29

your cyber threats and ideally your

07:31

physical threats as well you can use

07:32

miters attack framework for some ideas

07:34

you can also use Verizon's D bi report

07:36

shout out to Alex Pinto I know you're in

07:37

the audience riding a capybara somewhere

07:39

and then you can use this CB SS for

07:41

ranking them unauthorized access to data

07:43

data being held ransom using trusted

07:45

access to access your customer or attack

07:48

your customers those those are some of

07:49

the big ones

07:50

talk to the co-founders and get their

07:51

input see if they agree with you see if

07:53

they've got some other ideas see what

07:55

are the biggest threats next you're

07:56

gonna start setting culture because

07:58

security isn't just about technology

07:59

it's definitely the people - I'll get

08:00

more into that in a couple slides and

08:02

then good security culture makes it

08:04

easier to integrate into the business

08:06

start building trust and getting into

08:07

those important teams and workflows and

08:09

I'll get more into that too in a second

08:10

and the last part of the strategy here

08:13

so then comes every engineers favorite

08:16

part the policies you might be able to

08:19

actually skip these if you're lucky if

08:20

you don't have a bunch of laws and

08:21

certifications to comply with but you

08:23

may actually have large customers that

08:25

the man do you have certifications so

08:26

you're back to square one I recommend

08:28

getting templates from whoever you're

08:29

outsourcing compliance to also if you

08:31

want to go the cheap route which might

08:33

take a little more effort you can go to

08:34

most universities websites all their

08:35

policies are typically public work

08:37

smarter not harder harder copy and paste

08:39

and let's see then - of course tweak

08:42

them to fit your business so do you

08:43

really need that 10 page password policy

08:45

or you can just go with you know a

08:46

paragraph you don't really need to go

08:48

crazy and then lastly you start putting

08:50

the controls in place this is where all

08:51

of us engineering types are most

08:52

comfortable so

08:53

things like 2fa anti-malware inventory

08:55

access control yada yada yada you're

08:58

gonna select those controls based on

08:59

these inputs you've gotten in the

09:00

previous steps and select what's right

09:02

for the business so you know you're

09:03

probably not gonna have three FA on an

09:05

air-gap network with you're just selling

09:07

cad emojis so keep it simple that's one

09:09

of my guiding principles that I'll go

09:10

into in a minute and then iterate put

09:12

the basics in place and then improve as

09:13

you go along so if you haven't been in a

09:15

small company before you might be most

09:17

comfortable with like hey I need to get

09:19

this done 100% right the first time but

09:21

you're gonna realize that you know

09:24

you're gonna want to get like 80% there

09:26

at a startup cuz you're gonna be moving

09:27

in tons of directions with one pair of

09:28

hands and then come back and finish the

09:30

20% later remember that perfect is the

09:32

enemy the good guiding principles so

09:36

guardrails not gates is a saying I got

09:38

from Jason Shannon from my time at

09:39

Netflix so people hate hearing no it

09:41

definitely gets in their way prevents

09:42

them from doing their job yeah you

09:44

become a source of their anger so they

09:45

won't want to come work with you again

09:47

they'll definitely try to go around you

09:48

so don't hold up the business unless

09:49

it's something critical let people get

09:51

their jobs done and like I said you're

09:52

here to serve as an advisor you're not

09:54

the military and be wanted not feared

09:56

you know do you want to be this feared

09:57

security person or do you want to the

09:59

one that people love to work with which

10:00

one is going to get better results for

10:01

you definitely create an approachable

10:04

and positive security culture people are

10:05

gonna want to bring you their questions

10:07

and issues rather than you having to go

10:08

and dig them up which takes a lot a lot

10:10

more time

10:10

I'll go into that in a little bit and

10:11

then keep it simple like I mentioned

10:13

here so complex policies and procedures

10:15

are gonna be hard to maintain and there

10:18

we go scroll and they're definitely

10:20

gonna invite people to the point of

10:21

going around them so choose short

10:24

policies she's paying the security

10:25

reviews choose platforms of service

10:27

choose erode trust choose life choose

10:28

Trainspotting references keep it simple

10:31

and you're gonna remove an entire class

10:32

of security concerns like

10:33

platform-as-a-service has almost no

10:34

infrastructure to administer remained

10:36

IRB's insecure zero trust is gonna you

10:39

know eliminate a bunch of traditional

10:40

network security architecture and and

10:42

network security concerns so you've got

10:44

one pair hands so let AWS and GCP take

10:47

care of all those old school security

10:48

issues for you shameless plug for

10:50

minding my talk from a couple years ago

10:51

on zero trust and it flicks and then

10:54

make people self reliance so they can be

10:55

your hands your hand or sorry your eyes

10:57

and ears because you can't be everywhere

10:59

at once so give them the tools you know

11:01

to be on that paved path that's inside

11:03

the guardrails and the education to use

11:05

them because you won't

11:06

have the time de birria around and be

11:08

involved in every single security

11:09

decision

11:10

let me start getting the culture here

11:12

how well you integrate into the business

11:13

is Howie

11:15

well you integrate security into the

11:16

business is gonna depend on the

11:17

principles you set like the also the

11:19

culture and how your you and your future

11:22

team interact with people so be

11:24

transparent you know if you're gonna

11:25

install something on someone's laptop

11:26

the first thing they're gonna be like

11:27

what's what's going on here you've

11:28

spying on me it's like no we're this

11:30

thing is gonna catch malware for you

11:32

it's gonna it's gonna protect you

11:33

there's literally no way can spy on you

11:35

here's the manual if you want to double

11:36

check just having some some rapport with

11:38

the person showing them what's going on

11:40

and and being transparent on your

11:42

decisions I appreciate people so say

11:44

thank you it's simple but it goes a long

11:48

way just hearing thank you in the office

11:49

really goes really improves a lot of

11:51

things like a relationship with people

11:52

you know what I do is if someone that

11:55

has helped improve security some way or

11:57

they report a good phishing attack or

11:58

whatever I give a security shark award

12:00

at our All Hands meetings so it's like a

12:02

Amazon gift certificate I'll say hey

12:03

person X did this thank you very much

12:05

and give them a little reward gets gets

12:07

the word out there keep security in

12:09

people's minds and also says thank you

12:10

to the person and be humble so no one

12:12

works no one wants to work with a

12:13

brilliant jerk we've all worked with

12:14

brilliant jerks I do jujitsu and it's

12:17

taught me many things most importantly

12:19

is that you're gonna learn of course

12:20

from people above you and you know your

12:22

peers probably ideally but you're also

12:24

gonna learn from people below you so

12:25

treat everyone with respect to treat

12:27

everyone as a pro that you can learn

12:28

something from you know say like hey

12:31

this area is not my area of expertise

12:33

can you teach can you teach me how

12:34

something about this and we can work

12:35

together on this issue it's exactly what

12:37

I did with some apps egg phones we had I

12:38

can barely spell apps X so I went to our

12:42

head engineer was like hey we've got

12:44

this issue can you explain it to me can

12:46

we work together like how can we fix

12:47

this and the two of us worked on it

12:48

together which goes much better than

12:50

just like hey fix this for me feedback

12:53

so you can't improve and you definitely

12:55

should want to improve so you can't

12:57

improve in a vacuum ask people for

12:59

feedback see the conversation with

13:00

examples like hey we just rolled out

13:01

this tool would you think about it or

13:03

we're gonna do this what you think about

13:04

that or in this meeting I said this did

13:05

I sound like a jackass what do you think

13:07

how can i how can I improve empathy so

13:09

always assume good intent you know

13:11

people are just trying to get their jobs

13:12

done you know some traditional security

13:15

person might hear like oh hey person

13:16

comes up to you and says I need an FTP

13:18

server right now like I need to transfer

13:19

this file and you might go whoa

13:20

head explode but no take take a step

13:22

back and realize okay let's dig in a

13:24

little bit this person's trying to get

13:25

their job done okay they have this

13:27

important file for the CEO or whoever

13:28

they need to transfer it now they just

13:30

didn't realize that we've got a paved

13:31

path here to like get this transferred

13:33

security and quick it's securely and

13:34

quickly or maybe they don't have an

13:36

option right now so then you come up you

13:38

work with them to come up with a more

13:39

secure solution so I always assume good

13:41

intent the little things speak English

13:44

not techie either couple these points

13:47

were in some of the other talks as well

13:48

it definitely alienates people if you're

13:50

going to talk about the lithium crystals

13:51

and rotating your cables every hundred

13:53

thousand packets that sort of thing you

13:55

know if you're talking to legal they're

13:56

gonna be like what in the hell are you

13:57

talking about they're not gonna want to

13:57

come back and talk to you again so

13:59

tailor your your level of techie to the

14:02

audience and say hi in the hallway make

14:04

eye contact just basic interpersonal

14:07

skills I mean not just on your team but

14:09

like random people in the office it

14:11

definitely improves the the culture and

14:13

it helps get you get you integrated into

14:16

the company let's see and also try it

14:20

out in the real world it's nice and then

14:22

last thing on security culture is

14:23

setting the elevator back down so use

14:25

your position of power at the top to

14:26

help out others below you we're never

14:28

gonna increase diversity or fill hiring

14:30

gaps if you don't get out they like

14:31

spend some effort trying to get out

14:32

there finding women of minorities who

14:34

either work with you or outside the

14:35

office interns recent college graduates

14:37

we're trying to start their careers

14:38

invite them to conversations and

14:40

projects and write them to industry

14:42

events try to help them try to help them

14:43

build their network give them career

14:44

advice high school teachers definitely

14:46

need people to come talk and inspire

14:47

their students

14:48

you can skip fancy universities people

14:50

at community colleges high schools and

14:52

poor school districts are gonna

14:52

definitely appreciate it and use it a

14:54

lot more integrating the companies

14:57

socialize so start building

14:58

relationships and trust across the

15:00

business you know you you're gonna need

15:02

to work with engineering for production

15:04

type stuff IT for malware and corporate

15:06

type stuff legal for contract review

15:08

sales for incoming Security

15:09

questionnaires go talk the sales team

15:11

and ask how many deals if you we lost

15:13

because we didn't have security thing X

15:14

and that'll show that you're trying to

15:16

help out the security team you can also

15:17

take that number to leadership and say

15:19

hey we need to spend a bunch of money

15:20

and here's one of the reasons why we've

15:21

you know

15:22

trade-off of cost there times really

15:25

running out and then find that the major

15:28

stakeholders and the team leaders meet

15:30

with them regularly over lunch and

15:31

one-on-ones and then try to build a

15:33

relationship you like I talk

15:34

about increasing visibility so you want

15:37

to find the security issues and also

15:39

keep yourself visible in the eyes of the

15:41

rest of the company so you know have new

15:43

employee security training yearly

15:45

security training developer security

15:46

training go to the other teams all hands

15:48

it's like a fly on the wall to keep your

15:50

finger on the pulse and hear what's

15:51

going on security related there of

15:52

course don't over communicate because

15:53

people are gonna because people are

15:54

gonna get alert fatigue and just start

15:56

ignoring you after a while and remember

15:57

to tailor the content to the specific

15:59

audience don't blast out email to the

16:00

entire company if it only applies to

16:01

half the company and then recruit people

16:03

on the other teams who are interested in

16:05

securities to be your to be your eyes

16:06

and ears and potentially hands to help

16:07

you fix issues and report things

16:09

collaborate don't be a dictator don't

16:11

just throw stuff over the fence like I

16:12

mentioned earlier it's gonna go much

16:14

better if you could say hey how can we

16:15

work on this together rather than just

16:16

like here please fix this problem

16:19

[Music]

16:20

engagement so we all know security is a

16:23

dry topic like hey pick a strong

16:25

password don't share your password don't

16:26

do this don't do that I like to get

16:28

creative make a little fun here's the

16:30

security shark award that I hand out

16:33

with the Amazon gift certificate at the

16:34

All Hands meetings when I was at Netflix

16:37

did some security education posters

16:39

around the office in October this one

16:41

was pushing password managers who

16:43

doesn't love hedgehogs the head of legal

16:44

said she loved this one also two-factor

16:47

off I know somebody here was attending

16:49

had an icon of a sloth thank you

16:52

and then a little last one or a couple

16:55

more slides our white elephant Christmas

16:57

party a couple years ago my contribution

16:59

for the gift pile was a picture of

17:00

myself which people thought was

17:01

hilarious until I told them that there

17:04

was a hidden gift card in there so they

17:07

did the trading and then eventually

17:08

pulled apart they didn't find a gift

17:09

card so what they did they took awhile

17:11

but they eventually found out if you

17:12

held the picture over heat source the

17:14

Amazon gift card was written in lemon

17:15

juice and then it appeared the CEO loved

17:18

that so much that he now hides this

17:19

picture regularly around the office with

17:21

another card hidden in it a coffee card

17:22

and then if you find it you get to hide

17:24

it for the next person people love that

17:26

so much that they took my picture and

17:27

then put it on put on t-shirts for our

17:30

one of our Halloween costume competition

17:33

things and on the back you'll see

17:34

there's a bunch of letters and if you

17:35

unscramble that you found out where the

17:37

prize was now I have a picture a write

17:40

up a t-shirt with my picture on it which

17:42

is weird

17:44

anyway I love wearing it around it's

17:46

great make me look famous or something

17:48

and last thing oh good I think it's

17:50

gonna work out physical security why

17:52

would you care about physical security

17:53

you know maybe you want to learn

17:54

something new you know really who else

17:57

is gonna do it at startup so there's a

17:59

lot of similarities with InfoSec so

18:00

you've got badges and doors for

18:01

authentication and access controls you

18:03

got cameras facing ideally out the

18:06

external doors for after the fact

18:07

monitoring Remer do not face the cameras

18:09

in that tends to creep people out and

18:11

likely you're not gonna have alarms

18:12

because ideally people are taking their

18:13

laptops homes at home at the end of the

18:15

day you've gotta be on Corp Network so

18:16

if someone does plug into your network

18:17

whatever that's nice and then you know

18:21

people also forget to set alarms anyway

18:23

so they're kind of useless yes sir thank

18:25

you and then other things you know like

18:28

you're only gonna have to worry about

18:29

theft for really the first few years but

18:31

as you get bigger you might want to

18:32

start investing in guards and there

18:34

could be domestic violence issues is one

18:35

of the big ones that comes up targeted

18:37

attacks higher you know as you is your

18:41

leadership gets higher profile maybe

18:43

attacks against them that sort of stuff

18:45

you know I've heard of things like teams

18:47

of doing international extractions on

18:49

like big physical security teams but

18:50

don't worry about that really all you

18:51

have to worry about his theft keeping

18:53

the doors locked and then auditors to

18:55

satisfy cameras to satisfy the auditors

18:58

and potentially like tracking down what

18:59

got stolen and I went a little fast

19:02

because we lost some time with filling

19:04

the theater but I think I got in under

19:06

the wire I don't think I have any time

19:08

for questions but I'll take softball

19:10

questions outside and then if you want

19:14

to you can add me on LinkedIn I will be

19:16

happily answer any questions via

19:17

LinkedIn or just find me outside and ask

19:19

your questions thank you

19:21

[Applause]