Enterprise Security Leadership: Protection By Design

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

58 minutes
Video Transcription
I want to welcome everybody to. This is the sixth in our plan, the 1st 6 pack of courses on leadership.
And, um,
it's been a wonderful time. I really enjoyed working with with you all is been a good group and a chatty group. I've gotten a lot of life notes on
both I'm linked in and, um,
Twitter and, uh, you know, through other channels. So
So you know, we're going to go through some material today, but before we do, I just want to thank you all. It's just it's we're doing everything completely virtual. We don't get to see people a little bit like my advantage. And working with Cyber Eri is I've had a chance to meet the team and visit the facility. You know, we're virtually it's
just a extension of that physical connection, but
I sure wish I could meet all of you in person. You just seem like such a nice group of people who participated in this, uh, what we show. Well, so today
there's two things that I want to accomplish. One is I want to go through some design here as a little different. We're talking about all this career stuff. But this is still career because what I want to dio
show you the way
I would explain. Basically, cloud security toe aboard. Okay, so So I'm gonna take you through it. You're going to see there's no math, there's no code
and there's not a lot of words, but I can show you through some pictures how we go from ah busted broken perimeter
to something that I would propose would be a much better
design for enterprises. So people frequently asked me to come and speak to their management teams and always try to do it in pictures and diagrams and
and make things simple and show people that there's no steps. One of my favorite cartoons of all time is the two scientists. Is all this math
and then some more math? And in between the two Matthews, a circle that says, And then a miracle happens. You know, that connects one thing tonight like I think that's a funny get. So much of what we explain is that
and I'm gonna show you today how you convey get from broken perimeter Teoh, A distributed virtualized secure enterprise. Resilient, Modern. Exactly what I think
Fortune 1000 companies should be set up in terms of architecture just by clicking through some pictures. I've been doing this for years. When I was back at 18 t, I had the great opportunity work with some extremely creative folks there. Um,
we had a creative team that did this thing called Tech Channel Barb Lying ran thing. I loved working with that group,
and she and I had the idea of being a little flip book, Good paper book where we flip through some pictures on
transitioning, um, architecture. And I've always cut that idea in mind. This is a you know, 50 generations past what we were doing back in 2000 but I kind of think those were the earliest times anybody was talking about virtual izing to cloud.
there's an old old video floating around somewhere from a service that we've been building at Bell Labs back in the nineties. Early nineties
called Easy Link may be said that I think there's some 18 to people who have been listening on these clothes. Might remember that my boss,
Tom Curtis, remember his his spouse of the time. Audrey Curtis ran that thing and they made these commercials. It might be the biggest early early nineties that talked about Cloud. They said, Your email being the cloud and it's accessible into bickers and literally had pictures of fluffy clouds. And
you know so on. I remember thinking, Well, what I was incredibly cool way
describe things. I personally think that was the first time any group had ever really referenced cloud in that manner. But that you'll see today. I'm gonna take you through a couple of designs for something to say. Simple basic thing on defense, in depth. And then I want to take you through the cloud progression in what you have. Some time afterward, we'll do some rules and,
well, look, a couple of books that I might recommend weaken Skip over that. Here's how. A typical sort of way
that someone might go about, for example, explaining defense and death.
And I know a lot of your security experts. So you might, um,
you know, say that's right or wrong, but I just want to illustrate the point. If someone were to explain, you had a wafts, I PS is and firewalls work together in a defense in depth arrangement if your instinct goes toe a bullet list with a lot of words, I hope I can convince you
that there better ways to explain these things because most people don't, you know, don't absorb
lots and lots of words on PowerPoint charts. So this is the way I would do it. I would show, like if somebody asked me out of these three things a wife and I ps who are well, I draw these web APS, you know, or whatever. But in this case that drew them his web and show that a firewall
is put out here somewhere, or a gateway perimeters put out here to protect an enterprise of which these APS are part
and an I. P s is gonna probably compliment that maybe at a more local level, like looking at a network traffic within some segments. And then finally, a wife is going to focus on the specifics of a Web app. So what happens is anybody out here trying to get your Web app
is going to go through firewall?
It's gonna be watched by an I. P. S. And it's gonna have some waft that understands the handshake between the user and Web. You see the point like this simple cadence off picture picture picture
for me has always been a very effective means for communication. That look, you may decide that there's some other way you want to communicate, but promise me that you'll come up with something,
Need toe, have a way of simplifying our dialogue and and making its making it easier for someone to consume the ideas that you're sharing. How much have we spend time of? We spend
in the last five weeks just talking about communicating effectively and having others in jest and understand what we're trying to get across our point
and And I believe that pictures of the way to do that. But, you know, maybe you have some other way, but But the point is that the explaining defense in depth for me this is what I would do. You might do something else now,
but I'd like to show you is how I would propose to explain what I think is the central problem in cybersecurity. Certainly enterprise, cybersecurity. And that's that The way we've been set up has been a mess.
Nobody on the planet ever said this sentence. Nobody ever said, Gosh, I wish we had more cybersecurity vendors in technology
Nobody says that because we've got
Humpty on vendors
and more technology than we can even imagine or ever in a lifetime. Try to understand
the challenge is snapping it all together.
And that's a challenge because startups can't do that, you know, And consultants have trouble us come from you.
So building a clear picture of what you're trying to do
is part of the challenge of being a great leader. Like these pictures, the next 30 or 40 kliks here that I'm gonna take you through
would be the way I would show a team
how were moving. Architecturally, it's a way of showing somebody that future showing of visions for what I think makes sense and there's really no bullet points or sentences or anything. It's just labeled arrows and bubbles and lines, and you'll see what I mean. So let's go through it,
and it would be very interested to see which all thing, because it it's not so much that I'm suggesting that you do this,
but that's to do something that you have
a style or a way of
getting ideas across in a way that is not only compelling, but also maybe of entertaining and fun and creative
bullet lists on Power Point screams. I didn't have time to prepare for this. It just screams that if you, if your materials air dry or such as spreadsheets, it's just got it from somewhere you cut pasted from books.
Kick your time. If you're not good at doing the art, get someone on your team who can help you and work together but create things that
you'll be excited about shown. So here's how I would explain, say, two, aboard this protection by design point in the context of perimeter. We'd start with this idea that every auditor on the planet is lied Teoh,
because we all tell them that we've got a primary control called a perimeter firewall bunch firewalls that are making sure that there's a nice safe inside an unsafe outside. You all know that that's a bunch of hooey. But let's explain how
so we would say this is the presumption
that someone on the outside of filled in circle you're making some access to the perimeter is disallowed like this is our goal. This is what we wish we could do then This blob is all of our of either physical virtual or hybrid assets that we care about. But traditionally this has been a perimeter.
This is inside and out here is outside.
And we would say a bunch of internal things going on. We've got assets and here's a circle. This is an insider.
This is an example of somebody who has access story internal assets, and you can explain the inside problem as well. Look,
I'm trusting that an insider here is gonna touch these assets unabated trust, and you can use that in a sense, to explain the zero trust model like this is infinite trust because it's probably no authentication. It's just
direct East West
access from, ah, trusted insider to some
Microsoft SharePoint or files or directory or repository or whatever it is. I'm asset,
you just hitting it.
Where is out here again? I can't get access. But if this circle went away that I got a problem because this is someone who really should not be touching these assets. If the big oval here went away, then that, in a sense, is the definition of zero trust. When that goes away.
I got a problem. These assets don't know
if the the empty circle are the filled in circle are trusted. I don't know. Suddenly they have toe, provide some protection and do authentication. I don't know if this is this. So this is that its own zero trust is when the oval goes away, you get the point Like that's a way of explaining to someone
visually what zero trust is as we're on this journey
to demonstrate how the perimeter has dissolved. So here's the next sort of thing we could puts more trap on the inside. It's like Reese, this is just general internal asset, but here we put some raw meat on it.
So here's a user info data email product of obsolete zaroff. The labeled things that you might see in a company. Here's a user that's touching an outsourcing portal for whatever reason,
Um, and from there, as you know, sort of connecting through corporate sales and CFO to do something. There's some workflow. These could be emails being sent. They could be links being shared. They could be a number of people working together on a document, kind of whatever,
but all this stuff we would call trusted internal lateral reversal. And that's how you would explain east west
to a manager. You'd say this over we usually shape, you know, is as ah ah, long, flat thing, some immune here. We say it looks like a map where we're going. See outsourced infra data at East west. You know, you're traveling across this path
and then this allow coming through the perimeter sort of looks like you're going up.
We call that north south and again, that's how you can explain the parlance to somebody who doesn't understand what we do. Using a nice picture.
we all know that you let me go back here. All of these different things here are presumed to be within this circle.
But the reality
is they need access from the outside, right? I mean, email has to come in through some gateways. You need to open up the perimeter here, An outsourced gateway. If I've outsourced a bunch of companies, they have to hit their portal. Well, that has to come in through some opening in the perimeter.
And you want to work from home. It's cove it or it's a just normal weekend,
but I need a big remote access gate with it. Comes through there and obviously the Web before want my internal users to be able to touch http based resource is that I need access through Gateway. Similar partner access. You've got some
third party doing tear through tier three support for your routers or something. Then potentially you need some assistance there on. Do you do that through these openings? And then I put all these unknown ones that here because everybody knows the company is likely tohave Ah, lot of unknown gateway. So all these things air really
huts in that
and what they do is they enable this kind of thing
like here's a filled in circle, somebody dropping a fish or something,
then laterally traversing, finding some resource owned by marketing,
finding some records that air sitting in like SharePoint and then egress ing out to some hack site.
This is unfortunate because in this case of connected outside the outside through your enterprise, I basically rotated your tires here and we would call that a P T, which I'll show you the minute. So so this you can show somebody. Look, this is How
and Home Depot and OPM and Sony And on and on and on and on all these canonical references that people hear about they go. My God, how did that work?
This is how it works. This is
how you do it. This is the cadence of these types of attacks. As you can see here again, we just sort of highlighting mistake one.
Whatever reason, um, fish got in. Maybe was you don't doing the market Didn't have a good sag, or you will whatever. I don't know what you did, but you screwed up. The fish got through.
Um, and then somebody here sort of maybe clicks on something. Amuse lateral traverse, maze of active directory
weakness are Miss configure allows. You know the email to basically go hear what I'm assuming here is the email server is forwarding to somebody in marketing who clicks and then the clicking causes the malware to download onto the PC. That malware then goes off and finds, you know, these records,
and then it digresses. Maybe you're not running a reverse proxy,
and or maybe a reverse proxy is weak, and it's easy for me to just make out with the stolen goods. And this is a PT one A one.
So you can kind of show somebody
that this is the more honest view of what you've got. This is what we started with
that we showed the auditor and said, This is what a perimeter is supposed to be.
well, that's what it really is,
all these big holes in it.
And if I showed you Hey, here's how I Here's my philosophy for protecting our enterprise. We put all the good stuff on the inside here in all these holes.
And you say, Are there any questions? Even the most Luddite board member would notice that that doesn't look like a very good strategy.
And you can say then
like that's the point.
And this I'm going to show you now. I proposed to fix this, but you see how What have we We've been talking for 15 minutes. Yes,
I think
that in 15 minutes
this explains the perimeter challenge to anyone,
and it makes them want to see how you're going to solve it.
If you follow
like, you don't have to do it the way I'm doing it here. Dude, your own way.
But when you're explaining something in this case design protection by design,
it can't be just something that you did quickly. There's needs to be some time. Remember I told you, you know, the stuff back at 18 t the flip book and stuff
that was probably 15 years ago, and I've been working on this concept and how to explain this stuff
for that long. So it's not something that you just come to crew casually. It's a lifetime pursuit
of learning toe effectively communicate
with customers with your executives and with your boss and with your board and so on, so forth. So to keep that in mind that this is in a sense, is really
you know, one of the one of the techniques just in here looking at chat.
Um, Baba Baba bah Looks like what it was. Okay for people. Good
wire. Big companies failing to implement basic model. Well, Bangladesh, Let's see what happens. I'm gonna show you what I think
they should be doing, and I'm gonna warn you at the end. There's a couple little political jokes here that I can't resist, but I put him in there just for fun. Just keep on your toes. So let's look and let's try and decide what it is we'd like to do now. So let's let's embark on a solution. So first thing I'm gonna dio
it's just I'm just putting some assets in this crappy perimeter, remember I told you. And then a miracle happens. Well, we're never gonna have any miracle happen. Every time I click on the Power Point chart,
I'm gonna make sure you know exactly what we did. So there's no funny business anywhere. It's all one little step at a time. And then when we're done, you're not gonna believe where we get to. It's really quite interesting. But you see, all they did was here's what we had. I just put stuff inside it and I moved it over to the left. You give me a little scratch Bad here for working?
Does everybody follow?
These are all my assets sitting inside this broken perimeter. Now let's take one of the things here.
This, we said was, are outsourcing gateway. I picked that because, you know, target only if all these others got hit
by third parties that were coming into a portal.
So you'd outsource something or you had a supplier. I'm using outsourcing to include, you know, supply chain.
Whatever somebody's do, whether they're providing a H back or they're doing consulting, are they doing your contracting into nature? Whatever. It's some third party that you pay money to and they come to a port on, they get their, you know, the pios and they get paid. I've run a tight sybers, a small business.
I've accounts into all these different portals
for companies to get paid for the work we do. This is not uncommon.
Have an opening through which you visit a portal that sits in their enterprise. So what we did before we had before was this outsourcing blob this portal. It was sitting in the perimeter, and he usedto have to have the firewall that it would allow access to that.
The first thing I'm gonna do here. So watch this carefully.
Just gonna move that portal out to the cloud somewhere. Now I just put Cloud Virtual Data Center.
This may not be a public cloud, folks.
So this could be private cloud, in which case of active directory and other resource is air necessary for this outsourcing portal toe work. No problem. You just connect back. You see these little cut here from the virtual sort of hosting capability? Maybe it's local. Maybe it's a virtual data center.
Maybe it's freaking Amazon.
Whatever it is,
if their assets here in the enterprise that need to be ableto access this portal I'm bright. Vice versa. Then you do it through year,
but nothing else, right? I mean, if if this you've got email sitting over here, well, email is somewhere else. You don't email into this. This is a portal. So if and he's trying to email that I'd have presumably some sort of a micro segmented protection,
maybe like a docker containerized firewall.
Or maybe I p tables embedded in open stock or whatever, but I'll characterize the protection I do around here, this micro segment by just saying you're gonna you all know, there 2030 companies that are more than happy to help you secure workloads sitting in cloud. We all know how to do that.
The trick is making sure that you minimize the opening and and you maintain connectivity between this workload and other things that might remain back in the enterprise that they need to communicate with.
But this is something that you condone. Oh, and look what happened here.
You see this opening here? These, in a sense, are all
exceptions in your gateway thes air exception in the perimeter. When I outsources watch what happens to that little line it connects. I I've simplified the fireball rules,
so I moved something out to cloud.
This can be a project. Everyone on this call has been part of something like this. Were you virtualized a function to cloud? Most of you have probably done this with office 3 65 You might have done it with payroll. You might have died on whatever. I mean, that's how 80 p and gusto and all these companies
kind of do their business by by having all of that stuff
live is a SAS or cloud hosted capability. So that's the first step here as we simplify what sits in the primitive. Let's do it again. I'm addicted to this. Let's do another one. E mail.
We've got outlook servers sitting on our perimeter in a data center. That seems kind of dumb.
Uh, let's move it to Microsoft. Let's let's let Microsoft run office 3 65 for us. Let's turn on all the Microsoft Security Center stuff. And you know, you can certainly,
you know, by tools from any number of companies to really secure that workload that sits out in cloud. You could run virtual sag. You can 1,000,000 things you could do to make that nice and secure. And, yes, you can provide connectivity back
things like a D. In fact, Microsoft virtual eyes is the A D. So you can do it there.
But you can see how I couldn't move. I could certainly move my outsourcing portal somewhere, and I tell all my suppliers this is where we're going to do P. O's. This is where you're going to get your work orders. This is where you're gonna provide feedback. This is where we're gonna ask you sad satisfaction surveys and on and on and on,
and it's going to be hosted in some cloud.
And a bo, by the way, office 3 65 is the place that we're gonna be doing email or maybe do something else. You see how again? Notice.
See this, um, firewall rule that I had for email right here, where I had to allow extra outlook in exchange traffic. I'm running exchange servers here. Boom. I move them out, have simplified the perimeter.
The perimeter has gotten simpler. Got two workloads. Let's do another one. Partner Gateway. Very similar to outsourcing
where the partner comes in. And there's all kinds of other types of things that you're doing with your third party partners. It's my being em in a portal. So as you're working with, that might be your banking partner, where you're sharing documents. You've got a server with a clean room where you're sharing things and you're discussing it. Whatever it is,
you move the thing out. The cloud you've simplified perimeter
protect the micro segment. Are you kind of getting it like you can move these things to cloud? I mean, there's no miracle that happened here.
Now let's clean this up a little bit. I get three clouds and I've got this legacy perimeter, you know, with a we went from like, there's still five openings here. I don't mean anything, is just giving you an idea that there still problems, but I've closed a lot of them. I've made it much simpler, and I'm going to redraw it. Just this way.
I've got an internal asset here. It's got some openings. This has an opening that has an opening that has no, you have to still get to the portal. There has to be traffic into and out of that. That's what the openings mean. It means connectivity. It means connection.
Look at look at cool. This is I've got four blobs here. Now
let's just play with the picture a little bit, okay? First playing with the picture. Just do that. I don't need to show the clouds that just everything is a cloud here. Notice the Legacy enterprise is the cloud to those who use it. Do you follow?
Like if if in enterprises sitting on the Internet accessible by a number of different end users and whatever, then in my mind's will call it a cloud. But what's the difference? It may not be, you know, the ubiquitous virtualization embedded in the design, but it's still this resource that's Internet accessible,
that has services that get exported out
and and and usages imported in so I can draw it this way. We could even clean up the diagram a little bit more goods. Clean it up to look like this.
we're gonna put a policy controller in. Now, look,
these little these little holes here, these virtual are or physical rules
that the manage somehow. Right? So I've gotta clean up that the though these don't just happen by like some miracle there has to be something that's managing this stuff. So let's put a policy controller here in some cloud and of the policy controller basically touching these different rules. And again, let's sort of
get rid of that. We don't need to show the cloud. Here's everybody, see what we got.
Look, I'll go back. We win from
to that.
To we just picked outsourcing. I've virtualized that. That was a project that I did another project to move my email out than I did another project virtualized the partner Gateway. Just redraw things here a little bit and then acknowledged that I need some sort of a security tool like and
orchestration tool
a cloud platform. And this is how you would explain to your management why cloud vendors air doing so well
because if you have a cloud resident capability, you can touch lots of different resource is networks workloads that are not just hidden inside a perimeter. So when somebody goes hair you on Prem or in the cloud, this is policy management in the cloud. That's what that needs. Let's play with this a little bit.
It's given to that thing
just renaming things here. See Partner outsourcing email policy. I'm renaming Asset A, B, C and D, and I'm gonna call this command and control. Why not? Right? That's basically what it's doing. CNC
and watch this. Now
I'm just redrawing. The asset will look like these guys look sort of the same.
And And let's just calm nodes. Why not? The C and C is the control these air now computing nodes with access in and out with service interfaces that have been exported that are well known.
And let's play a little computer science. Now, see this picture?
If I said, Where's the weakness? You go? Oh my God, that's a horrible network.
If somebody takes this out, the whole thing breaks.
So the way you would do this, like with a baht net,
is you have a fast flux architecture where somebody else becomes the command and control, or I'd have multiple commanding controls. Whatever. Let's let's assume that command and control could be shifted easily. I can go back and forth. I'd have to design this. It just makes things more resilient.
Or I could just have multiple C and sees. You know, the security
products and services that I buy are hosted across the Internet on the cloud thing. So you get the idea. So I've fixed that, so we'll just draw it this way for now.
But I don't think we need these lines. Let's get rid of those.
Let's superimpose stuff onto a geography.
And now, let's put it in places that are meaningful, connect them up. And my friends, this is what I think every business on the planet
should USA's their architecture for their enterprise. This is a modern, secure, virtual enterprise architecture,
and it's these air just physical realizations of where you put the cloud workload hosting. You'd work with Amazon and
Microsoft and Google on your as a service vendors and a few overseas. You'd work with different providers that are local,
and you'd make sure that things were scattered geographically. The red nodes involved cybersecurity or network or system management functions that do control. The blue nodes are workloads and notice. There was never a miracle that happened here, guys. Right? We went from this thing.
I moved it. This we outsourced Put the cloud
e mail the cloud partner the cloud
move things around, but command and control in place show that it's robust.
Just represent thes things geographically. Movement the right place.
Connect them up. Welcome to the modern, secure virtual enterprise architecture. No words. No no, no bullet lists, no long explanations, no special cases. And any one of you who have 10 minutes of cybersecurity knowledge.
I can think of a 1,000,000 questions around this.
Is there encryption here? They're def. What's the size of these pipes? I get all that, but this is a model, and this show tells a story and gives you some sort of an understanding of where if you're the leader, this is what I want you guys to do. Let's go do this. And people then would use this is the basis
for what's gonna So it's my example.
But how someone would go about doing a design
at an appropriate level in a way of communicating information to people about the direction we like head
now a couple things here with this,
we can now play with the picture here and I'm going to get a little mischievous here. And I only do because it's kind of fun. And I love you. Go with me. No, nobody's offended by a couple little political jokes here, but whatever. So
first thing is that this thing is called an attack surface, right?
Like all these guys, when you when you put them together, it's an attack surface.
if in fact, this was a perimeter,
then this would not be secure. Let me make sure we understand
this workload. We see this little line here. That's the way you gain access to it.
It's not like all of these things air inside a firewall
that connects them because most of you have global networks. If these air nodes inside your perimeter, that is not secure. So in this diagram, if down here in Australia and up here in Toronto, if these things are laterally traversable, meaning this server
and that server trust each other.
And that's somewhere like, maybe this is your d M Z, these two firewalls and maybe maybe this one, too.
If you're running a traditional DMC and you just got global nodes that is not secure, that is a big perimeter.
So I want to ask you a question.
If this were the case
that this was a big perimeter,
what would you think about if I was really worried about securing this thing in Toronto? Could I do this
isolated off the cloud
like I'm just taking something that's in the perimeter and moving it out? Say,
I mean, remember, That's what I did back here.
I took like, Here's this partner Gateway
and I moved it out of the perimeter, right. I'm a moving sea goes out, it's in, it's out, it's in its out.
So now here
with this thing,
this server in Toronto, it's in, It's it's in. It's out, it's in. It's out. It's in its out. You follow. It's out.
So are you OK with saying
I could move that server out to be better off because it's outside that big untrusted blob of stuff. If there's an attack that breaks this attack surface, we got big the surfaces. See perimeter being attack surface. It's not gonna get the isolated server do you follow now?
In the United States, the Department of State
has about 300 embassies and consulates located all over the world.
And these air tough places to secure. I mean, an embassy is run by an ambassador That feels like, you know that that place is there, Um, you know, their their kingdom. And since I'm not defending, somebody might work in the U. S. State Department. But these are not easy places to secure.
I remember a story once that someone told me that they working in a consulate or embassy,
at the time it was, um,
H. W. Bush,
his wife, Barbara Bush.
So what wonderful lady did a lot of really nice, um, charity work. Apparently, she was visiting, and there was, like, a YouTube video or something that they were going to show of some charity work that she'd done.
Um, so you Balkan. Imagine the story. She's going to show up at this. I don't know. I assume it was an embassy going to show up there. They're all gonna low cocktail party or whatever. Then they all break and somebody gets up and says a few words. Welcomes the former first lady. She thanks them, says a few words.
And then a YouTube video shows up on the on the screen
showing this beautiful charity work that I guess she was supporting something like that, but a nice event. And then at the end, after video runs, everybody claps. Everyone who's listening to me right now has been in that situation 1000 times, right? So the story is, it was explained to me was
that apparently the I T team had problems in the couple hours before the event
with their WiFi.
So the network was down and everybody was freaking out
you're going to show you tube video and they're gonna connect to YouTube, Live to do it.
And they didn't want to have to tell this this wonderful dignitary.
We're so sorry we can't get to the Internet.
So a couple of the guys air noticed that there was a WiFi network that was that suddenly had appeared
that they could connect him, get to the Internet. They don't know what it waas, but they knew that it worked.
So the boss apparently said, go for it. So they connect up the event runs beautifully. They showed the YouTube video. Everybody's happy after the YouTube video runs, and after the events gone, they noticed that network has gone away in their original network. Connectivity has been restored.
So what just happened?
They got the clock's wrong. They go fix that. The network has been infiltrated. There was a nation state attack. They gain access, you connected to their WiFi, and now they're all over your network. But the point is, they're all over the entire network here,
like it's not just one embassy. It's all of them because they're connected together. This is what the Department of State's Network looks like,
and you can go look in any news source. Inspect what nation state has not infiltrated. This crappy never
switch brings me to Hillary Clinton's email server, and I remember watching three years ago as the Trump folks were destroying her
for having moved her email server out, and I didn't a guide thing. Look that Clinton folks at the time get an F minus. If you could get lower than in F, I would give them that for cybersecurity. I mean, John Podesta was sending his password around clear text over E mail. He asked for that.
You know, that was really bad.
And the fact that Hillary Clinton had done this moved her email server, isolated it out
into some basement in New Jersey or something.
They didn't do that for cybersecurity. They did that for politics. But the reality is, that's why the Russians couldn't get Clinton's email.
That's why, because she'd moved off the network that they own
isn't that interesting? So if you wanted to explain to somebody in Washington or whatever, why micro segmentation is good and why isolated servers are good and why a big blob perimeter for the State Department is not good
and that this idea that we didn't get everybody back onto the quote unquote approved network
is bad cybersecurity. You see how I've explained that here? You might not agree, but I think I've made myself rather clear. So look, here's the message here. We're about 40 minutes past one. Do a couple of book recommendations and some rules,
you get the point here. This is the kind of presentation
that I recommend you take the time to develop for your own ideas. It's your own roadmap with your team and do something that's fun to take people through That has pictures that tells a story that's a little mischievous that is captivating that controversial. Be nice
if people don't agree with you.
Good. Let's talk about it. Let's discuss it. What? Don't you agree? Well, I don't think isolating that email server was a good idea. Why?
Well, because they're probably not getting proper system administrative control. And you say you know what? You're right.
If you're gonna move this out here, you have an obligation to make sure that this is properly protected. You can't just move something out willy nilly. Leavitt unprotected. You see how the dialogue becomes very high,
high energy and and I think effective. So So I hope this little demonstration has been kind of useful for you. Now, on this issue of design is my favorite book, Um
on you know how you go about conveying and explaining and carrying out the design. Ah, Henry Petrovsky is written is beautiful books about engineering and about engineering errors. And you wrote this nice book about failure and successful design. It's just beautiful news. This Tacoma
Narrows Bridge that, you know, when
a little nuts and fell, and he explains it all
and shows it. So if you don't know this book and you have some interest in just generally and designed from an engineering perspective, it's an important one. But the most important book in the history of maybe ever
on the subject of getting design right and planning things despite Nater,
you know you may love him or hate him,
but when he wrote Unsafe at Any Speed, it demanded that we re think the design of automobiles. This why wear seat belt? Because a Ralph Nader,
that is a very cool thing. Think about maybe how Maney lives were saved by this.
I know he's not the only one who was squawking about it, but this was incredibly popular, an influential book,
and it really did change the automobile industry. I think you'd have to give Ralph Nader credit
with maybe saving as many human lives as you can possibly imagine. Think how many people are dying before seat belts? Air would have been dying since, and he was the one who really caused that change. So again, the title of this, the kind of imagery used in the book,
is all something that you, as a leader can learn from you, can change things
by being by being graphic in the way you describe things by being creative in the way you present them and recognizing, at least in the context of what we're talking about today,
that design is an important part of cybersecurity leadership planning thing. Jan is important. So let's go through just a few basic tenets that you absolutely should be sharing with your with your team, and we'll go through these quickly, leave a little bit of time where I can address some of the comments and chat questions that are coming in.
The first is you should make sure that your boss and your team and anyone around you
understands that retrofitting something after the fact never quite works.
Um, the sad thing is,
the whole Internet, in a sense, is a big retrofit
right when you look at the
the problems that emerged in cybersecurity
as a result of original design. Decisions in TSP I P
are are many. The most common Lee cited one is the idea that
source and destination I P addresses can be basically set by users.
If you grew up like I did in the old Bell system.
You know that the way telephony usedto work
is that you had these objects and destination point codes for telephony.
Like when you picked up the phone.
E went off. Hook
the fun. Nobody knew exactly what you did. Like a geo. I see it's designed to this circuit switched
they and fake that.
But the idea that with the Internet you can put a source I p address put anything you want
exciting but troublesome, right? And in 1970 Abbie Hoffman wrote this book
called The Steal This Book.
My My favorite books. I think I might have shown it to you guys last week or previous week. Anybody points out that problem of I P addresses where, But in that case, it was around the U. S. Postal Service, where you can flip
the from and to address on an envelope, don't put any postage, and boom, the mail will get returned to sender for free. Um, and think about that a little bit. That's not an easy thing to fix, So retrofit turns out to be a pretty significant problem.
Um, and it's it's one that with your team. You want to make sure that you as a leader, you help them understand that you shouldn't be retrofitting your rather boat. Do it by design.
Um, simple is always more secure,
and here's what that means
when you're evaluating a security solution from your team, that means you're sitting in the conference room and your team calls you in and says, Take boss, who want to take you through
a new thing we'd like to go by. It's called a breach, an attack simulation tool or it's called a continues validation tour. It's called a Next generation Wah for whatever the hell it is.
My observation, usually is that it's healthy
in your mind to think.
Whenever I'm adding something,
I'm probably making things inherently less secure. I know sometimes I have to. A network without a firewall is smaller and simpler than a network with a firewall, but I'd rather have the firewall. So I get that there are
cases where I have to add something to make it more secure. But usually simplifying and removing things
is a healthy thing.
just go back and think like in the last six months.
When was the last time anybody on your team and I know most of you do security for a living
securing something by taking a thing out
like yours. I proposed to do, boss. What? Let's retire these four things
and let or let's clean out and get rid of these things.
For example, if you went and had a campaign at work
where you you said to everybody for two hours on Friday, our entire company's gonna come to a grinding halt.
We've got a procedure here for secure delete.
We'd like you all to go to your laptops and he offline storage. Let's delete everything we think we don't need.
Old performance reviews, Old President. Let's get rid of it all.
And if you've got 1000 people in the company
and each
each person gets rid of 100 gig of stuff minute, that's a maybe 10 gauge. Would be may be more likely.
That's 10 gig done. 2000. You much stuff. Have you got rid of you clean like cleaning the garage. So So simplifying is something that should be on the tip of your tongue is a manager and as a leader,
the more more secure results from simplifications should always be thinking about that, as opposed to making things more complicated.
Layers in are definitely more secure. So notice
this, said Simplify. This maybe says, don't simplify. But the reality is that defense in depth really is a better approach. So if you are gonna have security, having won control is not as good as having multiple.
They should be simple. They should work together,
and they do need to be diverse. But
this is another, I think, in a sense designed tool that you can use a conceptual design tool
when you're looking at a proposal a a new vendor, an idea that somebody's bringing to use again. Use the leader
you'd have in your mind like these 1st 3 you think.
Was this retrofit yes or no? If it's not, that's good,
all right, we're designing it. It
is this simplifying things, yes or no? This does seem to simplify things that's good.
Is this a single layer of protection,
or is there some multiple layers or multiple that you get the point like these air conceptual devices you have in your mind is a leader that you use to evaluate different types of things that are bringing to you. Now, if you're going to say that,
um, retrofits bad, then the best thing of all the concept phase that's the best time
to start thinking about security that challenges. It's not always so
clear that you ever have a chance in your whole life
to conceptualize something new, right? Everything is this
continual dev ops thing
where everything exists and everything new is a descendant of stuff that exists. It's kind of this depressing,
but it's even in even in that in that case, the idea that you can use your conceptualizing a new feature and function platform in product.
That's the time to think through how you're gonna be enforcing policy and doing mitigation and generating telemetry. Whatever it is that you want to dio, you do it from the inside out at conceptualization time.
Um, everything's happening so quickly now
that if a design is presented to you and it's reliant on some manual process,
that could be a problem like that's not going to scale, and that's going to slow you down.
For example, suppose I proposed to you the way we're going to keep people off inappropriate websites is I'm gonna but 20 people in a room
and they're going to go poking around looking for bad sites. And then they're gonna make a list printed out. They're going to come into my office every morning. We're gonna read through the list. We're going to see what it looks like. And then, yeah, most of them will go ahead and CO to rule and to keep people off. We'll spend that time doing that manually.
Compare that to the way reverse proxies work right where you're doing. You're all filtering,
um, pioneered by, of course, blue code. And you know
so on so forth. Um,
the way they do it is is a threat. Feed its automated the update. Your Elle's air provided, like Ziese calorie, might be using. You get your threat feed and it goes into the device and it's using a protocol or nice protocols for threat information sharing. Government uses, sticks and taxi.
This automation, if it's done right, is definitely more secure than people. You're gonna make mistakes. If you're humans, you're gonna skip days. They're gonna be delays. They're gonna be problems. Automation could be quick.
Could be dependable. It could be ongoing and continuous these air, all nice things. So again, and evaluating an idea or design automation is a really nice type of thing that have
Onda and the compliment. Here
is manual if you trying to scale is definitely less secure. But I do want to point out the Ukrainian power hack that a lot of you know about from a few years ago, the reason they were able to recover from that it's because they had a manual back,
and I think that deserves a little bit of an Asterix here.
Sometimes when technology is perceived as being undependable,
having diverse means for managing it is good.
So it's not so much that the manual was so good in that case because you remember the Ukraine ING power companies. God,
Uh huh.
It caused some big outages. And the Ukrainian power companies, I can never pronounce the names of the longest names of companies I've ever seen in my life.
They got the technicians in trucks and they drove to a bunch of different power stations and took that big handle, you know, turn the power back on manually and they were able to keep people alive because it was winter time Ukraine.
But it is the diversity that was interesting. There wasn't so much that it was manual.
So if the only diversity you can come up with if you have automation in places manual, then fine to make sure you have something
but recognize that inherently manual procedures are going to be less secure because they're gonna be the less dependable they could introduce delays. And, you know, it's just a much more ad hoc means to get things done.
The last rule here is around virtualization. I do think that virtual, if done right, is more secure now. Recognize
the difference with automation and virtual is virtual. Is this
this concept that allows us to create computing
through provisioning? That's really when I think of virtual ization, I think of that.
It means if I've got a hunk of hardware
instead of creating an instance hating one instance of computing on that hardware, I can maybe do multiple. I can expand. I could blow up the balloon
accordingly. Here's an example
for something like a denial of service security, where you're trying to block attacks,
something I've never seen. But I think we should start to see.
There's an example of a proposed design proposals might see Is that the way we stopped denial of service attacks right now, as we deflect
the B G P allows us to deflect routes off to these
scrubbing centers.
Your service provider or, you know, aka Myers like that will do that for you.
That is not easy to do, believe me. And those companies don't get paid enough money. But the those air harder things to do than you can imagine.
But we deflect but one possibility. Think about this. What if you had a virtual front end
with a little bit of deception when you saw something that purported to be denial of service?
Just start creating tarp. It's fake infrastructure using virtualization by creating virtual networks that'll catch the thing into a web of deception. There there are companies that do this that's in some sense had deception works, but you could maybe do it to expand like a balloon
and absorbed all the energy of a denial of service attack
and then gradually retire. It deflate the balloon so you have these limp balloons hanging in every gateway as Adidas attack comes in the balloon expands to absorb all the energy
reached contracts. As the energy is killed as all the traffic activity, it dies down and so on.
What do you think of that? Like you can see how. Wow, that's simple. Its automated. That's virtual, blah, blah. But you could see how that could be the basis for trying Teoh evaluate A particular designing could use a mental tools that allow you to think through,
um what what we're dealing with. So bottom line here is in. In this sixth of six sessions, we've looked a little bit at some design tools. We looked a little bit of how we do protection, and I've shown you some examples of how you can maybe communicate these ideas more effectively using
some concepts. Now, I'm looking at some of the questions here that a lot of you guys have like what if cloud gets hacked? Well, here's one thing to keep in mind.
You started with the perimeter, and then we moved to multiple clouds. So my question is,
who do you think is
more likely to get hack you or Microsoft
Now, before you just say, Well, I guess you had me don't say that so quickly because Microsoft's a bigger target.
So it's not perfect.
You do have to accept that you're putting some faith in the cloud providers to do things properly, so that's it's excellent that you guys noticed that. So that's a good example. I see a couple of them are commenting about the political jokes. Hope you don't mind. I just couldn't resist
because I saw so much commentary around what a bad idea was to move email out of the State Department network, that I was literally jumping up and down, screaming at the TV, saying, No, that's wrong. Micro segmentation is good, it's not
so that's why I wanted to show you that. Now
we've got literally four minutes here. I want to give you one final pep talk before we send your first off. We will be doing some more sessions in September on different topics, but check in with leaf in the library team and they can get you information on that. Second, the case studies that we gave you those air for you,
like, used them with your team, used them with your
staff, used them at the town halls, drop us a note and let us know if they're useful. Let us know if we can help you. Somehow. As you go through these different case studies with your teams, that's what they're there for.
They're there to spur discussion. Teoh develop insights for your team to give everybody a good idea of. You know, some of these ideas that we were these concepts we've covered during the course. But the last thing I wanted to say is I just want to thank you guys for ah for doing what you do like if you're a hacker
and you go to the offensive conferences, you get a black cat and you go toe
a def con. If there's a great celebrations of of hacking
and people feel like they're part of a community and it's exciting, it's fun and it's mischievous. If you're part of that,
it is quite fun. I've presented a couple of times at Def Con and it's fun. I always feel like the old guy there
and I always think it's I have disorganized, but it's really exciting and the offensive community than wonderful job
at creating a thing you feel part of, but in our community on the defensive side. Not so good, right? Seems like we have our heads held down what was kind of beaten up
and our conferences air boring. And we don't work together as a group. We all have sort of mutual, non nd a is and you know, lawyers, Thomas. We can't share,
but I just want to thank you. What you do is important. You hold your head up. The defense's justus importance the offense and I think anybody looks with this from more than three seconds
would realize that what we dio in defense is 100 times more difficult on stopping, then starting an attack. Stopping and preventing a cyber attack is way more difficult than you know, just launching one and making it work one. So keep that in mind again.
Congratulations on your fine careers. I hope you're all doing well.
I hope this has been helpful leaf to you and to the team that Sai Buri want to thank you for really very smooth six sessions and, um and I want to thank everybody again for participating. So with that, I think we'll go ahead and shut down our final session leave for the library folks. Any final words before we drop?
No. Just thank you so much. And thank you, everyone for coming in and offering your ideas and insights really appreciated. Looking forward to the next one.
Very good. We'll see you all later.