[00:00:10] >> So the other thing that is very important about people is how do you communicate with the rest of the company about security. You know, I'm coming from an engineering background, so it's very easy for me to talk about code and how to hack stuff, but eventually, when you go to a town hall of a company, and we do those every week, you need to change the language. And I know that my accent is not American, so it's really changing the way that you communicate stuff to the company. So we started with the foundations. You know, how many of you heard about that thing? Raise your hand.

[00:00:54] Let us do it differently: how many of you didn't hear about that? OK, awesome. So you understand the problem. Obviously phishing people, it's, you know, the social engineering of getting into a company. There's one thing that technology can't fix: stupid people. You know, people click on links; you can't do anything about it. But the thing that I did in my first 2 months is actually generating this attack against the people in the company. So what I did is just integrated a system, and it was a phishing campaign system that sends a lot of phishing emails to the employees in the company, and if someone clicks, it gets them to a page that records who they are, based on the unique link that they received, and also provides them a training, a 90-second training, on what is phishing. And you know, it tells them it's not real, but it could be real. So when we were done with the first...

[00:02:02] So the question is how I referred to those people going forward. First of all, I notified all people that clicked those links. But I also spoke about it in the town hall, so I didn't do any... Do you want to know? I did not, come on, I didn't do any shaming.

[00:02:20] But I mean, OK, I'll correct what I said: I didn't do any personal shaming, I did shaming for departments. So, for instance, our accounting department, they are serial clickers.
So I just put them as the serial clickers, and everyone, you know, looked at them differently. So that was a pretty nice case study of how can you educate people about phishing with a simple trick: just run phishing campaigns by yourself and people get it. So in case you wonder, yes, the clicker rate has decreased since then. The additional thing that we do, and this is something that

[00:03:17] you should consider, it's all about the culture, you know. The fact that people even laugh about security, it's a good thing about security. So let's say if someone goes and leaves his laptop unlocked, then we have a Slack channel. We just, you know... and people just get a notification that someone is...

[00:03:41] Which means, you know, you left your computer unlocked. The other photo here is our CEO, and he does those tricks as well. So even, you know, he did that to me: I just looked around, and the moment I'm looking back I saw that he already sent the email to the entire company that I didn't lock my computer, which is kind of embarrassing.

[00:04:07] So let's talk about the process, you know. The process, I think this is the most challenging part with a startup company, because when you come to a startup company they usually start with compliance. So let's say your company, you're trying to align with F.D.A. c, or if you do payments you try to align with PCI DSS, or if you are a

[00:04:38] healthcare company you'll do HIPAA. So all of those compliance foundations are good. How many of you think that compliance equals security? I'm in the right class. So, a good thing that I saw when I joined the company is that
the council already engaged a third-party company that did a risk assessment. Obviously it depends what is the scope of the risk assessment: sometimes you can do a risk assessment on a product, you can do a risk assessment on a specific line of business of the startup, or you can do it across the company. So I received this report while I was learning about the company, and I realized that we actually did a security assessment to identify the security risks, which was kind of very surprising,

[00:05:31] because they didn't have any full-time security employees. And by looking at this report, I realized that those are the things that I need to focus on. Obviously I did my own due diligence, and I spoke with a lot of people to understand what are the key risks that we have in the company, and eventually it almost matched up to the risk assessment.

[00:05:54] So the conversations that we have today, yes, of course they are about compliance, but they're also about the partners that we have, about how customers see security, and eventually how do we reflect a better posture of security externally, which is the reason why I'm speaking here, right. So here's a cliché: how many times you hear about being an enabler for the business? It can be someone who comes from security, it can be someone that comes from a quality domain, it doesn't matter; anything that is non-functional, like security,

[00:06:37] it's something that is considered as difficult to communicate to the business. So in my case, being a business enabler was a target. I really wanted to be the one that can actually say that he did it very well. And one of the things, it's just an example that happened recently: we decided to launch a new product. It was a payments product. With payments, do you need a certification? Who said yes? Yes, but you know that with payments you need a certification; you need it in order to be able to process credit cards. I saw one or two certifications when I was working, at least, in NCR;
it takes a long time to get a PCI certification, or especially a PCI DSS certification: between 3 to 4 months to get there, even with the fastest teams. And you know, working in a startup company, and I told you that it's a team game, we ended up getting this certification within 5 weeks. And it's not because we're awesome; it's because people want to get the things done. And in that case security was an enabler; otherwise we couldn't process any transactions.

[00:07:56] So, this is something called bug bounty. I coined it as "Bunky", but how many of you heard about the programs? Approximately half. So let me give you a synopsis about what it is, and then we'll get to the stuff. So the program is a program that companies can establish, or run through third parties, that rewards researchers if they find any vulnerabilities, or it can be,

[00:08:31] in this case it's a security bug bounty. Facebook, Google, eBay, and even smaller companies, they have bug bounty programs that reward researchers if they find a vulnerability. Those bug bounty programs, you can look them up with HackerOne or Bugcrowd, or just look for "security hall of fame" and you will find a lot of security hall of fame programs. So many startups are not ready for a bug bounty program. You know why? They don't have so many security people, and it will be very costly for them to run a bounty program. So what can you do? On one side you're short of security hands, and on the other side you're paying big fees to external researchers.

[00:09:19] And
the idea, you can actually... it came from my sister. My sister works for Motorola, and one day she said, hey, someone from the security department, those bad guys, they scheduled the penetration testing on my product. So sure, let's go and do that, have fun, you'll see the findings, they'll be added to your backlog, this is how it's supported in security, everything will be fine. She said no, no, I want to be prepared for this; I don't want to be surprised. So I said, you only get two of your most senior engineers into a room for 30 minutes, have a whiteboard, and let them draw the threats that can be against your system, what can be exploited.

[00:10:03] Guess what, they nailed it. They found everything that the pentesters found, because they know their code. We don't have the same situation: it's a pretty broad product, we have so many contributors for this product. So what can we do in that case? How can we scale security in the company? The best thing to do is just establish an internal program, communicate that in the town hall, and reward people if they tell you about something. Obviously, you know, if you're a developer and you're reporting on a bug that you developed, or the new bug that you created, you eat your own dog food eventually.

[00:10:45] But this is the only rule. If you have any vulnerabilities in the operating system, I don't know, if you have any local admins or you have any permission issues in the database, I don't care; but this is something that I would never find if I would go and look at it all by myself. So yes, we have a whole thing: we have people that report, we have people that get, you know, some

[00:11:09] money for that. It's not expensive and it's scalable; this is the big thing about it. All right, so the last portion is the technology, which I believe
can interest you. So with technology, you know, when you get into a startup company you realize that you can't really talk about the latest and greatest products from day one; you need to think about the foundations first, it's the first year. So I divided it into four pieces, which eventually ended up going into three pieces at Kabbage. But the first piece is the corporate IT, and the other piece is... how many of you heard about the term shadow IT? The one that actually

[00:12:02] knows that I know that he knows. So shadow IT is an infrastructure that is not managed by the corporate guys. I'll give you an example: let's say that the marketing guys decided to spin up a proof-of-concept environment on Amazon. It's not under IT, but it's there and it's the company's assets. This is shadow IT.

[00:12:33] And it's usually something that you can't really identify from day one, or usually, you know, in bigger companies you can actually spend years on that process, because you need to work with accounting, and you know how difficult it is to work with accounting. I'm not saying it's difficult, I'm just asking the question, hypothetically of course.

[00:12:54] So, and the other two is production or ops, which eventually manage our SaaS operations, and lastly are the engineering folks. How many of you heard about DevOps? Awesome. So DevOps is a mix of these two guys, essentially these two groups, so the way that I'm looking at that in Kabbage is that I'm just looking at these two

[00:13:22] in the same breath. So again, when I'm looking at those domains, I'm looking mainly at the products that need to be there, not from a compliance perspective but actually to get something. I'll give you an example. Training you're familiar with, but
we need to have logging. How would you know that you have a security breach if you don't have the logs? You don't have a way to do that, unless you go and talk with someone who's, you know, less technical and more spiritual. You also have privacy; privacy is a big driver for security today.

[00:14:10] You know, when you talk about data and privacy, you usually need to encrypt the database at rest, in transit, sometimes even in memory. And the big challenge with data, especially for a company that does big data, or data science in our case, is identifying the entire data. We have approximately 35,000 columns across our database. Have you ever tried to do a union between tables of that size, with those columns? It's almost impossible to do that. So,

[00:14:58] in order to do that you need to have the process in place, which is right, but you also must have the technology. And one of the things that we look at is a product that can actually connect to all of our data sources, and by data sources it is our SQLs, our NoSQLs, our

[00:15:19] storage, all kinds of storage: it can be Box, it can be Google Drive, S3 on Amazon. All of that must be mapped. It doesn't matter if you have configuration files on S3 or you have the entire database; you want to be diligent about what you do with regards to privacy.

[00:15:38] And you don't want to violate the law, because, you know, one day the authorities will come to you and you want to show that you actually did the right thing. With regards to products, there is no one product or one product category that fits everything; it's very difficult to classify that. So we need to decide where we want to put our money. One of the things,

[00:16:06] that's MFA, or multi-factor authentication: should I put multi-factor authentication on the engineering environment?
I don't know if I'll be able to show the return on investment of that, but if I put that on the production environment I'll definitely show the return on investment, which is very critical. With regards to engineering, you know,

[00:16:30] have you heard about the Equifax breach? How many of you have a social security number? OK so. So one of the biggest issues in application security is third-party code. Let's say you have your OpenSSL, older version, and it contains a vulnerability. You deploy that to production and it can be exploited; it's irrelevant whether you wrote secure code or not. The only thing that is relevant is whether this library is used by your code, and if it's used it can be exploited, in most cases. So

[00:17:11] those are the things that devs need to look at. But if you look at the maturity going forward, you'll need to see if you can add static code analysis, and I'm talking not about quality static code analysis that will show you if you freed the memory, but a security code analysis that can assist you to identify, like, injection flaws. With all of that said, nothing provides 100 percent, and this is a cliché but it's right; you just need to tweak the money towards the right product and the right domain, essentially. So given the background about the one-year technology overview, there are things that are must-haves no matter what. I already know to

[00:17:56] mention that: MFA. I personally saw that we blocked a lot of attacks. You know, your passwords can be compromised, regardless if it's your company laptop, your mobile device especially, and it can be just any channel where you use your credentials. So assume that credentials can be stolen. Me personally, everywhere where I can enable multi-factor authentication, my bank, my Gmail, my Facebook, Twitter, everything is MFA'd. So why shouldn't we put that as a policy for the company? So we did MFA for everything. You want to go to your Jira, you want to go to Confluence, it doesn't matter, you go to HR
systems, everything is MFA'd.

[00:18:55] And the thing that I saw is that when we see compromised credentials, and sometimes it happens, if someone tells you that it doesn't happen in this company he probably lies or he doesn't know about it, one of the two, so I'm happy that I know about it. And what I saw is that in our case, when we saw compromised credentials, we saw only the log for logging in to the account, but we did not see that someone could bypass the multi-factor authentication. So someone got the challenge, I did not accept it, and therefore no one could get in. The additional thing that I think I already mentioned is that it's very important to log stuff.

[00:19:43] And just to give you an additional highlight about that: logging the firewalls and all of the infrastructure, it's obvious, there are already practices about that. The part that is not fully documented, at least not fully, I'd say, known by default, is how do you log application logs. The justification from a non-security perspective is you'll just be able to support your customers, and the security justification is, yes, I'll definitely be able to identify

[00:20:17] security incidents. You must have the response capabilities as well, so you should know what to do in case of identifying the incident. It's not something that you build in one day, but at least when you have the right people that are diligent about fixing a problem and learning from that, you're there. The process is OK, but eventually the technology that provides all of that ecosystem is extremely important. Well, this is an interesting topic, denial of service. I'll ask you this way: how many of you think that denial of service is one of the biggest problems for startup companies? One. OK, I'll ask it differently: how many of you think that denial of service is not a big problem for startups? Nah, nah, OK.

[00:21:30] So, you know, when you talk about denial of service, you see that this is the number one factor,
or the number one attack over the Internet. Obviously there's a lot of traffic, and you can see the charts pretty much in every company that provides the analytics reports, the Verizons, the Symantecs, et

[00:21:52] cetera. But yet, when you think about it, for a startup company a denial of service solution is super expensive, and you need to justify such a solution, which obviously competes with other dollars. So the way that I explain denial of service to our management, I say, you know what, if we'll get a denial of service, that would be a good thing for our company; it means that we're so popular that someone wants to attack us. That said, of course we have some backup technologies to back it up.

[00:22:33] So denial of service is important, but not one of the most important things, as opposed to what is probably considered across the market. And the other thing is reputation. I'll give you a scenario. What happens if... first of all, how many of you heard about Google Safe Browsing? One or two, OK.

[00:22:56] So Google Safe Browsing is the project that identifies websites that were infected in some way. It can be malware that was infected on this website; the effect of this website can be something that violates the Google rules, can be too many redirections, can be just, you know, something that made the reputation go down from other sources. Let's say someone on VirusTotal, one of the

[00:23:27] dozens of engines on VirusTotal, identified your site as a threat, and Safe Browsing can actually identify that and block other users from accessing your website. So what happens if you're a startup company and no one can access your website? Well, do you think you're fired, or you're going to have a job? So this is one of the most important things

[00:23:53] to notice. Obviously think about how you can automate the process. In our case,
every 30 minutes we scan all of those reputation channels to see if there is any impact across the channels, if there's anything that can prevent users from accessing our websites or make them feel unsafe. This is a thing that I'm trying to do for a while. I hate patching; there were always mistakes with patching. I hate it.

[00:24:33] So the solution to bypass all of this patching is to develop an immutable system. Anyone heard about containers? Very few. Docker? OK. So a container, it's essentially a... I'll simplify that in Linux commands: it's a chroot command, a very sophisticated chroot command that creates processes and they look like operating systems. So when you run your systems with containers, you can run a lot of microservices, or a lot of your other servers, however your infrastructure works. You can actually put every server, every Apache for instance, on a separate container, so when you tear that down you don't care about it, and when you spin it up it's automated.

[00:25:28] A good example for that is Netflix. They have a project called Chaos Monkey, and the project is awesome. What it does is randomly tear down machines on Amazon. So it can be in the middle of the night: one of the machines is torn down, and afterwards the infrastructure is responsible for automating and spinning up a new instance that looks exactly the same as the one that was torn down. Awesome project, you should definitely take a look at that. And by doing that, this is how you achieve the patching, because every time that you spin up a new instance it's already patched; you run that as part of the script, therefore you don't need to patch anymore. And this is one of the things that we are pursuing. The next thing is going to be simple, but you should definitely take a look at it: the next-next-next deployment. A lot of the problems are just next, next, next, next, and we'll just deploy with the default settings. When you get into a company that didn't have, you know, a security person, it's usually going to be a next-next-next, if not
going to a good position.

[00:26:43] The next thing is leveraging the tools that you already have in the company. We use Jira for everything: legal, security, engineering, everyone uses it for ticketing. In my case I was able to integrate our scanners and put our incident response process into everything with workflows, and, you know, we can talk about that offline if you'd like to get more information. But the cool thing is that now I have dashboards: I know how to measure security, I know how many vulnerabilities I have, I know how to determine how long it takes me to respond to an incident, and I know how effective it is. And obviously we have more things that we can measure, like, you know, the bounty stuff: we can see how much money we spent on that, how many people reported, etc.

[00:27:37] So this is a question for you. Assuming that you're a startup company, what would be easier for you? Or actually, let's ask it differently: who would be a better target for a security startup company? Let's say that you own a security startup company and you want to sell the product. Would you sell it to a startup company, well, an established startup company, or would you sell that to an enterprise? Who thinks the former option? Or here's actually the flip side: who thinks that selling to enterprise is the best thing to do as a startup company? Awesome. Who thinks that it's better to sell to a startup company? OK. Who is neutral? Who's not listening now?

[00:28:34] So there is no right or wrong in that case.
What I can tell is that I think that it's going to be better to sell to a startup company, but we can have debates about it. The key reason for that is because companies can have more mistakes: I can implement a solution that is not mature enough, but you know what, I'll save a lot of money, and this is very important for me. Plus startup companies are not that big to have big mistakes with security products. So if I get a security product and it's not mature enough, or I had certain mistakes with this product, I'm OK, because I can replace that; it's not in the figures, it's easy. So the lesson learned is: make sure that you focus on the people, process, and technology. There is no one or two things that are, you know, the most important things; you need to focus on everything. And keep in mind that, you know, we started with protecting the unicorn.

[00:29:40] So, you know, when you are announced to be a unicorn, you're on the news, people are looking at you, people see all of it, it's an amazing company, I want to come and work for this company. This is great messaging for most people; it's bad messaging for me, that unicorn, to the hackers, because they also see that you're a unicorn, and you know what they think? They think that you look like this. They think that this is an awesome target, because they're on the news, they have money, and I will get the money from them. But the real thing that you need to do is not to look like this, as a unicorn. The only thing you need to do is to look like this: you need to make sure that you communicate about security, you communicate about privacy, people know that you have the right technology, process, and people.

[00:30:44] And obviously come to talk at Georgia Tech. But obviously you also need to implement the technologies behind that, and make sure that the hackers will have an attention span when they try to get into your systems. Thank you. We have some time for questions, yeah. Any questions? Yeah.
[00:31:24] The question was, with regards to the bug bounty programs, where did I find the most critical vulnerabilities that I was looking for. The answer is that I didn't know what is the most critical vulnerability that I was looking for, because I didn't know what I didn't know. The people were rewarded in that program only if they reported something that I did not have any clue about. So I knew about the critical big stuff when I reviewed the risk assessment, but I also got a few interesting

[00:31:59] notifications that eventually rewarded people for juicy findings. The question is, what if someone externally reported that, what I mean, outside of the company. Yes, it was, and it's still, an internal bug bounty program, so it's for employees only for now. As we go forward with that, we're definitely going to expand that to something wider, but the quick wins is what you get with an internal program.

[00:32:43] Yes. Right. There's. A. Huge. Or... it's a good question, actually a good two questions. So the first question: you know, your students want to know what is more relevant for the industry. So I can tell you that I started my master's here in Georgia Tech, and I did the security courses; they were awesome.

[00:34:01] They prepared me for the industry, to some extent, yes. So I don't know what is your curriculum, but I know that the technical portion is extremely important if you are going to a technical role. Would that cover 50 percent, 20 percent, or 40 percent? I can't give you the right number, because it really depends what you're going to do. I'll give an example: if you're going to be a penetration tester, you don't need that; if you're a penetration tester, you're already a penetration tester, because you learn by yourself. But if you're going to do research, or, you know, data science, or develop the next UEBA solution, or anything related to user behavior and, based on that, to identify the malicious behaviors,
[00:34:53] OK, for that you definitely need some formal education that will bring you to the point that you can develop something innovative. So that's the reason why I don't know what would be the best thing; it depends on your visions, I guess. With regards to new technologies that we're looking at,

[00:35:13] you know, privacy is a big thing, so the data stuff and classification is extremely important for us, especially when you try to connect to multiple channels. And it's very important to understand that it's not all about regular expressions; sometimes you need to do your own images, sometimes you don't even have the permissions, how do you find that, or in some cases it must be related to a specific context. I'll give you an example.

[00:35:46] A social security number may look the same as a zip code; it's the same length. Who cares about it? So this is a big problem to solve. And in addition to that, in privacy there is something that I'm not sure there's a real term for, but I'm looking for some sort of a privacy vault, which means let's put all the privacy stuff in one place, one vault, something that is very secure, and then anything or any system that wants to get access to this privacy information will be allowed only based on the user's consent, like with GDPR for Europe, or, you know, CCPA that is coming now with California.

[00:36:35] With regards to synthetic identities, yes, there are products that we actually use to identify synthetic identities; it's part of our, you know, fraud detection mechanisms. So when we buy a product we kind of run that through a process where we need to see that we actually can utilize it; if we can't utilize it, or we don't have owners when we implement that, it won't go through. Makes sense. And there's some questions, yes.

[00:37:17] So. Yeah, so it's a good question. So what is the big concern from external attackers?
So I would classify that as a three-way path, and then we'll go to the products. The path of a hacker is getting from the outside to the company; then when you get to something internally, this is the second step, that you can actually find something or find what you're looking for; and then the third step is exfiltrating the data, right, which is again getting out of the company. So the vectors that we need to look at, or actually are actively looking at, is obviously application security, it's a big thing for us. Third-party libraries, yes, it's important and it's something that is ongoing, and there's only a few vendors that can do that. But educating the engineering teams with some code practices, either statically or dynamically, it's a big thing.

[00:38:25] Additionally, when you look at CI/CD, the process in general, you will see that web application firewalls become less relevant, so we're looking at something called runtime application self-protection, RASP. This is something that you deploy on the servers; I think about it as like a debug port, or you deploy that as a listener: you can hook the Java calls,

[00:38:55] and that's the thing that will identify if something can be exploited, based on models that they built; it's not like signature-based or something like that. So this is one of the things. We have other problems that we definitely want to address. Like, have you heard about the recent

[00:39:15] JavaScript attack? There is an attack that allows hackers to rewrite the DOM by injecting a script. It's a problem, it's a kind of big problem right now. It can be, you know, replacing your jQuery, it can be that bad. So we're looking into that as well; it's part of the third-party products evaluation, but we're still not sure how to categorize that, as it can be a client-side attack that eventually puts some malware on your browser, or even scrapes your credit cards or scrapes other sensitive data.

[00:39:54] Yes. You're. Very. Very. Curious whether. Here OK.
So the question is how I measure security and who's involved from a management perspective on security views. So the KPIs are created as part of the KPIs of the CTO. This is actually something that we're going through these days, and the CTO gets his KPIs from the company's strategy. So at the end of the day, when I'm creating my KPIs, they are based on his goals. So his objectives become my tactics, and then my tactics become the objectives, well, my tactics become objectives, and that eventually translates to tactics for my team members. And that makes sense from the management standpoint. Well, this is how I got the budget: I had to present that to the co-founders of the company and explain the risks.

[00:41:21] You know, keep in mind that every time that you present a budget, it should be like what you need, or what is the minimum that you need. So I just built three packages, good, better, best, and said hey guys, this is the money; I can play with the amounts, I can play with what I can execute. So tell me how much money you want to spend; these are the risks, and it's all a matter of your risk appetite. And this is how we got this security program going. With regards to my role, my understanding is that it was one of the major concerns for our CEO, and you know how this role was opened, but maybe it was better than me, so I don't know.

[00:42:05] Any additional questions? Yes. It's a good question: do I need to follow all those recent attacks, or all the new CVEs,
and see if it applies to my systems? So you raised an interesting topic, because there is a big hype right now for startups in that area. It's like governance, risk and compliance products that started to evolve. Yes, they manage compliance, that's definitely there, but the portion that you mentioned, it's the threat intelligence that is integrated into those products, that eventually gives you the information about what are the new zero-days versus what is your infrastructure.

[00:43:03] Am I looking into this? I am subscribed to something a bit different. I don't have a GRC product like that yet, but I'm looking into FS-ISAC alerts, for instance, which is more relevant to financial services, but they have quite a lot of alerts. Any additional questions? Just...

[00:43:38] Well. You know. It's a good question. So what do we do about incident response and tabletop exercises? So from an incident response perspective, we have the process, we have a few examples that we had in our mind. Is it perfect? No. Will it ever be perfect? Probably not. But at least we know who the stakeholders are and who should call whom, and we have the phone numbers and the relationships. For instance, we have a relationship with the authorities here, to make sure that if something happens we are able to get this company... Similarly, if we need to do any

[00:44:30] forensics investigation, we also have this relationship. So we already built an ecosystem on the process. And the other portion of your question is tabletop exercises. So we had our last tabletop exercise at the beginning of December, and it was very successful, because we invited people that we didn't know if they will get anything out of it,
[00:44:57] and we ended up with understanding that they are a major player in crisis management. So if you think about incident response, it's one thing that you have, like, a small group that plays there; but if you think about crisis management, that is something that, just, you know, think about, like, so many... right, there is no service, but actually, you know, the other thing happened: they got to the data. This is a crisis. And in a crisis case, this is one of the things that we didn't have in our mind: these guys from customer support, they're extremely important in the process. It's not that we're going to give them the messages that legal and marketing will come up with and say, hey, here's your message.

[00:45:38] We need to explain what happens. It needs to be constant, but they need to know that there is a process for them, they need to know that there is a place they need to go to and communicate the message. So these are the small things that you can identify doing the tabletop exercise.

[00:45:56] I think it was very beneficial, and we'll definitely do that at least once a year. It's a huge footprint, crisis, yes. Any additional questions? Yes. Yeah, so the question is what about the employees, what do we do about them. So, from the procedural, I would say from the people perspective, people management,

[00:46:38] you know, the biggest problem is phishing, and I think I explained how phishing works and how do we, you know, educate people about phishing. But we do also, you know, we have the DLP, we have the products that should prevent exfiltration, theoretically, because the DLP does not really prevent exfiltration.

[00:46:59] But the products that we put around the employees are relatively narrow compared to what we put in production and in corporate IT. So do we have segmentation? Yes. Do we have two-factor on it? Yes. Is that the right solution? I don't know.
I mean, if you are aiming towards UEBA solutions, it's kind of tricky, because it's very difficult to get to a success with such a category.

[00:48:11] Or... there are things that are people's issues that are very difficult to solve; this is one of them. I don't have a good answer for that, and to be honest I don't think I'll have a good answer for that, you know, in the next year or two, I don't know.

[00:48:41] What... So what you describe sounds more like, you may be a product... what you describe sounds more like UEBA, user and entity behavior analytics. This is an entire domain of products that should address such problems; from my experience, it's not there yet. You know, everyone can have their way around it. Any additional questions? OK, thank you. Thank you.