DEFEND THE DEFENDERS MANAGING AND PARTICIPATING IN EXCELLENT

DEFEND THE DEFENDERS MANAGING AND PARTICIPATING IN EXCELLENT TEAMS SETH HANFORD, PROOFPOINT RVASEC 6 JUNE 8 -9, 2017

SOLVING PROBLEMS W/ LIMITED RESOURCES COMBATTING HUMAN (BUDGET, PEOPLE, PROCESS, TECH) ADVERSARIES ATTRACT AND RETAIN THE PEOPLE YOU NEED DEFEND THE DEFENDERS

$ whoami @Seth. Hanford • CURRENT: • STAFF INFORMATION SECURITY ENGINEER, PROOFPOINT (BLUE TEAM, PSIRT, ETC) • FORMER: • SR. LEAD MANAGER, DETECTION &RESPONSE (F 100 FINANCIAL; LOCAL &DISTRIBUTED TEAM) • MANAGER, THREAT RESEARCH TEAM (F 100 TECH; GLOBAL TEAM) • PSIRT INCIDENT MANAGER (F 100 TECH; GLOBAL TEAM) • OSINT HIPSTER (STARTUP / F 100 TECH; LOCAL TEAM) • OTHER: • ~11 YEARSFULL-TIME TELEWORKER

$ whoami guest • INDIVIDUALS • DEFENDERS OF ALL TYPES (OR THOSE ASPIRING TO BE): DETECTION, RESPONSE, THREAT INTELLIGENCE, TOOLS AND OTHER SECURITY OPERATIONS • ASPIRING LEADERS (COACHES / MENTORS / INFLUENCERS, NOT NECESSARILY MANAGERS) • LONGING TO FIND THAT “AWESOME GIG”, FEARING THE “GRASS IS ALWAYS GREENER” • BURNED OUT BY A PAST SECURITY GIG, DIDN’T FEEL THE COMPANY HAD YOUR BACK • MANAGERS • BUILDING A NEW PROGRAM, OR SIGNIFICANTLY EXPANDING / REBUILDING ONE • STRUGGLING TO GET THE “PEOPLE PART” RIGHT WITH VARIOUS INTERNAL PRESSURES (BUDGET, VISION, DIRECTION, SKILL SETS, ORGANIZATIONAL CHALLENGES) • FEELING LIKE THE TEAM IS GREAT, NOT SURE HOW IT GOT HERE AND/OR HOW TO KEEP IT HERE • FEELING LIKE THE TEAM IS AT RISK, WORRIED ITS MEMBERS ARE GETTING CLOSE TO BURNING OUT

WHAT THIS IS, AND WHAT IT ISN’T • IS SELF- AND TEAM-CARE, NOT PROFESSIONAL MENTAL HEALTH ADVICE OR COUNSELING • IS ENCOURAGING GROWTH & CHALLENGENOT ADVOCATING STAYING IN TOXICITY • IS MAKING NON-TECH SUBJECTS ACCESSIBLENOT ENCOURAGING RIGID MODELING • IS ANECDOTE AND MENTAL MODELSNOT NET-NEW SOCIAL SCIENCE OR RESEARCH

THREAT CHALLENGE MODELING BECAUSE WORDS MATTER

WITH APOLOGIES TO SECURITY ARCHITECTS • THE APPROACH: • IDENTIFY ASSETS • CREATE AN ARCHITECTURE OVERVIEW (TEAM &ORG) • DECOMPOSE THE APPLICATION (GOALS/PROCESSES) • IDENTIFY THE CHALLENGES • DOCUMENT THE CHALLENGES • RATE THE CHALLENGES

ASSETS TEAM PERSONALITIES, DRIVE, MOTIVE; IMPACT & AFFECT; SKILLS PARTNERS CISO, AUDITORS, RED TEAM, TECH TEAMS, BUSINESS-AREA PARTNERS INVENTORY SYSTEMS, APPLICATIONS, TOOLS, SUBSCRIPTIONS, DATA SOURCES INFLUENCE POLITICAL OR SOCIAL CAPITAL; TRUST. BUSINESS ALIGNMENT FINANCIAL BUDGET, HEADCOUNT, OPEN REQUISITIONS

ARCHITECTURE OVERVIEW – EXAMPLE Security TEAM/ORG Security Operations Internal Partners Organization External Partners Event Detection Security Engineering Vulnerability Remediation Application Security Incident Response Threat Intelligence & Communications Corporate Communications Security Awareness & Communications Governance, Risk and Compliance Security Tools Development

DECOMPOSE THE TEAM - GOALS & PROCESSES • MISSION &VISION, TEAM CHARTERS • EXPLICIT &IMPLICIT RESPONSIBILITIES • PROCESS &PROCEDURE • CONSIDER ALSO TIME-BASED CHALLENGES – WHERE YOU ARE VS WHERE YOU WANT TO GO

MISSION & CHARTERS - EXAMPLE MISSION EVENT DETECTION PROTECTING THE INFORMATION RESOURCES OF $COMPANY BY MONITORING FOR INFORMATION CONTINUOUSLY IMPROVING OUR ABILITY TO SECURITY INCIDENTS AND RESPONDING TO CONTAIN, ERADICATE, AND RECOVER FROM THEM. PROMPTLY AND EFFECTIVELY TRIAGE AND DISPOSITION THE SECURITY EVENTS THAT THREATEN OUR ORGANIZATION. INCIDENT RESPONSE DEDICATED TO CONSISTENT AND REPEATABLE INVESTIGATION, CRISIS MANAGEMENT, AND CONTAINMENT / ERADICATION / RECOVERY OF INFORMATION SECURITY INCIDENTS.

IDENTIFY AND DOCUMENT CHALLENGES: SOURCES INTERNAL PARTNER EXTERNAL ORIGINATING WITHIN ORIGINATING IN THE ORIGINATING FROM LARGER SECURITY OUTSIDE YOUR ORGANIZATION, THE COMPANY, OR WORKING COMPANY, OR OTHERWISE TANGENTIAL WITH YOU TOWARD YOUR MISSION TO ACCOMPLISHING YOUR MISSION THE TEAM YOU ARE ON (YOUR PEERS, DIRECT MANAGER, AND ANY OF YOUR REPORTS), UNDER YOUR CONTROL TO ACCOMPLISH YOUR MISSION

IDENTIFY AND DOCUMENT CHALLENGES: TYPES SOCIAL PERSONALITIES, INTERACTIONS, TEMPERAMENTS, ORG POLITICS CRISIS UNSTABLE, CRUCIAL SITUATIONS FINANCIAL ERROR / MISUSE BUDGETS, PAY, SKILLS, CAPABILITIES, AND THE (UN)INTENTIONALTRAINING, OPEX / CAPEX DAMAGE FROM THEM RESPONSIBILITIES IMPACTS FROM DOING ASSIGNED WORK (TIME, MONEY, MENTAL HARM) PHYSICAL / ENVIRONMENTAL HEALTH, WORKPLACE CONDITIONS, VIOLENCE OR PHYSICAL DANGER

IDENTIFY AND DOCUMENT CHALLENGES: EXAMPLES TITLE: EXTERNAL PENTEST REPORTS FOCUSED ON NICHE SHORTCOMINGS SOURCE: EXTERNAL, PARTNER TYPE: SOCIAL, RESPONSIBILITIES SEVERITY: MEDIUM IMPACTED ASSET, GOAL, OR PROCESS: INFLUENCE, TEAM REPEATED REPORTS FROM $PENTEST-COMPANY HAVE IDENTIFIED SEVERAL SHORTCOMINGS IN OUR SECURITY POSTURE. THESE ARE VALID AND KNOWN, BUT ARE LOWER PRIORITY ON OUR LIST THAN THE KEY DEFICIENCIES THAT WE HAVE BEEN TRYING TO ADDRESS. SEVERAL OF THE BASIC ITEMS WE’RE TRYING TO ADDRESS WOULD ALSO COVER SOME ASPECTS OF THE IDENTIFIED FLAWS.

CHALLENGE MITIGATIONS WHEREIN WE DEFEND THE DEFENDERS

COMBATTING CHALLENGE TYPES: SOCIAL • GOOGLE – AFTER YEARS OF ANALYSIS, KEY TO TEAMWORK IS BEING NICE • RESPECT OTHERS’ EMOTIONS • ALLOW OTHERS TO CONTRIBUTE TO CONVERSATION EQUALLY • HTTPS: //QZ. COM/625870/AFTER-YEARS-OF-INTENSIVE-ANALYSIS-GOOGLE-DISCOVERS-THE-KEY-TO-GOODTEAMWORK-IS-BEING-NICE/ • FOSTER BUSINESS & SOCIAL COMMUNICATION, PARTICULARLY REMOTELYC( HAT ROOMS) • • BEST • HOUSE RULES – DISRESPECT ISN’T WELCOME HERE $1500 I’VE SPENT: TEPPANYAKI & BOWLING; MINOR LEAGUE BALL IN THE QUEEN CITY FOCUS ON THE TEAM: INTERACTIVE & FUN EVENTS THAT FEEL REWARDING, NOT MANDATORY • INVESTMENT DURING PLENTY WILL REAP REWARDS DURING DIFFICULTY

COMBATTING CHALLENGE TYPES: ERROR / MISUSE • HIRE FOR POTENTIAL, BUT FOSTER & EXPECT GROWTH • “EXPERTS CAN’T DOCUMENT THEIR ART” AND OTHER FALLACIES • PROCEDURES &CHECKLISTS SAVE LIVES • CONSISTENCY &REPEATABILITY • CAPABILITY MATURITY MODEL-> AUTOMATE THE BORING STUFF • LEARN, TRAIN, DOCUMENT. IF ABSOLUTELY NECESSARY USE BUDGET

COMBATTING CHALLENGE TYPES: FINANCIAL • UNDERSTAND YOUR BUSINESS AND ITS BUDGET PROCESS • WHEN OPEX ISN’T AROUND, LEARN HOW TO USE CAPEX • BUY THE RIGHT THINGS, BUILD THE RIGHT THINGS • KEEP A RUNNING LIST OF NEEDS, WANTS, JUSTIFICATIONS AND QUOTES • ALIGN TO YOUR MISSION / CHARTER • FIGHT FOR BONUSES, REVIEWS, PAY. BE HONEST & FAIR, BUT ADVOCATE FOR YOUR PEOPLE • METRICS, RESULTS, CHALLENGES

COMBATTING CHALLENGE TYPES: CRISIS • L. E. A. D. : LIMIT, EVALUATE, ACT, DEPART • EMERGENCY VS ADAPTIVE CRISIS PHASES (HBR – LEADERSHIP IN A PERMANENT CRISIS) • PROCEDURE WINS EMERGENCIES, BUT RIGIDITY STIFLES ADAPTATION • HTTP: //COMMUNICATION-LEADERSHIP-CHANGE. COM/FILES/119516674. PDF • LEAD BY SERVICE, RESERVE AUTHORITY FOR CRISIS • HTTPS: //TWITTER. COM/SARAHMEI/STATUS/832662375073329152 • AFTER-ACTION REVIEW

COMBATTING CHALLENGE TYPES: RESPONSIBILITIES • MISSION &CHARTER – CORE VS CONTEXT • PUSH BACK ON THINGS THAT YOU CAN, AUTOMATE THINGS YOU CAN’T • WORK WITH THE BUSINESS /HR ON HARMFUL ENVIRONMENTS • (PORN, INSIDER INVESTIGATIONS, EMPLOYEE MISCONDUCT) • SHARE THE LOAD, CROSS-TRAIN, TAKE INPUT ON PROCESS IMPROVEMENT

COMBATTING CHALLENGE TYPES: PHYSICAL / ENVIRONMENTAL • CO-WORKERS GIVE YOU A LARGE PART OF THEIR LIFETIME; STEWARD IT WELL • FAMILY, ILLNESS, OTHER CONCERNS ARE VITALLY IMPORTANT • VACATIONS, TIME-OFF, FLEXIBLE WORKING ENVIRONMENTS • DON’T OVERLOOK PHYSICAL COMFORT IN THE WORKING ENVIRONMENT. HARSH CONDITIONS CREATE REAL STRESS • OBVIOUSLY THOSE IN DANGEROUS / COMBAT ENVIRONMENTS KNOW THIS WELL

PROBLEM SOLVING WITH LIMITED RESOURCES: PEOPLE, PROCESS, TECH • PEOPLE > PROCESS > TECHNOLOGY • GETTING TO YES: NEGOTIATING AGREEMENT WITHOUT GIVING IN –FISHER &URY • LISTEN TO YOUR TEAM, TAKE TIME TO PRIORITIZE NOT ONLY THE PAIN POINTS BUT THE THINGS THAT ARE LOW EFFORT / HIGH GAIN

ATTRACT & RETAIN THE PEOPLE YOU NEED • CAN YOU COMPETE IN YOUR METRO AREA(S)? HIRE REMOTE WORKERS, LEVERAGELCOL • BE SOMEONE YOUR TEAM CAN TRUST; PEOPLE WILL GO THROUGH A LOT IF THEY’RE SUPPORTED • DIVERSITY – GENDER, SOCIAL, RACIAL, SKILLSET, ETC. – TEAMS ARE BETTER WHEN EVERYONE HAS A VOICE, TEAMS WITH MORE PERSPECTIVES CAN HANDLE MORE THINGS • BE A FIREWALL, BE AN ADVOCATE • APOLLO 13, KEN MATTINGLY

COMBATTING HUMAN ADVERSARIES • UNDERSTAND THAT SOME OF YOUR PRESSURES ARE NOT BAD LUCK, THEY’RE ORCHESTRATED TO SET YOU OFF BALANCE • BALANCE OPERATIONAL SECURITY AGAINST REAL RISKS; DON’T LET OVER-PARANOIA BECOME ITS OWN RISK • WORK WITH YOUR PARTNERS (EXEC. ADMINS, SYSADMINS, FINANCE FOLKS) AND HELP THEM HAVE REASONABLE SAFEGUARDS

THANK YOU! @SETHHANFORD

IDENTIFY AND DOCUMENT CHALLENGES: EXAMPLES TITLE: FRICTION WITH DIFFICULT TEAM MEMBER SOURCE: INTERNAL TYPE: SOCIAL SEVERITY: MEDIUM IMPACTED ASSET, GOAL, OR PROCESS: TEAM; INCIDENT RESPONSE PROCESSES SEVERAL TEAM MEMBERS HAVE NOTED THAT $EMPLOYEE IS VERY DIFFICULT TO DEAL WITH IN STRESSFUL SITUATIONS. $EMPLOYEE OFTEN BECOMES RECLUSIVE / SECLUDED AND COMBATIVE ABOUT SHARING KNOWLEDGE AND TECHNIQUES RELATED TO THEIR UNIQUE SKILL SET

IDENTIFY AND DOCUMENT CHALLENGES: EXAMPLES TITLE: BETTER DATASETS NEEDED SOURCE: PARTNER, INTERNAL TYPE: FINANCIAL IMPACTED ASSET, GOAL, OR PROCESS: TEAM; INVENTORY SEVERITY: HIGH EXISTING TOOLS AND DATASETS ARE NOT SUITED TO THE DETECTION & RESPONSE NEEDS OF THE TEAM HAS IDENTIFIED NETFLOW, PASSIVE DNS, AND HOST-BASED ENDPOINT LOGGING AS THE THREE PRIMARY GOALS, BUT CENTRAL COLLECTION OF THESE LARGE DATASETS IS NOT WITHIN BUDGET. IT WILL COST $XXX TO PUT IN PLACE THE PRIMARY IDENTIFIED NEED: CENTRALIZED ENDPOINT LOGGING. ($ YYY FORNETFLOW (#2) AND Z $ZZ FOR PDNS (#3))