BUILDING AN EFFECTIVE SECURITY TEAM IN 2016
SECURITY
WHO AM I?
▸ I am Mike Mackintosh
▸ On Twitter: @mikemackintosh
▸ On GitHub: @mikemackintosh
▸ I was a Principal Engineer, VZW - Infrastructure Security
▸ I ran Security at Shutterstock
▸ I currently run Security at Signal Sciences
OBJECTIVE: SHOW THE VALUE IN BUILDING A SMART, INTEGRATED AND BUSINESS-MINDED SECURITY TEAM
WHAT GOES INTO MAINTAINING A SECURITY ORG?
▸ A lot.
▸ Advocating for better security practices to protect the end-user/consumer
▸ Advocating for better security practices to protect the company
▸ Supporting the internal organization’s infrastructure and applications
▸ Providing tools and knowledge to employees to help support security-driven development
▸ Making sure the company doesn’t get hacked isn’t a goal, it’s a byproduct
ARE YOU THINKING TO YOURSELF “WE DON’T HAVE A BIG SECURITY TEAM”
▸ Actually, you probably don’t have a security team at all…
▸ Or at least not an effective team
GREAT NEWS!
▸ You don’t need a traditional siloed security team working on secret projects that no one else in the company knows about.
▸ You need to make security more visible
▸ If integrating services into your web app makes them better, integrating security teams with other business units can do the same
ULTIMATE SECTEAM LIFE-HACK
▸ Hire security-focused people with skills in different business units, and attach them to those units.
▸ Don’t look at me sideways, look at me with batted eyelids
NO MORE OF THIS
▸ The following used to run directly under Director/VP of Security/CISO
▸ Application Security Engineers
▸ Security Operations Engineers
▸ Risk Assessment Engineers
▸ Information Security Engineers
BUT THAT’S A BIG SECURITY TEAM
▸ You’re right. And sometimes, especially in smaller businesses, there’s not a CONSTANT need for a ________ security engineer.
▸ That’s actually O.K.
▸ Instead, hire the same number of security engineers, but have them benefit the business in other ways too.
WHY WOULD THIS WORK?
BECAUSE THEY CAN NOW HAVE KICKASS TEAM NAMES AND LOGOS. SERIOUSLY, IT CREATES A SENSE OF PRIDE AND A “FREE” SOURCE OF MOTIVATION.
WHERE DO THE SECURITY-RELATED RESPONSIBILITIES LIVE?
▸ Product Security - Made up of the existing sales, frontend, and application engineers who work on customer features and also fix security issues. Security responsibilities include:
  ▸ AppSec
  ▸ Brand Integrity
  ▸ Bug Bounties
▸ Corporate Security - Infrastructure and Information Security engineers responsible for security at the device/node level, which covers many responsibilities of Ops and traditional IT teams:
  ▸ Infrastructure Hardening (opsy-style things)
  ▸ Endpoint Defense (endpoints, firewalls, etc.)
  ▸ Automation
  ▸ Training
WHAT DO THE SECURITY OUTFITS BECOME?
▸ Security Planning - Planning is made up of security risk assessors and/or analysts and fits perfectly with a team under the CFO or Legal. These people are responsible for identifying and protecting against literal financial attacks.
▸ Security Tooling - Security tooling is one of a company’s most valuable assets: it increases productivity across the company while creating the toolsets that both security and non-security personnel need to do their jobs.
COMPLIANCE IS NOT A SECURITY PROBLEM
▸ Compliance != Security
▸ Sometimes being compliant makes things more secure
▸ Sometimes being more secure makes things compliant
▸ Validating the integrity of scan results is a reasonable job for a security team, but the security team should not be making or implementing all the changes needed to enforce compliance
▸ Security leadership should be an enabler, not a doer.
WHY SHOULD THEY REPORT WITHIN THE BUSINESS ORG TREE?
▸ Security is not a joke. Companies tank, and people lose their jobs, because people don’t take security seriously.
▸ Having security leadership in any team is important, and that leadership is best prepared and equipped for handling both technical and personal incidents.
▸ Engineering, ops, and other leadership have historically been interested in keeping up with product demands, regardless of security concerns.
▸ Security must adapt to a company’s move toward a more cross-functional culture, and begin embedding with other parts of the org
HOW WOULD THIS HELP?
▸ Because security teams using sprints are the worst… They’re just the worst…
▸ An engineering team using sprints is pretty effective.
▸ An engineering team that has a dedicated security engineer working within a sprint, while ensuring the product doesn’t outpace its security posture, is the most effective use of the company’s time and money.
▸ Turn bug fixes and incident response into learning experiences for the devs, ops and sales.
▸ It’s better than patching fixes after massive amounts of public embarrassment.
I STILL DON’T GET IT
▸ You have to hire engineers to work on your product, and you have to hire people in sales as well as operations.
▸ Have one person from each of those teams report to your security team lead.
▸ This planted security engineer can help deliver company-wide goals with the product or internal milestones while supporting that smaller team’s security requirements.
WHAT YOUR FLOW LOOKS LIKE RIGHT NOW (IF YOU HAVE ONE) LOL
WHAT YOUR FLOW WILL LOOK LIKE (IF YOU LISTEN TO ME)
WHY WOULD I DO THIS?
▸ Your attackers are motivated by success.
▸ Your employees are motivated by success.
SUCCESS CAN BE…
Financial: bug bounty payout, raise, bonus, promotion, selling stolen goods on the `dark` web
SUCCESS CAN BE…
Recognition: bug bounty attribution, peer recognition (giving `props`)
SUCCESS CAN BE…
Thrill and Knowledge: learning something new, solving an `impossible` challenge
EMPLOYEES ARE MOTIVATED
▸ If you are in a leadership position, find your motivated employees.
▸ If you are motivated, find your manager.
▸ Inspiration + Motivation = Success
MOTIVATE YOUR EMPLOYEES WITH SUCCESS TO PREVENT A SUCCESSFUL ATTACKER
YOU JUST TRIPLED YOUR SECURITY COVERAGE BY NOT HIRING ANYONE
▸ All you needed to do was a simple reorg.
▸ Tasks need to be completed. People need to complete them.
▸ Have a security SME for that area work with the team to deliver on company goals and disseminate their security knowledge, while giving them someone who advocates for them.
▸ They won’t always be understood by traditional managers.
▸ Having security leadership support them creates a successful, secure environment.
AND GIVE OUT T-SHIRTS
People. Love. Swag.