Lean Security
2. @chicagoben | @obsidiansec
Abstract
We have a lot to do on the cybersecurity side, and we are almost always lacking people, or budget, or both. Can we take lessons and approaches from entrepreneurship to apply to our cybersecurity programs? Can we do more with what we have, or for each addition can we make sure it has a large impact?
We’ll explore some entrepreneurship principles and then dive into some ways to improve security without large increases in headcount or budget.
4. Ben Johnson
Co-Founder and CTO, Obsidian Security
Co-founder and former CTO of Carbon Black, built the first EDR product.
Previously, NSA CNO and AI Lab.
1st Technical Advisor to US FISA Court (Department of Justice)
[Timeline figure, 2000 to 2017: Career, Board Seats, Background Check, Entrepreneurship Professor]
9. @chicagoben | @obsidiansec
Even the Cloud is Leaky
Booz Allen
OneLogin
The RNC
Verizon
Accenture
Dow Jones
Viacom
Deloitte
Sweden
California
10. @chicagoben | @obsidiansec
Variety of adversaries
Cybercriminals
• Broad-based and targeted
• Financially motivated
• Getting more sophisticated
Hacktivists
• Targeted and destructive
• Unpredictable motivations
• Generally less sophisticated
Nation-States
• Targeted and multi-stage
• Motivated by data collection
• Highly sophisticated with endless resources
Insiders
• Targeted and destructive
• Unpredictable motivations
• Sophistication varies
11. @chicagoben | @obsidiansec
Many challenges
Skills Gap + Deploy-and-Decay + Huge Data (more than big) + Attacker Successes = LACK OF CYBER SELF-ESTEEM
12. @chicagoben | @obsidiansec
Can security be formulaic?
What’s the formula for being secure?
X FTE * Y tooling + Z buy-in ?= Secure
16. @chicagoben | @obsidiansec
Lean Manufacturing
• Developed by Toyota 70s/80s, perhaps 30s!
• Systematic, holistic identification of waste
• Improves the flow / smoothness of work
• Just-In-Time and Autonomation (smart automation)
• Identify features, process, inputs that create customer value; everything else is waste
17. @chicagoben | @obsidiansec
Lean Manufacturing
Eight types of waste require monitoring:
1. Overproduction – Is supply way higher than demand?
2. Waiting – Lag time between production steps
3. Inventory (work in progress) – Are supply levels and work-in-progress inventories too high?
4. Transportation – Do you move materials efficiently?
5. Over-processing – Do you work on the product too many times?
6. Motion – Do people and things move between tasks efficiently?
7. Defects – How much time do you spend finding, fixing mistakes?
8. Workforce – Do you use workers efficiently?
Waste: anything that doesn't add value to the end product
18. @chicagoben | @obsidiansec
Essentialism?
“It is about making the wisest possible investment of your time and energy in order to operate at our highest point of contribution by doing only what is essential.”
– Greg McKeown, Author of Essentialism
19. @chicagoben | @obsidiansec
Lean Startup Methodology
“The Lean Startup method teaches you how to drive a startup - how to steer, when to turn, and when to persevere - and grow a business with maximum acceleration.”
- Eric Ries
Lean methodology:
• Gets products and services in the hands of customers faster.
• Reduces uncertainty (and waste)!
20. @chicagoben | @obsidiansec
Entrepreneurs are Everywhere
Think Big.
Start Small.
Scale Fast.
"The day before something is a breakthrough, it's a crazy idea."
- Peter Diamandis
21. @chicagoben | @obsidiansec
Validated Learning
Create hypothesis.
Run Experiment.
Analyze Results.
Repeat.
How quickly can you learn?
“Are you learning in gulps or sips?”
- Apollo Astronauts
It’s all about product-market fit!
22. @chicagoben | @obsidiansec
Build. Measure. Learn
Learn Faster
Measure Faster
Build Faster
[Diagram from The Lean Startup: the Build-Measure-Learn loop (Ideas → Build → Code → Measure → Data → Learn), annotated with the techniques used at each stage]
Techniques listed around the loop (some appear at more than one stage): Unit Tests, Customer interviews, Customer development, Five whys root cause analysis, Customer advisory board, Justifiable hypothesis, Product owner accountability, Custom archetypes, Cross-functional team, Smoke tests, Split tests, Clear product owner, Continuous development, Usability Tests, Real-time monitoring, Customer Liaison, Funnel analysis, Cohort analysis, Net promoter score, Search engine marketing, Real-time alerting, Predictive monitoring, Continuous integration, Incremental deployment, Free & open-source components, Cloud computing, Cluster immune system, Just-in-time scalability, Refactoring, Developer sandbox
23. @chicagoben | @obsidiansec
Wait … OODA LOOPS!
“Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent is caught responding to situations that have already changed.”
- Colonel John Boyd, 1966
Observe.
Orient.
Decide.
Act.
24. @chicagoben | @obsidiansec
Minimum Viable Product.
What’s the MVP you think is necessary?
Minimum viable product: The skinniest version of a product that still functions.
• sufficient functionality to attract initial users/customers
• promises enough future benefit to keep early adopters
• designed with a feedback loop to guide new features
29. Develop Your National Guard
1000 vs 10 (100:1)
If 1000 employees are adding risk, why are only 10 security members mitigating it?
• Enable employees to provide granular feedback and take responsibility
• Show users their impact and ask questions of those who have context
• How can the 99% help?
30. @chicagoben | @obsidiansec
Right-Size the Surface Area
[Chart: DORMANT ACCOUNTS, with values of 238 days, 181 days, 87 days, 79 days, 22 days, 17 days, 9 days and 8 days; COMPLEX POLICIES? shown as 20758 lines]
31. @chicagoben | @obsidiansec
Understand Your Problems
Who is this for?
What is this for?
Painkillers vs Vitamins (vs Candy)
What is your pain point?
“If I had an hour to solve a problem I'd spend 55 minutes thinking about the problem and 5 minutes thinking about solutions.”
- Albert Einstein
35. @chicagoben | @obsidiansec
Accelerating Processes
Move quickly with feedback loops and validated learning.
[Flow diagram: Start → Triage or Hunting → Successful discovery, or Fail fast]
36. @chicagoben | @obsidiansec
Filling Automation Gaps
Hunting: because there’s always a gap between automated threat detection and the universe of threats.
[Diagram: the Universe of threats, with Automated threat detection processes covering only part of it]
37. @chicagoben | @obsidiansec
You Have to Sell!
Can you sell your organization on new spending?
Can you sell your organization on freeing up time to hunt?
Can you sell the culture on spending time to help with hunting?
[Cartoon exchange between Ben and People: “What are you selling?” / “We aren’t selling anything.” / “You’re always selling!”]
39. @chicagoben | @obsidiansec
Dormant Accounts?
Aside from risk, cost savings could be huge!
At left, a relatively small company (600 employees) could save over $300k / year by right-sizing 3 services!
40. @chicagoben | @obsidiansec
Beware of the Cloud
“IT is going from 0 to 100 in the cloud and leaving us in the dust”
- CISO, Financial Tech Company
“We’re blind to all these new SaaS accounts”
- Director, Cyber Intelligence, Top Athletics Brand
“We have 300 AWS accounts and no governance”
- Public Tech Company
“Hackers don’t break in, they login.” - CISO, Cisco
“50% of our IR Engagements are Office 365.”
- Principal IR, Rapid7
42. @chicagoben | @obsidiansec
Approach
• Mitigate weaknesses of user population
• Amplify strengths of Security and IT
• Leverage elastic and surge capacity
• Stitch together tools, datasets, and capabilities
• Reduce waste and entropy
43. @chicagoben | @obsidiansec
Playbook 1 of 3
1. Start with a password manager (e.g. Dashlane)
2. Enable MFA everywhere (bad guys find the gaps)
3. Encourage updated smart devices (iPhones)
4. Standardize on Chrome & Firefox
5. Disable Flash & Java; enable Ad-Blockers
6. DNS Sinkhole (Pi-Hole) or Domain whitelisting (top 10,000)
7. Built-in OS encryption (FileVault, etc.); Remote-wipe?
8. Provide free security training (Cybrary, Youtube, etc…)
44. @chicagoben | @obsidiansec
Playbook 2 of 3
1. Train developers (Hacksplaining)
2. Static and Dynamic analysis on code commit (Gitlab)
3. Give DevOps engineers a multi-week rotation in security
4. Enable built-in cloud monitoring and controls
5. Automate provisioning or deprovisioning (use-it-or-lose-it)
6. Play the numbers: Macbook Pros & iPads
7. Separate Admin accounts (or just-in-time privileges)
8. Send alerts to Slack
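As an added illustration of item 5 (use-it-or-lose-it deprovisioning) and of the dormant-account savings argument made later in the deck, not code from the talk: a small Python review that classifies accounts by idle time, totals the license cost recoverable from dormant seats, and shapes a Slack-style summary (item 8). The export format, the 30/90-day thresholds and the sample rows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample export of SaaS account activity (not real data).
# Format: user,service,last_login(YYYY-MM-DD),monthly_cost_usd
SAMPLE_EXPORT = """\
alice@example.com,crm,2017-09-28,45
bob@example.com,crm,2017-03-04,45
carol@example.com,crm,2017-01-12,45
dave@example.com,storage,2017-09-30,12
erin@example.com,storage,2017-08-20,12
frank@example.com,storage,2016-12-20,12
"""
REVIEW_DATE = date(2017, 10, 1)   # assumed date the review is run
DORMANT_AFTER_DAYS = 90           # assumed "use-it-or-lose-it" threshold
WARN_AFTER_DAYS = 30              # assumed threshold for a nudge before removal

@dataclass
class Finding:
    user: str
    service: str
    days_idle: int
    action: str                    # "keep", "warn" or "deprovision"
    monthly_cost: float

def review_accounts(export: str, today: date) -> list[Finding]:
    """Classify each account by days since last login against the thresholds."""
    findings = []
    for line in export.splitlines():
        if not line.strip():
            continue
        user, service, last_login, cost = line.split(",")
        idle = (today - datetime.strptime(last_login, "%Y-%m-%d").date()).days
        if idle >= DORMANT_AFTER_DAYS:
            action = "deprovision"
        elif idle >= WARN_AFTER_DAYS:
            action = "warn"
        else:
            action = "keep"
        findings.append(Finding(user, service, idle, action, float(cost)))
    return findings

def annual_savings(findings: list[Finding]) -> float:
    """Yearly license cost recovered if every dormant seat is removed."""
    return sum(f.monthly_cost * 12 for f in findings if f.action == "deprovision")

def slack_message(findings: list[Finding]) -> dict:
    """Payload shaped for a Slack incoming webhook; one line per account needing action."""
    lines = [f"{f.user} ({f.service}): {f.days_idle}d idle -> {f.action}"
             for f in findings if f.action != "keep"]
    return {"text": "Dormant account review\n" + "\n".join(lines)}
```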
45. @chicagoben | @obsidiansec
Playbook 3 of 3
1. Use Let's Encrypt for certificates
2. Utilize ELK for storage and search
3. Utilize osquery, Bro IDS, Cuckoo open source tools
4. Disable Mail Forwarding, utilize built-in email inspection & tools
5. Wrap common utilities (net.exe, cmd.exe) with a logging function
6. Only a short weekly window for enabling PowerShell
7. Partner with early vendors who want feedback — free tech!
8. Learn Python then BUILD and AUTOMATE
46. @chicagoben | @obsidiansec
Reduce Waste
Where’s the IT waste? (Dormant Accounts, Config Drift, etc)
Where can you get the biggest ROI of your Security time?
Identify features, process, inputs that add cyber defense value…
everything else is waste (or could be)!
47. @chicagoben | @obsidiansec
Essentialism?
“It is about making the wisest possible investment of your time and energy in order to operate at our highest point of contribution by doing only what is essential.”
– Greg McKeown, Author of Essentialism
51. Today’s Goal: TO SPARK CONTEMPLATION
“If you’re not embarrassed by your first product you’ve shipped too late.” - Reid Hoffman
What can you do TODAY to upgrade security?