Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - Shannon Lietz

Page 1

SESSION ID: PROF-T11

#RSAC

Shannon Lietz

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World!

Director, DevSecOps, Intuit

@devsecops

Page 2

Take Responsibility. Give Credit.

@seniorstoryteller

Timeline figure, <me /> (1984, 1989, 1996, 2001, 2011, present): Developer, Operations, Security, "Rugged", "DevSecOps"; founder, "Safer Software Sooner".

Page 3

How we’ll spend our time today…

Educate + Learn = Apply, so that we can achieve safer software sooner in our lifetime.

…the next generation of security is ours to ignite!

In hopes of speeding up your journey and inspiring you to rebel in your own way… I have banged my head against the wall many times to bring you these lessons…

Page 4

Most say it’s never a good idea to break the rules... until the forces of change demand it.

Pixabay @ Pickit

Page 5

Software is eating the world!!!

http://www.wsj.com/articles/SB10001424053111903480904576512250915629460

-Marc Andreessen, 2011

Page 6

DevOps is eating the world!!!

Imagine solving the world’s problems faster by collaborating and taking responsibility. In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation. With the goal of solving customer problems faster, no wonder DevOps is taking over.

~1500% increase in 2 years

Page 7

Cloud is eating the world!!!

Public Cloud adoption is accelerating at a rapid pace… Software defined environments allow scale to happen and more decisions to be made daily… More people can experiment, learn and fail at a rapid pace to solve for customer demand… Creativity is the next frontier…

http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/

Page 8

Security is blocking the world!!! <- Say What???

“THIS IS THE END OF SECURITY AS WE KNOW IT… AND ISN’T IT A GOOD THING!” -Josh Corman

Page 9

Security is viewed as the proctologist of the technology universe… and we really need to change this perception!

http://www.flowmotioncafe.com

@petecheslock

Page 10

https://www.flickr.com/photos/mjhagen/2973212926

Unicorns suck!!!!

Page 11

WE MUST AVOID SECURITY EXTINCTION…

http://donsmaps.com/images22/mutta1200.jpg

Stock Unlimited 1288835 @ Pickit

Figure labels: Security DNA; DevOps, Cloud, Leader, Mobile, IoT, End Users.

Page 12

Culture Hacking

Figure labels: Traditional Security; Security is Everyone’s Responsibility; DEVSECOPS.

Page 13

Why is this necessary?

Evolution map (figure). Horizontal axis, evolution: genesis, custom-built, product (+rental), commodity (+utility). Vertical axis, value: visible to invisible. Plotted items: compute, cloud, devsecops, compliance as code, informational website, domain names, devops, continuous deployment, continuous integration, transparent security, rugged software, fewer better suppliers, security as code, agile, mobile, customer-driven innovation, traditional SDLC, traditional security, web app, search engine, red team, penetration testing. Other labels: compliance, customer, commodity bound, growth, emerging.

Catching up takes commitment

Page 14

How hard could it be?

Pipeline figure: Source Code → CI Server → Test & Scan → Artifacts → Deploy → Monitoring

DevOps Code - Creating Value & Availability

DevSecOps Code - Creating Trust & Confidence

Page 15

What type of skills are required?

Figure: Dev / Sec / Ops competency bars for a Developer, a Sys Admin and a Security Engineer. Legend: competency; needed skill; functional.

Page 16

Is everyone bought in?

Management has some firm requirements due to financial commitments and reporting. DevOps and Innovation can easily live in 3 out of 4 boxes but hardly like Control. Security practitioners tend to write policies and distrust everyone not them; rightfully so, 1% insider threat is a lot!

Quadrant figure: Control, Collaboration, Cultivation, Competence. Axes: people vs. company; reality vs. possibility.

Page 17

Who can help?

Forming the C.A.T. Team:

• Big bet: 10 rare people in 6 months
• Hire for passion
• Remove barriers (logical and physical)
• Mixed skills and levels

P. Svangren @ Pickit

C.A.T.T. aka Cyber Attack Tiger Team

Bring big leadership skills if you want to wrangle big cats…

Page 18

At first, it looked a lot like this…

Offices fostered the wrong culture

• Break down the walls
• Long flat tables
• Lounge areas
• Continuous Learning
• Increase communication
• Small teams with purpose
• Take a walk
• Difficult discussions
• Dedicated to success

Page 19

How do I avoid being eaten by big CATTs?

FROM → TO
AUTHORITY → INSPIRATION
STRUCTURED POLICIES → FIRST PRINCIPLES
COMMAND & CONTROL → VALUE DRIVEN
RISK MITIGATED → RISK BALANCED
APPROVALS → LESSONS LEARNED

Stock Unlimited 1492669 @ Pickit

Page 20

Goals matter…

Without a goal you are neither a great leader nor a good follower…

Figure: timeline axis 0, 5, 10, 15 years; “Security is done!”

J. Ekstam @ Pickit

Page 21

HPO starts with team principles…

• Everyone is learning
• No one left behind
• Don’t hug your code
• Check your ego at the door
• One for all

S. Khuntale 1434620403900 @ Pickit

Measure for crunchiness once a week…

Page 22

Confidence is critical…

Operating model must increase confidence at all stages. Opt for Coaching vs. Managing. Increase communication. Patience pays off. Keep it blameless.

Figure: stages aware → understand → commit → operate, plotted against confidence.

Page 23

Does your team keep score?

Everyone can be a hero! Keeping score is fun! Outcomes driven by the team provide greater value. Understanding how to score is empowering. Brings us together…

http://www.4dxbook.com/blog/people-play-differently-when-theyre-keeping-score/

S. Zahnfee @ Pickit

Page 24

This path gave us DevSecOps…

DevSecOps:

• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast

Page 25

Enabled us to understand the problem space…

Gating processes are not Deming-like. Security is a design constraint. Decisions made by engineering teams.

It is hard to avoid business catastrophes by applying one-size-fits-all strategies. A security defect is more like a security “recall”.

Lifecycle figure: design → build → deploy → operate, with the questions asked along the way: How do I secure my app? What component is secure enough? How do I secure secrets for the app? Is my app getting attacked? How? Labels: typical gates for security checks & balances; mistakes and drift often happen after design and build phases, resulting in weaknesses and potentially exploits; the most costly mistakes happen during design; faster security feedback loop.

Page 26

Gave us the courage to question everything…

Operating Model:

• Determine defect and feature flows for Security to funnel to distributed teams
• Inventory work processes, guidelines, policies, experiments, data and tools
• Identify groups, roles and skills required to support processes
• Identify friction and measure speed of MTTR
• Identify types of decisions
• Identify metrics for measuring experiments and adapting processes

Processes:

• Implement Code & Infrastructure Guidelines
• Implement Rules Engineering Processes
• Implement Security Defect Reporting
• Implement Consulting and Requests Process
• Implement Infrastructure Templates
• Implement Red Team & SOC Processes
• Implement Manual Staging Processes
• Implement a Decisions Process
• Implement an Escalation Process with clear stakeholders

Tooling:

• All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.)
• Implement Security Portal for feedback consolidation across security processes
• Implement Case Management for Requests, Defects, and Incidents
• Implement Testing framework
• Implement Correlation engine
• Implement foundational security controls
• Integrate with core organizational systems

Outcomes (n number of experiments to refine processes and automate where possible):

• Identified opportunities to develop capacity without increasing risk to too high a level
• Inventory provides information for Decisions board to help with risk decisions
• Decisions board with clear escalation path by type of decision
• Ability to Communicate and Train on initial processes
• Consistent Ins/Outs of Dynamic Work with standard templates
• SDE helps with reducing manual efforts
• Ability to build up capacity for Stage Two

Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch

Page 27

Empowered us to challenge the status quo…

API KEY EXPOSURE -> 8 HRS

DEFAULT CONFIGS -> 24 HRS

SECURITY GROUPS -> 24 HRS

ESCALATION OF PRIVS -> 5 D

KNOWN VULN -> 8 HRS
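The remediation targets on this slide are a service-level clock per finding type, and the operating model on the previous slide asks teams to "measure speed of MTTR". The Python below is an added example, not code from the talk or from Intuit, that turns the five targets into a small SLA tracker: each finding gets a deadline from its category, open findings past their deadline are listed as the escalation queue, and mean time-to-remediate is computed over closed findings. The category keys, the Finding class and the sample findings are constructed for this example; the slide only supplies the five targets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Remediation targets taken from the slide. The category keys are labels
# chosen for this example; the slide only gives the five rows and their times.
SLA_BY_CATEGORY: Dict[str, timedelta] = {
    "api_key_exposure": timedelta(hours=8),
    "default_config": timedelta(hours=24),
    "security_group": timedelta(hours=24),
    "privilege_escalation": timedelta(days=5),
    "known_vulnerability": timedelta(hours=8),
}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    category: str
    opened_at: datetime
    closed_at: Optional[datetime] = None  # None means the finding is still open


def due_at(finding: Finding) -> datetime:
    """Deadline for a finding. An unknown category is an error rather than
    'no SLA', so a new finding type cannot silently escape the clock."""
    try:
        return finding.opened_at + SLA_BY_CATEGORY[finding.category]
    except KeyError:
        raise ValueError(f"no SLA defined for category {finding.category!r}") from None


def sla_status(finding: Finding, now: datetime) -> str:
    """'met' / 'breached' for closed findings, 'open' / 'overdue' for open ones."""
    deadline = due_at(finding)
    if finding.closed_at is not None:
        return "met" if finding.closed_at <= deadline else "breached"
    return "overdue" if now > deadline else "open"


def report(findings: List[Finding], now: datetime) -> dict:
    """Count findings by SLA status, list overdue ids (the escalation queue)
    and compute mean time-to-remediate in hours over closed findings."""
    counts = {"met": 0, "breached": 0, "open": 0, "overdue": 0}
    overdue_ids = []
    closed_hours = []
    for f in findings:
        status = sla_status(f, now)
        counts[status] += 1
        if status == "overdue":
            overdue_ids.append(f.finding_id)
        if f.closed_at is not None:
            closed_hours.append((f.closed_at - f.opened_at).total_seconds() / 3600)
    mttr = sum(closed_hours) / len(closed_hours) if closed_hours else None
    return {**counts, "overdue_ids": sorted(overdue_ids), "mttr_hours": mttr}


# Constructed sample findings (not real data) covering two days of triage.
T0 = datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("F-1", "api_key_exposure", T0, T0 + timedelta(hours=5)),    # closed within 8 h
    Finding("F-2", "default_config", T0, T0 + timedelta(hours=27)),     # 24 h target missed
    Finding("F-3", "privilege_escalation", T0),                         # open, 5 d clock running
    Finding("F-4", "known_vulnerability", T0 + timedelta(days=1)),      # open, 8 h clock expired
    Finding("F-5", "security_group", T0 + timedelta(days=1, hours=3),
            T0 + timedelta(days=1, hours=11)),                          # closed within 24 h
]
NOW = T0 + timedelta(days=2)


def sample_report() -> dict:
    """Report over the constructed sample as seen two days after T0."""
    return report(SAMPLE_FINDINGS, NOW)


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.category, sla_status(f, NOW), "due", due_at(f).isoformat())
    print(sample_report())
```

In practice the `Finding` records would come from the case-management system named on the previous slide, and `report` would run on a schedule so the overdue list feeds the escalation process rather than being discovered at audit time.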

Page 28

Got us to communicate with developers like a developer…

Page 29

Made us think about how to shift left…

Everyone knows Maslow… If you can remember 5 things, remember these ->

“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”

Page 30

Helped us blaze a trail so others could succeed too…

Stock Unlimited 1515599 @ Pickit

Page 31

How do I learn more about this?

Page 32

It is time to change…

Get involved. Write an article. Give and take feedback. Contribute to Open Source. Give feedback. Volunteer.