Remember the message, the future is not set. Good afternoon, everyone. Quick question for you all. Can you hear me in the back? Raise your hand. How about up front? Can you hear me okay up front? How about everybody raise your hand right now if you can hear me. Now say hallelujah! How many of you have gone ahead and felt like an imposter in your position before? How many of you have felt overwhelmed by your job? That's pretty typical, don't you think? It's weird. We're all smart people. Everybody looks at us as the smartest people in the room, and we all know that we're not, and we all know that we always feel that we're faking it. Why? Well, we'll discuss that in How Do You Eat an Elephant? Bite by bite. The elephant looking at you, trying to figure you out. Why is it an elephant? Because it's your job. It's security. Why is security this big elephant that's looming over us? And that's where the problem comes in. Is it's the elephant in the room? It didn't always used to be the elephant in the room. No. That's from 2022. I snagged it from a website, a blog from four and six lady. Shows at the time in 2022 all the different areas that you have of InfoSec, of cybersecurity. Every single little area there. It didn't used to be like that way. How many people here remember when security was just an outside perimeter with some firewalls? Miss those days, don't you? Used to complain up to the yin-yang about the firewalls, and nowadays it's like, why can't we get back to simpler times? Because like anything else, time moves forward. And what's happened is that we can no longer be that general practitioner that knows everything. You can be a general practitioner, don't get me wrong. You can go ahead and be somebody that knows a lot about certain things. But there is no way, and I don't care who you are, and you cannot convince me, the smartest people in this room cannot know everything. And it's something that we've gone ahead and lost track of. 
Great Groucho Marx once said, one morning I shot an elephant in my pajamas. How he got in my pajamas, I'll never know. And that's what we're trying to do right now, is we're trying to shoot that elephant in our pajamas. We're trying to shove all that stuff, we're trying to shove the firewalls, everything else into this one small box, and it doesn't work. It does not work at all. We have to take a look at stuff, we have to break stuff down, we have to get at this elephant, and take it bit by bit. How many people here have actually eaten an elephant? All right, how many people here have eaten a huge-ass steak? Do you shove the whole steak in your mouth? Okay, you might shove the whole steak in your mouth. But most people cut it up, take bites, and work their way through it bit by bit by bit by bit. The first and foremost thing that we have to remember is, again, we don't know everything. And you have to admit that to yourself. Not only do you have to admit that to yourself, but you have to be okay with that idea of not knowing anything. Asian philosophy says the first step to true knowledge is admitting you don't know. You cannot fill up a filled cup. The cup has to be empty. You have to admit that you don't understand this stuff. Now, where does this all lead to? And why am I even talking about this? It's a matter of our lives. We talked about, we saw how many hands got raised for burnout, for being overwhelmed, for being an imposter. All of this is contributed by the weight that gets put on us by this whole thing. And it's our own fault because we're too smart and we're too curious. We have that hacker mentality, that hacker mindset, that little itch that has to know a little bit more here and a little bit more there and a little bit more here. And that starts working against us, much to our chagrin and much to the way that we don't realize. So let's break things down. 
When you go into a new job or even at your current job, I like to think of breaking things down in this way, at least from a blue team perspective, which is where my background lies. First off, learn what's critical to defend. If it's not a critical system, it should be a second tier. This is how we prioritize and start taking the chunks out of it. First off, learn what you need to really defend. Second, depending upon the size of your organization, the amount of departments, learn what departments you have to deal with and what they do. We are thought of as the no people. No, you can't have this, it's too insecure. No, you can't have that, it's too insecure. No, you can't do this, it's too insecure. What if we said no but? Because we've got contacts inside of those departments, we understand what they're actually trying to do and say, no we can't do this this way, but let's see how we can do this in a secure fashion. I used to work at a company and we had to deal with an FTP connection. And we set up hundreds of these FTP connections to our areas and stuff, and each one of them had their own little things. Started to set up a new one and this company wouldn't give us anything for SFTP. And I kept saying, no, let me talk to the company over there. I understand that we need this. We need this data. We need to be able to go back and forth with them. But they're not hearing what we're saying. We're saying we want to do this, but we need this security level. We need this key to go ahead, key exchange, to work. Why is it not working and why are they not willing to work with us on it? Well, after about a week and a half of going back and forth, I finally got the key. We got everything all set up properly. It turns out they hadn't updated their system, so the current level of keys weren't working properly. Once we got it, once we got the key problem solved, boom, everything went. 
It took an extra week and a half, but we were willing to work with the department and tell them, listen, we want to do this. We're not saying that you can't do this. We're saying you can't do it in this way, so let's find the better way of doing it. And finally, you need to prioritize what needs to be done, and that, that is a horse of its own nature. I mean, think about it. You go ahead and you say to yourself, you say, I'm gonna go ahead and I'm gonna work on getting an inventory taken care of and see where my vulnerabilities are in this set of software. And your boss comes up to you and says, hey, you're gonna need to do this, and then all of a sudden that incident hits. And now all of a sudden your priorities are all shot to all get up and go, and that's okay. You still need to go ahead and mark down somewhere where you were with that first priority, so that way when the emergency is over you can get back to that. It's not a bad idea to communicate with your boss, with, with the people above you. Listen, this is where I see the priorities. Do you see them in this fashion? So that way you're on the same page. Now you're not fighting against the boss, you're working with them. You're collaborating. Collaboration. Where have I heard that before? Anybody, anybody ever done any collaboration before? Although one person in the back has collaborated with people before. I have a hard time believing that. Collaboration is tough because we tend to speak a different language than some of the other departments. We're techies, we're nerds, we're geeks, we're whatever you wish to put as what you are is perfectly fine. But we have a different language sometimes than other people. And a lot of us tend to be neurodivergent in some way. Maybe it's ADHD, maybe it's autism, maybe it's Asperger's. It doesn't matter. We're all good people. We all communicate. It's a way of finding that collaboration point between them. So we go forward. Then we have the perfection problem. 
How many people think there's perfect security? Good answer. How many people here think that there's perfect anything? No. Security is not a single item. Security is a path. It is a journey. And in that journey you might sometimes take large steps, but a lot of times it's going to be a very small step here and there. And one of the things that we do to ourselves as far as that... how many people here think EDR is a piece of junk? No, there was a person behind you that did that. You do realize that EDR goes ahead and knows exactly what's on each machine, right? You know that equates to a software inventory, something that we always say that you need to go ahead and be able to secure stuff properly. Small things like this. Could one vendor's EDR be better than another's? Sure. But if you have EDR, if you have antivirus, you're already at a certain level that's going to block known knowns. And all you have to do is learn how to query that stuff to find out information that you want. I did talk a few years about that, about how to go ahead and take your EDR and turn it into an inventory machine for you. It's an amazing little thing that can happen. All of a sudden you know what software is out there. You know what software you've got. You can query these machines through the EDR. You can query the machines through what information you get into your SIEM. Now you're not trying to reinvent the wheel and trying to fight to go ahead and get an audit done on each and every individual machine. They've got EDR on it. You've got the data. You just need to be able to access that data. These are the small steps forward that lead to you being more secure overall and lead to you going ahead and tearing your hair out less. And believe me, I know about tearing hair out. It is not fun. It is also the way that we burn ourselves out is by trying to do too much. We need to take those small bites. 
We need to take that little step of, okay, I don't necessarily like EDR, but I will work with it and I will use it as a tool because each tool has its place. They say defense in depth is the way to go. Well, you're not going to like every level of defense in depth. You're not going to necessarily agree with everything. You're going to want to say there's a better way of doing it and that's fine and that's fantastic. But until you've got something in place there, you're just going to spin your wheels if you don't use the tools that you've got. Am I going to spend 20-30 hours writing a Python script to go ahead and reach out and hit every single machine in my company to go ahead and pull data from it? Or am I going to use a tool that's already giving me all that data as much as I might loathe that tool? We've got to get out of our heads. We've got to stop realizing that, yes, while we are smart, our brains work against us. We've got to be willing to take that step back and slow down and take that deep breath. You get an alert when something hasn't communicated back from the machine. There's a small little step in being secure. You go ahead in a SIEM and all of a sudden a firewall is not reporting back. Now you've all of a sudden got to wonder, is it failed open or is it failed closed? If it's failed open, you've got a problem. But now you've got a machine that you can actually take a look at and wonder what's going on with it. This is above and beyond vulnerability management, above and beyond a lot of the other stuff, but it's essential. But it's a bite. It's a single individual bite and you've got to prioritize those bites and take that small step and take that small victory. Oh yay! 
I figured out that, hey, this machine has a little bit older version of Teams on it that is still susceptible to X, Y, and Z because my EDR went ahead and said something to me in its inventory and my, whether it's Tenable, Qualys, or what have you for vulnerability management, has said that I've had this vulnerability floating around. But wait a second, I don't have a way to get into that. There's a chain involved with it. Okay, now I can put that onto the back burner and go back to working what I was working on. It needs to be patched, yes, but it's not necessarily high priority. There are so many ways that we can make our lives easier by getting out of our own heads and turning around and saying, okay, I've hit this wall. Somebody help me, please. And where you work, it might not be somebody where you work at. You might be the department. But there's things, there's ISACs, there's ISSA, there's groups, there's conferences, there's all sorts of places that you can turn to in Discord, in Slacks, what have not, where you can ask a question. You know why half of us don't ask the questions? How many people are scared to go ahead and be honest here, and I will raise my hand on this one, are scared to ask a question because you think it makes you look dumb? The only dumb question is the one that's never asked. You might get a silly answer back. You might get a jerk on the other side that says, yes, that's a dumb question. It's not. If you don't understand it and are looking for true understanding, it is never dumb to ask a question. All you're doing is putting more stress on yourself and not getting the work done that you need to get done, so you can move on, so you can learn something new. Oh, wait a second, didn't Johnny Christmas talk about learning something every day? How many people saw Johnny's keynote today? How many people remember Johnny talking about, you should be learning something every day? And you should. What's the best way to learn something? 
Ask a damn question. I know so little. I see people out here that I've looked up to throughout my whole career that have helped me by me asking questions, and sometimes they joke with me about it, but in the long run they'll help me out or they'll lead me to finding the answer. Not necessarily give me the answer, but lead me down the path to figure out the answer. And that's just as important as getting an answer itself. How many people here think certifications are dumb? Certifications aren't dumb. The process of getting certified sometimes is dumb, because it's a lot of memorization. It doesn't teach you to think. It's the same problem we have throughout society. People are looking for answers without looking how to learn to answer the question. And again, that adds on to the stress. So now you think that asking a question is dumb, so you're not going to ask a question, but you see somebody else that knows the answer, so you think that you're an imposter and stupid because they know the answer and you don't, because you're a smart guy. You're in a field which is filled with smart people. Is that fair to you? No. So you take a little bite and you ask the question, and you learn a little bit, and you move yourself forward a little bit more. We had at my work recently a situation where somehow or another, and we don't know if it was the gentleman himself or not, turned off his web filtering. How many people here think web filtering software, something like OpenDNS, Umbrella, Zscaler, some of these web proxies that will go ahead and filter out websites for you, are worthwhile? How many of you feel that it's worthwhile? How many of you would like to take that thing and chuck that hunk of junk out the window? In this case, it showed that it was worthwhile. Why? Because it got turned off, and we could never figure out whether it was a guy himself who was a dev and had local admin rights because he's a dev and devs need local admin rights to do their stuff. 
No, they don't. They just need a better way of doing it. So he goes ahead and he turns it off. Then he goes to some website to watch anime that's a disreputable website and winds up with a virus on his machine that the EDR catches and alerts on while I'm at a hockey game with my kid. Situation got taken care of real fast between myself and my boss, and I didn't have to leave the hockey game early with my kid. We still got to go ahead and have fun with it. But this is a little piece of software that people don't think does much. When I went ahead and started trying to figure out how this stuff came in, I went into a sandboxed environment that I put on my web proxy on there, and went ahead and went to it, and tried to go to this site, and sure enough, Cisco Umbrella, and I will use the name on this one, blocked the site. If it was working, it wouldn't have gotten that virus. This is what I'm talking about. We get inside our own heads. We think that something's stupid. We think that something doesn't work. It might not work in every situation, but there's a reason why it's there. And getting outside of our own heads is where we actually go ahead and become even better than what we are. Perfection is the enemy. Progress is the solution. So a little step forward here, a little step forward there, always I'm going to take a step back. Yeah, I might cha-cha a little bit during the course of it all, but eventually if I take those small steps, you get there. And this is not just true in our field, in cybersecurity, infosec, whatever you wish to call this field, fucked up in the head if you want to call it that. This is true in just about anything. I know that there's some friends of mine here. You've watched what I've been doing with some on social media with some of you with my workouts and stuff. And you've seen the progression over the course of the last two years. I look back in it and I go, I can't believe how far I've come. 
But if I looked at it from week to week, it was, oh I did half an extra rep here. I got an extra five pounds heavier on this barbell. I was able to make it one extra rung on this obstacle. Doesn't seem like much. Three months down the line I look back and I'm making the obstacle, or I'm 20 pounds heavier on a rep, or I'm doing 15 more reps, and all of a sudden there it is. There's the progress. There's that big leap that everybody looks for. It's not happening all at once. Get out of your head. See yourself as what you are. A great person, an important person to your company, doing an important piece of work, that in the end you're not going to know everything. And when you admit to not knowing and asking for help, 90% of the time you're going to get that help. The answers we seek are simpler than we realize. What I'm giving you today is nothing more or less than a basic set of ideas to go forward with. And what are those ideas as we look at it? Get out of our own heads. Don't sweat the small steps because they will lead up to the big solutions. And finally, just take care of yourselves. With the state of the world and the state of companies right now, there's a lot of uncertainty. Take care of yourself. Because if you don't take care of yourself, nobody else is going to. For those that don't know who I am, my name is Shecky, otherwise known as Mike Kafka. I am one of the BIRBSEC organizers down in Chicago. I am also on the board for B-Sides 312, which is coming up on June 1st. I've got my social medias up there, Mastodon, Bluesky, and my blog site, which I do not blog on as often as I probably should. Why? Because I get inside my own head and can't think of what to blog about. I hope that you enjoyed the talk. Are there any questions from anybody out there since we've got a few minutes left? Well, thank you very much for coming. I hope that you learned something today. Oh, in the back. I work remotely. 
My bosses decided that I was going to work remotely, even though our global headquarters is in Chicago itself. It is a global company. The company that I work for has been around for over a hundred years, so it's a long-term company that is in the financial markets. For me personally, it's actually helped a lot with the imposter syndrome. I have direct communications through, in this case, Teams, like most of us, or Slack, which is the other big thing, with my bosses, and I talk with them on a regular basis. I'm able to go ahead, because I'm not behind their firewall, I'm able to have my personal machine set up next to me where I can be on different Discords and checking that sort of stuff out and asking questions inside of Discords. If I can't do that because I actually have to go into the office, I will go ahead and write down my questions and bring them back to do it on the train on my mobile or from my house, what have not, if I have to. My bosses, I'm lucky, my bosses believe in training, they believe in communication, they believe in collaboration, and they allow me to go ahead and do talks like this and mention incidents that are sanitized from my office. As long as it's sanitized and doesn't give any personal information on it, they're cool with it, which is very nice of them. I know that not everybody is available to do that, but if you go to your bosses and say, hey listen, maybe I need to go ahead and ask some questions, even if it's of the vendor itself. So say it's Microsoft or Tenable or what have not, and you've hit a block. They've got people at those companies that are supposed to help you out with that stuff. Turn to them even, and that you should be able to do from your office. As far as collaboration goes overall, it can be tough in our field because a lot of us only have one or two people around us at any time, if we're lucky. 
When you get into larger corporations, maybe you've got more people there, but everybody's so busy, who are you going to get a chance to talk to? So the whole in-office collaboration thing, most of the people that I've talked to still winds up being over something like Teams or Slack, which is why I got to go remote full-time. It was like, all you're going to do is sit here and be on Teams and Slack all the time. No, we've proven you stay home, you get to stay home. So anything else? Any other questions? Yes? What are some of the things my leaders have done that have... that my leaders have done to help my imposter syndrome? They've believed in me, they've shown trust in me, they've turned around and asked me the same question 20 million different times and I've answered it. I think probably the biggest thing is that they've gotten to a point where they... and it took about a year of working under them, where they really started to trust me and my knowledge. And the fact that I could go ahead and find... if I didn't know the answer, I was willing to find the answer wherever it took. And that's where they got rid of my... helped me out with my imposter syndrome. I still have imposter syndrome, don't get that wrong. I'm just very good at keeping it at bay at this point in time, because I've got the support of friends and family and especially people in my office. Any other questions? We've got another minute or so. Yes? Besides... what are the knowledge pools I'm using to go ahead and help get 1% better every day? Besides coming to cons and doing things like BirbSec, etc., I use sites like TryHackMe or HackTheBox. Microsoft Learn is a fantastic tool. There's a lot of stuff in there. I think we're running... we still got one more minute. Did they answer your question? Any other questions? It looks like people are coming in for the next talk. All right. Well, I hope that you enjoyed this. I hope that you take something out of it. 
I will be around the con, and feel free to come up and talk to me and ask me anything. I promise I don't bite unless you ask me to bite you. And on that note, have a great day everybody.