It is my pleasure to introduce to you Kat Sweet. Is that good? You hear me? Okay, still good? Lavalier mics were not made for things that don't have collars. So, good morning. I will warn you in advance, I have a cold, and so I'm feeling a little drained, but I'm sure some of you were out late last night, so hopefully between the two of us we form, like, one competent human. So, yeah, thank you for the introduction, Bing. Thank you for having me here. I'm Kat Sweet. I'm an information security analyst at Duo Security. I've been there for about a year. I will not be answering any probing questions about Cisco's intent to acquire Duo. So, a big part of my job is security education internally for employees at Duo. And this is often a topic that people think is an exercise in futility. The prevailing wisdom seems to be that security education is a binary: it can either exist as effective yet inefficient training for a really small population, or efficient yet ineffective training for a large population, automate all the things. And so I want to talk about, I guess, success stories of delivering more-in-depth-than-the-basics, role-based security education that helps us scale up effective training, sort of champagne security education on a limited budget, which I'm guessing a lot of us have, so not just going for efficiency, but actually going for something that's going to be effective for change. But I also want to make sure I give us a chance to, I don't know, hold space and talk about security education in general, and I'm happy to answer questions. We have a mic here and we're a pretty small crowd, so I want to try and make this somewhat interactive, and if I have lost my voice, I'll keep going. I've got water, the best water $6 can buy on the Strip, and I'm happy to take questions at any point and at the end about security education, about how we've done it, about how I see it outside of work.
So yeah, just by show of hands, how many of you are responsible for various security education things at work? Oh wow, a lot of you, cool. How many of you feel you have enough resources to do that effectively? So for those in the front, that was like four hands. Yeah, so we're recorded, so I'll repeat back shout-outs, but what are some of the problems you are trying to solve in your internal security education? Yeah. Engagement. Usability. Retention, yes. Oh my God, how do they remember what they just got thrown at them, like, one minute later? Compliance, yes. Security education is a compliance requirement for a lot of people. Yes. Generating interest, yeah. How do you get them to actually be engaged in a thing that they have to go to? Yeah. Maintaining that across a huge site, basically problems of scale at a huge company. Yeah. Cool, yeah. And some of the challenges come down to having enough resources for that. So every year SANS does this study, basically they put out a report on the state of security awareness, and the, oh sorry, mic. The biggest challenges are time and resources to devote to security education, awareness and outreach. Another problem is that training is often really generic, and so there's that problem of how do you get people engaged. It's not contextual to employees' roles, particularly when the training is outsourced. When it's not homegrown you're thinking, like, okay, what does this have to do with me and my company and my role, when it's just this canned message about, yeah, don't click shit. Sometimes it's your job to click shit. Scaling is often addressed via over-automation. When this more in-depth, tailored, contextual, role-based training beyond the basics does exist, a really common split is to group employees into just a few buckets: upper management, technical teams and everyone else, and sometimes just technical teams and everyone else.
So regardless of where the lines are drawn, oftentimes each bucket just ends up receiving training separately, and the everyone-else bucket is a big bucket, so this can lead to some further scaling challenges. Developing curricula specific to each role or each team or each level of sensitive information that people deal with takes a lot of time and resources. Sorry. Is that better? So sometimes important focus areas... yeah, it just keeps going in and out. So one second. I'm wondering if I'm bumping anything. All right. If anyone is hacking packets, don't hack these packets. Actually, I don't think this is a very smart mic. What's that? Please don't be hacking these packets. So anyway, so important focus areas get overlooked. For example, technical teams might focus on just the OWASP Top 10 training, really application security specific. I think maybe that's the best thing in there. But nothing about threat modeling or basic... can we maybe get an AV person? Thank you so much. I'm, yeah, sorry about that. I apparently didn't make a sacrifice to the demo gods this morning. Cool. So, okay. So there's a lot of challenges in this landscape. So how do we address them? Where do we start? We have to think about what problem we're trying to solve. My manager always tries to map everything we do back to what problem are we trying to solve. So we are trying to enable the business. We're trying to protect our company so that the company can succeed. And so we need to think about what are our assets, what is the information we deal with, risk. And so who are the people who deal with the information that is the most sensitive, that would have the most detrimental impact if it were to get made unavailable or compromised or leaked? And start with those high-risk roles. We can also think about pooling multiple groups, a mix of technical teams across all seniority levels. We don't necessarily need to break them up; we can pull them together even with different information. Oh, thanks Grant.
How do we build off concepts in training that employees receive and go deeper together, while still thinking about our own individual roles and access? So also, a few people mentioned things like engagement, interaction, retention. And so we really need to be thinking about how do we bring in interaction and collaboration, especially if we're distributed across different spaces. Somebody mentioned different offices. So we need to think about how can we build something that engages remote employees. How can we do something where people who aren't just in a physical space can be engaged? Because oftentimes remote employees, or employees who aren't in a centralized location, are more likely to just have the security education automated away. It'll be like, just watch this video. Don't come into the classroom. So I'm going to be talking mainly about, like, one specific example of training that I built at Duo, but using that as a way to think about the larger problems of scaling security education, about making sure we're building stuff that's actually retained. And that opens the door to how do we continue to build security engagement when we're not just all sitting in a room together once or twice a year. And so I encourage all of you to also think about how you can maybe take one example, two examples, and build out similar things. Cool. It sounds like the mic is doing its thing now. Knock on wood. So I mentioned identifying these high-risk teams. So if you have to choose where to focus your educational efforts, you can start with people who are the highest-impact targets based on their role, based on their access, based on the sensitivity of the information they handle. Basically, what is the attack surface of the entire company, and who are the most likely targets for disruption to all of that?
So I'm going to throw it out to all of you: who in your company, not specific names, but specific teams or specific types of roles, who do you think are some very high-risk targets? Finance. Why? Because they're often asked to wire money to unknown recipients. Yes. I saw other hands. Executive assistants. Yes, they are the gatekeepers to upper management and they get all the things. They're points of intake for the most high-profile people in the company. Sales and marketing. Why? Because they're easy targets. Because they're easy targets. Can you elaborate on that? Because, correctly crafted, anyone can be an easy target for social engineering. Yeah, they have a high volume of emails, and especially sales, they're interfacing heavily with external people. Whereas, like, my role in corporate security, almost everything I do is with people within the company. So yeah, you had a hand up as well. Professors. Oh, so you're with a public university? Public. Sorry, with the university. Yeah, why professors? Yeah, you've touched on something a lot of people have in common, which is they just want to do their jobs and not have security be a thing that gets in the way. Blue shirt, then glasses. What's that? I'm sorry? Customer service. Yeah, oh man, it's really easy to call customer service: give me my own account. Oh man, it's happening again. Let's see. IT support. Same thing. Yeah. Data analysts. Why? Yeah, they have access to all the data, they do. Yeah. So pretty much you can map it to anything. So it depends on basically what's your threat model for your business. So high-profile employees like upper management. And you have to think about, too, going back to the old CIA triad: teams with a significant impact on confidentiality of data, like legal. Significant impact on availability, like DevOps people. You have to think about physical access too, like facilities people, who are the first line of defense when you enter a physical building.
Recruiting people, who are going out and meeting strangers and getting resumes from strangers. So it's their job to download strange attachments. So identifying these teams also gives the security team more deliberate visibility into the rest of the organization. It makes you actually think, okay, what are our assets? What teams have access to these assets? Basically, just like extensions of risk assessments. So security teams identify who the high-risk teams are, what kind of access each team requires, and more about each team's attack surface. One that I didn't hear called out was security teams. We are also super high impact. We know all kinds of things. We drink and we know things. Some of us don't drink, and we know, we have access to things like vulnerability scans. We know about all of the incidents that happen when there's IR. So we too are not exempt. And in the case of, like, certain employers, one can argue that just by being a certain type of company, your employees are all high-risk targets one way or another. So rather than telling attendees of a training why they're there, we can do exactly what I did with you and have them tell us why they think they're there. Starting with that mental exercise sort of sets the tone of people getting into a mindset of thinking about their attack surface and really evaluating what the impact is to the company, to the business, based on what they have access to. And this type of discussion also promotes a better understanding of the big picture, the attack surface of other teams, instead of just, like, I'm on the security team, I know that I have access to information about incident response and vulnerability scans and stuff like that. But maybe I need to start thinking about the big picture of why I might also be concerned about, like, what the finance team has, like, vulnerability to phishing attacks related to tax season and stuff like that.
So it gives people a bigger, clearer sense of why we're all in this together. And that's good to keep in perspective too. It's easy to get siloed, especially when you start to be a bigger company. Participants also know more about their respective roles than the security team presenters do. Like, I think a lot of us in the community maybe like to think we know everything and know what's best for everyone, but we do have a lot to learn from other teams. And especially as we get bigger, it's harder for us to have visibility into what everyone is working on. And so having trainings like this in the first place gives us as security team members more insight into other teams' roles and access. And increasing visibility into our whole security landscape, into our whole environment, enables us to do our jobs more effectively. Because, as they say, you can't secure what you don't know. And also, letting participants across departments describe their roles or the information they handle takes the burden off the security team having to front-load, to prepare all of that information ourselves going into giving trainings. It also just helps build trust. We spend a lot of time telling people what to do and not enough time listening to people. And so we have a lot to learn from other teams. And I think it builds trust when we go in there and say, tell me about what you do, instead of just having us lecture them. And presenters can engage in this discussion too. Like I mentioned, security teams are very high impact. And so letting participants know that we're not exempt from all of this, from all of this important stuff, makes it feel more peer-based and less top-down. And I think that's important because oftentimes that's better for feeling engaged, when it's a peer talking to us and teaching us things, than somebody just lecturing us: you will do this, you will do this, this is why you should be scared, you're cool.
So when we identify what we are trying to protect and what we're trying to protect it from, basically just go down the line of threat modeling. When we teach security awareness, we often tell participants, think like a hacker, and then kind of leave it at that. We rarely put them through the actual exercise of getting into an attacker mindset. Although when I teach lock picking, that's exactly what we're going for, and people love picking locks. So I like giving participants a chance to threat model what they're trying to protect by devising scenarios where they hack each other based on their own roles. I called it Hack Your Neighbor. Just pair them or group them instead of having everyone work on their own, and then they go through this mental exercise of, what would an attacker do, and leverage my role to do harm to my company. So again, they get better insight into other teams' access, versus if they're thinking about someone on the same team. I'm so sorry for the mic issues. And people with outsider knowledge may come up with really creative methods of attack if you have people trying to hack each other. Everything from, like, say you've got a recruiter and somebody tries to get information out of them by going up to them at a recruiting event, asking all of these questions. Oh, who reports to this person? Who's this manager? And then escalating levels of sensitive information. So it's in recruiters' jobs just to be very helpful and accommodating and give out information; that's just one example of many. Also, this sort of interactive threat modeling and devising attack scenarios together, again, interaction is way more effective than lectures, and if you can tie these scenarios back to real-life examples, if there are any that you can share that have actually happened, people are really interested in what has actually happened, and knowing that what they come up with isn't actually that far-fetched. So then how do you bring it all together?
Once you've got all of this on the table, about like, okay, we're going to do this, everything is terrible, how do you actually bring that back to, you don't have to be scared, here's what you can actually do? So regardless of differences in teams' roles or their technical skill levels and the information that they handle, there can be a lot of common ground in the way we talk about proactive security advice, especially for roles that are higher risk, beyond just the basics of don't click shit and use strong and unique passwords, use password managers. So one really common universal theme is just basic opsec. That's something that a lot of people going in don't think about, or they don't necessarily map their personal stuff to their work stuff. And so they don't necessarily think about information that they're putting out there, either on social media or just by using their computer in a coffee shop without a privacy screen. And they usually don't think about others' information that they're giving out too. So it's important to think about not only protecting their own asses but also thinking about others' roles and how they map that back. A really good example that I use is I gave a security training at our all-hands kickoff meeting earlier this year, and our CEO then tweeted out a photo the next day and covered up some laptop screens in it, and didn't do it during the training, waited until afterwards, and didn't say the location, and I'm like, yay, opsec from the top down. So we also want to encourage open lines of communication. That's a pretty universal thing regardless of which team people are on, that as members of the security team we want to make ourselves available, and so that's something that we constantly need to be reinforcing and living. So we go beyond just, like, tell people report phishes to the security team.
We really want to encourage that they can consult with us, that they can partner with us, and hopefully they're going to be more receptive to it after we lead with listening instead of lecturing. So where do we take all of that? So we can use security trainings as a jumping-off point for identifying additional needs for education and additional needs for awareness, and opportunities for partnerships between security and other teams, areas where we need to improve our messaging. Every training that we give, whether it's something specific to somebody's role or just a general all-purpose one, is an opportunity for iteration, and so that's something that we always need to be keeping in mind: identifying feedback, measuring efficacy, not just compliance, not just checking the box to make sure everyone has gone. Think about what kind of impact is this actually having, what problem are we trying to solve with this, and what are the next problems that we're going to solve. Keep the doors open for not only future trainings and educational opportunities but also for open communication between the security team and other teams in between when we're all in a room together. Iterate on training content based on feedback and also based on shifting business needs. This is a thing that's going to become super relevant in my case as we go from a company of 700 to being part of a company of 70,000. You can automate the absolute baseline of security messaging, but as you go higher on the pyramid of training, instead of what tends to happen, where things get more automated as you tailor efforts, as you go beyond the basics you really want to get less automated, as much as you can, for as long as you can. There's really no substitute for interaction, there's no substitute for engagement, and you can take that and run with it. So we have a lot of time left, so the mic does work, and so if you have any questions please feel free to use the mic and I'll be happy to answer them. I see one.

So especially at large companies... I'm sorry, I'm having a little trouble hearing, if you can speak up. So especially at large companies, or when you are a trainer for hire essentially, carving up your audience into roles beyond everybody, the technical and maybe the executive admins, do you have any suggestions for how people can brainstorm, or how you can get that group together? Because 2,000 general users can't all be in the same auditorium at the same time. So, suggestions in that space? I would say one thing to do is, even if people can't be in the same physical space, if you have any kind of capacity for remote collaboration, whether it's like Zoom or WebEx or something like that, get people on a screen together even if they can't be in a room together, just so they still have that synchronous training, or they can be in the same discussion even if they're not in the same physical space. That also helps if they're in a bunch of different locations and they're not just, like, distributed remote. Another thing to do is start thinking about how you leverage and build security advocates in other departments, people who can be champions for you when you can't be there yourself. Find somebody in sales who can talk security with other sales people, find somebody in marketing who can talk marketing security for marketing people, things like that, because we can't necessarily be everywhere at once. So we've gotta think about fostering our champions to be our eyes and ears. So yeah, good question.

When you're speaking to a department that isn't your own... sorry, is that better? A little. I think you need to really hug the mic really close. Better?
When you're speaking to a department that isn't your own, how do you best put the bottom row on the ladder, figure out where they are and then figure out where to build from? Okay, asking is a good start. You can also, before you're actually in a room with them, try to sit down with someone, engage where they are, just try and figure out what they need and where they're at from a technical level. Sometimes it helps to ask what they're working on, and that way you might know what kind of things they're dealing with. But yeah, it never hurts to ask.

When it comes to building and maintaining community engagement, what works and what doesn't work: gamification, awards, certificates? I'm sorry, I didn't catch the last part of that. What works and what doesn't work in terms of gamification, awards, certificates? Free food, completely serious. Yeah, I think people generally like gamification; the problem is it can turn into a lot of work for somebody to build that in. But yeah, rewards, I would say just normal recognition on a day-to-day basis, always, instead of just having a few big ones, because if you have, like, a security friend award once a year it's easy for people to forget about that. So if you've got levels of giving recognition, giving good karma basically, Slack even has a karma bot that you can use, just ways of building it into the culture instead of just having small things. But also free food, if you are at a company that has a culture of free food or a budget for it.

First of all, thank you. Despite the mic issues I think you did a really great talk for everybody. What about cadence and frequency? Oh yeah, so from a compliance standpoint, usually the minimum requirement is to give security awareness training once a year for certain frameworks, but I would say it depends, is the short answer. And I guess it depends on the size of your organization and the time and resources you have and also what the needs are, but I don't think it's out of the question to have something security-related a lot more frequently than once a year, so that people don't forget it, whether it's something kind of tailored for certain people, like a secure coding workshop, or something else, just something that keeps it top of mind. And yeah, anything from, like, a monthly lunch-and-learn or something like that. Definitely more than once a year, probably more than once a quarter, just something to get people there. Cool. Anyone else? We're still doing okay on time, and if you have a question you'd prefer to not ask in the audience, I will be around for a little while afterward. I'm also @thesweetkat on Twitter, so feel free to come and find me that way. I will try not to cough on anyone. All right. Oh, we got one more. All right.

Hi, what are your thoughts on the perception that security is a function of IT? That security is a function of IT. We run into that a lot where the general perception is that security is a part of IT, and therefore it's an IT-related function, and sometimes it's hard to get people to realize the importance. Okay, yeah, so hard to get people to realize the importance of security as a function of IT. So if you're running into that issue, I don't know, why is IT important? Start there, because people probably wouldn't be able to do their jobs without internal tech support. But I think emphasizing that security is kind of a function of everything in one way or another is important too, that it's not this walled-off thing, it touches every aspect of the company. So yeah, I guess decoupling it from IT can be a thing, but you can also use that: here's why security is important as it relates to IT.

So in a perfect world, like, we're all passionate and interested in doing this, right? But a lot of times, especially in, like, smaller organizations with, like, a large user base, and it sounds weird, but like, our IT is like 7 people. Oh, sure. Like 30,000 users. So we have issues like internally generating interest in, like, the people who kind of fell into the security team at all.
So, like, my problem is getting people to just want to, like, fucking do it. Yeah, it's like, you have the same job as me, but you're not interested in, like, talking to users or, like, getting any of this information out there. Generating interest among security people, yeah, internally. Seems like a dumb question, but it's a big problem. No, it is. A lot of people think that any kind of user education is an exercise in futility, and so that's a huge roadblock that we're up against. So I think it's important to remember that users don't have to be just the weakest link in the chain. Like, they have the potential to be our greatest asset, and it's in our best interest to be engaging with them for many reasons. For one thing, if they trust us they're going to be more likely to report stuff to us, and they're not going to be scared to report things that could be detrimental to our company. So that's important to keep in mind in thinking about the way we interact with users and making sure we make ourselves available. It's also in our best interest to know what's in our environment and what people are doing, so there's a visibility argument to be had. And then making sure that we're, excuse me, I will be chugging cough drops after this. So there's the visibility argument, there's just making ourselves not antagonistic, and then, yeah, things like that. Basically, I think we need to not think about users as the enemy. And so if we can think about security education as a security control, and one that's important to implement, then hopefully security people will not, I don't want to say stop, because there will always be people that don't want to do education, but think about it as an important security control for our team.

Yeah, hi. I work for a managed service provider, so we have a lot of clients on the smaller side, and in many cases you have high-value folks like doctors, lawyers, executive types who demand lax security for themselves and then tighter security for lower-value targets, and I've never really been very successful in inspiring these folks to think about things like screen lockouts even. Oh man, I have feelings on screen lockouts. I think it can be funny to turn somebody's screen upside down if they don't lock it, but it also might make them feel shamed, and I don't think shaming is necessarily good. We want to think about carrots, not sticks. So I think you've got to find a way to bring it back to what they value, and so, as with a password manager, a lot of it comes back not to "because security" but "because productivity," because it's efficiency, it's hundreds of passwords that you no longer have to remember and it frees up brain space. You don't always have to put security in security terms; you have to sort of meet them on their terms sometimes. So think about what they value and how you can work with that.

Yeah, question. This is when it comes to a large company wherein you have a lot of users, so we already sent, like, a security awareness... Can you speak into the mic a little more? We actually have, like, a large user base in our company, so we frequently send them, like, security awareness, and as part of the security team we still receive a lot of alerts from them. So since we're already giving out, like, security awareness, what would be your best approach so we can instill it in them, make it more efficient? Because we're already giving them the awareness but still they're missing it. So what is the best way that we can implement it without forcing it on them, like providing, like, memos just for them to stop? And also, what's the best way we can measure it as well, measure the effectiveness of the security awareness? Yeah, so to address the first question, of how can we make sure we're actually doing our training effectively when you're giving security awareness and alerts are still firing: I don't think it's inherently a bad thing that alerts are still firing, because if you suddenly have no alerts in your SOC, something has gone horribly wrong. But there is no 100% secure, and there's no 100% informed user base. So I think one of the most important things is making sure that you have a positive relationship with other teams, that they feel safe to report things when something has gone wrong, and that they feel safe saying, yes, I clicked what ended up being a phishing link, so that they can admit it. Because the more information you have, the more quickly you can remediate a situation, and if you're doing something where a user isn't going to feel safe, then that, I think, in my opinion, has a higher potential for risk to the company. And so as far as thinking about effectiveness of that, I think a lot of times security awareness trainings only tend to get measured for effectiveness in terms of clicks on an internal phishing link, before and after, or over a monthly period, and I think sometimes that can actually kind of lead to phishing fatigue. They're like, oh yeah, I got another one, let me just not click this anymore. I think some other ways to think about measuring success, and this is something that I'm admittedly not, I still, metrics aren't, like, my specialty, but we want to think about other ways we can track engagement: like how many people reported an internal phishing campaign, before and after; track engagement just in general with how many people are interacting with the security team; track how quickly people update their devices when updates come out, if you're not automatically pushing out updates; how many people are using a password manager; how many people have two-factor authentication enabled; what is the attendance like when you give security trainings and security education events that aren't mandatory; or if you've got a CTF going for Hacktober, how many people play it. Also, metrics don't just have to be numbers. Numbers often lie, and narrative is data too, so think about qualitative feedback as well, and what people are saying about your security education content, and take it from there. That's often where you get the juicy stuff.

Hi, thank you very much. My question was, are there any security training resources that you would recommend? So one that I really like is the EFF Security Education Companion and their Surveillance Self-Defense guide. They have really good basic, it's in there for things like how to threat model, how to protect yourself on social media, how to set up two-factor authentication, and then the Security Education Companion also, they've got a bunch of different pre-made training modules as well as some train-the-trainer stuff. So I'd definitely check them out. Oh yeah, the Electronic Frontier Foundation, the EFF, their Security Education Companion.

Quick question, can you hear me okay? I was just wondering, can you hear me? Yes. I was just wondering, has your approach changed now that so many companies are a hundred percent in the cloud, where, like, everyone's very empowered and can open up virtual machines, and they may not understand private subnets versus public subnets and security groups and things like that? Since everyone's so empowered now, I was wondering if some of your education is towards that at all. I think that actually makes a piece of it easier, because you don't necessarily have to talk about VPNs in a BeyondCorp environment. You can say the network doesn't matter because your device is trusted. So it's not necessarily harder, just different, I would say. All right, any others? Cool, thanks for coming.