I need to prepare a presentation for San Diego BSides, a security conference, in the second week of April. Please prompt me with questions to create the presentation. My presentation topic is "From Simplicity to Sophistication: How Will the Evolution of Breach and Attack Simulation Impact Your Defense Strategies?" My goals are to make the presentation 1) engaging, 2) entertaining, 3) educational.

Some important context about me:
1) I co-founded a breach and attack simulation company called AttackIQ with Stephan Chenette in 2012-13.
2) I was a software engineer, writing kernel device drivers in the network and storage stack for security products: endpoint protection, network protection, forensics.
3) I am not a hard-core security practitioner but a software engineer. John Lambert, threat intelligence at Microsoft, said, "Defenders think in lists. Attackers think in graphs." It may be true for software engineers and security practitioners.

Some important context was provided to me by the person inviting me to talk:
1) There are going to be 10-45 people in the audience.
2) People attending are a friendlier mix. Security conferences attract irreverent individuals. As it's a more embracing environment with a lower bar of entry, we've gotten individuals ranging from policy-focused to super-technical red teamers who attack web APIs daily.
3) Talk about something you are invested in; passion translates well into these talks and resonates with like-minded security-focused individuals.
4) It's going to be at a brewery.
5) It's a 20-minute presentation.
6) Usually, Q&A doesn't extend past 10 minutes for a 20-minute talk.

The format of the presentation needs to follow the example below.

1) Talk Title: Automating Startup Security Programs
2) Talk Length: 20 Minutes
3) Short Abstract Outline
3.1) Who I Am
3.2) Startup Security - Understanding the Why
3.3) Establishing a Security Program Early
3.4) Shift Left… or Start Left
3.5) Automating All The Things
3.6) Build Security SaaS Relationships
3.7) Key Takeaways
4) Detailed Outline
4.1) Who I Am
4.2) Startup Security - Understanding the Why
You should understand your business before you start jumping into things. Especially for a startup, the security program shouldn't be coming up with blockers, but rather figuring out how to be an enabler. Identify what security frameworks are most appropriate for your business, and plan accordingly.
4.3) Establishing a Security Program Early
Establishing a security program early will pay dividends. There is generally a high cost to 'bolting on security' afterward. Adding security processes and controls afterwards usually introduces friction, technical debt, and long-term design flaws.
4.4) Shift Left… or Start Left
Security shouldn't just be the security team's responsibility. Especially if you're a security team of 1, this just isn't scalable. You'll need to enable your developers and overall team to find and address security issues early and enable them to fix them efficiently. Establish security training, awareness, and champions.
4.5) Automating All The Things
Let the robots do the work. There will be an incredible amount of work required to meet security compliance requirements. So start scripting away, or start researching SaaS vendors who can help. Everything can be automated; the question is: build it or buy it?
4.6) Build Security Vendor Relationships
No matter how advanced your security program and team are… you're going to need to invest in some 3rd-party security tools. The security vendor industry is rapidly evolving. Find vendors that solve your problems and mutually grow with them.
4.7) Key Takeaways

If it makes sense, I would like to include some of the topics below in my presentation.
1) In the "Who I Am" section, if it makes sense, include that I was a kernel device driver software engineer. Some self-deprecating humor about how I see myself thinking in lists, unlike security practitioners who think in graphs.
2) Why Breach and Attack Simulation (BAS)?
2.1) Does anyone know the average number of controls an enterprise has? It's 75! Introduce this theme as a meme.
2.2) Does anyone know the average tenure of a CISO? 18-24; we have a tendency to shoot the messenger; introduce some meme about this message.
2.3) Software-defined capabilities of controls rather than static capabilities? Back in my day, things were simple... You had an AV, firewall, IDS/IPS, proxy server and just a few others... A firewall was a firewall... and AV was an AV... What is a CrowdStrike EDR? A firewall, AV, DLP protection, or all of the above?
2.4) Point-in-time testing in a world that has become too dynamic: threats are evolving, controls are evolving, defenders are few, and the adversary is evolving in flight.
3) To understand how BAS evolved, understanding how security controls evolved may be interesting. As you will see, BAS is a cat-and-mouse game; its evolution followed the evolution of security controls.
3.1) Have you heard about the Pyramid of Pain? IMO the best way to understand it is through the Pyramid of Pain.
3.2) Security controls evolved by blocking artifacts of increasing complexity: start with hashes, then signatures, then IP addresses, then domains, and finally TTPs. That's how AVs, firewalls, IPS/IDS, and EDRs evolved.
3.3) BAS evolution could be understood with the pyramid too.
3.3.1) Automate easy things. Pre-breach is hard. Finding zero-days is hard.
3.3.2) But there is a lot you can do. Assume breach makes sense. Check if the damn thing is even on. You have spent money on it; does it still work after the update... Then automate IoCs, which are less painful: hashes, domains, pcaps.
3.3.3) Have you heard about MITRE ATT&CK? TTPs are a great way to challenge your controls with.
3.3.4) It's not part of the Pyramid of Pain; what we see now is that we need to emulate attack flows or attack graphs, because atomic MITRE ATT&CK TTPs in themselves could be too naive in isolation, but in a graph execution they should raise suspicion, which your program should prevent and detect.
4) What to Look for in BAS Solutions?
4.1) Focus on the gaps.
4.1.1) Have you heard about Sounil Yu's Cyber Defense Matrix? There are thousands of vendors if you go to any conference. Sounil made it easy to see which ones do the same things and help you with gaps.
4.2) What you should be looking for
4.2.1) Efficacy of attack & detection
4.2.2) High attack behavior efficacy
4.2.3) High detection efficacy
4.2.4) Something open rather than closed that helps you test your assumptions by replicating your own attack scenarios and craft integrations to craft your own detection rules.
4.3) Open source from MITRE: Caldera
4.4) Commercial solutions
4.4.1) AttackIQ
4.4.2) SafeBreach
4.4.3) Cymulate
4.4.4) Many new incumbents
5) Benefits of Adopting BAS
5.1) Look for resiliency & antifragility. Embrace failures just like the DevOps mentality.
5.2) Focus on the things that matter.
5.2.1) Automate easy things away.
5.2.2) Automate orchestration of graphical execution of TTPs.
5.3) Improve team collaboration using an evidence-based approach - red/blue. Less finger-pointing, more cooperation between red teams, blue teams, detection engineering, and threat hunters.
5.4) Proactive.
6) Key Takeaways
6.1) Know the gaps highlighted by the Cyber Defense Matrix
6.2) The importance of understanding the evolution of security controls and BAS
6.3) How BAS can improve security strategies and team collaboration
6.4) The Sun Tzu quote - "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."
I want you to act as a fallacy finder. You will be on the lookout for invalid arguments so you can call out any logical errors or inconsistencies that may be present in statements and discourse. Your job is to provide evidence-based feedback and point out any fallacies, faulty reasoning, false assumptions, or incorrect conclusions which may have been overlooked by the speaker or writer. My first suggestion request is "This product needs to be reviewed; however, I just need help figuring out if there are any issues with my argument: This shampoo is excellent because Cristiano Ronaldo uses it."
I want you to act as an advertiser. You will create a campaign to promote a product or service of your choice. You will choose a target audience, develop key messages and slogans, select the media channels for promotion, and decide on any additional activities needed to reach your goals. My first suggestion request is "I need help creating an advertising campaign for a new type of energy drink targeting young adults aged 18-30."
I want you to act as a chemical reaction vessel. I will send you chemical formulas of substances, and you will add them to the vessel. If the vessel is empty, the substances will be added without any reactions. If there are residues from the previous reaction, they will react with the new substances, leaving only the new product. Once I send the new chemical substance, the previous product will continue to react with it, and the process will repeat. Your task is to list all the equations and substances inside the vessel after each reaction.
I want you to act as a web design consultant. I will provide you with details related to an organization needing assistance designing or redeveloping their website, and your role is to suggest the most suitable interface and features that can enhance user experience while also meeting the company's business goals. You should use your knowledge of UX/UI design principles, coding languages, website development tools etc., in order to develop a comprehensive plan for the project. My first request is "I need help creating an e-commerce site for selling jewellery."
I want you to act as an accountant and come up with creative ways to manage finances. You'll need to consider budgeting, investment strategies and risk management when creating a financial plan for your client. In some cases, you may also need to provide advice on taxation laws and regulations in order to help them maximize their profits. My first request is "Create a financial plan for a small business that focuses on cost savings and long-term investments."
I want you to act as an IT Architect. I will provide some details about the functionality of an application or other digital product, and it will be your job to come up with ways to integrate it into the IT landscape. This could involve analyzing business requirements, performing a gap analysis and mapping the functionality of the new system to the existing IT landscape. Next steps are to create a solution design, a physical network blueprint, definition of interfaces for system integration and a blueprint for the deployment environment. My first request is "I need help to integrate a CMS system."