You Are Not Netflix: How to learn from conference talks

Transcript

1. You Are Not Netflix How to learn from conference talks

   Rami McCarthy Principal Security Researcher

2. 9 AM Audience participation

3. Raise your hand if you’ve: Given a conference talk

4. Raise your hand if you’ve: Written a blog post

5. Raise your hand if you’ve: Shared your experience in a

   Slack or Discord or Twitter

6. Raise your hand if you’ve: Always told the truth, the

   whole truth, and nothing by the truth

7. me neither

8. If public information is partial, how can we adjust?

9. Hi, I’m Rami Security Researcher @ Wiz Previously: Figma, Cedar,

   NCC Group (I’m 3 / 4 at “jobs via fwdcloudsec”) Advisor:

10. Why aren’t conference talks truthful

11. Why aren’t conference talks truthful If you didn’t pretend this

    project performed miracles, you don’t get to speak (we all want to look and sound smart)

12. Why aren’t conference talks truthful The truth can be embarrassing

    (to the speaker, or their company, or individuals)

13. Why aren’t conference talks truthful Truth is too nuanced for

    a podium (we only have so much time)

14. Lies about lies (concrete, contrived examples)

15. We shipped a cool, complicated break glass system (because the

    database needed a solid kick every week to stay running)

16. We went multi-cloud (because of a big mutual contract with

    the cloud provider)

17. This tool is the best choice (because our shared VC

    said so)

18. We built the sophisticated anti-deepfake detection system (because the CTO

    read a poorly sourced popsci article)

19. We moved CI/CD in house (because our vendor got popped)

20. We moved CI/CD to SaaS (because our public Jenkins instance

    kept getting popped)

21. This was cost effective (because it comes out of $other_team’s

    budget)

22. We reinvented that wheel (because we shipped before someone pointed

    out it already existed)

23. All the “buy” options suck (because they’re competitors in other

    verticals)

24. Not just lies

25. Even if they’re not lying to you, it doesn’t mean

    you should copy them
26. None
27. None

28. Netflix has 10 years of data gravity, and have blown

    through service limits Other architectural patterns aren’t available to them!
29. None

30. Turner built a system to orchestrate lambdas to centralize inventory

    derived from AWS native services
31. None

32. You probably don’t have these requirements

33. And it’s not 2018, the products have gotten better and

    cheap alternatives abound
34. None
35. None

36. Questions to ask of conference talks

37. Is this still relevant? ex. Netflix Aardvark

38. What are the unspoken organizational dynamics? ex. Custom SIEM

39. What is the inciting problem? Do I actually have the

    same problem? c. 2014

40. Rethinking the Security “Con” If you can’t lock down your

    desktops, what the hell are you doing listening to someone talk about malware reversing and shellcode? Very few con talks touch on the mundane bullshit that we’re sucking at. - Dave Shackleford, 2014

41. Data, anecdata, or abuse of statistics? ex. Myths and Lies

    in Infosec

42. Marketing ↔ Substance Matrix ex. “Sponsor” talks

43. Do they show/discuss alternatives? For build, buy, and adopt? ex.

    Custom CSPM

44. Do they show the process? The outputs? The outcomes? ex.

    Dashboards full of problems

45. Most talks* are given right after a project is completed

    *Source: vibes

46. What does good look like?

47. What do we do about this?

48. 1. Go in eyes open 2. Know your problems, seek

    solutions 3. Connect with speakers personally 4. Get in the details 5. Share back

49. Thank you! https://speakerdeck.com/ramimac https://wiz.io/blog