My guest this week is Kelly Shortridge, VP of Product Strategy at Capsule8, and we’re talking about infosec. We get into some interesting discussion: threat modeling, foundational security defense, why you’re totally screwed if a nation-state is after you (tip: they’re probably not), and why chaos engineering and ephemeral infrastructure are actually great for security. Also, we totally crap on security vendor FUD for a bit and how to choose security tools that actually work.
About Kelly Shortridge
Kelly Shortridge is currently VP of Product Strategy at Capsule8. Kelly is known for research into the applications of behavioral economics to information security, which Kelly has presented at conferences internationally, including Black Hat, AusCERT, Hacktivity, Troopers, and ZeroNights. Most recently, Kelly was the Product Manager for Analytics at SecurityScorecard. Previously, Kelly was the Product Manager for cross-platform detection capabilities at BAE Systems Applied Intelligence as well as co-founder and COO of IperLane, which was acquired. Prior to IperLane, Kelly was an investment banking analyst at Teneo Capital covering the data security and analytics sectors.
Kelly graduated from Vassar College with a B.A. in Economics and was awarded the Leo M. Prince Prize for Academic Achievement. In Kelly's spare time, she enjoys world-building, weight lifting, reading sci-fi novels, and playing open-world RPGs.
Mike Julian: This is the Real World DevOps Podcast and I'm your host Mike Julian. I'm setting out to meet the world's most interesting people doing awesome work in the world of DevOps. From the creators of your favorite tools to the organizers of amazing conferences. From the authors of great books to fantastic public speakers. I want to introduce you to the most interesting people I can find.
This episode is sponsored by the lovely folks at InfluxData. If you're listening to this podcast, you're probably also interested in better monitoring tools and that's where Influx comes in. Personally, I'm a huge fan of their products and I often recommend them to my own clients. You're probably familiar with their time series database InfluxDB, but you may not be as familiar with their other tools: Telegraf for metrics collection from systems, Chronograf for visualization, and Kapacitor for real-time streaming. All of this is available as open source, and as a hosted SaaS solution. You can check it out at InfluxData.com.
My thanks to InfluxData for helping make this podcast possible.
Hi folks, I'm Mike Julian, your host for the Real World DevOps Podcast. My guest this week is Kelly Shortridge, the VP of Product at Capsule8 and an internationally known speaker on InfoSec topics.
So Kelly, welcome to the show.
Kelly Shortridge: Thank you so much for having me Mike.
Mike Julian: You know I was looking at your LinkedIn and there was something that kind of stood out to me was your FINRA license. You started your career off in finance.
Kelly Shortridge: That's true.
Mike Julian: So what in the world happened there? How does that work?
Kelly Shortridge: Yeah. How does that even happen? So one, FINRA exams are very painful so I didn't want to have to re-up those, but mostly I started my career doing mergers and acquisitions covering information security companies. And while I quite liked the finance side I noticed that security had a ton of opportunity not just as far as vendors, but the problem space is huge and it's very unsolved and the incentive problems are enormous. So for someone like myself who had studied some Behavioral Economics, just all of the messy incentive problems were kind of like catnip for me. So I knew I had to go into the industry.
Mike Julian: Yeah. The Behavioral Economics side, the study of incentives. That's absolutely fascinating to me because, especially in security and systems, everything we do is incentives based.
Kelly Shortridge: Yes.
Mike Julian: And it's often incentive that we're not even paying attention to. Things we don't even think about. Like if you-
Kelly Shortridge: That's definitely true.
Mike Julian: Yeah. Like you make it hard to use two-factor and people aren't going to use two-factor.
Kelly Shortridge: Yup, so that's something that I feel like people outside of security understand immediately, but inside security they don't always understand the fact that if you don't make something that integrates into workflows, people are going to bypass it. But you're absolutely right, there's such a web of incentives and on the one hand you have things that are explicitly stated, you know, security and your privacy is important, but then you have more tacit goals and priorities, which are that, well, security's a cost center and really what matters is being able to deliver on time and, you know, releasing at a certain cadence.
So those tacit assumptions also create a bunch of incentive problems in InfoSec. But I always think that InfoSec, because they wish they were more relevant, try to be the culture of "No" and ram through really annoying technologies for people to use just to show that they're still relevant.
Mike Julian: Yeah, that hits home. I've seen that way too many times.
Kelly Shortridge: Yeah. I think most developers... It's not really a love hate relationship, it's mostly just a hate relationship for the most part. Somewhat bi-directional.
Mike Julian: What really about security drew you away from finance? Have you found there's good parallels that you've been seeing?
Kelly Shortridge: It's interesting. There's certainly parallels, particularly on the risk management side, particularly anything around risk centrality because that's a huge part of financial systems, so that's not really what I did day to day. I think what's interesting in security is there's a huge lack of effective communication. Even when you go to conferences you know, there will be some 0-day that's dropped or whatever, but it's often not communicated very well, and certainly when you look at enterprises, security priorities aren't really communicated well to the rest of the business. And a lot of investment banking is quite frankly effective communication.
It's about quickly researching something in general companies and understanding it very deeply to be able to talk about it and effectively persuade acquirers that it's worth acquiring a company, and so frankly even the Excel and PowerPoint skills I learned along the way are really helpful in just being able to talk to people about security. You know I can speak to CEOs, I can speak to Board members, I can speak to DevOps people about security in a way that's still understandable and that's what I feel like we're still missing a lot of in information security.
Mike Julian: Yeah that makes a ton of sense. I was reading one of your articles, I can't remember which one it is. I'll have to go find it and throw it into the show notes, but you made mention of attacks from nation states. And I thought that was pretty interesting. It definitely stood out to me. And perhaps I have a bit more security exposure to that side of things than the average DevOps person might, just from, I worked for the government for a while so I've seen it. But for the vast majority of people who haven't, what is a nation state? Like what are we talking about in a security context?
Kelly Shortridge: Nation state, generally in the context of an attacker, is a government sponsored entity. So in some cases it gets a bit blurry, particularly with China or Russia where you have criminal groups that either lightly or strongly have the backing of the government, or at least the government looks the other way because it still benefits, you know, the government's goals. But in general it means a nation state attacker and you'll also hear the term APT, which is an Advanced Persistent Threat. Part of the reason why they can be advanced and persistent is because they're well resourced and they're also well motivated. They have very stated goals and they have actual budgets that can go towards pwning things.
Mike Julian: This is actually a thing, like this is actually happening?
Kelly Shortridge: It is actually happening, so the extent to which it's happening, particularly for the average organization I think is a bit more dubious. I think by far and away, the script kiddie threat or the criminal group threat is far bigger.
And that's where, for example, why I transitioned to security looking at behavioral economics: there's a concept called prospect theory. And part of that is basically people overweight small probabilities and underweight large probabilities. So for example you overweight the probability that a shark's going to eat you and you underweight the probability that, you know, you'll be hit by a car, you know, succumb to some sort of car accident.
The same applies in security that people vastly underweight the fact that probably they'll succumb to phishing or some other sort of kind of like somewhat stupid scripted attack and then they overweight how much you know Mossad is a classic example, Mossad's going to you know find who your secretary is and they're going to install some special sort of pen that then transmits some sort of exploit over to his or her machine. And then that machine's going to exfiltrate data by fluctuating the power supply and someone's then hacked into the power plant to read that... all of that stuff is more fan fiction than anything else except for you know national laboratories or governments. Maybe Fortune 10’s.
So in general, people definitely like how sexy nation states are as far as this kind of attacker because no one wants to be owned by a 12 year old, right? That just feels bad.
Mike Julian: Right. That's just embarrassing.
Kelly Shortridge: Exactly. Exactly. So I think that's why there's so much focus on nation states rather than kind of the quotidian threats.
Mike Julian: I got to see James Mickens speak a while back. And one of his slides was... It basically just said, the threat model is Mossad or not Mossad.
Kelly Shortridge: Absolutely. Yes.
Mike Julian: If it's Mossad you're screwed anyway. It's like, don't bother, give up, you're done. If it's not Mossad well now we can have a conversation about what you can do.
Kelly Shortridge: Precisely. And that goes into really good threat modeling in the sense that even with, I think it was APT 28, which most people know as the one that, you know, hacked the DNC. They tried phishing first. I think it was something like google-admin, but the google had two zeros and maybe, you know, people should have spotted it. I tend not to blame users for those sorts of errors. But the point is that even these super sophisticated groups will absolutely try phishing and absolutely will try these unsophisticated methods first, because if they don't have to blow something expensive like a zero-day vulnerability, which takes tons of time to research and perfect and get reliable, they won't do it. They'll absolutely try low hanging fruit.
I think it's similar with a lot of developers, if they don't have to like reinvent the wheel and create something fancy, they won't. People tend to optimize for what's quick and what works.
Mike Julian: Right. Yeah. When I used to work for Oak Ridge National Lab, one of the first things that we were taught was, you don't plug in USB drives from outside of here. And be very careful about what links you click in an email. And the FBI came around through the InfraGard program to tell us that... they basically gave us this briefing on how system administrators are, they're kind of at the core of who nation states are targeting because they have tons of access and no one pays attention to them.
Kelly Shortridge: Definitely.
Mike Julian: That was kind of scary when I first heard it and then I realized, well actually most... what they're going to be doing is just coming in at the lowest level possible. Like here, plug in this USB drive.
Kelly Shortridge: Exactly.
Mike Julian: They're not going to be like, a beautiful woman in a bar trying to find me in this long 18 month process. That's just not going to happen.
Kelly Shortridge: Yeah. If the USB stick in the parking lot works, you might as well try it and then after that you know it's some discounted thing on NewEgg in an e-mail, right? And then it escalates from there.
Mike Julian: Yeah. Exactly. They're not starting at the top.
Kelly Shortridge: Exactly. I think it completely defies human nature to think that they would start with the most expensive option rather than exhausting the rest of the options.
Mike Julian: The threat modeling here is really interesting to me because... so say the attacker is going to be starting with the cheapest perhaps most effective option, that means how I'm thinking about my defense is also going to be very different. I'm not protecting against these really fantastical situations. I'm protecting against phishing links.
Kelly Shortridge: Yes.
Mike Julian: When I'm trying to design some sort of security posture and like, I'm a DevOps engineer, I don't have any standard security staff I don't have any specialists around me, what can I do?
Kelly Shortridge: So one thing that I definitely recommend, and it's actually lucky because it's somewhat easy, is just go through kind of 101 guides on how to hack web applications. Because whatever the 101 guide says is probably what their minimum viable threat model is, right?
It's the same thing with corporate security. Going through and trying to crack passwords is probably step one, using some sort of dictionary. Obviously something like two-factor kind of mitigates that. So what I've proposed before is the concept of decision trees, which I assume a lot of the audience will be pretty familiar with.
But if you're not, it's basically the idea that you start with, okay, you have the state of the world, you have some sort of attacker and you have, let's say, an application that contains sensitive information. Obviously the attacker isn't going to care about the non-sensitive information. They'll probably go for whatever the, let's say, credit card data.
Then you figure out, okay, what's the easiest way the attacker will get there? So I have this notion called YOLOsec, which is basically if you do nothing and you just hope that security will happen out of the ether. That would be, for example, if you're storing the credentials in the database, you don't have any network segmentation. You don't have any data tokenization. You certainly don't have any access control on it. So that would be the YOLOsec option.
And so then when you start to think about, okay, if we did absolutely nothing, what would be the easiest thing for the attacker to do? You can start eliminating those paths and then forcing the attacker down the hardest paths possible, which again eliminates a lot of the very common script kiddie threats. Then you move on to eliminating the common criminal group threat. And finally, again, once you get to the Mossad level, like just don't care about Mossad, they're going to find a way regardless. So as long as you keep forcing attackers down that harder path, you're going to frankly eliminate yourself as a target.
Mike Julian: That's fantastic advice and for whatever reason, and I'm kind of ashamed to admit this now, I never considered looking at the 101 attack guides to figure out how to set up my defense.
Kelly Shortridge: Yeah. I think if you want to role play a bit it's like, okay, imagine you're a teenager, you know, the stereotypical teenager in Eastern Europe, what would you do first? You know that you're... I assume probably a lot of your listeners are at technology companies. You know of a technology company through an article in TechCrunch. You know that they have sensitive customer communication, something like that. Okay, now you think, how am I going to hack them? You're probably going to go to really stupid guides at first, so just look at those and eliminate all of those stupid ways, right?
Mike Julian: Yeah.
Kelly Shortridge: Yeah.
Mike Julian: How do you consider... you're absolutely right.
Kelly Shortridge: Yeah.
Mike Julian: So you and I were talking before we started recording, about... DevOps people and security people.
Kelly Shortridge: Yes.
Mike Julian: And you have opinions on this. Can you tell me more?
Kelly Shortridge: I do and I'm a bit of a traitor in that I definitely empathize more with the DevOps side than the security side of things. But-
Mike Julian: Why is that?
Kelly Shortridge: It's that way because I really dislike the notion that I see a lot in security, which is again that culture of “No.” It's that notion that there's this almost, you know, I almost call it this moral and almost like missionary perspective of there's this abstract perfect security archetype and every company has to meet it and anyone who violates security is just, you know, violating divine blessing or something like that. It's just very overly serious to a certain extent and there's this lack of self awareness that security most of the time slows companies down. And that if security isn't working on behalf of the business to make sure the business can survive and not choking out those workflows, then what is it doing? If it's hindering the business then you might as well not have deployed security at all because mostly, frankly, most of the consequences of any sort of breach are reasonably minimal, particularly with the rise of cyber insurance, which means you'll get reimbursed for incidents.
So to me DevOps at least understands, okay we are supporting money making activities, but also we do face cost constraints and stuff. Security doesn't quite have that same level of self awareness and they certainly aren't making money for the business. So, again I empathize more with the people that seem to be supporting the business more than not. And I do in my experience think that when I talk to DevOps people about security they're way more receptive than when I try to talk to security about DevOps and what they can learn.
So that's part of why I side more on the DevOps side. But my thesis right now, which I've been harping on for at least a year now, is that DevOps and security should actually be BFFs. They're frenemies but they shouldn't be. But there are obviously a bunch of cultural challenges. There's a ton of scar tissue, but ultimately with the rise of something like resilience engineering, you can extend the concept of, like, okay, assume that things are going to fail, to assume that things are going to fail also in a security context. There will be a breach. So really there's a lot of common ground that I think both teams, so to speak, don't realize exists.
Mike Julian: Tell me more about those cultural challenges you mentioned.
Kelly Shortridge: There are a ton of cultural challenges. So for one security people tend to have the break it mindset rather than the build it mindset. And they tend to think that most people who don't consider security first, are stupid. So if you aren't beginning your design phase with architecting perfect security, a lot of times they'll just think that developers are fundamentally less intelligent. That's something I've legitimately heard. And I think that's stupid in itself. Right? It's just-
Mike Julian: Yeah that's awful.
Kelly Shortridge: Yeah. There are different priorities obviously. I think on the DevOps side, there's also this notion of it's the, what is it... fail fast or fail faster, maybe I'm just quoting Silicon Valley at this point, but you know building things not necessarily with regard for security. Which also isn't great because security still is a part of managing business risk. So I think it's... fundamentally those mindsets are different, and frankly the best security people I know are the ones who have developer experience.
Kelly Shortridge: And even on the DevOps side the ones who tend to consider security, tend to be I think better in organizations. I love the stat from the state of DevOps report by Dr. Forsgren, where it states that companies that resolve security incidents more quickly and also have security sooner in the build phase, actually reduce any time to recovery. It actually benefits the business. And it benefits velocity when you're considering security. It's just, are you doing it in the right way?
Kelly Shortridge: I have not.
Mike Julian: Oh. It's a really great book by Gene Kim.
Kelly Shortridge: Okay.
Mike Julian: And how it opens up is talking about this archetype of a security professional and this person, I think they named him John. It's a parable, which is a really great read, really enjoyable. But this character John does all this bunch of stuff and just isn't telling anyone that he's doing it. And then the entire application completely crashes.
Kelly Shortridge: I believe it.
Mike Julian: And then he starts blaming everyone else and like, oh well, none of you care about security and I'm the only one protecting this company and, all of you else only care about making money. And like, we've got to save this.
Kelly Shortridge: Exactly.
Mike Julian: And then it progresses through and there's kind of a... this security person changes their mindset over time with the input and experience of talking to other people to realize, well, no, there are actually layers of security and I may not see them all.
Kelly Shortridge: Exactly.
Mike Julian: So the example given in the book was the security person wanted to encrypt a field with CVVs or something like that, and it later came out that was completely unnecessary because finance had paper controls to handle it all.
Kelly Shortridge: Okay.
Mike Julian: So it was a completely moot point, but in doing so he actually broke the entire business as a result of making this completely unnecessary change because he was only seeing things from his perspective.
Kelly Shortridge: Yes. Yeah. I feel like half of my talks around conferences are about seeing things from other people's perspectives and teaching security people how to do that. So I'm not sure if the parable has been fully digested yet in InfoSec, but I think it's a good one.
Mike Julian: Like hearing everything you're saying, I'm like, surely we've solved this by now. But apparently not.
Kelly Shortridge: No. If you look... One meme that I really hate and if you hear security people telling you this, don't believe them, is that the pace of attacks and you know attackers shifting methods it's just evolving constantly and we could never keep up. That's just not true. For the most part if you look at underlying techniques, they don't change that much. Even phishing is something that was happening in the 90s. So fundamentally-
Mike Julian: That's interesting-
Kelly Shortridge: Yeah, fundamentally things don't change all that much. Though I do think on the positive side of things, some of the new technology around infrastructure is actually changing things for the better. But otherwise if someone is saying that they can't keep up with the pace of change, it means that they don't have good underlying basics in place. And so they are just constantly reactive. And that's a huge problem in security, is very few people are proactive and thinking frankly more in the DevOps kind of like architectural view, rather than in just like, oh there's a fire, must put it out. Okay next fire, et cetera.
Mike Julian: Right. So I want to get into that but I have one other question before we talk about that area. We've been talking about this terrible archetype of security people. Some of the people listening have security staff that they may not have the best of relationships with. What can they do to start to bridge that gap? You mentioned that DevOps and security should really be BFFs. How do we get there if we're not already?
Kelly Shortridge: So one reason why I like resilience is because of all the commonalities there are with security. So I think even starting with the conversation about, like, okay listen, we want to make sure that our apps have really good uptime and they aren't disrupted somehow because we have to be performant. What are some of the security benefits there? Is there a way that maybe we can collaborate to make sure that part of that uptime, for example, reduces the threat of, like, denial of service? That's something that I think both goals have in common. Kind of looking for what are you working on and where could that somehow apply to security, I think, is a good first step.
Also just acknowledging, it's a bit of, I guess, ego stroking and nudging in a certain way, but acknowledging like, listen, we think security's really important, like we're looking to implement x technology, kind of leading into kind of the next discussion we'll have, like, what are some of the security benefits here? Like for service meshes, for example, is there a way that this orchestration can actually reduce work for you? We know that you're super busy and you're putting out a ton of fires. Is there some way that we can actually help automate this for you because we're going to automate some stuff for ourselves?
So I think those are the sort of olive branches I would recommend. It's kind of like you don't want to tell them they're unimportant.
Mike Julian: Sure.
Kelly Shortridge: That's... right? That's their biggest fear in a certain way. But I think sometimes they just fundamentally don't realize... they see new technology as something almost scary and it's another, again, fire they have to put out. It's another threat model they have to create. So figuring out, okay, like we're frankly going to do this regardless, like what are the ways that we can reduce work for them, is something that I think for the most part security people will be really receptive to.
Mike Julian: I have found that telling a security team that thinks like that, hey, by the way, we're going to turn over all of the servers every couple days, or every couple minutes. Like we're just going to rotate the entire infrastructure and also, by the way, we're going to consistently break our own infrastructure intentionally. And you just see their heads explode. Like, "You can't do that!"
Kelly Shortridge: Yes. So here's my counter, because this is something I've been talking about constantly and will keep talking about, is something like that, what you just mentioned... Remember back to that nation state and the APT, well, the P in that is persistence and it turns out it's really hard to persist on something that's constantly rotating, right? So there are actually security benefits. So you can tell them, "No, you can even drop my name, not that I'm super important, but say like, listen, I heard that it's really hard for an attacker to persist if our infrastructure's constantly rotating."
Another thing I've constantly mentioned is how Chaos Monkey is actually a really good security tool, not just a resilience tool, for that reason, because it reduces persistence. Again, bringing up service mesh, I believe we've personally only scratched the surface, but I promise you most security people know nothing about it. And I guarantee you they don't know the fact that it means that they don't have to manage individual blinky boxes anymore. That they can actually just deploy firewall rules and access control and stuff like that in a much friendlier manner.
So I think it's trying to, and this is where I put the onus more on security to understand the technology rather than on DevOps to understand the threat models and the security needs, by going back to, if you create a really basic threat model, right? And you go through those 101 things and every time you're looking at new technology like you mentioned, thinking about, okay, how would this stop the script kiddie? Where would this make it difficult for them? And presenting that to the security team is a really effective way to remind them like, "Listen, this isn't scary, this is something that can actually help you."
Mike Julian: Yeah. I mean it's hard to not be scared when you go into security conferences.
Kelly Shortridge: Yes.
Mike Julian: Until recently I lived in San Francisco, so... RSA Conference is there every year. And walking the floor of RSA it's hard to not think the world is burning and everything is awful.
Kelly Shortridge: It's so true. There's so much fear, uncertainty and doubt in all of the marketing messaging. I personally hate it. I think it's totally unnecessary, but yeah I think security, the industry itself really tries to be inaccessible and sound scary, which totally hurts and then they complain about the fact that there's a security skills shortage. And it's like, well you're kind of presenting the industry like a nightmare. No wonder people don't want to join in with you.
Mike Julian: Right.
Kelly Shortridge: So I definitely quibble with that. But I think remembering that security fundamentally is about, in this digital age, businesses are just inevitably, they have to be in the digital world. Just making sure they can survive. That's fundamentally what security is. There are digital risks and how can we make sure the business can still survive and ideally thrive with those digital risks. We remove the nation state stuff and, you know, the 0-day and the FUD and all of that. When you make it that simple I think it's a lot more accessible and it starts to make a lot more sense as far as what you should do strategically.
Mike Julian: If I'm looking at security products, like something to help me, should I just categorically ignore all the ones that are using FUD and marketing?
Kelly Shortridge: I think you may be left with basically no products to be honest. I think-
Mike Julian: Well that sucks.
Kelly Shortridge: Yeah it does suck. It's incredibly difficult even for seasoned security professionals to navigate. You know, they're seasoned with 20 years of experience and still talk to me about how difficult they find it just to figure out what companies are actually doing, particularly with the rise of AI and machine learning and everything. Then they just hand wave and say, "Oh it's our crystal ball, don't worry about it." Which is helpful to no one.
So I think if you're a systems administrator or a DevOps person looking at security tools, the key thing to ask, I would say, is start with the workflows. Make sure that you're not going to be adding undue work, because if something, you know, some, what are called SIEMs, I think like Splunk and other things that basically ingest a bunch of data and help you manage alerts and stuff like that, sometimes those can add 30 hours of work a month just to maintain them, right? Yeah.
Mike Julian: Wow.
Kelly Shortridge: They're really difficult to implement and this is often across the board with security products. They're really difficult to maintain so just starting even with like, okay but what's the realistic, essentially cost of using your product on an ongoing basis, I think will help you a lot because security shelfware isn't going to help anyone.
I think the other thing is specifically looking at the site to see, are they kind of pain... do they at least acknowledge that that's even a pain point. Because companies that are just hyping up again like the machine learning or the AI and stuff like that and not talking about optimizing workflows or reducing manual effort. Those are the ones that probably in general aren't going to provide as much value. Again, because either they're going to sit there or they're going to be so time consuming that you can't actually focus on more strategic products.
Mike Julian: It has been absolutely fantastic chatting with you.
Kelly Shortridge: Thank you so much, yeah.
Mike Julian: I've learned a ton. This is great.
Kelly Shortridge: Yes definitely and anyone listening, feel free to always talk to me because I'm always looking to see how we can... don't tell the security people, but how to make security teams a little more obsolete and integrated more into the DevOps process itself.
Mike Julian: Well on that note, where can people find you?
Kelly Shortridge: Yes, so I have a website, swagitda.com. It's S-W-A-G-I-T-D-A. It's a finance joke for another time, but I have both speaking and writing sections which include kind of blog posts, both long form and shorter, as well as some of the conference presentations I've given, and that word 'swagitda' is also where you can find me on Twitter and reach out.
Mike Julian: Well fantastic. Well thank you so much.
Kelly Shortridge: Thank you so much Mike.
Mike Julian: And to the rest of you, thanks for listening to the Real World DevOps Podcast. If you want to stay up to date on the latest episodes you can find us at realworlddevops.com and on iTunes, Google Play, wherever it is you get your podcasts.
Mike Julian: I'll see you in the next episode.