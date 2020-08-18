

The Dynamic Duo

How Batman and Robin have saved Ops at Contrast Security. Or, Engineering Human Systems that create high performing software systems.

Published in: Software

  1. WELCOME TO THE ERA OF SELF-PROTECTING SOFTWARE | CONTRASTSECURITY.COM © 2018 CONFIDENTIAL
     The Dynamic Duo
     How Batman & Robin have saved Ops at Contrast Security
     Boyd E. Hemphill, Director of Cloud Engineering | @behemphi
  2. In this talk ...
     ● Problem - Ops are first responders.
       ○ IT Concierge
       ○ Incident response
       ○ Can I ask you a quick question?
     ● Problem - First responders need assistance
       ○ Remove toil
       ○ Improve visibility
       ○ Strive for prevention over reaction
     ● The Messy Reality
       ○ What it takes to get where we are today
       ○ We have a ways to go
  3. Ground Rules
     ● Laugh at me
     ● Interrupt with questions in chat
       ○ Please allow me to defer if it will be covered later
     ● Laugh at yourself
     ● Learn something
     ● Share something
  4. About Me
     ● I am an old man
       ○ I yell at the Cloud (Engineers)
     ● I’m hiring
       ○ So, if you want to get yelled at … (?)
     ● Recovering SysOp/DBA
       ○ Why I yell?
     ● PHP Developer
       ○ Why I chose YAML developer
     ● DevOp
       ○ Because it’s a job title
     ● CTO - pfffft
     ● Director of Cloud Engineering at Contrast Security
  5. Melvin Conway
  6. Conway’s Law
     Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.
  7. Two Systems
     What?
     ● Manager Land:
       ○ The system of people who produce software.
       ○ Owned by the manager _and_ the team
     ● Engineer Land
       ○ The system of technology that represents a product or platform.
       ○ The tool chain for producing the product or platform
     Woah!
  8. Human System versus _and_ Software Systems
     What?
     ● Humans have
       ○ opinions
       ○ context
       ○ the need to be heard
     ● Software has
       ○ Defects
       ○ Incidents
       ○ Humans to care for and feed it
     ● That last bullet point is critical
       ○ Without a healthy and intentional human system, the software system will be chaotic
     Humor is “truth”
  9. My Conclusions (YMMV)
     Where the ideas come from
     ● We generally underinvest in the system of people so we can maximize time writing code.
     ● It is hard, skilled and time-consuming work to design and implement the right system for a group of people
     ● That work must be prioritized over other types of work if the _human_ system that produces the _software_ product will be successful
     Humor is “truth”
  10. Conway’s Law
      Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.
      It is my job, as a leader, to ensure a humane and effective _people_ system that produces the platform our customers want. I engineer this system in concert with my boss and peers.
  11. Batman
  12. Project Management is coming to get you. You’ve missed another deadline.
  13. Sorry … You’ll have to complain at me later …
  14. We in Ops are first responders
  15. Who is the ultimate first responder?
  16. Batman’s Mission
      Unblock those who cannot get their work done (empathy for other teams)
      Protect Cloud Engineering and its high value work from random interrupts (empathy for our team mates)
      Facilitate Knowledge Transfer (continuous human-system improvement activity - more team empathy)
      Make on-call suck a little less (empathy for the individual human)
  17. Unblocking Others
  18. The Bat Phone
      Why?
      ● Fun
      ● Easy to Remember
      ● Intuitive
      ● Because “@OpsOnCall” limits the scope when we are dealing with unknowns.
      ● We _want_ others unblocked so they can get their jobs done.
        ○ That is how Contrast makes money!
      It’s Corny
  19. @batman is a great communicator
      How?
      ● Polite
      ● Effective
      ● Responsive
      ● Follows the sun for all our offices
        ○ Belfast and NZ work a bit different
      It’s Corny
  20. Protect CloudEng
  21. The Weekly Bat Rotation
      Why?
      ● We dedicate an entire human to this role
      ● Follows our on-call rotation
      ● No more personal IT concierge
      ● Make on-call suck less by removing deadline obligations for the week
      Batman is the Best!
  22. @batman works alone (so far as others are aware anyway)
      Why?
      ● Because the rest of us can say, “Please ask @batman in #operations” and get back to our high value work.
      ● Over time everyone in the company gets trained on that simple behavior
        ○ (Pavlov & drooling dogs here)
      Batman is the Best!
  23. @batman is an antihero
      Why?
      ● The need for heroes in Ops is antithetical to what we strive for:
        ○ Boredom
        ○ Prevention
      ● “Batman” is a subtle nod to the idea that we don’t want to be heroes
      ● The reality is, however, we needed someone to save CloudEng from all the interrupts
      Batman doesn’t want to be batman.
  24. Facilitate Knowledge Transfer
  25. @batman has staff
      Why?
      ● Batman can - and does - ask for help internally
      ● Batman learns when he/she does not know how to help
      ● Prevents those outside the team from developing a personal IT Concierge
      ● Means each of us has to gently say, “No” when someone reaches out directly.
      Justice League
  26. Make On-call Suck Less
  27. @batman is underutilized
      Why?
      ● Because the busier someone is, the longer it takes for the next person with a need to get service (lead time)
      ● Because being on-call sucks, so let’s make the day a bit easier.
      He’s a trustifarian!
  28. Manager Maths
      Consider Batman is busy 50% of the time in this role. He might appear to be a slacker, but (50% * 1 hour) / (100% - 50%) means the lead time on starting the request is about 1 hour. Let's call this acceptable.
  29. Manager Maths
      Now consider Superman. He is busy 90% of the time. At first blush Superman looks like a superhero, but (90% * 1 hour) / (100% - 90%) = 9 hours lead time to get a task started. Over a day!
  30. Manager Maths
      Clearly Batman is better than Superman when considering that we want to be able to handle things quickly and predictably for our external customers.
  31. Idle hands are ...
      Opportunity
      ● Gaining some sort of certification
        ○ AWS
        ○ Sumologic
        ○ Kubernetes
        ○ Secure Code Warrior
      ● We all have those things we must do for HR & compliance reasons.
      People
      ● Time to invest in oneself professionally
      ● Time to do that one small thing you’d love to work on.
      ● A benefit to the team as a whole
      ● Continuous improvement applies to _people_ as well as process and tech!
      ● Humane
  32. Batman’s Mission (reminder)
      Unblock those who cannot get their work done (empathy for other teams)
      Protect Cloud Engineering and its high value work from random interrupts (empathy for our team mates)
      Facilitate Knowledge Transfer (continuous team improvement activity)
      Make on-call suck a little less (empathy for the individual)
  33. Robin
  34. Real first responders train regularly
  35. They regularly maintain their equipment
  36. They work to prevent above all else
  37. Enter Robin
  38. Robin’s Mission
      Ensure that what we learn from incidents is put into practice (reduce the number of times we see the bat signal)
      Remove toil from the batman role (keep Batman’s thumbs twiddling)
      Provide capacity for scheduled work (change the oil & rotate the tires)
  39. What Robin Does
  40. Robin makes @batman less busy
      What?
      ● Prevent
      ● Improve
      ● Maintain
      ● Train
      ● Robin strives relentlessly to help the team achieve boredom
      ● Robin secretly wants to put Batman out of business
      The real hero ...
  41. Prevent
      What?
      ● Study key system metrics to understand what trouble is coming our way
        ○ Slow query log
        ○ Queue depth
        ○ Message latency
      ● Propose internal projects to prevent issues on the horizon
        ○ Project to tune queries
        ○ Story to compress queue messages
      It was only a little ...
  42. Improve
      What?
      ● Study a noisy alert and adjust it
      ● Add a linter to the Terraform build pipeline and fail the build before code review
      ● Update the runbook
        ○ We are now gearing up to create automated run books and remove the need for on-call to correlate to privilege.
      Because ...
  43. Maintain
      What?
      ● Replace a TLS certificate
        ○ Oil change
      ● Patch servers
      ● Rotate secrets
        ○ Tire rotation
      No Maintenance => Incidents
  44. Train
      The possibilities
      ● Conduct Fault Injection Experiments regularly
        ○ Reboot the DB
        ○ Kill Elasticache
        ○ Reboot AmazonMQ
        ○ Instruct a team mate to lie 20% of the time for a week.
      ● Restore a database backup and check RPO and RTO
      ● Red Team!
      ● Restore system to different region
      Say it with me ...
  45. How Robin Happens
  46. Enabling Robin
      What?
      ● Are you thinking PDCA?
        ○ Plan
        ○ Do
        ○ Check
        ○ Act
      ● Maybe W. Edwards Deming is the boy wonder?
      Deming behind the mask?
  47. Enabling Robin
      What?
      ● Maybe OODA instead?
        ○ Observe
        ○ Orient
        ○ Decide
        ○ Act
      ● Maybe John Boyd is the boy(d) wonder?
      The Boy(d) Wonder?
  48. The Making of Batman And Robin
  49. A hard truth done truthfully ...
      My motivation
      ● Under the umbrella of sharing some effective ideas …
        ○ Damian and I want to entice you to Contrast Security.
      ● Presentations like this are lies
        ○ We present an ideal
        ○ Wherever I go, rainbows follow
        ○ It’s as if there isn’t real _work_
      ● You leave this talk and become inherently dissatisfied with your current job
      You need one of these ...
  50. STOP and THINK CRITICALLY
  51. Continuous Improvement is Hard to Recognize from Inside the loop
  52. The Rise of Batman
      ● We were three engineers and me when I arrived in May 2019.
        ○ We could not get any sustained effort going on strategic work
        ○ One guy fielded nearly every team interrupt
        ○ Our platform was waking us up 2 to 5 times per week in off hours
        ○ The humane work environment my boss had hired me into was straining
        ○ Change was necessary, yet …
      ● Batman was born in conflict from the name to the need
        ○ I exchanged over 10,000 written words with the team over about two weeks (real work/time)
        ○ I was told I was stupid and would ruin the team (yep really)
        ○ Leadership is a lonely place sometimes and it is _always_ hard.
      ● By November we’d added two engineers, but
        ○ Batman was way too busy
        ○ Team agreed it was working
        ○ Many a heated discussion in Team Meeting about what was (not) appropriate work
        ○ We needed a way to remove repetitive, low value work (toil) from the Batman role
  53. The Rise of Batman (2)
      ● In February 2020 we added our first Belfast and New Zealand Engineers
        ○ Batman was still too busy
        ○ Now there are two FNGs to help come aboard
        ○ We can see the new onboarding process paired with Batman facilitating knowledge transfer
          ■ Remember process needs awesome people to own it and make it run!
      ● In June of 2020 we had an ad hoc conversation about how Batman had begun to be noticeably less busy.
        ○ Team (including FNGs) started arguing with me constantly about small projects to remove even more toil from Batman. (NOTE: This is a very very good thing as it’s ownership)
        ○ Our FNGs are already contributing to improvements.
        ○ The number of discussions about what is (not) a Batman task has dropped to 1 per month
      ● It took over a year for this role to mature!
        ○ That is a year of _suck_ just to get one - key - role defined and working well!
        ○ If you read carefully you’ll see that the need for Robin is rising from this maturity.
  54. The Rise of Batman (3)
      ● Lessons Learned (so you can go faster)
        ○ Changing human systems takes a great deal of time
          ■ Give yourself permission to fail and try again
          ■ Give your teammates the same
        ○ During this time period it was common to hear:
          ■ We don’t innovate
          ■ We are not improving
          ■ Still hear this today!
        ○ Because substantial improvement happens over a time scale of weeks & months …
          ■ Day to day it is easy for individual contributors to have recency bias on what hurts them in the moment
          ■ This is both real and important. Have stories and numbers ready.
          ■ Help your team and other stakeholders see improvement.
            ● Your ability to provide the perspective is a skill
            ● Their ability to see the positive change is a skill
            ● Skills take time to develop.
  55. A picture of Batman’s Health
  57. That is to say ...
      ● 385 interrupts that did not interfere with high value project work
      ● 385 interrupts that did not stress the person in the role due to “other work”
      ● Average turn around time of less than a day.
        ○ Low lead times
      ● A standard deviation that is trending to about 2 days.
        ○ Predictable performance
      ● We know we are seeing a decrease in ticket count
        ○ You can see it in the graph, but it’s not yet a solid trend.
        ○ We still are not realizing some of the benefits of being able to study for certs and such.
  58. The Maturing of Robin
  59. Observe - Orient - Decide - Act
      ● Robin was “born” in Nov 2019 because I observed how much work it was to bring the Batman change forward.
        ○ I acted to foster team investment in the idea that we have a couple of people who own their roadmap to the benefit of the team and our colleagues in application engineering.
        ○ As the existing team “cheated” with spare time in their project lanes and Batman, visceral definitions of the type of work we should be doing came into being (See that OODA?)
      ● In Feb 2020 we had our final two engineers join us and now had the ability to populate the role.
        ○ By this time full blown angst about what we were not doing and the growth of the backlog of “good ideas” could be observed
        ○ We found ourselves simultaneously kvetching and reminding ourselves help was on the way.
        ○ These “bitch sessions” helped us orient towards an initial mission
  60. Act - Observe - Orient - Decide - Act (2)
      ● Since May 2020, Robin has been fully staffed with two engineers.
        ○ Like Batman we’ve had conflict about what should be handled.
          ■ The trust and habits formed during Batman’s birth helped us here.
        ○ You will see Robin is not doing well yet.
      ● See above that “Act” comes first now in the title.
        ○ Our team ethos is to try something and see what happens.
        ○ We say a decision is “carved in soap, not stone”
      ● Robin has had _a_ desired impact
        ○ The Batman control chart is _proof_ of this.
        ○ I made the mistake of scoping the role too narrowly
      ● Today we _suffer_ from the inability to execute projects driven by us and for our benefit.
  61. Act - Observe - Orient - Decide - Act (2)
      ● In August 2020 we’ve realized the narrow scoping is crippling us.
        ○ I imposed a limit of one week on the “size” of any task.
        ○ I designed the grooming process to bubble up things that could be done within a week.
        ○ We chafe under our current inability to make more substantial improvements to our platform, tools and technologies.
        ○ This was me leaning too hard on the “4 kinds of work” from Gene Kim’s The Phoenix Project
      ● We’ve decided it is time to try running an entirely internal facing project within this lane.
        ○ There will be conflict between team members about how this happens and the processes we need to be effective.
        ○ We _will_ struggle the first few weeks with the first project and likely in the second and third projects
        ○ It is that very struggle that is CONTINUOUS IMPROVEMENT
  62. A picture of Robin’s unhealthiness
  64. That is to say ...
      ● 162 improvements to the platform have been prioritized by us and implemented by us.
        ○ Note that I cannot make a strategic statement about any cohesive effort b/c there has not been one.
      ● Things take about 7.5 days to get done on average.
        ○ This is longer than the 5 by quite a ways
      ● The Standard Deviation shows a real bias to small things (all the blue below the average), but still 7.5 days.
      ● Coupled with the perceived drop off in Batman’s toil we know this represents a positive impact. We are still working out seeing it in the chart.
      ● Coupled with weeks between a SEV1 or SEV2 incident we also know we have had a positive impact. We need to adapt our measures.
  65. Continuous Improvement needs teammates who can disagree and still commit. It is a process of failure.
  66. Key Takeaways
      Hard won wisdom ...
      ● If you don’t have control of your interrupts, you are not effective.
        ○ Solve this problem first.
      ● It is _real_ work that takes real time and effort (like writing code) to create Cont-Imp loops.
        ○ Invest in this like it’s a first order problem (it is)
      ● Birthing a human process is messy because humans are messy.
        ○ Pick the right humans.
      You still need one of these ...
  67. Useful Links
      ● Conway’s Law - A place to start. Dig in if you aspire to leadership.
      ● Batman Definition Page - Our Confluence page dressed slightly for public.
      ● Robin Definition Page - Our Confluence page dressed slightly for public.
      ● PDCA Reference - A place to start. If you favor analysis first this is better than OODA for you.
      ● OODA Loop Reference - A place to start. If you favor action first this is a bit better than PDCA b/c you can move it to be AOODA.
      ● Kanban Control Chart Reference - Jira’s docs on the control chart. Great if you are sick of scrum, but believe Agile is the right philosophy.
      ● 4 Kinds of Work Reference - really just an overview. Read The Phoenix Project (by Gene Kim) as the story is largely about understanding this concept and ...
      ● 3 ways reference - Loops within loops (the meta struggle to build the team lanes of work to meet the needs contains daily improvement activities)
      ● The Five Ideals of Developer Satisfaction - It is also a story format and tells the same story as The Phoenix Project from the perspective of an Application Developer.
