Security in the Internet Economy
How to go from nothing to something!
@StuHirstInfosec

My background…..
@StuHirstInfosec
• 12 years as a mainframe COBOL guy
• 1 year in the music industry
• 3 years at The Trainline, where I moved into security
• Now the IT Security Manager / Squad Lead at Skyscanner

Skyscanner….. background
One of the world’s leading travel search engines, formed in 2003
Over 3 million hits a day
Flights, Hotels, Car Hire, Mobile apps
Powering MSN’s Flight Search, plus a Yahoo Japan JV
Over 30 versions of the site around the globe
Offices in Edinburgh, Glasgow, Miami, Beijing, Singapore, Shenzhen, Budapest, Sofia, Barcelona, London
100 employees in 2012, 800+ now!

Skyscanner Security in 2013…
Skyscanner Security in 2014…
Skyscanner Security in 2015…
Skyscanner Security in 2016…

Squads and Tribes…
Squads (Flights Search, Car Hire iOS, Hotels Android etc…)
Nearly 100 Squads across the business!
Squads are cross-functional teams, usually around 3 – 6 people – essentially a ‘mini start-up’
They look after specific parts of the Skyscanner product
They establish & improve their own processes and use their own technologies – self-sufficient

DevSecOps
SecDevOps
OpsSec for Dev
Oh come on….. Security in Development

I’m a developer
Q. How many of our recent engineering recruits had heard of the OWASP Top 10?
A. Less than 30%
@StuHirstInfosec

DevOps & Security
NOT
We don’t exist to clean up the mess from Developers – it’s a combined effort – Security inbuilt in the DevOps process

So what have we done?
(we don’t re-invent the wheel!)
Security engineering
Some security measures are reasonably pointless….

Two-Factor All The Things
• VPN
• Windows / Mac login
• Web portals
• Apps

User Data
Implemented new MINIMUM STANDARDS for user data
Privacy BY DESIGN!
Examples:
• Only stored in agreed places (e.g. AWS)
• Minimum encryption levels when transferring
• Same for data at rest
• Only using TLS
• Get rid of old ciphers
• Segment the network
• Tighten up access controls to the data

Two-factor
Password solutions
LOTS of options!!!
For individual use / team use
Anti-malware
Endpoint Protection

What we do: Security Champions
@StuHirstInfosec

AWS
@StuHirstInfosec
• HUGE learning curve!
• Security have had to learn about the whole product, not just the security aspects: EC2 instances, Container Service, Elastic Beanstalk, Lambda, Glacier, DynamoDB etc.
We’re now preparing training courses for AWS Best Practice in Security, based on the CIS Benchmark standards and using info from the various white papers available and content from the 2015 re:Invent conference
What we do: Code Voyagers / Ignition
• 1 hour specific induction sessions with all new engineers
• Focusing on secure development
• OWASP Top 10
• Trends

What we do: Security Meet Up
@stuhirstinfosec
Community
Sharing Ideas

Employee behaviour…. blog post

Phishing – part 1
Actually investigate them!
• If there’s a link, debug it – where is it going?
• If there’s an attachment, what does it do? Does it look to download a payload? If so, block the IPs on your firewall
• Check anti-virus to see if it’s been picked up
• Use a malware sandbox
• Strip the malware apart & understand what it’s doing
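To make the first steps of that investigation concrete, here is an added triage helper (not Skyscanner’s tooling) that parses a reported e-mail offline, lists every link together with the reasons it looks off (plain http, a raw IP as host, visible text naming a different host than the real href) and hashes each attachment so it can be looked up in anti-virus or handed to a sandbox without anyone opening it. The message is constructed sample data using reserved example domains and documentation IP space, and the risky-extension list is an assumed shortlist.

```python
"""Offline first-pass triage of a reported phishing e-mail: list every link
with why it looks suspicious, and hash each attachment for anti-virus or
sandbox lookups, before anyone clicks or opens anything.

Added illustration, not Skyscanner's tooling. SAMPLE_EML is a constructed
message using reserved example domains and documentation IP space; the
attachment body is just the bytes of "Hello, world!".
"""
import email
import hashlib
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EML = b"""\
From: "IT Helpdesk" <helpdesk@example.net>
Subject: Action required: password expiry
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it at
<a href="http://203.0.113.7/reset">https://sso.example.com/reset</a></p>
<p>Questions? See the <a href="https://example.com/help">help centre</a>.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8sIHdvcmxkIQ==
--b1--
"""

# Assumed shortlist of extensions that warrant a sandbox run before anything else.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat",
                    ".cmd", ".ps1", ".lnk", ".docm", ".xlsm"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_link(href, text):
    """Return the reasons a link deserves a closer look (empty list = nothing odd)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        reasons.append("not https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address as host")
    # Classic lure: the visible text is a URL on a trusted host, the href is not.
    shown = urlparse(text).hostname if "://" in text else None
    if shown and shown != host:
        reasons.append(f"visible text says {shown} but link goes to {host}")
    return reasons


def triage_message(raw):
    """Parse a raw RFC 822 message and summarise its links and attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            name = part.get_filename() or "(unnamed)"
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            attachments.append({
                "filename": name,
                "size": len(payload),
                "sha256": hashlib.sha256(payload).hexdigest(),  # for AV / sandbox lookup
                "risky_extension": ext in RISKY_EXTENSIONS,
            })
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                links.append({"href": href, "text": text,
                              "reasons": triage_link(href, text)})
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "links": links, "attachments": attachments}


def run_sample_triage():
    """Triage the constructed sample message."""
    return triage_message(SAMPLE_EML)
```

Run `run_sample_triage()` to see the IP-hosted link flagged three ways while the help-centre link passes; the attachment comes back with its SHA-256 and a risky-extension flag.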
Phishing
It’s OPEN SOURCE! It’s EASY!

What we do: Bug Bounties
“Let’s be safe, let’s get a CREST registered Pen Tester to test us”
Why don’t you get the public to test you? They’re the ones that’ll be hacking you…
IN ONE WEEK OF A BUG BOUNTY PROGRAM, WE HAD OVER 150 SUBMISSIONS FROM 49 TESTERS

What we do: Bug Bounties…cont
• Why not take the main bugs found and learn how to replicate them and test against them in the future?
• Teach your engineers / devs to do the same
• Share the knowledge / the love / the beer
Any reasonable security analyst should be able to test for a SQL Injection and an XSS vulnerability – plenty of online training resources to help

What we do: Announcing failure…
Weekly PRODOPS Review
NO BLAME! It’s a learning exercise
@StuHirstInfosec

What we do: Learning…
Cybrary, Pluralsight, Twitter, blogs

Open Source
Facebook
Netflix – wow!
Google RAPPOR
VirusTotal – amazing – use it every day!

What we do (a bit more exciting!): WAR GAMES!
WE SET OURSELVES A TARGET TO HACK OURSELVES FOR 2 DAYS A MONTH
We drain Data Centres and try to DDoS them
We set up spoof Wi-Fi points and attempt Man In The Middle attacks on company phones
We try to find internal data we shouldn’t have access to
AND MORE!

Culture: No fear
“This is the moment of my failure and I am not scared”

What hasn’t gone so well?…

What didn’t go so well?
Static Code Scanning Tool – invested lots of money, doesn’t support the latest version of Python

What didn’t go so well?
Secure Coding Online Training: “I’m too busy!!”

What didn’t go so well?
Our first Bug Bounty scheme… They sent me Qualys scans… yay!

Findings/Musings…
Stats
Not everything is critical!
Simple and quick wins are GOOD wins!
Try and increase the likelihood of an employee telling you about an event or potential attack
Run attack simulations. Break something before someone else does!
FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS. IF YOU GO FROM 48% TO 32% ON FIRE, YOU’RE STILL ON FIRE! (Zane Lackey, ex-Etsy)

Past vs Future
Just because you have done something a certain way in the past doesn’t mean it has to be that way in the future, e.g. pen testing vs bug bounty

What next?
Focus on what you can do, not necessarily what you’d like to do
Discover your ‘crown jewels’. Protect that!
Build defences around real-world attack patterns. Focus on who is going after you!
EMPLOY MORE PEOPLE!

Some thoughts to leave you with…
Security Scaremongering

What next? Employ more people!
“Proactive Security, not Reactive”
A lot of companies are merely performing gap analysis and plugging the gaps (or not!)
At Skyscanner, we’ve split our strategy into two streams, Product and Corporate, and we identify the major risks for each of those

What next? Don’t lie!
I took on a role where the guy before me had DRASTICALLY underestimated how far they were from PCI compliance.
If you deal with Boards/Execs – it’s better they know the real position – even if it’s a sh*t-storm

Some thoughts to take away: Reward people…
For making you aware of issues.
You feel good, they feel good & they’re likely to tell others.

What next? Shout about your successes!
• Security is as important as any other business unit
• So shout about successes you have
• Positive PR across the business

Edinburgh: Quartermile One, 15 Lauriston Place, Edinburgh EH3 9EN
Glasgow: 5th floor, 151-155 St Vincent St, Glasgow G2 5NW
Singapore: No. 08-01&04 & 09-04, 8th floor, Robinson Point, 39 Robinson Rd, Singapore
Beijing: Level 19, Tower E2, Oriental Plaza, No. 1 East Chang An Avenue, Dong Cheng District, Beijing 100738
Miami: 1395 Brickell Ave, Suite 900, Miami, Florida 33131
Barcelona: C/Esteve Terradas, 21, Bajos 3a - 08023 Barcelona, España
thank you
@stuhirstinfosec

Building a Security culture at Skyscanner 2016
