By Gregory Hale
It wasn’t that long ago when Dino Dai Zovi learned the art of leverage and how just one worker can level the playing field against a behemoth.
It all came during a capture the flag tournament at a Def Con conference years ago when he was working on his own against teams that had a multitude of workers.
One of those teams was targeting him, denying him access to the servers he needed for his work, so he automated some code to ensure that the team that had him outnumbered was likewise unable to reach its servers. After a while, he went up to the team and said that if they would stop denying him access, he would stop denying them access. They acquiesced.
“That is when I learned automation and software can be a multiplier,” said Dai Zovi, head of security for Cash App at Square, during his keynote address Wednesday at the Black Hat USA 2019 security conference in Las Vegas, NV.
In another role, he further expanded his idea of automation in security when he was working with a trading firm. “I automated a lot of patch management. I learned from the environment around me and they were automating everything.”
He also learned the art of communication and how, done right, it can pay great dividends for an organization.
Didn’t Know Enough
Take Square as a case in point.
When he started working there in 2014, he said, he did not know the depth of what he did not know.
The culture at the company had security engineers writing code like anyone else.
“Because the security team wrote code like everyone else, there was a level of teamwork and communication. I was sitting with a security team one day and a coder came over and asked if we could help figure out some issues he was having. Who ever came over to security to seek help?” Dai Zovi asked. “That was a transformative change. That is when I learned how to learn how to work inside a company. Some of the first security policies I recommended, like changing a password every 42 days, were just bad advice.”
Understanding that this is a total team effort, Dai Zovi learned three transformative lessons:
1. Work backwards from the job.
2. Seek and apply leverage.
3. Culture is more powerful than strategy, and strategy is more powerful than tactics.
A job is functional and emotional. In learning how to get a better focus on your job, you can almost reverse engineer what the end result is and move forward.
“It turns out you can learn a lot about this by learning about milkshakes,” Dai Zovi said.
He talked about a study of people who bought milkshakes at McDonalds, and what the researchers found was a surprise: people were buying milkshakes before 8:30 a.m., buying them alone, and purchasing them through the drive-through window.
The reason was that McDonalds milkshakes are thicker than others, so they take a long time to drink on the drive to the office and keep the purchaser full until lunch. The purchase filled time during the drive and kept them occupied.
“What they found is (milkshake purchasers) were bored,” Dai Zovi said.
Understanding the job and working backwards remains important as does the idea of remaining agile when it comes to security.
“The threats in security change so rapidly, the ability to adjust to change is important,” he said.
When it comes to security, talk to five internal customer teams and try to understand their struggles. Also learn when and why they use security. What are their hiring criteria? What makes them choose one solution over another? And learn what their firing criteria are, he said.
The second lesson Dai Zovi talked about was seeking and applying leverage.
“Leverage is nothing new. The challenge is we all have deep pride in being subject matter experts and we end up doing things manually instead of automating. If we do it right, we can measure attackers probing our sites. This automation thing is a big deal.”
The third lesson Dai Zovi talked about is culture.
“That is more important than strategy and tactics,” he said. “You need to change culture in order for the tools to have an effect.”
He pointed out the leading causes of a negative culture: people say no all the time, or they are afraid these new-fangled things will break a site, and then they start pointing fingers.
He said a company needs to develop a generative culture where, among other things, people treat risks as shared. When trying to get to the root cause of an incident, try having it “be a learning experience instead of a blaming experience.”
Start with Yes
Moving forward, companies need to apply security empathy.
“Instead of starting with no, why not start with yes. Most don’t start with this because they are afraid. We have a fear of the unknown, of change, which leads to paralysis. A few years ago I learned about fear. I was afraid to fly. At some point I learned to skydive, which is more scary than flying.”
Security technology abounds across the world, but culture matters far more than any technology advance.
“Start with yes,” Dai Zovi said. “We need to engage the world with starting with yes because it keeps the conversation going. That is how we create real change and have real impact.”