Sarai talks to us about how security is about assessing risk and deciding what you care about in your systems, what you want to protect, and what you want to do about these risks. Bea hops in to describe security as being about managing risk, and harm reduction as you can’t defend everything equally.
“You can’t secure everything, not everything in your company is the most important thing”
In debunking a common myth in security, Bea talks to us about how there isn’t always one solution for everyone:
“That there’s one solution that works for everyone, that what is a big risk for me for my product, for my software is going to be a risk for every software, the threats that I have to care about the things that I want to protect are completely different than the threats that you may want to protect and the things that you care about.”
Bea and Sarai talk about the values on the PagerDuty security team and why the team has those values.
Sarai talks about how at previous companies, there was naming and shaming of folks who failed things like phishing tests, and how at PagerDuty “we try to make it easy to bring in other people, never hesitate to escalate”.
Sarai talks to us about how, while you can’t prevent phishing, there are ways to help people use their email securely without trying to trick employees just so you can catch them and call them out.
Instead of creating a negative experience Sarai tells us that it’s ok to fail.
Bea talks to us about how it isn’t the fault of specific people who accept risk. Instead, the security team should “present this information in a secure way, and not chastise them for doing their job”, and should update what it’s doing to enable folks to do their jobs.
Sarai and Bea talk about how important it is to make security training fun for the participants, and how, through the use of lockpicking, you can “find things that people can use so they understand that security is about defense in depth”.
They go on to share with us how Security has a collective responsibility to be collaborative.
Bea expands on why lockpicking is a great example of the vulnerability of security but is part of a “layer of security”.
We talk about how PagerDuty’s Security team has a slightly different take on incident response, because it is a mixture of traditional security response, which is responding to attackers or breaches, and the ongoing work of tuning alerting.
Sarai: “It’s this cycle of tuning our alerts as we add more and more monitors”. Julie: “…and tuning is so important because eliminating the noise, reducing the noise; helps with alert fatigue, it makes life better for your engineers”.
Bea talks to us about how to reduce the noise, and how if you can get rid of unnecessary services you have less to secure.
Bea: “Step one, in buying an IDS, don’t; if you do buy one by mistake, delete all the rules and then slowly add them in, because every IDS rule set has way too many things to actually be useful”. Bea goes on to say that alerts should have outcomes and be high quality.
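To make the “start from zero rules, add them back slowly, and judge each alert by its outcome” approach concrete, here is an added example that is not from the episode or from PagerDuty. It scores each detection rule by how often its alerts led to a real incident, so that only rules which earn their place get enabled. The rule names, the alert records and the 50% threshold are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real alerts): one tuple per alert that fired,
# as (rule_id, outcome). The outcome records what the responder concluded:
#   "incident" - a real problem that needed action
#   "benign"   - investigated, nothing wrong
#   "ignored"  - nobody looked at it, which is a sign of alert fatigue
SAMPLE_ALERTS = [
    ("PORTSCAN_INBOUND", "ignored"),
    ("PORTSCAN_INBOUND", "ignored"),
    ("PORTSCAN_INBOUND", "ignored"),
    ("PORTSCAN_INBOUND", "ignored"),
    ("PORTSCAN_INBOUND", "ignored"),
    ("PORTSCAN_INBOUND", "benign"),
    ("SSH_BRUTE_FORCE", "incident"),
    ("SSH_BRUTE_FORCE", "incident"),
    ("SSH_BRUTE_FORCE", "benign"),
    ("ADMIN_LOGIN_NEW_COUNTRY", "incident"),
    ("TLS_SELF_SIGNED_CERT", "ignored"),
    ("TLS_SELF_SIGNED_CERT", "ignored"),
    ("TLS_SELF_SIGNED_CERT", "ignored"),
    ("TLS_SELF_SIGNED_CERT", "ignored"),
]


def rule_stats(alerts):
    """Count, per rule, how many times it fired and how many of those were real.

    Returns a dict: rule_id -> {"fired": n, "incidents": n, "precision": ratio}.
    """
    stats = defaultdict(lambda: {"fired": 0, "incidents": 0})
    for rule_id, outcome in alerts:
        stats[rule_id]["fired"] += 1
        if outcome == "incident":
            stats[rule_id]["incidents"] += 1
    for entry in stats.values():
        entry["precision"] = entry["incidents"] / entry["fired"]
    return dict(stats)


def rules_to_enable(alerts, min_precision=0.5):
    """Allowlist tuning: start with nothing enabled, enable only rules whose
    alerts had a real outcome at least `min_precision` of the time.

    Returns (enabled, disabled), both sorted lists of rule ids.  A rule that
    never fired during the evaluation window is not in either list; it stays
    off until it produces evidence.
    """
    stats = rule_stats(alerts)
    enabled = sorted(r for r, s in stats.items() if s["precision"] >= min_precision)
    disabled = sorted(r for r, s in stats.items() if s["precision"] < min_precision)
    return enabled, disabled


def noise_removed(alerts, min_precision=0.5):
    """Fraction of alert volume that disappears once the noisy rules are off.

    This is the number a team can report after a tuning pass: how much less
    their on-call engineers will be paged for.
    """
    stats = rule_stats(alerts)
    _, disabled = rules_to_enable(alerts, min_precision)
    silenced = sum(stats[r]["fired"] for r in disabled)
    return silenced / len(alerts) if alerts else 0.0


if __name__ == "__main__":
    enabled, disabled = rules_to_enable(SAMPLE_ALERTS)
    print("enable:", enabled)
    print("keep off / rewrite:", disabled)
    print("alert volume removed: {:.0%}".format(noise_removed(SAMPLE_ALERTS)))
```

The threshold is deliberately a parameter: a rule that fires rarely but is right every time (the new-country admin login above) should be enabled even though it has only one data point, while a rule that floods the queue and is never actioned is exactly the kind Bea suggests deleting first. Re-running the scoring after each batch of rules is added back is the “slowly add them in” loop in practice.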
Sarai discusses how quick wins are great: there are so many risks out there, so pick one particular process. “Start with basic things and the easiest things to implement”. By starting with something quick and easy, we get those quick wins.
Bea talks about how an imperfect security win is better than pretending you can get to 100%.
Sarai tells us she wishes she had realized earlier that she has a lower risk tolerance than security and software people in general, and that she should: “Just go for it, go try something, see if it works, see what happens if I break something. As long as I have a plan to go backwards then might as well try it”.
Bea brings us the closing wisdom of “stop worrying about your crypto because that’s probably not where you are going to get owned in a security sense”, and Sarai says: “Cryptography problems are actually social problems… it depends on your use case”.
Bea has been frustrated with Linux’s IP blocking tools for over 20 years now, and is just waiting to see what nftables is replaced by.
Bea likes shouting about threat models a lot, and trying to convince people that their primary concern is probably not the NSA and that DNSSEC should be put out to pasture.
She is more opinionated about coffee.
Sarai Rosenberg is an Insecurity Princess working in Security Engineering at PagerDuty. She is a professional mathematician who has been working in security since 2015. Sarai has spoken on threat modeling, recommendation algorithms, and psychological safety, as well as being an advocate for compassion, mentorship, and elliptic curve cryptography.
Julie Gunderson is a DevOps Advocate on the Community & Advocacy team. Her role focuses on interacting with PagerDuty practitioners to build a sense of community. She will be creating and delivering thought leadership content that defines both the challenges and solutions common to managing real-time operations. She will also meet with customers and prospects to help them learn about and adopt best practices in our Real-Time Operations arena. As an advocate, her mission is to engage with the community to advocate for PagerDuty and to engage with different teams at PagerDuty to advocate on behalf of the community.