Realigning From Chaotic Evil presented at BSidesRDU 2019

by Joe Schottman

Summary: The talk uses AD&D (Advanced Dungeons and Dragons) as a metaphor for the problems corporations and other organizations create by giving different teams incorrect metrics and incentives, and for the realignment needed to solve them. The AD&D theme provides jokes and clip art throughout the talk, but enough background on the game is given that the audience does not need to be familiar with it to follow along. The first part of the talk examines the common incentives and goals of offensive and defensive security staff, as well as of the groups they often interact with such as developers and operations; the common ways these groups end up working against each other to the detriment of security; and how to fix it. The second part of the talk delves into using individual sections of the MITRE ATT&CK framework to create manageable, granular tests that offensive and defensive teams can work on together in order to effect positive change in a unified way. The talk closes with a brief detour into video game terminology, using the concept of tanking (players whose characters take the brunt of the damage but are often relegated to the less exciting parts of the game) to discuss how junior SOC analysts do a substantial portion of the work of actually keeping companies secure, and how security as an industry should do a better job of respecting and supporting them.
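One way to turn the "granular, per-technique tests" idea into something both teams can run is a purple-team scorecard: for each ATT&CK technique the red side contributes one small action and the blue side contributes one detection rule, and the harness reports detected / missed / no-rule per technique and variant. The code below is an added example written for this page, not material from the talk or from Joe Schottman. The technique IDs are real ATT&CK IDs (T1059.001 PowerShell, T1053.005 Scheduled Task, T1003.001 LSASS Memory); the telemetry events are constructed to resemble process-creation and process-access records and are not captured data, and the detection rules are deliberately simple assumptions rather than any product's logic.

```python
"""Purple-team scorecard: one red action + one blue detection per ATT&CK technique.

Added example, not from the talk. Technique IDs are real ATT&CK IDs; the event
dicts are constructed to look like process telemetry and are not captured data.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]


@dataclass
class TechniqueTest:
    technique_id: str                             # ATT&CK technique, e.g. T1059.001
    variant: str                                  # how red exercises it this round
    red_action: Callable[[], List[Event]]         # telemetry the action would produce
    blue_rule: Optional[Callable[[Event], bool]]  # None = no detection written yet


# --- red side: constructed events standing in for EDR/SIEM telemetry ----------
def encoded_powershell() -> List[Event]:
    return [{"event": "process_create",
             "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"}]


def encoded_pwsh() -> List[Event]:
    # Same technique via the PowerShell 7 binary: a variant red should try.
    return [{"event": "process_create",
             "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
             "cmdline": "pwsh.exe -NoProfile -EncodedCommand SQBFAFgAIAAoAE4A"}]


def scheduled_task() -> List[Event]:
    return [{"event": "process_create",
             "image": r"C:\Windows\System32\schtasks.exe",
             "cmdline": 'schtasks /Create /SC ONLOGON /TN Updater /TR "C:\\Users\\Public\\u.exe"'}]


def lsass_handle() -> List[Event]:
    return [{"event": "process_access",
             "image": r"C:\Users\Public\dump.exe",
             "target": r"C:\Windows\System32\lsass.exe",
             "access": "0x1010"}]


# --- blue side: detection logic (assumed rules, kept intentionally narrow) -----
ENC_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def detect_encoded_powershell(ev: Event) -> bool:
    # Only matches powershell.exe, so the pwsh.exe variant exposes a gap.
    return (ev["event"] == "process_create"
            and ev["image"].lower().endswith("\\powershell.exe")
            and ENC_FLAG.search(ev["cmdline"]) is not None)


def detect_schtasks_create(ev: Event) -> bool:
    return (ev["event"] == "process_create"
            and ev["image"].lower().endswith("\\schtasks.exe")
            and "/create" in ev["cmdline"].lower())


TESTS = [
    TechniqueTest("T1059.001", "powershell.exe -enc", encoded_powershell, detect_encoded_powershell),
    TechniqueTest("T1059.001", "pwsh.exe -EncodedCommand", encoded_pwsh, detect_encoded_powershell),
    TechniqueTest("T1053.005", "schtasks /Create", scheduled_task, detect_schtasks_create),
    TechniqueTest("T1003.001", "handle to lsass", lsass_handle, None),
]


def run_scorecard(tests: List[TechniqueTest]) -> Dict[str, str]:
    """Map 'technique/variant' to one of: detected, missed, no-rule."""
    card: Dict[str, str] = {}
    for t in tests:
        events = t.red_action()
        if t.blue_rule is None:
            status = "no-rule"
        elif any(t.blue_rule(ev) for ev in events):
            status = "detected"
        else:
            status = "missed"
        card[f"{t.technique_id}/{t.variant}"] = status
    return card


def gaps(card: Dict[str, str]) -> List[str]:
    """Work items for the next joint session: every entry that was not detected."""
    return sorted(key for key, status in card.items() if status != "detected")


if __name__ == "__main__":
    card = run_scorecard(TESTS)
    for key, status in card.items():
        print(f"{status:9} {key}")
    print("open items:", gaps(card))
```

The scorecard is small on purpose: each row is one technique and one variant, so a "missed" result points at a specific rule to widen (here, the PowerShell rule ignores pwsh.exe) and a "no-rule" result is an agreed task for blue rather than a surprise in a pentest report. Both teams own the `TESTS` list, which is what makes the incentives line up.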