Tod Beardsley: Oh, Jen, I am super riled up. I could not believe my eyes when I saw the news not once, but twice, that Florida City pays off ransomware hooligans.
Jen Ellis: Wait was it a Florida Man?
Tod Beardsley: It was basically a Florida Man story, but for InfoSec. This is insane. So here’s the deal. As we’re recording this, this was toward the end of last week, not one but two Florida townships have now together paid out about a million dollars, US, in the form of bitcoin to ransomware folks, ransomware criminals.
Jen Ellis: Your tax dollars at work, people of Florida!
Tod Beardsley: It’s super bad news. And here’s why. It’s easy for me to say, never ever pay the ransom. It’s not my data…
Jen Ellis: It is easy! You just said it!
Tod Beardsley: I literally just said it! So it’s super easy for me to say, but it’s not my data and maybe they wanged things up when it came to backups and recovery and all that. But when you’re dealing with your disaster recovery and let’s say a hurricane—which is not unknown in Florida—comes in and wipes out all your computers, it would be great if you could just pay the hurricane to restore your stuff, right? But the problem here is that hurricanes are not criminal organizations. They don’t have sideline businesses in child sex trafficking and drug distribution and other kinds of nasty things. And we know that for many criminal organizations that operate on the internet this is but one of many untoward things they are doing to generate revenue here. Also the numbers are astounding. Lake City paid $450,000. Riviera Beach paid over $600,000 and just for context, last year, Atlanta, a big city in Georgia that people have heard of...
Jen Ellis: I’ve heard of Atlanta. That’s a thing.
Tod Beardsley: The ransomers last year demanded merely $51,000. So it’s like a 10x increase in one year. I think it’s obvious at this point that these municipalities are emboldening criminals to perform this kind of attack.
Jen Ellis: I feel like there was a story earlier this year about a municipality that got hit by ransomware. They agreed to pay and the attackers upped the price. They were like, “Really? Oh, in this case, give us one million dollars!”
Tod Beardsley: It is a very Dr. Evil move! That’s the thing, when you pay you don’t even know if you’re going to get the thing back. You are incidentally funding other crime.
Jen Ellis: Here’s the problem, though. Going back to your hurricane analogy. You can’t pay the hurricane to give you your stuff back. If you could, people would do that. The challenge is there are situations that happen where you have to accept everything’s gone and you try to do what you can to build in some resilience—please, people, if you’re not thinking about resilience and continuity, start doing that. Hopefully you have a plan, but if you don’t and your data center gets wiped out, it gets wiped out. There’s nothing you can do about it. With attackers, the problem is that there is that avenue and it’s really hard to be in a situation where you say, “Hey, we’re not going to pay or go down that route, we’re going to just accept that stuff is gone.” Even though there’s an attacker saying, “It’s not gone! It’s right here for you. Mwahaha!”
Okay, so we’re going to wrap this up. Thank you so much, Tod, for taking us through this. And if you’re out there listening, think of resilience. Think about how to get ahead of this stuff so you’re not left relying on insurance and paying out to attackers and paying the bad guys. Although I will say, to any bad guys listening, The Hurricane sounds like a great attack group name. So for our guest this episode, we’re continuing our tour of the Five Eyes nations. Last episode, we chatted with Aussie Zate Berg, the head of information security at Indeed.com. If you haven’t listened to that episode, do check it out. This week, we get a twofer. Who doesn’t love a twofer? Hurray, twofer! Not only is our next guest one of my fellow countrymen, albeit a bit northern, he also lives in Canada, so that totally counts as two of the five eyes.
So, apart from his nationality, what can I tell you about this week’s guest? Well, firstly, his name is Lee Brotherston. He is the director of security at an IoT startup, ecobee. I’m sure he’ll tell us a little bit more about ecobee in a bit. He’s also the co-author of the “Defensive Security Handbook,” published by O'Reilly and co-authored by Amanda Berlin, who I’ll hopefully get on the podcast sometime in the future. The book is highly rated. If you haven’t checked it out, please do so. And I will now stop plugging his wares for him—he should do that himself. Please welcome Lee! Oh, and to mention, Tod is also with us again this episode. Hi, guys!
Lee Brotherston: Hello! How are you?
Jen Ellis: I’m peachy! How are you on this fine day?
Lee Brotherston: I’m great, thank you very much.
Jen Ellis: So, Lee, let’s get into it a little bit. Let’s find out a little bit more about you. Can you just start off by telling us a little bit about your background and ecobee, and what ecobee’s all about?
Lee Brotherston: Okay! So I am what I think you would call a security generalist. I haven’t focused into a deep niche on forensics or IR or anything like that. I tend to work mostly on the defensive side. I’m currently, like you mentioned, director of security at ecobee, and we make IoT devices, and that includes the hardware and the firmware and the backend API, and all that stuff. So I’m kept busy with a lot of different security areas regarding all of that. And yeah, IoT is an interesting challenge from a security perspective, because not many people have to deal with the hardware manufacturer and that kind of thing along with software and all that side.
Jen Ellis: Let me ask you some asinine questions, just to really get to know you a bit more. Let’s start with one of my favorites, which is, if you weren’t doing this, what would you be doing?
Lee Brotherston: I would like to say that my metal band would be doing incredibly well, but that might be a stretch of the imagination, somewhat.
Jen Ellis: I almost spat water all over the laptop at the idea of you in a metal band. Yeah, awesome. Yeah, rock on.
Lee Brotherston: Or probably boring office work, I guess. I can’t really imagine myself doing anything else in reality.
Jen Ellis: What would your metal band be called?
Lee Brotherston: I don’t know.
Jen Ellis: Would it be murder dungeon?
Lee Brotherston: That would be a fantastic name. For reasons.
Jen Ellis: There is a backstory here. We’re not sharing it. Unless you’re the authorities, in which case, please contact us.
Tod Beardsley: I’m so glad my attorney’s in the room.
Jen Ellis: Your attorney’s always in the room, which worries me a little bit. Alright, fantastic. Lee, if you could only take one food to your desert island—I don’t know why you have a desert island, but if you had a desert island and you could only take one food, what would it be?
Lee Brotherston: Everyone would say carrot cake...
Jen Ellis: I’m sorry, like, everyone would say carrot cake?
Tod Beardsley: I mean, obviously.
Lee Brotherston: Sorry. Everyone would say that I would say carrot cake.
Jen Ellis: Right, like I was going to say, I’m not taking carrot cake!
Lee Brotherston: I am kind of known for being a bit obsessive about carrot cake, although I don’t think that works well on a desert island. I don’t feel like the nice frosting would keep very well. But I may be overthinking this question.
Jen Ellis: Is the carrot cake just a vehicle for the frosting?
Lee Brotherston: It’s always just a vehicle for the frosting. Carrot cake without frosting is not carrot cake.
Jen Ellis: Awesome, so you’re going to take sweaty carrot cake to your desert island. I mean, presumably if you could own a desert island, you also could buy a refrigerator, hopefully.
Lee Brotherston: Oh, I was thinking sort of stranded, actually.
Jen Ellis: I mean, I guess if you’re stranded, do you really have the chance to be like, “I want the carrot cake! I refuse to be shipwrecked without the carrot cake!”
Lee Brotherston: Okay, fine.
Jen Ellis: I was thinking more of a Branson thing. Apparently I’m going for like a full-on British flavor for this particular episode. So I was going more for like a Richard Branson, own-your-own-island ridiculous thing.
Lee Brotherston: Right. What would you take?
Jen Ellis: Oh, god, I have no idea. A personal chef! I wouldn’t eat the chef, just to be clear.
Tod Beardsley: It would technically count as food.
Jen Ellis: Okay, fair, fair. I don’t know—what kind of food do I really love eating? Tod, what would you take? I’m just going to defer.
Tod Beardsley: I’m a hacker, so obviously I’m going to try to trick the genie who’s granting this wish into giving me, I don’t know, a yacht-sized waffle so I could leave.
Jen Ellis: A waffle seems like a bad option for something to get out of there on, though.
Tod Beardsley: No, but really big. Sure, I have to be able to eat it eventually…
Jen Ellis: But it still has holes, right?
Tod Beardsley: Not all the way through! The holes in the bottom create balance. I feel like waffles are the most seaworthy of food.
Jen Ellis: Do you know how boats work? Alright, I’m trying to think now what I would go for that’s boat-sized that I think you could reasonably make it out of there. Like something that’s definitely not very soluble. Like what if you asked for…
Tod Beardsley: Beef jerky!
Jen Ellis: Perfect! You could make it into a raft. A raft of beef jerky. And, if that didn’t work out for you, you’d still have beef jerky to eat for a long time. It doesn’t go off, perfect. Okay, so Lee, I was going to ask you what your top tip is for creating your own murder dungeon, but we’ll leave it at this. How did you get into security?
Lee Brotherston: So my kind of backstory is I did the usual thing, going in, doing some like technology-related bachelor’s degree at university. Then I went and got a tech support job at an ISP, worked tech support/sysadmin/network engineer as these things kind of work out. This was sort of mid- to late-nineties, so there weren’t really security degrees and such like to go and get. And then it was just a case of, I had always been interested in security on the side, and then one day a customer came in and had a security issue and needed some help, and I helped them out. And then the people that ran the help desk were like, “Oh, that’s useful. We can sell that.” So I went and helped out another customer that had an issue, and so on.
And then it just escalated. They got bought by another company, and I started up the security team at that company. And then it’s, once you’re in security, you’re in. It’s just moving roles within the industry as the years have gone on after that.
Jen Ellis: I like that idea that once you’re in, you’re in. I’m not sure if I buy that…
Lee Brotherston: It’s like the mafia, there’s no leaving.
Jen Ellis: Once you’re in, there’s no escape.
Lee Brotherston: Infosec’s John Wick.
Jen Ellis: Oh my god, this actually makes perfect sense. Excellent. So, when did you join ecobee?
Lee Brotherston: I’ve only been here since October. I say only, in sort of the smaller startup land where that’s quite a lot of time, but yeah, since October.
Jen Ellis: And prior to that, where were you?
Lee Brotherston: I was at a fintech startup, also in Toronto.
Jen Ellis: And you were doing a similar role there?
Lee Brotherston: Yeah, I was also director of security in that role. Once again, it’s sort of looking at absolutely everything on the defense side, except for they didn’t make hardware. But they did have to deal with money, so that was another fun thing.
Jen Ellis: So, you’ve got a good amount of experience now of going into startups, it sounds like very early-stage startups, and building security from the ground up. Is that a fair thing to say?
Lee Brotherston: Yeah, I think so. The last couple of jobs have definitely been that, and there’s been hints of that earlier in my career as well.
Jen Ellis: Can we talk about that? Can we get into the details of how you go about that? So like, you get there, you land, you get started, what do you do? How do you think about this from the start?
Lee Brotherston: I think the first thing is you need to understand a bunch of things about the business. And some of it is very auditory, gap analysis kind of stuff. So, looking at what they do today, and in line with their business, where they should be, so you can see what the difference is and what they need to work on. A lot of that depends on the industry. For example, at the fintech, a certain amount comes from regulation. Because financial services companies are regulated, there are certain minimum bars by law that they have to reach. Some are not—in my current role, we obviously have to adhere to compliance around electrical safety standards, but less so around things like software and security and stuff.
Jen Ellis: Which might change in the future!
Lee Brotherston: It may well change in the future, but today, yes! So it’s going in and seeing where the gaps are. And some of that comes with the business. What is most important to them? Is it protecting the customers’ accounts that log on? Is it protecting their intellectual property? Is it uptime and availability? It’s a lot easier to get buy-in to protect the things that are most important to the company. You also want to prioritize what you’re protecting. And then it’s looking at the maturity levels in each of those areas. So, what do you think has the most appropriate controls in place? Do you have the policies you need? It’s almost like walking through the ISO standards or something and going like, “Which boxes of these do we tick and not tick?” And then it’s mostly a case of prioritizing the unticked boxes, exactly which ones you want to fix first, and sort of how hard you want to go at that. You don’t need to achieve full maximum security in every area. It would be nice, but there’s time and resources.
Jen Ellis: Yeah, not astonishingly realistic. So how do you deal with the chicken-and-egg problem of you need to build capability, you have limited resources, you have limited budget? Do you think about outsourcing? Do you think about staffing up first? Do you think about taking on some projects that you can create as wins to demonstrate value to the business, and then staffing? How do you think of all of this stuff?
Lee Brotherston: My personal view is, going in with a quick win. It doesn’t even have to be a big win, but just to demonstrate that there is value in doing this. I think with regards to staffing, you are often forced one way or the other. So hiring is hard, and hiring for security is really hard and super competitive. So sometimes you may be forced to outsource or get contractors, or what have you. It may be forced that way. But my general view is if there isn’t something forcing you that way, I would prefer to take someone in-house for any task that’s likely to be ongoing. So being a general security engineer, for example, but to outsource something that might be a one-time piece of project work or something like that. The prime example of that is, we tend to outsource pen testing. We don’t have a requirement for full-time penetration testing, but when we do need it, we want to get a specialist in, so they come in and do that. But we try to do things like internal tool development and things like that in-house. It works out better in multiple areas. I think in the long-term, that probably works out cheaper. It’s also someone that’s familiar with the business, has a long-term interest in it, that sort of thing, so I think it’s a good thing overall.
Jen Ellis: We talked about how resources are sometimes constrained, and it’s a thing upon you. If you’re going in early-stage, I mean, presumably the business has recognized that it needs to do something in terms of security by the very fact that it hired you. But how do you get real organizational buy-in? You’re going to go in, and maybe somebody on the leadership team has decided, “We need security,” but that doesn’t mean the engineering team is on board. It doesn’t mean that the IT team is on board. How are you getting buy-in from all these different parts of the org?
Lee Brotherston: It’s the “We should do a security. We don’t know what a security looks like. But we should do that.”
Jen Ellis: That thing there, that’s the thing we should do.
Lee Brotherston: We should tick that box. The main thing is, it’s a couple of areas. It’s firstly, sort of making it clear that this isn’t just a ticky box, to tick a box thing. It’s really to drive real benefit. And I think people appreciate it when you can show that there’s real benefit. And I think more and more, it’s the case that you can’t go in and be like security teams used to be, be the gatekeeper whose job it is to come in and say no at architectural reviews and everything, and annoy everyone. It’s more to work with people and deliver some value. And there is a certain amount of politics in that. I think doing things that are super visible are good to do occasionally because it makes people see that security is being considered and handled.
So, like, a prime example for letting customers see it is, going into a company and enabling 2FA and making sure all their web properties are on SSL or TLS, really. But things like that. It’s visible to the outside world and it gives them a feeling of trust, and it demonstrates some instant value to the business, because most companies I’ve worked with have a requirement on customers to trust you. At a fintech, they want you to give them your money to look after and to grow. And they obviously don’t want that to disappear somewhere. And similarly, I am at an IoT company now, and we want people to plug devices into their house. And so both of those require trust. So, building customer trust through enabling the business and providing features is a great way of doing things. And I think another thing is sort of empowering. A number of people talk about pushing security left, which I think is a really useful way of demonstrating value. So rather than being the person that comes in and code audits and goes, “You did it wrong here, here, and here. Go fix the thing,” going in and doing things like training developers to not do it wrong in the first place and getting them on board with it, it’s a case of getting things done earlier in the cycle. Once embedded, it makes things quicker because retrofitting anything is always more painful than doing it right in the first place. And it does tend to lead to less repeated mistakes. Once someone's accidentally caused a cross-site scripting or SQL injection or whatever, and you've gone and explained to them why, and how, and all that sort of thing, they're less likely to make the same mistake again.
So I think that it’s generally like, the whole—I’m going to break out all the cliches—but it’s the whole, be an enabler, work with the business, do things to help, instead of saying, “You can never, ever send files externally, because security.” Helping people come up with the right way to share files externally because that way they’re not going to sidestep you. And I think that people just generally appreciate that attitude of helping, rather than being the big, bad, “I said no.”
Tod Beardsley: So, Lee, you said specifically that you want to be able to enable developers to do secure coding, rather than fixing it after the fact. Is that the kind of thing you find yourself doing as much as you want? Or do you want to do more of that in your current position, or what? Because in my experience, security people are OK developers. They tend to be the level of amateur developers, but super great hackers. To be a good security person, you have to know 50 different languages, and to be a good developer, you have to know 30. So I’m curious how that dynamic works, because you also mentioned building trust first and doing that. How successful are you at that? Are you as successful as you want to be?
Lee Brotherston: I’m never as successful as I want to be. Security is one of those “never done” tasks. I fall into that boat you described of “I can code because I’ve had to clutch tools together” or whatever, but I code like a security person codes. I don’t think about things like scaling in quite the way that a developer thinks about systems scaling out. I think some of it is what you said about, that a lot of time security people are like, “Ugh, developers don’t know anything, silly developer writing SQL injection…”
Tod Beardsley: Right, and it’s unfair, too, because it’s not like developers are evil or children. It’s not even so much that they’re ignorant…
Jen Ellis: I love that those are your three buckets: evil, stupid, or children.
Tod Beardsley: Those are my buckets. Developers want to do the right thing. I go and talk at developer conferences every once in a while about security, and usually that tends to generate the aha! moment in the audience about something about how a SQL injection works, like, under the covers. And they are, in my experience, very desperate to want to know this stuff and want to know how to do it well. It’s conversely a thing that security teams don’t do a ton of, and it’s where they get the most bang for their buck. Do you agree?
Lee Brotherston: Yes, I do. I mean, I think that stuff works well because one of the things I find is, that like doing security stuff, not talking technology, like firewalls or whatever, but it doesn’t scale. Anything that’s manual code review or whatever, you can only throw people at it for so long. So you need to scale it, and getting other people to help with that helps scale it. And you’re right. I think the aha! moment is something that’s great. I’ve done things like give people—I forget what it’s called, is it “Damn Vulnerable Web Server?” The one that’s got a bunch of vulnerabilities in it, and show people how to break into it. And once they’ve done it a couple of times, I think they get quite excited about it and start thinking about stuff a little more.
Jen Ellis: And then you recruit them to the security team!
Lee Brotherston: I may have done that? The other thing we've had quite a lot of luck with is running bug bounties, and finding that when the reports come in, we don't have the security team just go and fix it and raise a pull request or whatever. We actually put it into the backlog of the relevant development team, and go and work with them on fixing it. So it's like a learning experience, as they go through that. And I think that sort of also helps because that's then no longer the internal security guy being the tinfoil-hat guy who's like, "You can't do that." This is a real world, external person has gone, "Look, I did a thing and I didn't have access to the source code and I just found it." And I think that carries a lot of weight with people and like you said, developers aren’t silly. They understand the implications of authentication bypass or something. So I think it goes down really well with them when they can be involved and that kind of stuff.
Jen Ellis: I think what you’re both talking about, at core, is when it comes to collaboration and colleagues, not assuming bad intent, and recognizing that people have areas of expertise. Those areas, these might not be the same, but that's a great opportunity for you to learn from each other. And if you can come to the table with a little bit of humility, and treat others with respect, then probably you'll get a lot further along the road in getting buy-in and finding ways to work together. Treat other people as you'd like to be treated, should be a pretty basic thing, I think. Not to get all preachy and Hallmark-ey.
Lee Brotherston: No, I agree. I think the other thing as well that I forgot to mention in that is also giving some idea of priority to people. Because when everything's a fire, nothing's a fire. I think if you come in with the attitude of like hey, there’s this bug and it needs to be fixed but it’s not super bad, if you could do it in the next couple months, that would be great. You’ve got a lot more social capital if you come in and say, “Drop everything, the bad thing has happened.”
Jen Ellis: Yes, and hopefully you've done some tabletops by this time to prepare people for what it's like when the bad thing happens.
Lee Brotherston: Right, yeah, hopefully.
Jen Ellis: So, it all sounds very much like everything is going swimmingly. But we all know the real world's not quite like that and you wouldn't need a murder dungeon if it was. So, what are some of the challenges that you have encountered as you've been building?
Lee Brotherston: Right. So there's a few things. One of them is what we kind of touched on already. Hiring is hard, and it’s time-consuming, and it's even more time-consuming when you use that time and you don’t get anywhere. So that’s one thing. I think the initial, getting business buy-in, like security rarely makes life easier for anyone. I mean, it makes things better, but it's always like, it's an extra click or something takes a few more CPU cycles, or there's an extra gate to go through or whatever. So you know, getting people sort of bought into it can be a challenge, and that's definitely one of them.
And, I think also sometimes convincing leadership that it's the right thing to do can be more difficult than you think. Because like you said, you've got the tick box, the “we should do a security, we've hired you, do the security.” But sometimes I think, because people don't know what that looks like, they're not always prepared for you to come in and go deliver some difficult message around like "Okay. You want to do a security, well this is the awkward thing you now have to do." And, they have a bunch of priorities, especially in startups or small to medium businesses, where there's an onus on shipping, and shipping now, and moving fast, and only slightly breaking things, and, and all that kind of stuff.
And by virtue of that, trying to get priority to go like, "Hey can you stop making product and fix this bug that like four people are going to notice?" is sometimes a hard sell. And I think there's a certain amount of realism and pragmatism, has to come along with things. I think I also ... I suffer from something that probably most security people do is, you want to fix everything. And actually, it's a challenge to narrow it down, because when you're a one-person team, or there's like you and you've got like two people working for you or something of that sort of size, you definitely can’t touch everything. You can barely do high-level management of everything. So there is very much prioritizing and having your priority list aligned with everyone else’s priority list.
Jen Ellis: What would be the piece of advice you would give yourself if you were going back in time to when you went to your first startup. What would you tell yourself to do or think about?
Lee Brotherston: I think that early mistakes are going in and thinking of things just from a security perspective or a technology perspective and actually understanding what people’s core business objectives are is actually a good way to make sure you’re focusing on the right things that are going to resonate with people and be accepted for funding or resourcing or whatever else. So yeah, learning the business and how to express that to other people, because not everyone wants CVSS scores. Sometimes people just want to know how big the fine is going to be or what have you.
Tod Beardsley: I can tell you that no one wants CVSS scores. But they are here.
Jen Ellis: Nobody is disputing this.
Lee Brotherston: Bad example.
Jen Ellis: But yeah, figuring out the commonality and focusing on that is great advice. Figuring out how to speak in a language people care about.
Lee Brotherston: A lot of small companies, if they’re venture-capital-backed, they’re probably looking for specific growth numbers. They’re probably also having to explain their spending. So being able to leverage that by understanding it is good.
Jen Ellis: I’m into that. Tod, anything you want to ask Lee?
Tod Beardsley: I’m good.
Jen Ellis: Now that you’ve had a dig at CVSS, you feel like everything has been covered.
Lee Brotherston: The mission is complete.
Tod Beardsley: Mission accomplished!
Jen Ellis: I do feel like before we let Lee go, I should clarify to anybody listening, particularly in law enforcement, that Lee, does not, in fact, have a murder dungeon, as far as I know. The last time we did a call with him, it looked very much as if he might from the background and we therefore spent much of the time on that call, rather than talking about security things, speculating why there was a very strange shower curtain hanging up behind him in his basement. So, yes, I presume that Lee is not, in fact, a murderer.
Tod Beardsley: Great, well that clears things up!
Jen Ellis: I presume he’s not a murderer, I cannot say for certain, but I presume.
Tod Beardsley: Jen, we don’t have to qualify it anymore.
Jen Ellis: No? You think it’s done?
Tod Beardsley: I think we're good.
Jen Ellis: I just don’t want to get implicated in this. So I will just say thank you very much, Lee. We appreciate it. You have a great story, and it’s great to hear from people who are building from scratch. We would love to have you on again sometime in the future no doubt.
Lee Brotherston: I would love to. That would be great. Thank you for having me.
Jen Ellis: Cheers, Lee. Take care. Bye! So that’s our episode. Thanks so much for listening, and thanks so much to our guest, Lee Brotherston, my amazing copilot Tod Beardsley, my amazingly ranty co-pilot. And most of all, thank you to the woman behind the scenes, she is the Wizard of Oz, she makes it all happen, Bri Hand, who is our producer and basically the most patient person on the planet. If you like the podcast, please subscribe. We release episodes every two weeks, so the next episode will be out Friday, July 19. We will be speaking with yet another Brit!
Tod Beardsley: Oh jolly good!
Jen Ellis: I promise it’s a real person and not just Tod speaking in a British accent, although maybe that’s something we can do in the future. In fact we’re going to be talking to David Rodgers, who is an amazing chap. He wrote the UK Code of Practice for consumer IoT Security, check it out if you aren’t familiar with it, it’s very good. It’s so good in fact and such an impressive piece of work that he’s been recognized by the Queen. The actual queen, the one in England with the crown and stuff, jumped out of a helicopter during the Olympics—you know who I mean. So we’re going to have him on next week, so don’t miss it. Thanks very much!