Cybersecurity Talk With Shannon Lietz: Getting women into cybersecurity with the Hacker Girl Foundation

Shannon Lietz is an award-winning innovator with over two decades of experience pursuing advanced security defenses and next-generation security solutions.

In the video, we talk about the Metasploit module, the Red Team challenges, security awareness, and a little bit of the female factor: why being a woman can be challenging in the cybersecurity field.

Paula J:

You guys need to hear about Shannon Lietz because there’s so many nice things about you. First of all, you are the director of DevSecOps at Intuit.

Shannon Lietz:

Yes.

Paula J:

And you’re also running a Red Team, right?

Shannon Lietz:

Yep, I run the Red Team as well.

Paula J:

Do you have a lot of challenges with that?

Shannon Lietz:

Absolutely. It’s like managing tigers and not getting eaten by them.

Paula J:

Oh, yeah? Managing tigers is a good comparison. And, yeah, that’s interesting. And you won different types of awards, yeah?

Shannon Lietz:

Yeah, I won the Scott Cook Innovation Award at Intuit.

Paula J:

Yeah.

Shannon Lietz:

And that was for cloud security. So we, basically, figured out how to take sensitive data workloads into the cloud and make them secure when at the time a lot of the cloud platforms just didn’t have a lot of security features in them. So it’s kind of a cool capability.

Paula J:

Yeah, awesome, awesome. So you, in general, see little, different types of companies ‘cuz you have a chance to cooperate with Fortune 500s, different types of companies, like banks, for example.

Shannon Lietz:

Yep. Very large banks, governments, you name it.

Security awareness amongst big organizations, leaders and employees

Paula J:

How would you evaluate security awareness in such big organizations, because everybody would expect that it’s very high because we all know big brands and so on, but how do you see that?

Shannon Lietz:

Yeah, you know it’s interesting. It depends on the maturity of the organizations. I, actually, tend to believe that many try very hard to build up their security capabilities. There’s rigorous programs and frameworks. But when it comes down to it, our Red Teams are able to do things that the frameworks don’t necessarily cover.

And, so, there’s still an exposure that has to be part of how you bring your security program together is understanding attackers and adversaries and bringing that information into the fold. And, so, I would say that from a maturity standpoint, a majority of the programs out there are still sort of advancing at the time when attackers have truly got an upper leg.

Paula J:

And what about the leaders over there? So, if someone is managing security, what kind of challenges does this person have within their team?

Shannon Lietz:

Managers really have the challenge of taking frameworks and making them useful against attackers. When it comes down to it, those frameworks help us raise the minimum bar. Things like PCI DSS have really done a great job of doing that. But, truly, adversaries and attackers have taken advantage of things like the cloud and other capabilities to be able to pivot and do more dynamic things. And, so, the bar really isn’t enough when it comes to advancing your security capabilities. I think that a lot of managers do need to figure out how to pull those things together.

Paula J:

And what we also notice is that that particular manager needs to be placed in the organization correctly, right?

Shannon Lietz:

That’s absolutely true. When you place your management for security, what we find is that there are different parts of the environment where they will be more successful. And, so, really, organizing around the work that’s coming in, the right stakeholders, getting that information pulled together properly, and having that stakeholder support is essential to being able to advance your security programs.

Paula J:

And what about building security awareness amongst employees? What kind of challenges do you usually see ‘cuz people are quite resistant about, for example, inventing strong passwords, yes? That’s something that is quite difficult for them. It’s an easy case, but there’s much, much more to convince them that security is important. What kind of challenges do you see?

Shannon Lietz:

Right. You know it’s interesting because, when you build security awareness programs, it tends to be that somebody will take that security awareness training. They do it for two hours and then they’re done for the year, right?

Paula J:

That’s it, exactly.

Shannon Lietz:

And they’re completely trained. But what we find is that when you do Red Teaming and you do adversarial attacks and you do simulations, fire drills, and things like that, you ultimately build up skills because the person is actually able to then apply the things that they learn. And, so, from an awareness standpoint, unless you’re actually pushing on those skills, you’re not ultimately building them. So you’re not really creating the understanding of what the information is and then building upon it.

Paula J:

Especially after two hours video.

Shannon Lietz:

Exactly.

Paula J:

There’s no chance someone can, working, especially in a corporation –

Shannon Lietz:

Consume it.

Paula J:

Consume it when there’s maybe not even a super nice feeling to the company that you are working with. Still, people need to care about security. So it needs to be an ongoing program, right?

Shannon Lietz:

Exactly. And it should be continuous and evolving constantly. One of the things that we’re constantly working on is figuring out how to bring fire drills to bear. We do things like Red Team Mondays. So on a Monday, we can fool or trick somebody into understanding what happened to them. And, ultimately, that means that you’re raising the security bar constantly, and you’re pushing on the skills so that people can understand and develop further empathy for how hard it truly is to stay ahead of attackers.

Red Team and Metasploit module

Paula J:

And what about your Red Team recent research because this is pretty amazing. Can you tell us a little bit more about it?

Shannon Lietz:

Yeah.

Paula J:

Because this is news, yes? This is coming.

Shannon Lietz:

Yeah, yeah, this is good news. So from Red Team research perspective, one of the things that we really have been advancing on is things like cloud, DevOps, and, also, just some of the IoT recent exposures. We have a couple of people who are talking about a new Metasploit module to do account takeovers in the cloud.

And what’s interesting about that is you could inadvertently set up your account to be exposed and not necessarily know it. So we’re constantly trying to build tools and capabilities that help developers who are leveraging things like cloud services or cell services to understand the exposure and be able to test it more effectively.

So being able to contribute to open source out there has really helped us to work within the community to really ultimately get Red Team information and metrics back.

Paula J:

So the module is coming?

Shannon Lietz:

Yes, the module’s actually been checked into Metasploit. And, so, we’re really excited about it.

Paula J:

Oh, yes, definitely. I will definitely need to check on it.

Shannon Lietz:

Yeah, it’s really cool.

Being a female in a security field

Paula J:

But my female part speaks out and, well, I have to ask you a question. How is it for you to be a female in a security field? How do you feel?

Shannon Lietz:

It’s almost been a few decades now, and I would say at first it was pretty lonely. I remember when I first started taking programming classes and I was one in a hundred men, basically, –

Paula J:

Exactly.

Shannon Lietz:

– sitting there. And it was interesting because I could barely even get a lab partner to work with me because I was the girl in the room. I would say that over the years, I thought that would advance and change because there was more and more capabilities, there was more online education that started to evoke.

And then, just recently, I was pretty surprised. I went to a recent conference in Las Vegas, and it had, I think it was 30,000 people were there. And in 30,000 people, there were less than 1% was female. And, so, that was really kind of devastating –

Paula J:

That’s unbelievable.

Shannon Lietz:

– to me. A cloud engagement like that where this is the newest, hottest thing and we can’t attract female talent. I think that it speaks to people like me who want to see more and more women really get exposed to this environment.

Paula J:

Same for me, yeah. There should be more of us.

Shannon Lietz:

So on that note, getting more women to the field, I would say … So I’m a technical female. I really do try to advance my skills constantly. I program. I do all these different things.

Paula J:

Exactly.

Shannon Lietz:

Right? And what’s kind of cool about that is being able to Red Team. You have to have programming skills. And being able to work with other women and other people, you have to be able to share with them. So I find that exciting.

Hacker Girl – a foundation that raises cybersecurity awareness

I’m now founding a second foundation that’s called Hacker Girl. And the idea behind this is to really kind of raise that awareness about cybersecurity.

Paula J:

That’s a great idea.

Shannon Lietz:

But, also, bring people like me to the table to be able to work with more women that are out there who are looking to advance their skills. I recently attracted a lady from Rochester Institute of Technology. She’s been coming and being an intern in my group the last couple of years.

Paula J:

That’s great.

Shannon Lietz:

She was a brand new freshman in college when she joined my group as an intern, and she keeps coming back year after year. Her hacker skills have advanced, and it’s really been very cool to see her internships produce somebody who’s able to be both technical and be able to walk other people through those capabilities.

Paula J:

Yeah, yeah, I definitely see your point. But at that stage, while you’re probably not dealing with the female problems anymore ‘cuz you’ve got your brand and people know who you are, so there are no questions. You’re going to speak about what you know, and the same story is for me. But it’s kind of funny when I do the pen-test and I go to the customer side, when someone invites us, probably one person from the crowd knows me. But the other team that is out there, not everybody needs to know you. So they kind of treat you like, “Oh, it’s a girl. Probably, she doesn’t know anything.”

Shannon Lietz:

She doesn’t know anything, exactly. And basically it’s interesting ‘cuz a lot of times you’re hacking into something and you’re showing somebody how to do it; you’re social engineering. And I find to be female and social engineering as kind of an interesting thing, right?

Paula J:

I absolutely agree with you, yeah.

Shannon Lietz:

You get such an advantage from it when you’re trying to run a test. The simulations can go a lot better.

Paula J:

There’s a level of cuteness that we introduce.

Shannon Lietz:

Exactly. Hey, the hair.

Paula J:

But that works. I’m sorry. Social engineering in progress.

Shannon Lietz:

Yeah, but at the same time, you sit me down in front of a computer and I can produce a lot of different things and outcomes, and I think that that’s interesting. But I think, ultimately, there’s just not enough role models out there for it.

Paula J:

Yeah, I agree.

Shannon Lietz:

We’ve earned our stripes the hard way. I would say, you know, a few decades in earning your stripes was really, really tough. I took every job out there so that I could get skills, and nobody really wanted to teach me. So I did it the hard way. And I really would love to see it be a lot easier for the women today.

Key factors that a woman should have to succeed in cybersecurity

Paula J:

What, in your opinion, are the factors or the skills that a woman should have to succeed in cybersecurity? What do you think?

Shannon Lietz:

So one of the major skills that I see that prevents people from being able to do things like Red Team or the more advanced capabilities is being able to program. So being able to develop code, be able to contribute to open source, be able to learn from a community and collaborate, that’s a real essential skill.

I have taken some folks that really didn’t have coding skills, now I’m not saying I got them to a really great level, but I got them to actually get pretty comfortable with coding. And the way that I did that was to introduce them to things like Code School and Pluralsight and Lynda and some of those things to get their confidence that they could develop code. And I think the next thing in my mind –

Paula J:

You should bring them to our academy.

Shannon Lietz:

Yeah, exactly. I think the next thing in my mind is testing, right? You know there’s just not enough scanners and tools out there. And what’s interesting is that most people will run those scanners and tools, but they don’t understand the fringes, they don’t understand the attack cases. And, so, we’ve done something to reduce the barrier to entry for things like threat modeling by doing attack maps.

Because, what we found is that if you could articulate an attack map, you could actually start to understand and embrace the information that’s coming out of programs and environments so that you could make better adversarial decisions. So I think that that’s really critical. And I think the last one is actually something that’s really emerging in this space, is machine learning. There’s some really great capabilities out there. I –

Paula J:

It’s a hot subject, yeah. You know?

Shannon Lietz:

It was. You know it’s interesting ‘cuz in November, I went to a one-day class on building a recommendation engine.

Paula J:

Oh, that’s cool.

Shannon Lietz:

And I built a recommendation engine, and it’s not all that hard.

Paula J:

No.

Shannon Lietz:

And it’s pretty easy. There was a bunch of serverless capabilities, Lambda, a whole bunch of stuff in AWS that makes it easy to do those things. And when you take training sets and you start to make decisions through computing technology, you can easily start to adapt it for some of the more interesting testing scenarios for security.

A piece of advice from Shannon Lietz for women getting into cybersecurity

Paula J:

Okay, yeah. And what about a young woman? So what would you recommend for those girls? ‘Cuz they say it’s a man’s world. I mean no doubts, it is. So, basically, we want to change it. So you do your amazing program with the Hacker Girl, yeah? So this is the case. But these girls need to hear about it, and then they need to see the value. But what else they need to know? Like what is a push factor for them to jump into this field?

Shannon Lietz:

Yeah, it’s a great question. I have two little girls.

Paula J:

Oh, you do?

Shannon Lietz:

Yeah.

Paula J:

That’s great.

Shannon Lietz:

I tend to be a mommy with a mission and a passion to make my girls be able to do the things that they want to.

Paula J:

Do they do programming already?

Shannon Lietz:

Yeah, so my eldest daughter is taking programming classes through her school.

Paula J:

Perfect.

Shannon Lietz:

And the way that she’s gotten exposed to it has been just through leveraging computers to be able to learn has been a real nice feature. And then, in addition, they have things like programmable robots, now, where –

Paula J:

Yeah, Lego Mindstorms.

Shannon Lietz:

Yeah, they do. They have this great technology now. And, so, we exposed her to that. We made it so she built a robot. She could do it by herself, build confidence. And then the other thing that we exposed her to was being able to build her own stories through PowerPoint.

So you can actually get your children to be able to build stories online and start to understand and work with computers. And I think it’s the beginning of confidence and the essential skills of building that capability that makes it so that they really do start to internalize, “I can do this.”

Paula J:

I can do that, and I’m not afraid to speak.

Shannon Lietz:

I’m not afraid to speak about it. I’m not afraid to learn a new skill. I’m not afraid to teach. I love the fact that you can have a child, basically, build a book online because that’s actually the first beginnings of them teaching the things that they’re learning. So she draws a bunch of stuff, and we digitize it, and then she’s able to kind of move it around on the screen.

Paula J:

That’s cool.

Shannon Lietz:

And then there’s actually publishing capabilities. What’s great about that, from my perspective, is then she starts to want to do things like robots, and she wants to build more capabilities.

Paula J:

‘Cuz it’s fun.

Shannon Lietz:

Exactly. And, so, we have to find a way to make it fun. We have to find a way to build better skills and capabilities. But, most importantly, and I think this is the most essential skill, is confidence. So what’s interesting is if you build on the thought of children starting to build confidence and getting those capabilities from a female perspective, there’s a million cybersecurity jobs right now that are going unfilled.

And, truly, those are opportunities for women to be able to come into entry-level positions, be able to fulfill on these capabilities and, ultimately, creates career path. Because as we get more and more women into the field, –

Paula J:

There’s a need, yeah?

Shannon Lietz:

– we can actually uplevel those jobs. And I think there is serious need. When I look at things like Grace Hopper, which I attended this year and spoke at, what was interesting to me, and this was a lesson learned, was that I realized that there wasn’t a lot of exposure, even in that forum, to what cybersecurity was. And, so, I had a whole bunch of ladies that I got to talk to while I was there, and they said, “I never even imagined cybersecurity could be something that I would be passionate about until I got to see this talk.”

So I was super excited about seeing that come to bear. But we just don’t have a lot of forums for it. We don’t have a lot of people pushing on it. And that many jobs being available just tells me that this is such an opportunity, that we should go after it.

Paula J:

Yeah, definitely. On the other hand, companies need to understand that there is a need for positions like that, right?

Shannon Lietz:

Yeah, absolutely.

Paula J:

And that’s basically why we are here, why we are talking about it. ‘Cuz, as you mentioned, there will be a need of different types of security jobs, that they are unfilled. So the career path, it’s just there. The job is there. It’s just that we need to jump on it, educate ourselves and be the best, yeah?

Shannon Lietz:

Yeah, exactly. And I think one of the more interesting challenges is that I think that women tend to believe they can’t do something like this. If you look at all the STEM programs that are out there, the science, technology, engineering, and math, building up confidence is really the critical and essential element. And I don’t know that we spend a tremendous amount of time building up that science mindset.

And that’s where I think we could really expose folks to understand what it means to have a community around this. I mean, we got to meet, and it was because we really do enjoy science and math and –

Paula J:

Absolutely.

Shannon Lietz:

– technology. And I think it’s just a matter of really getting more vocal and looking for people like yourself to be able to engage with. And then ultimately growing out around those folks new circles that can help to bring these initiatives to bear.

Paula J:

Motivation.

Shannon Lietz:

Exactly.

Paula J:

The different types of news is awesome.

Shannon Lietz:

Anybody can do it. And that’s the thing is what’s interesting to me is that this is such a big problem, and we really need more help, and we need people to contribute and get involved. And everyone out there has a good incentive to do that.

As an example, if we don’t actually fight off attackers, actually, most of the technology that we use will be untrusted. And a lot of things that we’re doing as a community may end up getting broken in the mindset of the next generation because it can’t ultimately trust that technology. I think that’s a big problem that we have to solve, and we’ve got to start thinking about it now.

DevSecOps – trying to make security valuable

Paula J:

Yeah, absolutely. So when we’ve got DevOps and the software is developed, with this, yes? So the customer, basically, should ask the question, “Where’s the security?” And here comes the DevSecOps, yeah?

Shannon Lietz:

Exactly. So we’re primarily trying to make security valuable instead of just being a cost center, instead of making it invisible from the standpoint of attackers. We’re ultimately, now, trying to figure out how do we fight adversaries that are leveraging their information and skills against software.

That means that we want to do things like build up a developer’s capabilities, have them understand what logs mean to them, be able to track and trace against attackers, and ultimately be able to make decisions about the logic that they have in their products so that they can make those products safer.

If you think about that, that includes things like better authentication, MFA, adding in new identity mechanisms, and really advancing your technology so that it meets the purpose of a customer’s needs, but ultimately helps them to make their information and access to things that are going to be able to do transactions for them. It’s safer for them, ultimately, online.

Paula J:

And, so, finally, security becomes a part of the business process.

Shannon Lietz:

Exactly. And, so, –

Paula J:

It’s good to hear that.

Shannon Lietz:

– from my perspective, I’m super excited about this initiative because you’re now seeing security become part of the drivers that make a business successful. And that, ultimately, is something that is valuable because end users are now asking for more security. I actually think that as an end user, I’m constantly looking for features like MFA and some of those things to make me feel more comfortable, that I’m putting my information and trust in the right companies.

Paula J:

Okay, so let’s summarize. We’ve had an exciting discussion.

Shannon Lietz:

We had a major exciting discussion.

Paula J:

Thanks so much for that.

Shannon Lietz:

And it’s been great to meet you.

Paula J:

Same, same, definitely. So just to summarize this subject, guys, we’ve been talking about, well first of all, the Metasploit module that you got, the Red Team challenges, security awareness with, at the end, a little bit of a female factor, why being a woman can be challenging in this field, but on the other hand, we are doing very well.

Shannon Lietz:

We’re just emerging.

Paula J:

We are, definitely. And knowledge is everything.

Shannon Lietz:

It is, yeah. And being able to share and collaborate is so essential. Finding new forums for folks like us to meet –

Paula J:

Yeah, exactly.

Shannon Lietz:

– and really participate in spreading the message is really essential, I think.
