NICK DRAGE The popularity of DevSecCon, and the enthusiasm for DevSecOps as a concept, shows that there is a desire for significant change within the IT industry – that merely improving our abilities, and our tooling, hasn’t provided the gains we expected and hoped for. This presentation will demonstrate the value of ideas from diverse areas, providing a range of examples where others have faced similar situations regarding conflict, training, adversaries, or complexity, and showing how we can use those ideas to improve our own processes and practice.

1. Nick Drage – Path Dependence – @SonOfSunTzu
Lessons From The Legion
Nick Drage
Path Dependence Limited
DevSecCon - 19 Oct 18
V 4.11 - 19Oct

2. LONDON 18-19 OCT
2018
Lessons From the Legion
( The DevSecCon Remix )
NICK DRAGE

3. Nick Drage – Path Dependence – @SonOfSunTzu

4. LONDON 18-19 OCT
2018
Lessons From the Legion
( The DevSecCon Remix )
NICK DRAGE

5. Nick Drage – Path Dependence – @SonOfSunTzu
I have a question

6. Nick Drage – Path Dependence – @SonOfSunTzu
You’ll Have Questions...
● Available afterwards
● Contact details at the end
● All references blogged
● All media – owner’s copyright
● If no credit, probably Pixabay

7. Nick Drage – Path Dependence – @SonOfSunTzu

8. Nick Drage – Path Dependence – @SonOfSunTzu

9. Nick Drage – Path Dependence – @SonOfSunTzu

10. Nick Drage – Path Dependence – @SonOfSunTzu

11. Nick Drage – Path Dependence – @SonOfSunTzu

12. Nick Drage – Path Dependence – @SonOfSunTzu

13. Nick Drage – Path Dependence – @SonOfSunTzu
Tactics
● System Administrators
● Developers
● Security Operations

14. Nick Drage – Path Dependence – @SonOfSunTzu
How do we learn and train

15. Nick Drage – Path Dependence – @SonOfSunTzu
Matt Wiebe - a lonely robot - https://www.flickr.com/photos/mattwieve/29221303838 CC2.0

16. Nick Drage – Path Dependence – @SonOfSunTzu
BreachLevelIndex.com

17. Nick Drage – Path Dependence – @SonOfSunTzu
BreachLevelIndex.com

18. Nick Drage – Path Dependence – @SonOfSunTzu

19. Nick Drage – Path Dependence – @SonOfSunTzu

20. Nick Drage – Path Dependence – @SonOfSunTzu

21. Nick Drage – Path Dependence – @SonOfSunTzu

22. Nick Drage – Path Dependence – @SonOfSunTzu
What’s wrong with Golf?
● Nothing wrong with golf
● … or training for golf
● … if you’re going to play golf.
Image: Costume SuperCentre

23. Nick Drage – Path Dependence – @SonOfSunTzu

24. Nick Drage – Path Dependence – @SonOfSunTzuhttps://www.competitivedge.com/catalog/all-sports

25. Nick Drage – Path Dependence – @SonOfSunTzu
TRIZ
● Russian - “Theory of Inventive Problem Solving”
● Characteristics of problems
● Patterns in solutions
● A sufficient level of abstraction
● Use other’s solutions

26. Nick Drage – Path Dependence – @SonOfSunTzu

27. Nick Drage – Path Dependence – @SonOfSunTzu
By Oxford Creativity - Own work, CC BY-SA 4.0
https://commons.wikimedia.org/w/index.php?curid=40358248

28. Nick Drage – Path Dependence – @SonOfSunTzu
Strategic Inflection Point

29. Nick Drage – Path Dependence – @SonOfSunTzu
Jump the s-curve

30. Nick Drage – Path Dependence – @SonOfSunTzu
So ...

31. Nick Drage – Path Dependence – @SonOfSunTzu

32. Nick Drage – Path Dependence – @SonOfSunTzu
● Utterly incomprehensible from outside
● Complex
● Team games
● Highly specialised
– By situation
– Attack or Defend
● Fight over territory
● Offensive or defensive playbooks

33. Nick Drage – Path Dependence – @SonOfSunTzuhttps://media.defense.gov/

34. Nick Drage – Path Dependence – @SonOfSunTzu

35. Nick Drage – Path Dependence – @SonOfSunTzu
● Get screenshot about 14 seconds in to
https://www.youtube.com/watch?v=f1ZK7T5dezI

36. Nick Drage – Path Dependence – @SonOfSunTzu

37. Nick Drage – Path Dependence – @SonOfSunTzu

38. Nick Drage – Path Dependence – @SonOfSunTzu
Seattle Seahawks’ Defense – 2011 to 2017
● Sherman - CornerBack
● Thomas – Free Safety
● Chancellor – Strong Safety
● Everyone

39. Nick Drage – Path Dependence – @SonOfSunTzu
2012-2015
● Fewest points allowed 2012, 2013, 2014, 2015 – NFL Record
Image: ESPN

40. Nick Drage – Path Dependence – @SonOfSunTzu
2012-2015
● Lead the league – Fewest Passing Yards Allowed
● Lead the league – Fewest First Downs
● 2nd Quarterback Pressures
● 4th Rushing Yards per carry
● 6th in takeways
● Always high in DVOA ranking

41. Nick Drage – Path Dependence – @SonOfSunTzu
LESSON – “shift left” your conflict

42. Nick Drage – Path Dependence – @SonOfSunTzu
Practice is
everything

43. Nick Drage – Path Dependence – @SonOfSunTzu

44. Nick Drage – Path Dependence – @SonOfSunTzu

45. Nick Drage – Path Dependence – @SonOfSunTzu
The Caffrey Triangle

46. Nick Drage – Path Dependence – @SonOfSunTzu

47. Nick Drage – Path Dependence – @SonOfSunTzu
Image:FrasierScott

48. Nick Drage – Path Dependence – @SonOfSunTzu

49. Nick Drage – Path Dependence – @SonOfSunTzu

50. Nick Drage – Path Dependence – @SonOfSunTzu
The Base of Sand Problem

51. Nick Drage – Path Dependence – @SonOfSunTzu
Footnote 3
“Battle outcomes have historically borne no relationship to the raw
force ratio...
...what matters is the ratio of effective forces” ( emphasis mine )

52. Nick Drage – Path Dependence – @SonOfSunTzu

53. Nick Drage – Path Dependence – @SonOfSunTzu

54. Nick Drage – Path Dependence – @SonOfSunTzu
LESSON – Eliminate the big play

55. Nick Drage – Path Dependence – @SonOfSunTzu

56. Nick Drage – Path Dependence – @SonOfSunTzu

57. Nick Drage – Path Dependence – @SonOfSunTzu
NIST – five core functions
https://medium.com/@TechTieu/cyber-security-framework-66aa07c1b7a5

58. Nick Drage – Path Dependence – @SonOfSunTzu
NIST – five core functions
https://medium.com/@TechTieu/cyber-security-framework-66aa07c1b7a5

59. Nick Drage – Path Dependence – @SonOfSunTzu
NIST – five core functions
https://medium.com/@TechTieu/cyber-security-framework-66aa07c1b7a5

60. Nick Drage – Path Dependence – @SonOfSunTzu
NIST – five core functions
https://medium.com/@TechTieu/cyber-security-framework-66aa07c1b7a5

61. Nick Drage – Path Dependence – @SonOfSunTzu
Drive chart
Wikipedia:ByRunfellow-Ownwork,derivedfromFile:AmFBfield.svgby
userXyzzyn,CCBY-SA3.0,https://commons.wikimedia.org/w/index.php?
curid=22524383
+3

62. Nick Drage – Path Dependence – @SonOfSunTzu

63. Nick Drage – Path Dependence – @SonOfSunTzu

64. Nick Drage – Path Dependence – @SonOfSunTzu
Sounil Yu - matrix

65. Nick Drage – Path Dependence – @SonOfSunTzu
Sounil Yu - right of boom

66. Nick Drage – Path Dependence – @SonOfSunTzu
Sounil Yu - right of boom

67. Nick Drage – Path Dependence – @SonOfSunTzu

68. Nick Drage – Path Dependence – @SonOfSunTzu

69. Nick Drage – Path Dependence – @SonOfSunTzu

70. Nick Drage – Path Dependence – @SonOfSunTzu

71. Nick Drage – Path Dependence – @SonOfSunTzu
As we’re meant to be resilient now
http://csd.ncb.mu/English/Pages/Presentations/Mauritius%20Event%20Dec2013v1%20Symantec.pdf

72. Nick Drage – Path Dependence – @SonOfSunTzu
NCSC - “Cyber resilience - nothing to sneeze at”

73. Nick Drage – Path Dependence – @SonOfSunTzu
Blog - Black Swan Security

74. Nick Drage – Path Dependence – @SonOfSunTzu

75. Nick Drage – Path Dependence – @SonOfSunTzu
OODA: Observe – Orient – Decide - Act

76. Nick Drage – Path Dependence – @SonOfSunTzu

77. Nick Drage – Path Dependence – @SonOfSunTzu
Image:MarkSkillen

78. Nick Drage – Path Dependence – @SonOfSunTzu
LESSON – out hit your opponent
The evidence of history is that soft factors: command-control
processes, tactics, and strategy, are first-order determinants of
both deterrence and war outcomes ( emphasis mine )

79. Nick Drage – Path Dependence – @SonOfSunTzu

80. Nick Drage – Path Dependence – @SonOfSunTzu

81. Nick Drage – Path Dependence – @SonOfSunTzu

82. Nick Drage – Path Dependence – @SonOfSunTzu

83. Nick Drage – Path Dependence – @SonOfSunTzu
Bartle’s Taxonomy of Player Types

84. Nick Drage – Path Dependence – @SonOfSunTzu

85. Nick Drage – Path Dependence – @SonOfSunTzuImage: Yan Cui

86. Nick Drage – Path Dependence – @SonOfSunTzu

87. Nick Drage – Path Dependence – @SonOfSunTzuITHare.com

88. Nick Drage – Path Dependence – @SonOfSunTzu

89. Nick Drage – Path Dependence – @SonOfSunTzu

90. Nick Drage – Path Dependence – @SonOfSunTzu
Image:MeadowEllis

91. Nick Drage – Path Dependence – @SonOfSunTzu
Image:DevSecCon

92. Nick Drage – Path Dependence – @SonOfSunTzu

93. Nick Drage – Path Dependence – @SonOfSunTzu

94. Nick Drage – Path Dependence – @SonOfSunTzu

95. Nick Drage – Path Dependence – @SonOfSunTzu

96. Nick Drage – Path Dependence – @SonOfSunTzu

97. Nick Drage – Path Dependence – @SonOfSunTzu

98. Nick Drage – Path Dependence – @SonOfSunTzu

99. Nick Drage – Path Dependence – @SonOfSunTzu

100. Nick Drage – Path Dependence – @SonOfSunTzu

101. Nick Drage – Path Dependence – @SonOfSunTzu
CHANGE CONTROL?

102. Nick Drage – Path Dependence – @SonOfSunTzu

103. Nick Drage – Path Dependence – @SonOfSunTzu

104. Nick Drage – Path Dependence – @SonOfSunTzu

105. Nick Drage – Path Dependence – @SonOfSunTzu

106. Nick Drage – Path Dependence – @SonOfSunTzu

107. Nick Drage – Path Dependence – @SonOfSunTzu

108. Nick Drage – Path Dependence – @SonOfSunTzuhttps://gds.blog.gov.uk/2015/07/10/you-cant-be-half-agile/

109. Nick Drage – Path Dependence – @SonOfSunTzu

110. Nick Drage – Path Dependence – @SonOfSunTzu

111. Nick Drage – Path Dependence – @SonOfSunTzu
● Get screenshot about 14 seconds in to
https://www.youtube.com/watch?v=f1ZK7T5dezI

112. Nick Drage – Path Dependence – @SonOfSunTzu
LESSONS
● Use others’ lessons
● Practice Is Everything
● Eliminate the Big Play
● Out Hit Your Opponent
● Or try to Golf our way through
American Football...

113. Nick Drage – Path Dependence – @SonOfSunTzu

114. Nick Drage – Path Dependence – @SonOfSunTzu

115. LONDON 18-19 OCT
2018
[Nick Drage
nickd@pathdependence.co.uk
blog.sonofsuntzu.org.uk
@SonofSunTzu]

116. Nick Drage – Path Dependence – @SonOfSunTzu
BREAK BREAK BREAK