Security Sandbox 4.15.21
Ep 3 | 4.15.21

Scoring on Defense: Mixing Krav Maga with Data Security


Amanda Fennell: Welcome to Security Sandbox. I'm Amanda Fennell, chief security officer at Relativity, where we help the legal and compliance world solve complex data problems securely. And that takes a lot of creativity! One of the best things about a sandbox is that you can try anything. This season, let's explore how curiosity and personal passions inspire stronger security. Grab your shovel, and let's dig in!

AF: Security threats hit hard, and the true test of a security team is in its instinctive response to attacks. Today, we hope to play nice and avoid full contact combat while learning about the mixed martial art of Krav Maga and how that leads to a more secure cloud environment. Weighing in with twenty-six years of law enforcement experience, Tony Cianflone has trained in Krav Maga, Wing Chun, and jiu-jitsu. He's the founder of Tactical Fighting Systems. Ready in her corner is Relativity's very own Jessica MacAllister, manager of cloud security on the Calder7 team. Alright, Tony, I'm going to start with a question you have to answer all the time: what is Krav Maga?

Tony Cianflone: Krav Maga was created in Israel as a fighting system for their military. It was created in 1947 by Imi Lichtenfeld, who was in charge of training the IDF. Krav Maga was so effective because it used instinctual motions that you do anyway, and he weaponized it. It's easy to pick up. It's easy to learn. That's why their military adapted it. Their police then adapted it, and then went to the civilian world.

AF: Awesome. So what are you doing at Tactical Fighting Systems?

TC: Tactical Fighting Systems I started a long time ago, but then I transitioned into my Krav Maga as a business, so I teach Krav Maga at Tactical Fighting Systems. We teach how to defend yourself against multiple attackers and defend yourself with weapons involved. We teach you how to use the person's body leverage and use it against them. We teach you about awareness, we teach you about aggression, and we teach you techniques.

AF: That's awesome. Jessica, did this sound slightly familiar? You've worked with Tony before. You want to tell us about that?

Jessica MacAllister: Yes. I remember going into my very first Krav Maga class thinking, like, this is just going to be some exercise martial arts thing. And Tony's like, "Okay, we're going to attack the frame and concuss the brain. Aggression wins fights!" I was like, "Yes, this is going to be amazing!" I was instantly supercharged.

AF: Jessica, let's tell everyone what you do here as a manager at Relativity.

JM: I am a manager of the cloud security team. My team is in charge of identity and access management, cloud governance, and ensuring the safety of our cloud customers. We continually scan our environment, looking for vulnerable assets or something like that. We make sure people only have access to what they need for the minimum time they need it. And we make sure that our cloud configuration is as secure as possible.

AF: And there's one other side to your team that you work with as well, which is all about how to offer that transparency to a customer, right? So we do all these great security things, but they all want to know that they can see it, so that transparency is there with things like the security dashboard.

JM: Yes. Security Dashboard is a one-stop shop for all of your permission needs in Relativity. A system administrator can go here, and they can check and see what their users are doing, what level of access they have to their system, and we're even working on having a tool where they can check to see if there's any streams like user behavior, so they can get those alerts as fast as possible so they can act on them as fast as possible.

AF: That goes right back in. User and entity behavior analytics [UEBA] is just such an overlap with that situational awareness—being able to see when something looks amiss and when something looks like it's not quite right. You know, when you need to start looking at something closer. So I think it's great for the Krav realm and walking down the street and having that UEBA in your head: "That looks abnormal. You may not want to do that." It's a great idea to look at it that way. Let's talk about what escalation looks like in aggression? How does that look to a person whenever you're dealing with a fight, Tony?

TC: It could look like yelling and screaming. It could look like gaining distance or merging or coming closer to you. It looks like a push. It looks like a punch. It looks like body language, right? You have to read the body language. You have to look at their hands. If you look at their hands—if they're angry, if they're aggressive, you can see they start clenching their fists.

AF: Yeah, interestingly in the cyber realm, an increase in aggression looks like more activity. When we say there's aggressive scanning, it's because there's more activity taking place. So it's the same idea of this escalation. When things get hot, there's more stuff happening. When do you know an attack is over?

TC: When do I know when the attack is over? It's over when I end it, that's when it's over. I either ended it through de-escalation or I ended through force. De-escalation looks like you talking the person down. You calm them down. It looks like seeking cover to create time and distance—put something in between you. It looks like when two people agree that there was a miscommunication, and they go their separate ways. And that's what you want, right? That's what I want. Fights are nasty. Even though I say you have to be aggressive and win that fight, at the end you're going to do some damage to your body, too, right? You might hurt your hand. You might hurt your elbow. You might fall, hurt your knee. Fights are pretty nasty. So de-escalating is number one.

AF: I like the idea here that you're going to take some damage. You know you're going to take some damage when you have a physical altercation. In the security realm, do you think you're always going to take a little bit of damage when there's an attack?

JM: I think you might take a little bit of damage. There's a reason that we have “defense in depth” as a concept in security. You have separate, multiple layers of defense because you're expecting maybe your first defense could be breached. That's where you have that second backup layer. They might get you here, but we can stop them here. That way, maybe they get a little information, but they didn't get the data. They just got maybe, "This person works here." They didn't get what that person works on.

AF: That's a great answer. Defense in depth, big cyber term. Tony, just so you know, that's how we make sure we got all those layers in place. Just like if you want to get in a building, you got to get through five different locks or something. Well, when you're in an altercation of some type, what would you advise people are the vulnerable parts that you want to aim for, Tony?

TC: You always want to hit the vital parts—soft tissue and vital parts. You don't want to hit something that's hard that's going to hurt you. I usually like to go straight line. If you go straight line, you have the eyes, the nose, the chin, the throat, solar plexus, and groin, straight down that line. My secondary would be my vital points that are more around it. It would be your spleen, your liver, your floating ribs, your carotid, then the back of the neck. But I always follow that straight line. If you follow that straight line and you're aggressive enough, you pretty much take care of business.

AF: That's cool. So you go for that—you go for the straight line, you get the vulnerable parts. How do you do a takedown?

TC: Okay, the takedown. There are three ways you could take somebody down. One through striking: knocking the consciousness out of them, knocking them out. One would be throwing the person: you out-leverage them and throw them. The other one is sweeping the leg or taking their legs out underneath them. And they all hurt, by the way. If you ever get slammed, it hurts.

AF: Jessica, what was something comparable for you in security? That we develop our skills in different ways whenever you go further in them?

JM: I started my security career off as a web application pen tester. Initially I was only concerned with things like the OWASP Top 10 and the SANS Top 25. We stopped SQL injection; we stopped cross-site scripting. But as I've worked at Relativity, our department has grown from a five-person team to a 50-person department, and I've been exposed to way more of the security realm. I've learned about the corporate side of things—cyber phishing attacks, how to deconstruct malware—so now I'm not just thinking about, "Maybe I need to sanitize a parameter." I'm thinking, "Do our vendors take their security seriously? Do we need to be worried about a supply chain attack on their site? How do we secure our entire corporate network instead of just this one little web application?"

AF: That's an awesome thing to hear that you're focused on, by the way. As a CSO that's what I want to hear. It's interesting for Tony, though, because you mentioned earlier situational awareness, and that's part of this—knowing what your risky area is. How do you explain situational awareness, Tony, to people in your classes?

TC: One, I teach them to keep their heads out of their phones while walking down the street. There's a little game I play: I ask my members or my students to go outside, put their phone away, and pick victims while they're walking down the street. Who would you attack? Do that for about two weeks, get kind of used to being that predator, and then you sit back. Two weeks later, you pick that victim and then you look around and find the predator—who's watching that person? And once you develop that type of skill, then it becomes habit, and then I walk down the street and my head is looking for threats.

AF: Jessica, you know what I'm going to ask you, because that sounds familiar, right? How do you feel about thinking in security that's very similar here? How does this feel, like adversary thinking?

JM: Oh, yeah. This reminds me of threat modeling, where an engineer comes, they pitch us an idea, and we look and say, "Okay, but what if we do this? Okay, but what if we do this to this system, or we attack here? Did you take that into account?" That's how we help our engineering teams build security into our platform. We also, at Relativity, have a fantastic threat intelligence team. They are just constantly searching dark web, normal web, just making sure that we are aware of what threats are emerging in what industries and if they are planning on targeting our own.

AF: This brings to mind stress, because when you're in a fight, there's stress. When there's security incidents, there's stress. Tony, stress plays a big part in how you fight. How do you handle your stress going up in a fight?

TC: You're right about the stress, Amanda. Stress could actually kill you in a fight, right? It could freeze you. It could stop the whole thought process on how to escape. So how do you handle stress in the fight? Tactical breathing, combat breathing, deep breaths. Hold them, let them out. Breathe through your nose, hold, and let it out. You could do that. You could bring your heart rate down, and you could pretty much manage that stress.

AF: Jessica, are you doing breathing tactics when you're dealing with work?

JM: Yes, I do. I do progressive muscle relaxation. If I'm starting to feel it, I just take care of it, although I think the most important thing for stress is practice. Practice, practice, practice. If you might be in a situation where you could freeze, your habits just take over. In Tony's class, you just drill, drill, drill. And we have this particular exercise where you just are in the center of this group, and people just run in and attack you, and you get tired, and then eventually it's just reflexes. Did you practice enough that your reflex protects you? It's kind of the same in cybersecurity. We have run books, we do drills, we have tabletop meetings where we have a fake situation, but we run through how to handle it. We've built up good habits.

AF: It's interesting—breathing is a great one. I love it, Tony. We can have people do more of this breathing and understand what you're really saying is we control our stress level, and we should activate that.

TC: Yes, you definitely do control your stress level.

AF: That's awesome. Jessica, why did you first go into Tony's classes? What led you to do that?

JM: I had always wanted to learn a martial art, just self-defense. When I moved to Chicago, it was definitely more apparent that there were more threats around. I'd be riding on the train and people would just be saying crazy things, or they'd be screaming, or sometimes fights would just break out. And I was thinking, "I don't want to be caught up in this, but if I am, what would I be able to do?" So I just searched around, and I found Tony's gym, and I went to a class and thought, "This is going to do it; this is going to teach me." They're not just doing this so that they can advance you through the belts; they're doing this so that you can protect yourself.

AF: This was the thing that most made me interested in Krav Maga originally, is that you look normal whenever you're actually in a fighting stance. There's the neutral passive stance, like an everyday position and where you go, but it's this really subtle thing that you do when you start to feel a level of aggression increase. You very subtly move one of your feet, your primary foot back, and you can start to move up on the balls of your feet a little bit for weight distribution. But that, you know, hip width apart, shoulder width apart, kind of separating your feet, kind of moving, pivoting your movements a little bit so that you'd be ready to throw a punch if you needed to. But as far as the person's concerned, you look like you're defenseless. You know, you have your hands up. You know, you're kind of like, "Hey, hey, no big deal, guys, it's okay." It's that kind of dynamic when the reality is that's your stance. That's you ready to go. You're ready with very little movement in order to throw a punch that's going to start all the way from your ankle, that goes all the way up with your energy, and it will go right up into their face. So this is just ready to go. I've always loved that it was, like, hidden. So I'll talk to the security, but Jessica, what are your thoughts?

JM: When we were learning how to disarm someone who had, like, a pistol on you, and you're supposed to slowly raise your hands up, it looks defensive. It's what they expect. But it's also so that you can do that exponential jump into aggression where you move your hands fast, you get that gun out of the way, and they don't really see it coming. You've gone from defenseless victim to attacker, and that's part of Krav Maga. It's the attack and defend—the simultaneous attack and defend. It kind of reminds me of in security when we set up a honeypot because we're attracting attackers to this thing that we want them to look at, to see that it's vulnerable, so that we can get information on them. So we're defending, but we're also attacking.

AF: That's a great tie in for the honeypot. I was thinking super holistically, the whole program, we act very approachable, and we act very calm and very friendly. But behind that is a wealth of knowledge that's ready to be activated at any time. And I think that's how I was looking at it holistically, but very specifically, yes, the honeypot's the perfect example. "Come on in. Have some of this. Take a load off. We're just going to capture all your IPs and URLs and everything about you and learn your behavior as a malware." So, yeah, 100 percent true.

It does lead to a little bit of bravado, though, Tony, because when I would walk down the street over time, it was almost like I wish somebody would try. I wish someone would try. I'd love to see what this looks like in real life. Do you feel like you prepare people for that real life situation in those classes? And if so, how long until you feel like somebody is proficient enough to walk down that street alone?

TC: I think the way I structured the classes, I speed them along pretty quickly to get to a point where you're confident enough to deal with a situation on the street. Like I tell them, like I told Jess, nothing is perfect out there. There's not a perfect technique. There's not a perfect defense. The goal is you want to get away, right? The goal is to create enough space to get out. And if you're aggressive enough, and you hit the right targets—I like to say, "Concuss the brain; destroy the frame"—it gives you the opportunity to create that space that you need to get out. If you're stuck in the elevator with that person, then it's a different story. You can't get out. Now you really have to do some damage, right? Basically, that's the aggression. The aggression, the mindset, the heart, and the will to win. I think that Krav Maga force, I do teach that, I do instill that type of mindset. And there's been people, while they've been here, who have been in situations where they actually fell back on Krav Maga training, and it was successful. Not all of it turned into a physical fight. A lot of it was the backdown part. It was that mindset where I would de-escalate, I would stand firm, but I'm not going to give him anything either. Predators kind of read that in people, too. Predators think they could get away doing things, too. If you have that mindset—that security type of mindset, or "I'm going to be my own body guard" mindset—I think people, with no time, could get that type of mindset.

AF: You can see it on people, right? That confidence. Like you said earlier, looking around the area when you're walking, who's someone who you think would be a prey, who would be a predator? I definitely think that Krav opened my eyes to seeing that more, and there is that dynamic. It's very palpable to see the energy of someone walking that like, "I don't want to mess with that person. I feel like they would probably whoop me." So it's a good one.

I'm going to close this out and wrap up a couple security things that have woven in, but make sure that everybody who's listening really walks away with some of these overlaps that you could learn to better use in your security program that come from Krav Maga. And this is what I took away.

My first one is: understand the other view, looking at and assessing the predator versus prey. And Jessica, I think we call it the adversary view. It feels like that's the same and really useful to make sure you understand what somebody is after, how they're going to do it. That's situational awareness being there.

The second one is know what vulnerable looks like or what it is. Not just the idea that something looks like it could be more vulnerable, but also knowing what the vulnerabilities are and what the soft spots are—as you said, the straight line.

The last thing, and I was going to end on this anyway because I think it's relevant... I love me some Bruce Lee. I'm wearing my Bruce Lee shoes. Kickin' it. Love him. But one of the things he had is a quote—many that are great—but this one: "Absorb what is useful, discard what is useless, and add what is specifically your own." And that feels like exactly what you hit home here, Tony. Take what's useful. Don't use it if it's not. But make sure you make it your own.

Alright. Thank you both so much.

TC: Thank you. Bye, Jess.

JM: Thank you. Bye, Tony.

AF: Thanks for digging into these topics with us today. We hope you got some valuable insights from the episode. Please share your comments, give us a rating -- we'd love to hear from you!