AI Generated Summary
This keynote presentation “My 2 Paisa on Infosec” shares insights from 15+ years of experience in information security, covering the distinction between hacking and infosec, industry challenges, hiring practices, remote work, and advice for attackers and defenders.
Speaker Background
- Anant Shrivastava: Information security professional with 14+ years corporate experience, 15 years teaching experience
- Projects:
- Android Tamer: Linux-based environment for Android security (VM → live Linux machine, repository for tools, emulator with pre-configured setups, Android application repository, knowledge base)
- Code Vigilant: Source code analysis project - found 300+ vulnerabilities in WordPress plugins (2014), restarted 2021, found 40-50 SQL injections in WordPress ecosystem
- Hacking Archives of India: Website cataloging public speakers who presented at high-profile conferences, tracking their journey over years
- Started: 2008 corporate experience - not very popular to be in infosec space back then
- Communities: NULL (open source communities targeting spreading information security knowledge)
Key Topics Discussed
Infosec is NOT Equal to Hacking:
Hacking:
- Not about profession, it’s passion: Not after money, regulations, “I can save the world” or “I can save corporate environment”
- About the rush: Rush you get when you do something that is not expected from the environment
- Normal individual: “These are the five things I can do with this environment” → does those five things
- Hacker: “These are the five things I can do - what extra? What can I do to make this system do something which it is not supposed to do?”
- Not about ethics: Not about whether it’s good or bad - idea is to explore limits of system, understand system in deep manner, explore and exploit boundaries
- Reference: “The Conscience of a Hacker” or “Hacker’s Manifesto” (available on phrack.org) - predates speaker’s existence, written before he was born
- Recommendation: If interested in being hacker, read that manifesto, understand ideas by which hacking culture came into existence
- Reality: Most of us in infosec space were at one point into hacking culture, then realized there could be money/profession/career path in it - that’s why moved into infosec space
- Key point: “Infosec is not hacking, it is not just hacking - there’s so much more to it”
Infosec Industry:
- Bigger game than hacking: However, still not the most dominant thing in the world
- Part of business operations: Infosec or security operations or security in general is small cog wheel in entire process
- Subset: It is subset of lists of stuff that business has to do
- Can operate without it: Multiple businesses operate at least for some time without having infosec - may not operate successfully for very long time, but can definitely start operating without having infosec
- Other pieces: If take out other pieces of business, they may not even be able to function
- Important part: Because of way world is, security threats we have, infosec is becoming prominent - important piece of puzzle, but not entire puzzle
- Understanding needed: “That’s something all of us need to understand”
- Perception problem: When we talk about infosec, we talk as if we are top species - everyone needs to listen to us
- Developer perspective: From developer or someone not part of infosec space - infosec professionals look like: “Hey I saved your city, would you help cleaning up the city? No, that’s not my job, you deal with it”
Offense vs. Defense:
- Offense subsection: Very loud, but not only part of puzzle
- Defense set: Actually much more important in the picture
- Purpose of offense: To facilitate defense so they can do their job
- Hierarchy: In long list of things for business → infosec is small space → within infosec, red is small space → blue is supposed to be helped by red → then world runs
- Problem: What we see in general is people becoming blocker in whole process
- Solution: “Be an enabler, not a blocker”
- When stepping into infosec: Think about how you can help business run
- Instead of: “Hey I don’t want you to do this because this is risky”
- Try and figure out: How it is that they reach the goal they want to reach
- Instead of worrying: “Hey if you do this there is a problem”
- Try and help: Individuals, organizations achieve the goal they want to achieve
- Create allies: Have to collaborate with people, instead of trying to alienate people
- Problem: When infosec person goes on rampage: “Hey I am doing all things right, you are not helping me, or the world does not understand security”
- Reality: “We can keep talking about all of that - it is interesting to talk about it, it’s good to talk about this, but in all honesty it does not help anyone”
- Action: “If you want to help the world move forward, help them move forward”
Security is Not Just Hacking:
- Reference: Link from Christian Braga - difference between security is not just hacking
- Many pieces: So many pieces of puzzle
- Hacking/offensive side: Just small part - you tell that flaw exists
- What after that?: How do I monitor the flaw is exploited? How do I go about fixing the flaws? What can I do so someone cannot touch that system? If someone does touch that system, how can I contain them?
- Whole lot of: Policies, procedures, setups, operation centers, bunch of different things
- Not offensive: Which are not offensive in nature, which are defensive in nature
- All part: They’re all part of information security space
Skill Shortage - Different Take:
Industry Reality:
- Relatives approaching: Anyone in infosec space for at least 3 years would have relatives/people approach them about children/relatives/people just getting graduated asking: “This seems like interesting field, how can I make money in this field? How can I be infosec professional?”
- Important turn: From industry which was passion-driven (people were here because they wanted to be here) → now multi-million dollar money making industry
- Attraction: People getting attracted because pay scales are way too high compared to other jobs
- Reality: You have people here who want to just do their job, who want to work
- Nothing wrong: “There’s absolutely nothing wrong with that - that’s the first thing infosec industry right now needs to understand”
- Accept: It is not wrong to be in this industry if all you want to do is make money, if all you want to do is nine to five job
- Ground reality: People are going to be only here for nine to five jobs, people are going to be here because they want to make money, they may not be here for passion
- For industry: Need to accept that this is reality and act accordingly
- For employees: People interested in joining need to understand there are two aspects of infosec space:
- Money aspect
- Passion aspect
- Figure out: What do you want to deal with? Do you want to make more and more money? Or do you want to be in infosec space for passion?
- Compromises: Both would have their own individual set of compromises, based on that you would move forward
Giving Credit to Defense:
- Need to start: All of us need to start giving credit to defense so defense also becomes prominent factor
- Many jobs: So many jobs in defense space which don’t even get mention, people not even aware of them
- First response: When talk with individual interested in getting into infosec space, first response: “Hey I’ve heard about bug bounties, I can get paid for finding flaws”
- Reality: “Yeah you’ll get paid far more also if you are employed at patching systems or securing systems”
- Limelight problem: You may not get limelight - this is tricky part
- Why no limelight: Because you’re helping fix the environment
- Change needed: “We might want to change around - we might want to give defenders their due credit”
- Credit: Yes, there are defenders who are helping world, because of which we have environments which are not hacked or environments which are secure (may not have 100% security, but more than what is there compared to other environments)
Hiring Strategies:
Certifications:
- Requirement: Industry requirement of certifications - “You should have X certificate, you should have Y certificate, we only hire people who have OSCP, OSCE, CISSP, CISA and bunch of these keywords”
- Question: “Do you really need those certificates?”
- If really need: “How about hiring people whom you see that they can clear those exams? Put them on your payroll, pay them, and then get them up-skilled on those certificates”
- Example: If want someone to have OSCP - test their skill set, if feel they are good enough to get OSCP
- Instead of: “Hey get OSCP and then I’ll hire you”
- Do this: Hire them, give them time to give that exam, once done with exam, reimburse that cost
- Result: Got someone who is skilled, who has certification, who’s at cutting edge
- Don’t bottleneck: “Don’t bottleneck your hiring process because certain certificate is not there”
Technical Interviews vs. Actual Job:
- Picture: Summarizes current world
- Technical interviews: Doing “Congress as Godzilla”
- Actual job: Basically just asking them to do some very simple jobs
- Re-look: As interviewer, as organization, need to re-look at ourselves
- Reality: People are going to be here for money, not for passion - got to accept that
- Looking for: People who can get job done - not looking for excellent people or people with passion only
- Example: If all you want from analyst is: go to web interface, log in with credential, click start scan, copy paste bunch of IP addresses, watch screen as scan runs, pass on results to next analyst
- If that’s job role: Then hire people who can do that job well
- Then: If feel like want them to do more job, train them up within job environment, train them up for more work
- Don’t hire for fancies: Hire for work that you want them to do
- Not saying: There are not going to be Congress Godzilla situations and actual job - yes there are going to be, for those jobs definitely go ahead and do those kind of technical interviews, hire people
- Balance: Try and maintain balance between what you are interviewing them for versus what you are asking them to do in their daily job
Outside Work:
- Scenario: Organizations start asking: “I see you’ve done jobs for like 4 years, 5 years - what have you done outside work? I’m looking to understand are you really interested in this industry?”
- Reality: There may be people who are just doing nine-to-five job
- May be good: They may be good at what job they’re doing, but may not want to do anything after their job
- That’s fine: Test them for skill set they have
- If organization: Only looking for passion, does not want to hire people doing nine to five jobs
- Then: “Don’t come back and say there is skill shortage - because yes there are going to be shortage”
- People with passion: Going to be far less compared to people available in market who are interested in getting job
- Re-look: Re-look at what you are making people to do
- If asking: People to do X as their job, hire for that role, maybe X+1
- Don’t go ahead: Hire for Z and never ask them in entire span in company to do that extra job
- Disservice: That’s disservice to you, disservice to industry, disservice to employee - all of us suffer because of that
- When say skill shortage: Be very clear what exactly are you looking for - do you really have shortage or is it just that you are over expecting from people and you may not even have requirements of that high caliber
Judging by Public Work:
- Experience: From experience with Hacking Archives of India
- When spend time: In industry, start spotting people who know their own craft, who know what makes the clock tick
- Large chunk: Yes, large chunk of them are public speakers, large chunk actually do go ahead and talk in conferences about their work, about their experiences
- Equally large number: Don’t even touch conference circuits, don’t want to do anything with public life
- Do immense work: Do complicated stuff which make speaker feel like infant who has no understanding of what’s going on
- Example: Even after spending about 20 years working with Linux, when talk with these people, they make speaker feel like need to go and read up about how Linux actually works
- Another example: After teaching 7 years information classes around infrastructure hacking, know people who can basically make speaker feel like have no idea what talking about within infrastructure space
- Not only qualifier: “Judging by public work is not going to be the only qualifier here”
- When trying to hire: Try to gauge them, ask questions which help understand their level of skills
- Quick question: “Pick up an example from your career which you’re very passionate about, that you did very good job, and give me as much detail as you want to give about what did you do - without naming the client, without naming actual incidents, give me as many details as you want about that particular instance”
- Gives ideas: Whether this person actually knows what they’re doing or not
- Can ask follow-up: Can ask follow-up questions, can discuss about it
- Open and receptive: It’s something they’ve already done, so they’d be open and receptive about it
- Explore: Want to explore what is it that they know, if they know what they’re talking about, would be interested in hiring them
Hiring Summary:
- Hire for work: Hire for work that you have, not for fancies that you have
- Don’t hire for: “This person needs to do X, this person needs to do Y, and they should be able to crack open entire world and should be able to compromise entirety of internet and every single street light across the globe”
- If not going to let them do it: Don’t try hunting for people like that
- Scenarios: Had scenarios where organizations look for people who can do red teaming work
- When job comes: “Hey I found SQL injection” - they’re like “Don’t exploit, just give bare minimum POC, write report, and that’s it, you’re not supposed to exploit them”
- If did not want: People to exploit and move forward, why even look for those kind of people?
- Let organizations: That actually need that kind of people hire those people
- Work with: Set of people who can get that job done
- All of us: Employees, employers, organizations - all of us have to understand
- Skill shortage: There is bit of skill shortage, but most of it is because we are over expecting from people and we are not even willing to give people chance
COVID-19 and Remote Work:
World Changed:
- From: Fully in office
- To: Fully remote
- Organizations: That just used to say “Hey we are not going to let you work from your home” have basically opened up VPNs for people to work from their home
- Not just cities: Not just from their cities, but from their hometowns - people have migrated back to their hometowns, working from there
- Need to understand: All of us need to understand, accept this, try and figure out how we can make most of this
Diversification - Location:
- Example India: Has certain set of metro cities where most of IT industry is situated
- If take those cities out: Large space available within country
- Many people: Cannot travel to those cities and get job
- Diversification: Not just in terms of gender or skill set and those parameters which everyone has been talking about
- Also look at: Diversification from angle of location
- Don’t limit: Don’t limit yourself to tier one city or tier two city
- What about: Tier 2, tier 3, tier 4 cities?
- Infrastructure: Most countries now have good enough infrastructure which allows you to operate with laptop and internet connection
- Personal example: Operating from city called Bhopal since 2016
- Started: 4 Mbps connection
- Now: 1 Gbps connection
- World changed: Over time
- More importantly: Even with 4 Mbps connection and laptop at place, was able to operate and do job
- Question: “Why can’t we have more and more people doing that?”
- Organization: Remote first from day one - 2015 when formed organization
- Since 2015 till now: 100% remote organization
- Been able to: Run things, do pen tests, develop training, deliver pentest projects, deliver trainings (both on-site, off-site) - all of it without asking people to be at one location all the time
- Important aspect: Employers got to understand - you have access to untapped potential if start looking at markets which are tier 2 and tier 3 cities
- Will find talent: Just sitting there because they don’t have access to resources, because you are not going there hiring people
- Similar to: Organizations focusing only on IIT-IIM and not hiring from anywhere else
- Look at: Other colleges, other cities, try and hunt for talent, then groom them up, work with them
- Will find: Large potential there
Hiring Practices - Salary:
- General flow: Technical interview happens, current salary is asked, then HR steps in and does weird calculation: “Hey you are earning X, I can only offer you 30% hike over your current salary or 40% hike over your current salary”
- Instead of doing that: Focus on what do you want person to do
- For that role: What are you willing to pay? Don’t worry about what they’re earning right now
- Create brackets: Create packets for roles, create brackets for responsibilities, offer them up
- Example: “For your skill set, this is bracket where you fall - I am going to pay you somewhere between this number, let’s say 5 lakhs to 10 lakhs, 10 lakhs to 15 lakhs - that’s range between which your salary would come up”
- Could be: Lower end or higher end, but will remain within this
- Till: You show us more talent, till you show us more work, and we promote you to next year
- Give that out: To employees or prospective employees, have fair discussion around it
Remote First Policies:
- Not just: “Hey our company’s remote first, we clear your laptop, we ask you to have internet, we ask you to have power backup, and you’re all set now”
- Much more: Remote first policies are much more than that
- Have to account for: People working in different hours, people working in asynchronous mode, informing larger set of audience who are not in one place
- Can’t just: Call up one person and tell them something, or do group call and tell something and not follow it up with email
- Try and be remote first: Which basically means do emails first
- Email contains details: Your calls may actually have shorter info because emails have already conveyed stuff
- But because email conveyed stuff: If someone could not attend, they still have access to information because they received email
Employee Aspect:
- Whole world open: Compared to pre-COVID scenario, large number of organizations offering remote jobs now
- Hunt for them: Look for them
- If local companies: Not paying you, look outside
- Demand: Demand that organization give you remote work
- Demand: Demand that organization gives you sane working hours
- Sick and tired: Of people actually working more than 8 hours, 9 hours
- Obsession: Seen obsession where people are like “Hey I want to work 12 hours, I want to work 20 hours, I want to work X number of hours, I’m super workaholic”
- Not good thing: It’s not good thing, it’s not long term sustainable thing to be workaholic
- Will have crash: Then it will take years to recover from it
- Take it from someone: Who has been on that point - it takes years to recover from that
- So demand: Demand for sane working hours, demand for remote work
- If don’t demand: Organizations would do whatever is going on
- From organization points: Try and figure out how you can actually give people comfortable life
- Successful organization: Can have comfortably living people doing nine to five jobs
- Just need: Balance things out
- Balance not easy: Neither for employee side, nor for employer side
- So many ingrained biases: That we deal with - it’s not going to be easy
- But if start: Towards that journey, you will reach somewhere
Advice for Attackers:
Fancy About Cutting-Edge:
- Fancy: Doing most cutting-edge stuff, doing most emerging technology related work
- Everything way too complicated: Very much excited about finding five-step SQL injection, or four-step process to extract token via SSRF in internal application which is not exposed publicly but found way to integrate URL which caused leakage in PDF file, then did OCR and did bunch of mumbo jumbo and got access
- A lot relate: To scenarios drawn
- What actually happens: Very accurately depicted in XKCD picture
- How people think attack works: Person goes to house in USA, breaches house, finds passwords, then can do bunch of things
- What actually happens: Someone leaks passwords on one website, they’re like “Okay yeah, let’s take this credentials, let’s pass them on to another application and see if same credential works”
- Security world: Not that complicated when look at it from that angle
Two Cents to Attackers:
- Learn emerging stuff: Anyone in offensive side of equation - learn emerging stuff, be focused on it
- Important: It is important that you are aware of what is going on
- Cloud: Consider cloud as emerging technology because “Hell even vendors don’t know what they are doing”
- Vendors getting stuck: Constantly vendors also getting stuck in security vulnerabilities
- Cloud space: So much to explore, so many new things coming up every day - easy area to explore
- Try and look at: AI/ML - so many use cases where as attacker can actually use AI/ML and get better work done
- Look at it: From angle how it can help you, instead of saying “Hey that’s something I don’t want to touch”
- Look at it: See what you can get out of it
- Look at: Blockchains, Web 3, new buzzwords that are there in world
- Paid attention: Said blockchain, said Web3, did not say cryptocurrencies
- Don’t invest time: In learning how to do trade on cryptocurrencies - that’s not important
- Can make money: But that’s not important
- What is important: How blockchains operate, how Web 3 works, how cryptocurrency trade works is important, but that will be over blockchains or other similar environments
- Learn technologies: Be aware of what is emerging technology
Don’t Forget the Old:
- At same time: Don’t forget the old
- IBM still sells mainframes: Still earn heavy revenue from mainframes
- PHP: Language which everyone in infosec space says “Hey this should not be language of choice, this is riddled with problems” (just like people say about C)
- PHP still serves: Large chunk of visible internet
- Just like C: Still dominant language when comes to Linux kernels and bunch of other places
- Windows AD: Although Azure Active Directory and similar setups are there in existence, everyone talks about decentralized setups, not having AD, allowing zero trust setups and whatnot
- Windows AD still in existence: Startups coming up now may not have these, may have focus on newer technologies
- But any old organization: Which has existed for couple of years would have these
- Not easy: To get rid of these setups
- So don’t forget old: Old is still here
- Believe me or not: Compared to newer, old is going to get hacked much more severely and is going to cause much more problem
- Why: People who built that code base may have already retired, may not even be in organization, and no one knows what is going on inside it
- When no one knows: What do they do? They don’t touch it, they let it run till it stops working one day, then figure out what to do with it
- But that means: Those are avenues where there’s no patches, there’s no security, there’s no one looking at it, no one caring about it
- Freeway passes: Those are freeway passes for attacker
- So as much as: Should focus on emerging technologies, keep handle on older stuff - it’s going to help
Advice for Defenders:
Collaboration:
- Funny aspect: Although said ton of negative things about attackers, got to give one thing to attackers: “Attackers know how to collaborate”
- Defenders sorely need: That’s something defenders sorely need
- Need to focus: Energies and work together
- When say focus energies, work together: Look at organizations
- Can see: Three different organizations designing exact same set of security rules or security policies, security tool sets within their environment but not exposing it out to public
- Because they feel: “This is something that I build, I’m only going to keep”
- Or buying: Anything that they could lay their eyes on, any thousands of dollars worth of blinky lights that they can find, they’d buy it, deploy it
- That’s not how security works: You can be best set of people, but you’re only going to be best till all of those people are within organization
- If team breaks: Your best is not there anymore
- Try and build tools: Build setups in collaborative manner
Sponsoring Open Source:
- Biggest pet peeve: With organizations
- Everyone wants: To use third party tools, everyone wants to use open source stuff, everyone wants to use stuff that someone else has built
- No one wants: To sponsor them, no one wants to support them, no one wants their own employees to contribute back to those code bases
- Got to change: That’s got to change
- If actually want: Good for that particular software, if feel that is important piece of equation, back it up
- Don’t just say: “It’s good” - back it up by putting money where your mouth is
- Support developers: This is where things like OpenSSF have come up which are trying to help
- Bunch of other initiatives: Coming up, and those initiatives are need of hour
Frameworks:
- ATT&CK, D3FEND: MITRE frameworks which are around - what are attack methodologies people do, what kind of different defensive methodologies are in existence which people can apply
- Defenders need: To openly contribute and support these setups
- When support: When put things out, that’s when helping entire world in one shot
- Sigma: Common rule set for SIEMs, common language which all SIEMs should ideally understand
- Rules can be written: In that language, which helps everyone detect certain set of attacks
- Collaboration at this level: Important
- If don’t do this: Remain in own silo, as good as set of team that you have, but not growing much beyond that
Metasploit Example:
- Very interesting example: In form of Metasploit
- Started because: Someone thought it is not good idea to write things every time by hand
- Attackers appreciated: That effort, went ahead and contributed to it
- Product got sold: To another company, they kept it open source
- Still have: Large number of attackers actually contributing to that project on daily basis
- Project continuously growing: Similar concrete collaborative effort is required in defense on ongoing basis
- Reference: “The GitHubification of Infosec” - interesting article, talks about bunch of these things, some things that were there at that time not right now, but good article that everyone should read about
Firefighters vs. Fire Prevention:
- While talking: About defenders who basically help protect against attacks, who basically help stop attack
- Remember: There are going to be firefighters who are there to stop fire
- But also have to: Start finding out people who don’t let fire start
- If there is someone: Who is ensuring proper precautions are taken in place so fire does not start in first place, they also need their due credit
- Up to managers: Up to organizations to appreciate efforts that go in
- Don’t just map: Matrix around fact that “Hey this person helped us defend against five attacks”
- Yes those were active attacks: Why were they active? Why were they not stopped even before attack started?
- Was it brute force?: Was it zero day? Was it something that was known to you?
- If known to you: Why was action not taken?
- If someone took action: Those are people that should be appreciated also
Take Care of Yourself:
- Important piece of advice: For defenders
- Take care of yourself: When say that, got to understand this
- Information security war: Is never-ending war
- There will always be: Something or other coming in every single day
- Cannot go: From battle to battle to battle to battle to battle
- Have to take pauses: Have to take care of yourself
- If not at 100: Cannot secure environment
- So don’t just focus: On single battle or single instance
- Focus on bigger picture: This is going to be there
- Take care of yourself: Very important
- If feeling burnt out: If feeling someone who needs support, be vocal about it, ask about it
Prevention vs. Detection/Containment:
- Interesting aspect: Industry has kind of given up on having 100% security
- Started way back: No one claims they are 100% secure
- Everyone expects: Breaches are going to happen
- But yet: We only focus on prevention
- Detection and containment: Is where focus should be
- Anomalies: That happen in network, how you can contain if attacker gets inside network is what got to focus on
- Assume breach will happen: How do you handle stuff if breach has happened? How do you contain attacker?
- Think in that direction
Last Nugget for Defenders:
- Got to understand: Attackers don’t play by the rules, but they play in your playground
- You are ones: Setting the playground
- If set playground: They will have to play on that playground
- So defenders can actually have upper hand: If are in that position where defining playground
References:
- Amanda (also known as Malware Unicorn): Black Hat USA 2019 keynote - talked about red and blue and how things change between the two
- Halvar Flake: Keynote in Black Hat Asia 2017 - “Why We Are Not Building a Defendable Internet” - own set of points around how we have failed in building secure internet
- Haroon Meer: Talk called “What Got You Here Won’t Get You There” - very in-depth discussion around how world has evolved
- Saumil Shah: Fellow Indian, talk at NullCon 2014 - “12 Years and Baker’s Dozen” - talked about trends, how things have been, how things are, where things are going
- All interesting: Presentations that should go ahead and have look at
- NULL Community: “Garage for Hackers” - sources of learning for many many years
- Not just that: When in infosec space, connect with communities, connect with individuals
- With each discussion: Get new thought
- With each thought: Whole thinking pattern that goes in
- Whatever talked about: In entire slide deck is based on all of those interactions combined
Key Insights:
- Infosec is not equal to hacking - hacking is passion, infosec is profession
- Infosec is small cog wheel in business operations, not entire puzzle
- Be enabler, not blocker - help business achieve goals
- Skill shortage mostly because over expecting from people
- Hire for work you have, not for fancies
- Remote work opens untapped potential in tier 2/3 cities
- Attackers know how to collaborate - defenders need to learn this
- Don’t forget old technologies - they’re still here and vulnerable
- Focus on detection and containment, not just prevention
- Take care of yourself - information security war is never-ending
Actionable Takeaways:
- Understand difference between hacking (passion) and infosec (profession)
- Be enabler, not blocker - help business achieve goals
- Accept people are here for money, not just passion
- Hire for work you have, not for fancies
- Give credit to defense - they’re more important than offense
- Don’t bottleneck hiring with certifications - hire skilled people, then certify them
- Look at tier 2/3 cities for untapped talent
- Implement proper remote first policies
- Attackers: Learn emerging tech but don’t forget old tech
- Defenders: Collaborate, sponsor open source, focus on detection/containment
- Take care of yourself - never-ending war requires pauses
- Assume breach will happen - focus on containment