Episode Transcript
[00:00:00] Speaker A: Tyler, what a pleasure to have you on the show today. I want to start with this very simple question. You've been in security for forever. Keep me honest on that one. What got you passionate about security at the beginning of your road?
[00:00:13] Speaker B: Oh, wow, that's a great question. So I was lucky. I got into security when nobody was in security. So I got into security in the late 90s, and at that time, the only way to get into security was really governments or military. And I just happened to find a company that had an opening for a security position. I had some IT background, but the reason why I became so passionate about it was honestly, you know, even back then in the late 90s, it changed daily. You know, you can't go a day without, you know, something new popping up, without a new attack or new vulnerability or, you know, something exciting happening in the world of security. And so that constant change, and it keeps you on your toes. It 100% does. But I think that's what I love about it is it keeps you going. You can't really find too many other places where you have this much of a dynamic atmosphere.
[00:01:15] Speaker A: I couldn't agree more. I mean, if you're the kind of person that wants to deal with incredibly difficult challenges where the landscape is just so dynamic. I mean, security. The other thing I love about security is, unfortunately, this is the cynical aspect of it. The industry is never going to go away. We're always going to have hackers and organized crime. We're always going to have health care. Right. People are always going to get sick. So it's one of those really cool and stable industries. When you think about your career, what I loved about your background is you started hardcore technical by reverse engineering threats. Look, we got to keep this high level for our audience, not getting super technical. And that's easy for me to do because I'm a software engineer. I started with the intelligence community myself. So let's keep it simple and high level. But tell us what that means. What is reverse engineering threats? What does that look like? Tell us a story of an actual threat. And people were panicking. And what did you do?
[00:02:08] Speaker B: All right, so I've got a great story for this. But reverse engineering with malware, that's what I focus on. Computer viruses is really taking the program, the executable that gets run on a computer, and then basically picking apart the bytes of the program down to the lowest level to figure out what it does. You know, if you kind of think about it, when you write a program, you write the source code, you write the program in a language that's readable to somebody proficient in that language. It then gets compiled into what's called machine code. So basically the program that you execute on your computer. So for example, if you were to open up Notepad, the Notepad program in something like WordPress, it's going to be just a bunch of gobbledygook. It's not readable. Reverse engineering essentially takes that executable and you basically decipher it. It's a big puzzle. And that's another thing that I love about malware analysis and forensics is it's just a big puzzle that I'm peeling back the layers to figure out what it does. And that's what I did. Very early on in my career. I really got into doing reverse engineering and malware analysis to see how these viruses worked, to see how this malware worked and these attacker tools worked. And that was really very eye opening. You asked about a story. I've got a really great story about this. I'm allowed to talk about this because others did as well. But one of my first incident response positions, I was kind of like the lead reverse engineer and we had an attacker who was constantly getting into our environment.
What made this attacker so difficult is that they had all custom code. They didn't like download the malware or their back doors from somewhere else. Everything was custom written. And so one of my jobs was to go in and basically figure out what this did. And more importantly, how could we find it on our network? One of the things that I found was the attacker actually made a mistake in their encryption. And I won't get down into all the details of it, but essentially they made a mistake such that whenever they sent out network traffic, if we could find that network traffic, we could decrypt it just due to the mistakes that they made. And so we actually wrote a program that would decrypt their communications on the fly. So at the place that I worked, we had visibility into our entire network. As a global organization, we could see pretty much almost every network session in the environment. And we had figured out ways to detect the bad guys. Well, what we did is we got an alert one night, and this was probably like 11 o'clock at night because that's when alerts come in, right? They're never going to come in noon on Monday. They're always at like 2am on Saturday. But we had this alert come in that one of these back doors was on our. Was it. So my team and I jumped on. We were kind of dealing with this. But what we did was we set up the decoding program so that we could watch what the attacker was doing and we would see the attacker. We could actually see them typing the keystrokes because that's how their backdoor worked. We saw them move to one computer and then we would shut that computer down and then they moved to another computer and then we would shut that computer down and we could see as they tried to move to all of the different computers in the environment, we would immediately shut down the computer they were going to. And you could just tell by the rate of their keystrokes and the mistakes they started to make, they were starting to panic.
And then after a while we finally just got the, okay, let's shut down the, kind of like the main back door. And we did that. And this is one of the few cases where after that we completely kicked them out. We never saw them again. So it's very possible they moved to a different back door or something else, but we never saw them again. So that was a huge win for us. And I mean, not to, you know, be, you know, toot my own horn or anything, but you know, the ability for us to be able to decrypt that information on the fly from their back door, the reverse engineering really is what led us to be able to do that.
[00:06:28] Speaker A: And this is, this is straight out of a movie. Thank you for sharing that story. What is the, you're engaging with these basically criminals, right?
[00:06:38] Speaker B: Yeah.
[00:06:39] Speaker A: Is there any kind of collaboration with law enforcement or is it just every company to themselves trying to protect themselves? What do we look like from a community standpoint?
[00:06:50] Speaker B: Yeah, that's, it's always hard to say because so from an overall community perspective, law enforcement, you know, especially in the U.S. the FBI, DHS, you know, they, they're part of Infragard and some other organizations where they do share information. You know, if you're, if you reach out to them, you know, they may share some information to you. They release notifications and so on.
Unfortunately, in my experience though, when you have an incident, when an organization has an incident, the information between you and law force, law enforcement is going to be a one way street.
You're going to be giving them information, they're going to be using it to build their case. In some instances they will give you, give you some information on things to look for. But more often than not, it's kind of a one way street. Now that being said, that, that doesn't mean that I would advocate never talking to law enforcement because I have seen instances where there is a ransomware attack and the FBI has a decryptor that the company can request access to. Sometimes they'll give you access to that. There have been public cases with that. So globally, it's, I think, you know, organizations tend to be kind of low on the priority list, unfortunately.
Again, this is my experience. I know, you know, everybody has their own experience with law enforcement and so on.
[00:08:13] Speaker A: Let me propose a, let's say a conflict to you, right? And on the one hand, law enforcement is very one sided. So what that means is that engaging, providing this information is not really to protect you. It's almost a public good that you're providing.
[00:08:34] Speaker B: Right.
[00:08:34] Speaker A: Which means that there's a cost and a time associated with the effort that you put into it. But on the other hand, right, like if everybody put the, this effort in, it would kind of all boats rise.
My question is this, and now if you disagree with that, stop me, tell me. But if you agree with that, my question is, is there something missing in legislation, in the process, in the interaction that can make this process? Maybe it's software, I don't know, something that can make this process so much better for people like yourself who are analyzing these attacks. Networks and companies all over the world that can feed this information and work together as a community. What are your feelings kind of about the big picture?
[00:09:17] Speaker B: So big picture, I don't think that there's anything missing in legislation. And the reason I say that is because law enforcement is really only one piece of the whole cybersecurity realm. Defenders do a pretty decent job of communicating with each other when bad things happen. There are lots of groups, special interest groups around different industries. So there's, they're called ISACs that, you know, there's one for education, there's one for finance, there's one for public infrastructure, and lots more. They're really good at communicating with each other to, you know, talk about what, what, what each other's seeing, how you can defend against those attacks, how you can detect them. Even competitors, like major competitors will work, their security teams will work with each other because they know that, you know, they're all against, you know, the bad guys. Whoever, you know, the, I'm using that term generically, but whoever the bad guys are. So on the legislation side, I don't think that there's anything missing there. Um, it's really just being able to, it kind of comes down to, honestly I think knowing the right people to talk to and being a part of the right groups and for a lot of people in security. That sounds a little odd because we go into computers because we don't want to talk to people, you know, a lot of people. I mean, I was like this too. You know, we go into, you know, dealing with computers or hacking or whatever, whatever it is, because we don't want to, you know, interface with a lot of people. But you kind of have to when you're up against these threats, because you may not be seeing the whole picture, or you definitely aren't seeing the whole picture, somebody else is. And, you know, being able to communicate and, you know, even just, you know, bounce ideas off of people or, hey, what are you seeing? You know, how are you dealing with this is so incredibly important that, I don't know, I just can't stress that enough.
[00:11:14] Speaker A: I love that. I mean, I myself was always frustrated. I started my career as a software engineer and I was frustrated. You're interviewing me and talking to me and I'm supposed to sell myself and. But what I do is work on a computer. This is such a disconnect between the way that I'm evaluated towards what I actually do in life in a similar way to, you know, the difference between hackers and then working in the community. So that I think that's a fair point. I think that a lot of us learn how to become more and more and more social as we grow up, which is a wonderful thing and I think from many ways we're forced into it. But it also has its own surprises and delights.
There's another question I have. There's a lot of security tools and techniques out there.
Amazon has over the last five years introduced a lot of things, from Inspector to Auditing automatically, all this stuff.
Do we have good enough solutions? Are there tools that everybody should be using, or is it still the Wild West?
[00:12:21] Speaker B: I'm going to say a little bit of both. So there are definitely a lot of tools that everybody should be using. And you kind of, you know, taking that a little generically. When I started my career in security, you know, antivirus was the thing that you. Everybody said you had to have on your system. We've kind of moved off of that to EDR and XDR, you know, kind of a bit more.
I know some people hate this term, but like antivirus on steroids and explain.
[00:12:46] Speaker A: The difference between EDR, XDR and an antivirus, to kind of bring everyone in the audience, not just the geeks like us with this journey.
[00:12:53] Speaker B: Sure. So, you know, traditional antivirus would basically scan your computer, watch your computer, and it would do that based off of signatures. So the antivirus company would find a virus, they would figure out some characteristics about it to detect it, and that is what they would use to find the computer viruses on all the systems. The issue with that was if you didn't have the updated signatures, you're not going to detect the latest stuff. And it got to a point where I think the recommendation was like updating your signatures every two hours or even more. So there was a lot. It also didn't take into account what was happening on your system. So, you know, as always, attackers advance their techniques, they advance their knowledge. And so they realize that, oh, if we are using the same like tools and static tools and malware, that it's going to be easy to detect, but if we change that up, then it's going to be harder for us to be detected. The antivirus companies won't be able to do that. And so they started to do that, but their behavior stayed the same. And so that's where EDR came into play. EDR stands for Endpoint Detection and Response.
Basically, it's think of it as like antivirus, but it's also looking at what's happening on your system. It's most EDR has some type of signatures within it, but it's also looking at what is this program doing? Is it writing to a place on the computer to autostart, which is a little suspicious? Is it trying to access files it shouldn't be? Is it scanning the network? And so on? And so all these different behaviors can be kind of correlated together to get a profile and determine if something malicious is happening on the computer. Now you move forward a couple years and then you get XDR, which is a little bit of a marketing term in my opinion. There's not too much difference between EDR and XDR, I'll be honest with you. I'm not really sure what the X stands for because I've heard so many different things. But it basically is the next step in endpoint visibility and detection, where it's not just looking at the behavior, it could be looking at across your entire environment to see if that makes sense. It probably adds in things like user behavior analytics. So in other words, looking to see, does this user normally log in at this time? You know, do they normally, you know, log in from where they logged in from? Do they normally access this? Is this person in HR? And if so, why are they accessing accounting's finance files? You know, things like that? I'm sure it's also including in machine learning, AI, things like that. So it's just kind of like the.
[00:15:38] Speaker A: Next evolution and there's something beautiful about it. If you think about your mobile phone, you install an app, I think a lot of people kind of ignore this, but you see the permissions that the app is asking for and you know, EDR XDR is, you know, to kind of make a very simple analogy, if your app is asking for a whole bunch of permissions that it does not need, including listening to your microphone and your video, and it's a calculator app, like that's an issue, right? It's going beyond the scope and bounds of what it's supposed to do. So really that's kind of a simple way to understand everything has a certain scope and bound. And if it's trying to update your registry, why is it even trying to do that?
[00:16:17] Speaker B: Exactly.
[00:16:19] Speaker A: How is AI changing the industry, if at all? Like did something after ChatGPT came out, are we suddenly more concerned, less concerned, or did it not change anything?
[00:16:31] Speaker B: No, it's definitely more concerning. You know, AI, I would even say in the last two years has significantly changed the security space. If you look at it from the attacker's perspective, even starting at the beginning, you know, think of it with like phishing messages. You know, we're all used to the phishing messages that come in with the misspellings and bad grammar and things like that. Attackers are now using AI to basically craft legitimate looking messages that are really hard to distinguish. It's even going farther than that where even today I heard of an attack where an attacker sent an email to a victim, supposedly from their CEO, saying, hey, I need you to wire transfer this money to this new client. Oh, here's a Teams meeting. Jump on this Teams meeting with me to talk about this. And the person did. And the attacker had used generative AI to basically create an avatar of the CEO, sounded like the CEO, looked like the CEO and was talking to the person in real time. Now, fortunately, these aren't perfect yet, and so the person was able to figure out something's not right here. And so they hung up the call, called the CEO and obviously the CEO had no idea what they were talking about, but just the use of AI has significantly made security defense more difficult. Now, on the plus side, I think defenders, while there was, I think a little bit of a slow adoption in the beginning, more and more defenders are starting to use AI to their advantage. I'm seeing it pop up in security tools a lot more where it's able to correlate things faster. It gives more context around alerts and able to basically help defenders find the bad stuff or detect the bad stuff before it gets too far even into their environment at all.
[00:18:34] Speaker A: I gotta be humble and say that, you know, maybe five years ago, if I saw any kind of phishing attack, I was like, okay, that's a phishing attack. I can teach my teams how to avoid this, right? Look at the HTTPS, look at where the email's coming from. Look at this, that and another.
And I felt, okay, today I am scared. I look at stuff and I'm asking myself, is this real? Is this real? And I don't have a certain clear answer.
Even the professionals are now getting to the level that this stuff is scary.
[00:19:07] Speaker B: It's only going to get better from here. I mean, look at how far it's improved in the last year or two. Imagine what it's going to be like in five years. I mean, I agree. It's only going to get scarier and scarier from here.
[00:19:19] Speaker A: Yeah, no, it's absolutely horrifying.
I've gotten these texts, I'll send money, buy a gift card, buy this and that.
And really the only way for me to figure this out is to just call that person with the number that I know is verified and be like, is this you? Like, did you send me this? It's the only way I figured out to do this. And of course, the thing that's often a giveaway is patterns. If somebody is doing something which is a pattern which is odd or new or not, something that this person would traditionally do, that's a dead giveaway. But I think us as the community, we just need to be aware of that, that these patterns are important. If anything is odd, you should double check.
[00:20:01] Speaker B: Yeah, absolutely. And this doesn't even just. I would say this doesn't even extend or is limited to organizations. You know, this, this goes to, you know, your personal life as well. I don't know how many times I get, you know, somebody messaging me about, hey, I got this email from that. It looks like it's from Amazon or, you know, something similar. You know, that's. That, that's going to be, you know, AI in the background too. The attacker's using that. So, I mean, you're right if it's setting off those feelings that something's not quite right here, you know, go with your gut, that's really the best thing to do. The one thing that I'll say, though, from what you said, be very careful when you're calling that number, you know, make sure it's not the number in, like the email. Yes. I have worked several incidents where an attacker kind of intercepts those email messages and changes the phone number in there to be their own phone number. So go with what's saved in your phone or anything like that. That's really the way to go.
[00:21:01] Speaker A: Yeah, that's such a wonderful point.
I want to change the topic a little bit.
What is your number one concern today when it comes to security? Is it vulnerabilities? Is it phishing attacks? What do you think is the thing that is most scary nowadays?
[00:21:25] Speaker B: If I look at it in terms of what scale scary to me in that it has the most impact or it has the most impact that I've seen, I'm probably going to have to choose phishing.
And the reason I say that is because a phishing attack can lead to so many different things.
So one of the most common types of incidents that myself and my team will work are called business email compromises. It's where an attacker breaks into an email account, is able to then use the information within that account, start messaging, you know, their clients, you know, sending fake invoices, you know, things like that. And it can lead to a lot of money loss. It all always, it always starts with a phishing attack.
And there are so many things that can happen from there. You know, I've seen ransomware attacks start from a phishing attack. I've seen, you know, those business email compromises. I've seen server compromises, I've seen data breaches. I've seen so many things start with a phishing attack. You know, phishing has been around for a long time, and like we just talked about, it's only getting better and people are falling for it more. And so to me, that's, that's the scariest thing right now. And I know a lot of companies, a lot of organizations, they do a lot to try to prevent that or detect it. Unfortunately, it still gets through. It's one of those things where I don't know if we're, if we're ever going to be 100% protected against it. And so it always comes back to have a way for the people who receive a phish and potentially fall for it, have a way that they can notify somebody about that without suffering negative consequences.
That's another one of those things where I try to preach that if somebody fell victim to an attack, don't punish them for that. Everybody makes mistakes, and so you just need to move on and be thankful that they told you about it, so you can limit the damage.
[00:23:20] Speaker A: Absolutely.
Are there simple things or simple technologies when it comes to security that people are just not using? They should and it just makes them so much secure. And specifically I want to lean into the stuff that maybe people should own or should use or should basic stuff for the people themselves, not organizations and security teams.
[00:23:44] Speaker B: Sure. Um, yeah. So for people themselves.
One of the things that so actually one of the things that I use all the time that I'm surprised that more people don't use is like one time use credit cards. And so they're, you know, everybody shops online, right. You know, everybody's, you know, going to a website. You know, you all, if anybody is like me, you find like that one website that has a really good deal that on whatever you're trying to get and you want, you're not going to buy it from Amazon because Amazon is more expensive or whatever. And so you want to buy it from that place or you want to support that website, but you don't know if you can trust it.
There are you know, websites dedicated to basically allowing you to or legitimate websites and services allowing you to create one time use credit cards or limited use credit cards. Most credit card companies now have this as well where you can generate that. Yes, that's one of the most effective things I think to prevent somebody from, you know, suffering credit card fraud or financial fraud online by using those. I've even had it where a local pizza place that we ordered from all the time. I would never use my debit card when I was ordering online or even my credit card. I would generate a one time use credit card in order to just order pizza. Again, this is a local place down the road for me.
All of a sudden about six months ago on one of those one time use credit cards I started getting alerts that somebody was trying to charge funds to it. Now they couldn't because you know, technically it didn't exist anymore. But if I hadn't used that and used my debit card or my credit card, I would have had who knows how many hundreds of thousands of dollars.
So something like that is really easy to protect yourself.
[00:25:34] Speaker A: That's such a wonderful comment. I actually did not hear this before so this is a first for me. I have a genuine curiosity.
The iPhones and Google pays of the world are those, are they putting a technology there where when you pay it's really a one time use credit card number or is that just giving you their credit card number to the best of your knowledge? Because it seems like that's an obvious thing that it should do.
[00:25:56] Speaker B: You know what, I honestly don't know.
I use Google Pay every once in a while. I'm a Google user.
I don't know. Honestly, that would be so much into that.
[00:26:07] Speaker A: That would be such a good ad, right, for Google and Apple to be like, hey, using your phone is more secure than your actual credit card. If they haven't done that, they should. I'm going to look into this too. So.
Okay, so, so I want to ask you about this. Should everybody have something like this or.
And explain what it is and why it's important and how it helps. But physical tokens, do they have a place in our world?
[00:26:34] Speaker B: They absolutely do. So physical tokens, when you talk about like things like Yubikeys or you know, things like that, if I had to make a prediction over the next 10 years, I think we are going to be, I think we're moving to be being a passwordless society.
Passwords are going to be phased out at some point I think within the next decade.
And the reason that is is because, you know passwords, you can guess, you can crack passwords, you can, you know, leak them. You know, it happens all the time with the physical tokens. It's actually a more secure way to authenticate to services, to websites, to your computer and so on without having to know a password. I couldn't quite see the one you have. Is it one with the Titan?
[00:27:25] Speaker A: Okay, yeah. It's not biometrics, but you do have to physically push it.
[00:27:29] Speaker B: Okay.
[00:27:29] Speaker A: So it's touched.
[00:27:30] Speaker B: It kind of comes back to, you know, that's what the original like multifactor two factor authentication was. It's, you know, something, you know, plus something that you have and plus the.
I'll admit I don't understand the protocols that happen underneath as well as I probably should, but I do know that with some of the physical tokens that you can buy, like, again like YubiKeys, and I just mentioned that one because that's the one that I know the most, that the method that information is transferred is actually done more securely. In fact, jumping back to business email compromises, one of the things that the attackers do is they set up a site so that they can intercept your password. And then even if you have multifactor authentication, like you get that text on your phone with however many number of PIN that you then have to type in, they can't intercept that, but they can intercept basically the authorization that comes back and then that's what allows them into the system with things like certain physical tokens, they can't do that. So it's actually an even more secure protocol.
So yeah, I would say, you know, they're not used as much as they should be, but they're definitely going to be, you know, coming, I think more, more in the future.
[00:28:50] Speaker A: Yeah, I, you know, there's so much. So here's the thing, right? If you're doing more than, you know, 50% of the, you know, general population, you're already much safer because organized crime and all these organizations that are coming after us, they're looking for the path of least resistance. So if you just do a little bit more, right, it's the bear chasing the both of us. I just need to run faster than you. The bear eats you, I'm safe. And so I always say, definitely turn on your. It's not the most secure in the world, but it's better than not having it. Right. Turn on your SMS authentication. I hate the apps, but I use them because sometimes you have to. The app authentication, physical tokens, right. It's super valuable. And you know, even just a password, you know, password manager that will generate random passwords for every different account. Like all these things put you a little bit above everybody else. So a little bit of a public service announcement over there.
I want to change the topic with your permission, Tyler. When you look at startups versus, you know, startups, let's say you know, up to 10 people, then you look at the. Up to 200 people, 10 to 200 people. And then you look at the massive, you know, Siemenses and Googles of the world.
Is the security approach different or are startups just, are they basically screwed because they don't have the money to secure themselves properly? Like, how do we think about this as the company grows?
[00:30:27] Speaker B: Yeah, so there is definitely a difference and I think it really comes down to how much money they have available, their budget or their funds to get security.
What I've seen is startups and I'll even kind of lump small businesses in there as well. Even established small businesses, they just don't have the funds to go out and buy all the security software that an organization, a larger organization can. You know, they may not be able to go out and buy the EDR to put on their systems. They may not be able to go out and get like an incident response retainer or even afford cyber insurance or anything like that. And so the approaches, you know, are definitely different.
One of the, I guess when I look at it with startups and small businesses really the most effective thing, some of the most effective things that I've seen them do is, you know, first off, you know, make sure that things are secure by default. You know, don't share passwords, you know, have passwords. I unfortunately have talked to some organizations where, you know, they just, you know, all the computers just boot up and everybody can access everybody else's files. You know, obviously that becomes an issue if an attacker gets in and they can just, you know, access whatever they want. I would also recommend that really any business, and to be fair, I see large businesses not doing this too, when they should, is create an incident response policy.
All that has to be is a document that says who you are going to call when something bad happens.
If you have cyber insurance, it should be that information. If you have an IT provider, it's going to be them. It's if you are lucky enough and have like an IR retainer or something similar to that, you know, it can be them. But the purpose of that document and print it off, too. Don't just keep it on your computer, print it off, put it in the file somewhere, put it in a safe somewhere.
But the advantage of having that document is when something bad does happen, it becomes very chaotic. It becomes, you know, crazy. People panic. But having that document at least is going to give you the first steps that you need to do in order and follow in order to start you on the road to recovery.
I'm not sure if that completely answered your question, but I'll give you a.
[00:32:56] Speaker A: A few more tips and tricks from my side.
We talk about pen testing, penetration testing, which is really hiring a hacker to come and try and hack into your network. My biggest pet peeve with pen testing is that you do it maybe once a year because that's what the standards require you to do.
And then, you know, except for that you have all your scanning tools. So my suggestion, and this totally flies with auditors like this is a legitimate strategy. Instead of spending 20 to $50,000 on a pen test, go and pay a security expert. And you can even change your expert once every three months to do a white box audit of your infrastructure. And to look what you're doing, how you're working, work closely with your engineering team to basically audit your stuff. Now, what this does is pretty amazing. One is, you know, your engineering team that's writing the code, they don't know too much about security. That's not their specialty. So that's teaching them a lot. The auditor is finding all these problems and is guiding the engineering team how to fix it. And auditors will genuinely accept that process as a replacement for pen testing. And in fact, I don't know if you would agree with me. Feel free to disagree. I would say it's a stronger process because you have somebody who would normally do pen testing, but instead of just doing a pen testing one point in time, they're going and checking that you're actually set up correctly in a white box manner. And sorry for the jargon, white box means that they actually open your infrastructure, looking at all your code, all of your setups on Amazon, all your scripts, and they're actually reviewing them as opposed to like guessing what your weakness might be. So, so I think that's such a, you know, a cheap hack to get good security if you just don't have the money for these more aggressives. And then the other thing I would say a lot of the Amazon, and I'm sure Azure has, you know, similars, is that you can turn on all these security scans and it's actually based on the size of your network and how much communication you have and all that. So it can cost you as low as 10, 20, 100 bucks a month just based on the fact that you're still small. 
So I think there's a lot of hacks out there, quote unquote, process hacks that startups should be aware of to be secure, even though they don't have the money to really have these red teams and this incredible security infrastructure. So definitely something that I'm passionate about.
[00:35:23] Speaker B: No, I 100% agree with you on that.
There is definitely a place for doing pen testing and red teaming and all the offensive services out there. But you know, especially for newer companies or, you know, if you've never done one before, going the route that you said, you know, having that white box essentially like configuration assessment done. Yes, you're going to get more for your money there because I mean, if you look at it, you know, when you do a pen test, they're really, you know, either they're going to be scanning your network for vulnerabilities, which, you know, the configuration analysis is probably going to find anyways, or they're, you know, just going through like one or two routes to, to break into your environment. By doing the configuration analysis you're gonna get, you're gonna kind of like turn off all those holes at once. You know, they're gonna find all those things. Especially when you're talking about, you know, you mentioned Azure and AWS.
I love cloud services. Yes, they're not really secure by default. So a lot of people just really don't know what they should and should not, you know, what they should turn off, what they should turn on, what they can and so on. And having that configuration assessment done will go a long way to help them with that. I'll even throw in too, that if a company is like, very concerned about a specific type of attack, I'm going to pick out ransomware. If they're really concerned that, oh, we're afraid that if we get hit by ransomware, we're going to be kind of completely taken out. You can even take that white box assessment and have whoever's doing it think of it from a ransomware, you know, side or that specific, you know, type of attack and look at it from that perspective. So, you know, in a, you know, white box assessment, maybe they're not looking at your backups too deeply, but in a ransomware version of that, they're probably going to look at your backups and see, you know, do you even have backups? Are they stored off site? Are they encrypted? Do you have immutable backups? You know, the whole laundry list of things that could be done to help prevent that.
And again, it's not a pen test that's doing it. It's somebody just looking at your stuff and telling you, all right, go flip these switches and you're going to be a thousand times more secure.
[00:37:33] Speaker A: Oh, my God, that is. You touched such a nerve for me, this topic of backups like. And you know what I have seen in systems that I've managed? The difference between having a backup and testing your backup. So incredibly important. The ability to actually restore and recover your system and to know that you haven't lost information, it is not trivial, it is not simple. It's got a lot better nowadays because back in the day, MySQL sorry, SQL databases, it was a pain in the ass. There's a lot better technology. But still, please, if people have to take one thing away from this interview is please test your backups.
Here's the thing, one of my big. And you mentioned this, but it was such an important point that I want to kind of drill into and make sure that the audience is with us. A pen tester could do something as simple as looking at the recent patches that have come out yesterday, right? And say, okay, this recent patch that come out yesterday, there's no way in hell that you probably patched your systems. So I'm just going to use the hack that I know is associated with this very Recent patch. Now what's the problem with that? If I'm hacking you, attacking you in that way, and you know, you go and fix that. Well, I really haven't fixed anything in your system.
Really what I need to be talking about is the fact that you have these automatic patches and you have the right security information, incidents coming into your system, and that there's a process there to remediate that across the board. Um, so, you know, passing a pen test, it could be that you just got lucky or unlucky. Thinking about this from a systematic process perspective is so, so, so important. So that's another thing that, you know, personal pet peeve of mine.
Okay, so for the, for the intermediate, right, I have a budget, right? I have, let's say 50 to 200 people.
Do I need to have a security team with five people? What is, what does the correct process look for, look like if I'm like in the, you know, you know, let's say 10 to 20, $50 million in revenue.
[00:39:43] Speaker B: You know, I'm, I hate to give like the typical consultant answer of it depends, but it really does, you know, so let's ignore any potential factors. Like you have like a regulatory requirement to have a security team, or you have client contracts that require you to. It really comes down.
[00:40:00] Speaker A: That's incredibly important because I think that's where it starts, right? If you're a healthcare company or if you're a banking company, or if you're like putting down videos on YouTube for a living, like, that is where you start. Like, how much are you at risk? So I think that's actually a really great point where you started from. Who are you? Right, right.
[00:40:18] Speaker B: Yeah, it's looking at, right, just like you said, who are you? What type of systems do you have? What data? What data do you have? You know, how. How do you work with customers and so on. And do you need like an internal security team? Maybe not, but you should at least have somebody that you are working with who has that security mindset. If you, if you, if you're. The organization isn't big enough to have like their own CISO. There are fractional CISO services that you can hire out where you know, it's cheaper than hiring a person to be your, your chief information security officer. You and you have that constant expertise. I think what it comes down to is you. When the organization starts to feel overwhelmed with the potential security issues out there, that's when they need to start bringing in people. And this could come from multiple places in the organization. It could be from IT because it usually gets stuck doing security first. It could come from legal, it could come from if you have like a risk management group or a privacy group or anything like that, you know that that's where it's going to come out of. But yeah, it's, I don't have like a, you know, checklist of you need to meet X, Y and Z before you have your own security team. But most organizations, I think once they hit, I think you said that you have 5 million plus, probably need to have at least somebody on their team who is, I'm not going to say an expert in security, but has a working knowledge of security. They don't necessarily need to be a full time person, but maybe they should be. Again, it's going to depend on how many employees you have, what your data is and so on.
[00:42:08] Speaker A: Yeah, I think one of the insights I came to is that being especially if you're one of these small organizations that you don't have to be perfect, you just need to be better every day or every week or every month. So this idea of incremental improvement, what that means is that over time you're going to be a hundred fold better than somebody that's just not thinking about it. So whatever, you know, whatever the budget that you could associate with this, create a process, have an activity that happens weekly, monthly, whatever, and just make sure that you're making these small steps and don't be frustrated. If you want, run one of these scans and you see that you have a thousand items, it's okay, take the, you know, prioritize them. Take only the high critical items. Take, you know, out of the, you know, end up with, let's say 50 or 30 items. Just say, okay, I'm going to do one of these once a week. Right. And just churn through them. It's completely, completely okay. You'll still be much better than not having that process.
[00:43:05] Speaker B: Yeah. And even with that, you know, over time you're going to start realizing where, where your big gaps are and you know, stuff that you just don't know how to handle or your organization doesn't know how to handle. And that's when you can start reaching out to companies that can help you with that. There are very few organizations, even the huge Fortune 50 whatever organizations, there are very few of them that can do everything around security themselves. In fact, I don't know any company that has that. Everybody reaches out to security consulting or security experts and just know who you can contact. I mean, there are so many security groups around, whether that's InfraGard or ISSA or even a lot of local groups that spin up, go to one of those meetings, meet some of the security people there, and now you have people that you can kind of bounce things off of. Just having those contacts, it always goes back to the people you know.
Just having those contacts is going to go a long way when you do need that help.
[00:44:12] Speaker A: Yeah. And I'll name drop in version 6, which is the company that you recently joined, you can get a fractional security officer from them and from many other places.
So it's something that every CTO CEO should be thinking about. When you think about the future of security, what do you think are going to be the big things in, let's say, the next 10 years?
[00:44:42] Speaker B: Definitely AI, like we talked about. I think AI is going to just overwhelm everybody. Overwhelm is probably the wrong word, but it's going to be more in the forefront of security over the next 10 years, for sure. Honestly too, I think, I think that there are things that we haven't even thought of that 10 years from now are going to be commonplace for us.
Computing is going to advance, you know, tremendously over the next 10 years. We're going to have, you know, more technology that we need to worry about. You know, look back like 10 years ago, we didn't think, I don't think most people thought AI would be as commonplace as it is now. Or even like cell phones. You know, the usage of cell phones and mobile devices over the last 10 years has grown exponentially. Who knows what's going to come out tomorrow that, you know, everybody is going to want and start using on a constant basis. There's a lot of unknowns I think also. And as weird as this is going to sound, you know, there's all these unknowns, but there's also all of this legacy technology that we're going to have to figure out how to deal with over the next 10 years. I'm old enough to remember Y2K. I was part of it when Y2K happened. I don't think many people know this. There's another one coming up in 2038.
[00:46:11] Speaker A: That's the Linux one, right?
[00:46:12] Speaker B: Right. Yeah, yeah.
And so not only that, when you look at organizations that are in healthcare and manufacturing, even like public works, that have these 10, 20 year old computers that are extremely vulnerable and old, we're going to have to figure out what to do with them. That's a problem now. It's just going to, I think, get even worse.
[00:46:36] Speaker A: Over the next 10 years, my brother was a flight controller and they were like, nobody can update this system. Right.
It's impossible to update this and yet it works. But it's arcane and they put millions and millions and millions of dollars into writing a new system because like, look, we can't touch this. We need a new system. It completely failed. They threw it out within the first week. It was, it was, there were almost accidents that happened when they introduced the system.
So this is, this is a real problem, right? You have all this knowledge that has been poured into these infrastructural systems that nobody knows. You know the languages that these, some of these systems were even written in. And what we definitely don't know, even if you train on the languages, we definitely don't understand the business logic and why they're doing what they're doing and why it's so important. So this is a real problem. This is a significant problem.
[00:47:31] Speaker B: Yeah, I mean I can tell you from my experience, I'm in incident response. I get called into manufacturing environments, healthcare environments and so on. In the last two or three years I've worked on Windows 2000 systems, I've worked on Windows XT systems, I've worked on systems that were running MS-DOS still. So it's it. Yeah, they're still out there.
[00:47:52] Speaker A: Yeah, it's ridiculous.
We just don't. Unless you're exposed to this, you, you just do not expect that that is the picture in the world. And you know, banking is suffering from this a lot as well, is a huge issue. And languages like, I mean COBOL, like who even knows that that's a thing? Like who even I'm. You can see I've got the white hair, right? I programmed in assembly and C in is how I learned. So you know, I'm, I date myself.
But this is, this is a real problem. I. Tyler, what an absolute joy. I want to ask a question. This has been, you know, we're out of time, we're. I didn't even notice how time flew. But let me ask you one last question, okay.
If you had to, and this is a personal question, if you had to go back and give advice to 20 year old Tyler, what would that advice be?
[00:48:43] Speaker B: Don't stop learning.
And not that I have, but you know, when you get busy, you know, things, you tend to slow down.
But there have definitely been times in my life where I've had the opportunity to learn something new and I haven't. And just like what you said before, you know, with the organizations, do one small thing a week, you know, learn one small thing a week. Over time, that's going to build up. And there are some people I know who constantly do that, and they are in a much better place than they are now.
I would also probably say don't be afraid to step out of your comfort zone. I did that way too late in my career because, again, I was, you know, I got into computers because I didn't want to deal with people. I hated talking in front of groups and things like that. And once I finally kind of made myself do that, my career blossomed. I met so many new people. I have a lot of friends specifically because of that, and so don't be afraid to do that.
[00:49:52] Speaker A: Tyler, thank you so much. What an absolute joy. I appreciate.