David Raviv interviews Steve Cobb

David

So, Steve Cobb. Thanks so much for coming.

Steve

Appreciate it. Yes, great to be here.

David

So, listen, I'm glad to meet you in person. We did this virtually before, and it always amazed me how, as much as we like doing this virtual stuff, it's much better to do it in person. There's something to be said about being in the same room. So you came here because you're a practitioner. You came here to learn. Black Hat has been almost a staple for a lot of people for many years. Specifically, what kind of skill set are you looking to gain from this event?

Steve

So I've been coming to Black Hat for a few years now and doing the training, and the training is fantastic, by the way. So I'm out here learning and expanding my skill set. A lot of it has to do with some leadership aspects as well as new techniques around defending. I think you're seeing a little bit of an addition to the Black Hat, DEF CON world, where they're taking defenders into the fold a little bit more than they used to. Up until two or three years ago, honestly, it was all about attack, attack, attack, offensive. How do we hack? How do we break in? Those sorts of things. You're seeing now more openness to taking that knowledge and helping companies use it to defend themselves.

Steve

Right. And so that blue team, a little bit of purple team type of idea, more and more. And that's really what I'm here to try to learn as much as possible about, because for all the cool hacks that you can do and all the neat stuff that you can do to break into places and own them and pwn them and all those sorts of things, that's great. But when it comes down to it, realistically, what pays the bills is companies. We're there to try to protect and defend companies, and we want to do it the best way we know how.

David

Yeah, it takes one to know one, right? Yeah, that's right. That's how you get into the mindset.

David

Which leads me to the next question. We've seen a lot of things change during the pandemic and afterwards, and now it seems like it's one thing after another. Now we're getting hit by economic conditions that are less than ideal. Do you see security getting impacted, from your customers? Are they investing less, or are they worried more? What's your take? Because you kind of have the pulse of the market.

Steve

Yeah, I think we are seeing customers that are maybe being more budget conscious with the decisions they're making. So around the boardroom, the C-suite are having discussions on what it is we're doing today that really is providing the most value in our security operations and security controls. And that's where I think, for us, selfishly, as a security partner, we come in to provide some value to customers where maybe they don't have to spend on headcount or tooling; we can provide that as part of it.

Steve

Now, I'll also say, though, I think there are customers that are looking to trim those places where they used to have security tools or other things. We see it all the time. We come into environments where organizations will have spent good money on really good tools, but maybe they never implemented them correctly, or nobody's watching the video screen, the detections coming in, that sort of thing. And I think they are being a little more intentional about the money they spend and how they spend it.

David

And so you're well positioned, because you are helping customers take advantage of, first of all, the existing infrastructure and tools that they already have in place, and then offset some of the cost associated with running those tools by offloading it to you. We were just talking in the hallway about how you take certain steps when you take ownership of a new infrastructure and customer. Talk to me about that process, because it was super interesting.

Steve

Yeah. We learned early on, once we had a little bit of experience, that for the customers we bring on, we wanted to make sure we're validating the environment that we're inheriting. So a lot of times, as I mentioned, they may have really good tools that may not have been configured correctly. They may have been put on the shelf and not even turned on. We've seen that in places, and we've seen...

David

That's where the shelfware comes in.

Steve

Yeah, exactly. Vaporware, shelfware. That's right. And we see that a lot. But we want to make sure that as we come into those environments we have a good understanding of the controls they have in place, what's already there, and what risk may have already been potentially exploited by an attacker. So when we bring a customer on board, we will typically put them through an onboarding process that maybe has action items in it that most managed providers may not do. One of those being we put honeypots in the environment to see if there is an attacker there already, and maybe we can entice them to show themselves so we can take appropriate steps. And more times than not... that may be a little bit high, but many, many times we come into environments where we put sensors in place or we put a honeypot in place and discover there's an attacker or a threat already in the environment.

Steve

And the customer had no idea. A lot of times we'll find artifacts where data has been exfiltrated, or we've even come into a place where we've mentioned to the customer, hey, we found this data that's been moved around pretty interestingly. And the customer would say, oh, you know what? We had a competitor who somehow started to gain market share from us based on some of the intellectual property we had, and discovering things that maybe they had the data.

David

That's incredible.

Steve

Yeah, maybe you had a data leak, or you did have a data leak that maybe you didn't even know about. So those are places where we want to come in, because, as we talked about in the hallway, as soon as that customer comes on board with us, we own it, right? We've inherited that. And that's where we want to be. We want to own that. But we also want to make sure that we are alerting the customer to the situation before they can point the finger at us and say, hey, you all let these folks in.

Steve

We come back in that first week or so after onboarding and give that report of, hey, there are some things we already see in your environment that are suspicious. Have you had activity or breaches in the past? And sure enough, those things come to light.

David

Is it almost too much? Because there's this sort of, in setting up with you, some of these folks, security is not in their DNA. So now they finally said, okay, let's get on board. And then the first engagement they have with you, this comes up, right? And you, as the CSO, have to deliver the bad news. Yeah. What is that like?

Steve

It's usually not fun. I do think that for customers, as we try to change their culture and behavior to be more security conscious and security aware, there is some thankfulness from the customer side to say, hey, sure, it's bad, but at least we know it, right? And we know what's out there. And I think there's an understanding with the customer that they have to make this move. It's almost like you dip out into the water and you don't know how to swim for the first time, but you've got those floaties on your arms. Makes you feel a little bit better. And that's really, I think, the sense that a lot of folks have: yes, there's some bad things going on, but we're here to help you, come in, and try to take the necessary steps so we can at least stop what's going on now and protect them in the future.

David

Are these the usual suspects, where the reaction is like, why us? Sometimes these customers always say, okay, we're not a target, right? Because they're...

Steve

And they've been in business forever. They're mom and pop, and they don't think what they sell or what they have is worth anybody going after. Oh, you hear all the stories.

David

Yeah. So when you come back and see... and you mentioned even the IP theft. It's incredible. I think it shows we're a knowledge-based economy. I don't care if you're a brick-and-mortar or a restaurant, whatever; the money is in your process, something you engineered over a period of 20 years, especially if it's your manufacturing process and so on. That's valuable, and that's what is getting stolen.

Steve

Yeah. And I think that's the piece that a lot of companies undervalue, honestly. They may not have the strategy or the business acumen, if you will, to think about their impact on the industry or where they're at from that standpoint. They just make widgets, and they've been making widgets, and they're great at making widgets, and that's what they've always done.

Steve

And to your point, I think a lot of people undervalue that. The secret sauce that they use to make those widgets, even if there's ten other companies making those widgets, a lot of times is their brand, is their reputation; that's who they are. And so that information getting out or being leaked has real consequences for that company's reputation and their opportunity to make more revenue and more profit going forward. So those are things that we want to try to protect as much as possible. And in today's world, where ransomware is a more and more prevalent thing, attackers now are pivoting from just encrypting, making it difficult for you to get on your laptop or get your data. They're pivoting to that extortion front where, hey, I've got your data, and now if you want it back, you've got to pay for it.

David

Yeah. It's incredible. Again, no one is safe, in the sense that... I'm sure it was quite a shock to the system to view something like that, especially when they finally realize that they need security.

David

So, okay. So you kind of went through and evaluated the status quo. How do you then decide where to prioritize? Because, again, you're coming into an infrastructure that maybe is legacy. You have some application that no one touched, and maybe you have another guy or gal that was doing something else for ten years.

Steve

And now they're doing security. Yeah.

David

So that's a lot to handle. It's almost like getting a stray dog from the pound and trying to get them to the point where they're a show dog. What does that process look like?

Steve

Yeah, that process is usually pretty painful, to be quite honest, because it is an environment where customers haven't thought about the security apparatus, the security details that they need to take care of in their environments, and leading them down that path is sometimes painful. Now, the good thing is, if they can wrap their heads around the idea that security should be an enabler to my business rather than a hurdle or a hit to the bottom line, then we can get over that hump of prioritizing: these are the steps you need to take soon, because they pose the most risk.

Steve

So it's really a risk-based discussion about where you are exposed the greatest, and then addressing those one off. And that is the challenge, I think, as you dump potentially a lot of information on a new CIO. Not a new CIO, but a CIO seeing this for the first time. This may be new information for him or her to see. It's a lot to really digest.

Steve

Right. And so that's where we come in, or other managed security providers come in, and we can take that information and say, hey, here's 40 pages of stuff that you need to think about, but let's focus on the first two pages and take bites out of this as we go, and we can reduce the risk. I think, too, Dave, that's one of the things: a lot of customers, a lot of organizations that I speak to are really scared to take that first step. It's really scary to take that first step, because you don't know what you don't know. But if we can get them to that first step and say, yes, it's painful, but we can help you get through the initial piece, we can reduce risk tremendously just by doing some pretty straightforward and easy, simple steps. You just have to be willing to take the steps with them.

David

And how do you get the buy-in from everybody? Because I'm assuming there's a champion who calls you in, who loves you or is about to love you. And what's not to love? But then you come over, you dump the 40-page report, and then they have to reorg or re-engineer some basic stuff. How do you then get the buy-in from the rest of the company to really get the stuff done?

Steve

Well, sometimes it's showing them what the consequences potentially are. I never like to work in that FUD state, the fear, uncertainty and doubt. I don't like to work in that space, but quite honestly, sometimes it works. You have to go there. And so a lot of times, discussions around the boardroom or with C-suite folks in these organizations really are horror tales. We call them Tales from the Vault, because our SOC is in a vault. It's actually in a bank vault. One of our SOCs is. And so we...

David

In North Carolina.

Steve

Yeah. In Raleigh, North Carolina. And so sometimes it's telling them real-world stories about the consequences of not taking these steps: organizations that are like-sized or maybe in a like industry to them, and what happened to those organizations when they suffered some type of...

David

And the statistics are horrible. Yeah, you're correct. The number of years you stay in business after a major breach is not great, if you look at the numbers.

Steve

That's exactly right.

David

So you show them that. And then what's the typical reaction on a day like that? Because, again, sometimes it's too much to absorb, and the block, I guess, just turns into a...

Steve

Right, you know? Yeah.

David

Like an ostrich with...

Steve

Their head in the sand. Yeah. And I think there is that initial reaction where they kind of get the glassed-over eyes, or they do stick their head in the sand and say, I'm not sure we want to take this on. And that's where the pushback comes a lot of times, honestly: hey, we've been in business for 18 years, we've never been attacked, or, why are we having to do this? A lot of these conversations now are coming out of cybersecurity insurance, because some of the insurance providers, or not some of them, all of them, require you to do some basic hygiene steps now.

Steve

Right. And so some of these engagements now are coming out of customers or potential customers who say, hey, we can't get our premiums, or our premiums are 100% higher because we don't have multi-factor authentication in place, or these other things that we really need to put in place. And when you tell them these are the stats and this is what the cost is, what your budget's going to look like, you get pushback. There's a lot of, we never had to do this, or, we should be able to check a box and get over this, that sort of thing. And so, yeah, I think the initial reaction is really helping them understand what the risk is and what the consequences of those risks could potentially be if they don't address them as part of their security program.

David

It's so interesting that you mentioned the cyber insurance, because I've seen that quite a bit. They're in business to be in business. They're not philanthropic, like, oh, let's pay you for your inactivity. And so when they come back, I'm assuming all they want to do is fix it so they can get the cyber insurance, right? Yeah.

Steve

Policy, a lot of times.

David

So, and they're thinking, I guess what you just mentioned, they're thinking it's going to be just something they need to do, like, hey, can you help me just do the check mark? And then you come back and say, no, no, no, you have to go through it.

Steve

Instead. Right.

David

So what does the engagement look like then? Like today, they realize that they have no choice. They have to do something.

Steve

Yeah, I think so. I think that insurance piece, in a lot of discussions, is a little bit of the hit over the head for a lot of corporations, unfortunately, to understand that they're not going to be able to get the cybersecurity insurance until they meet these criteria or go through...

David

I'm curious how much leeway they have. Let's say, because I'm assuming they send them the policy, when you were in, it was like four or five months in advance? Yes. Because that's not a lot of time.

Steve

It's not.

David

You know.

Steve

Especially for some of these controls or remediations that you have to put in place. And depending on the size of the organization, four to five months may not be enough time. So a lot of it, with certain insurance providers, for us, we've worked with them to say, we're basically representing this organization, and we're going to take these steps for them on their behalf. And so then we're beholden to come up with a plan, a timeline, and those sorts of things to work through. But yeah, a lot of times the renewals come up and they've seen their premiums go up 100%. And on the flip side, they may say, we just want this to go away, right? We need the insurance, but I just need to be able to pay the same thing I have been paying.

Steve

Now, across the board, we've typically been seeing premiums go up 10 or 15%. But you have those providers who maybe have not done a health check or discussion with a company that they are insuring, and we've seen two different scenarios. You either do these steps or we won't insure you at all, or you do these steps or else your premium is going to double what you paid last year.

David

Yeah. And I think that's due to the fact that there were so many companies that were insured, and then the payout... yeah.

Steve

Exactly. And there were a lot of organizations that were using cybersecurity insurance as their incident plan. And that's just not what it's there for.

David

See, I like it that you call a spade a spade. You're going to get some haters, but you just call it like it is. Yeah.

Steve

And that's really... don't get me wrong, cybersecurity insurance should be part of your overall plan, but it can't be your only plan, right? That's just asking for trouble. And what happens is you see the market react to it exactly as it is: cyber insurance providers are saying, hey, we're not just going to fork this money out for you to continue to do business as you have been doing. There are some steps we know that will lower your risk. They're good for you, they're good for us, and you're going to have to do them. So I understand why the cybersecurity insurance market's going this way. I think the problem is, who gets hurt the most, I think, is that small, medium business owner who has to make these changes, and it's difficult for them to make the changes.

David

It's almost always the case. Large enterprises, they have the tools, they have the funds, and they have the teams. But frankly, a lot of it is almost basic hygiene, right? You mentioned MFA. I'm assuming some of it is some pen testing or some, you know... From a security maturity model perspective, they don't expect you to go all the way to the other end, right? Correct. So, relatively speaking, they should have it anyway.

Steve

Yeah, it is common-sense steps. It's steps that are very, what we would say, low-hanging fruit: steps that you can take that aren't extremely expensive or labor intensive, but they drastically reduce your risk. And so it...

David

Do the cyber insurance companies care what the underlying technology is? Do they ask you for a specific brand, or will they...

Steve

Most all the questionnaires I've filled out for customers or been involved with, they do ask you for brands. I don't think they really care about the vendor or the brand as much as they want to know that you actually know what you're talking about. If they ask what MFA provider, and you can't put anything forward, then they'd probably say, well, there's probably more we need to talk about here. So I think that's really why they do it. They do ask those questions, but it really is more about, do you have those pieces in place, or do you have a plan to put them in place? And from what I've seen, for a lot of insurance providers, as long as you're saying we've got a plan, we're working toward this, they'll take that into consideration.

David

Yeah. Again, because they know they want to keep you as a customer, the majority of them. Right. And that's what I think you have to understand: they're not there to look after the health of their customer, eventually. Like, yeah, they just don't want to lose money. They don't need to lose money.

Steve

Right? Right.

David

So it's super interesting. So, aside from that, what are the projects you're involved in on a regular basis? You mentioned the onboarding, which is really cool, by the way, to put a honeypot in place, which you mentioned specifically. Not a lot of service providers are doing it, right?

Steve

Yeah. When we look around the industry, that's not something that a lot of them think about. And so we do it, as I said, for our own protection, but also for the client's protection, just so we know what we're going into. Because if the intruder or threat actors are in the environment, it doesn't do a lot of good for us to put barriers up on the outside when they're already in the house. And so that's something we want to know early on.

David

So as a security practitioner, do you get tired of just telling people that they need to do the basic stuff? Because you probably want to go out and do some really cool stuff, like some high-end, cutting-edge technologies and so on. Are there customers like that, that are already really advanced in terms of their maturity, where you get to do some really cool stuff?

Steve

There are. Those are the ones that are fun to work with, because they've already made that journey about their security maturity model, and they understand security is an enabler of the business.

Steve

Now, what can we do to make sure that we are completely protected? I had this conversation... I was in training this week, in fact, and had this conversation with the trainer. We're going through some complex attack kill chains and methodologies, very complex stuff, and how to protect and defend against those. And I brought up the point in the class that a lot of these are cool. These are things that are interesting to go after, and yeah, they have been seen in the wild. We've seen the advanced APT groups and nation states that use them. But for the normal mom and pop, if you just put MFA in, do some of the things like you mentioned, an EDR product, make sure that not everybody is a domain admin. I mean, you've got 75 people and 50 of them are domain admins; you want to fix that. If you just take those steps, you lower your risk.

David

Steve, that sounds like you've come across something like that. Oh, it's almost like too...

Steve

Oh, yeah, it's real life. It's real life for sure. You have those organizations, and I'm talking about organizations that you would expect to be more security conscious because they're either in the finance space or in the health care space. And those, to me, just seem like you'd want to have controls and measures in place, regardless of whether we're talking about cyber or just how you do bank transfers. You've got to have process in place. And many of these, they're really looking at convenience, and they're looking for the fastest, most efficient way to get things done, rather than the implications of not having security controls in place. So, yeah, we've come into environments... I've come into environments where the total population of the environment might be 300 and they have 75-plus domain admins. I mean, it's more than likely that something is going to happen in your environment.

David

Oh yeah, I know that. And it almost reminds me of the old days where people just plugged in a Wi-Fi and turned off all the security controls, just to make it work.

Steve

That's right. Just to get everybody on. And sometimes it's because the CIO or the CEO is saying, I've got to check my email. You've got to get this thing fixed now. So let's just do everything we can to get it fixed. And ultimately, that leads to bad things a lot of times.

David

What about the issues with the supply chain? That may or may not be an issue for your customers, but it's always this thing where, okay, I'm closing doors, my infrastructure is secure, but then I have all these partners, and now I have to worry about them. Is this a concern for your clients?

Steve

Oh, yeah, very much so, especially for our clients, because we are a provider for those clients. So along with those steps we talked about on onboarding, the other thing is to prove or to validate to those customers the controls that we're using and how we're protecting ourselves so that we're protecting them, as well as looking at the other vendors they work with.

Steve

And so as we're involved with customers who have pen tests done, or they do some security controls because of their security maturity program or because they are required to, and we look at the findings there, we typically will always find issues where there are third-party applications or even third-party devices sitting on the network that are just completely vulnerable and exploitable. And those are always discussions that we have to have with customers, and it really comes down once again to risk and what the business function of that application or that device is, and whether or not it makes sense to contain it or remove it or whatever the case may be.

David

Yeah, and I think the same goes for the cloud environment. It seems like, oh yeah, spinning up applications, and a lot of them have security controls, and then you come over and you talk to them to turn it on, and then as soon as you leave, it's turned off. Yeah. So, because it's, I guess it's a...

Steve

Little... it's a little cumbersome, right? Yeah. Maybe you have to put in a code or a push for MFA or something. Yeah, for sure. I think cloud is that space too that we're quickly growing into, where third-party risk is becoming tremendous, because everybody's plugging in. And in the security space, we want to be as flexible as possible and leverage other tools to give more visibility, to become better defenders, that sort of thing. But at the same time, as we connect in the other tools and there's some insecurity in those spaces, you open yourself up to risk.

David

Yeah. And I've seen that even the security vendors are not immune. We've seen a lot of security vendors that were...

Steve

Interested in knowing.

David

What is happening, which is, okay, who's going to guard the guards? Yeah.

Steve

Exactly. As I said before, a lot of companies that we protect, you would expect them to have controls in place because they're finance or health care. But you bring up a good point: a lot of companies that are in the security space slash technology space themselves have pretty poor controls around their app dev, their DevSecOps, or whatever it might be. So we've seen cases where vendors leave plaintext passwords in their code. I mean, so I think a lot of times it's a convenience, or let's move things as fast as we can. But those are places where, for us as a managed service provider, we always have to dig a little and look a little bit deeper.

David

Yeah, it's funny you mentioned code review, because it's amazing what you're going to find. I talked to somebody at another conference, and they said that they had to do a due diligence before... and they found a whole Tetris source code inside it. And they said, who knows how long it's been there? Somebody just decided to be a goofball and put that in there. Yeah.

David

So, what a true story. What other technologies excite you here? As you're learning, which is part of it... First of all, it's amazing. What's amazing about this is a lot of practitioners are so bogged down with the day-to-day practice that they're not taking the time off to really see what else is there, because it's such a fast-moving target. It is. And as knowledgeable as you are, with so many years of experience, if you're not committed to upgrading your skill set and understanding what's next, it's very easy to lose touch.

Steve

It is, especially, as you mentioned, as the environment changes and cloud becomes more of a thing for customers and how they incorporate that. You can't continue to provide the value to customers using the same toolsets all the time. So yeah, I want to upgrade myself personally and professionally. And I think as well, as you mentioned before, just sitting down with some folks and having discussions really gives you an understanding of some of the things they see in the industry, in the marketplace, war stories. Those are always really interesting to share and talk through. But then also places where you see deficits or deficiencies in yourself that you can shore up and learn more about.

David

Is it like the case where you come into a car show and you see all these, like, unbelievable cars, and then you come back and you go back into your Toyota Camry to drive away? Is that the case?

Steve

Yeah, there's no doubt. That's a perfect analogy, too, because I've got a Toyota Camry in my driveway. Yeah. You come in and see all the Lamborghinis and Antares and all those Ferraris and all those things play out. But, yeah, there's a lot, right? I mean, you see there's so much really good technology and new items on the market. I mean, talking just as we did a second ago, with the idea of kind of attack simulation and how we can use artificial intelligence and machine learning to do some of those pen testing functions automatically, continuously. Pen tests are fantastic and are definitely something we recommend and always follow up with customers on.

Steve

But if you can look at things that are testing not only your vulnerabilities... the other interesting place I see that gets me really excited is security validation. So it's not just what are you vulnerable to, but even if you've got the controls in place and they protect you against those vulnerabilities, is your defense mechanism working the way it should? Meaning, is it alerting the way it should? Are the right people getting notified? Do they even know, when that alert comes in, what it means?

Steve

You know, we're in a lot of incident response. We do a ton of incident response. We've seen a lot of cases where we go into a customer who's got really good tooling. Great tooling, maybe deployed pretty effectively, but alerts come in to their team or to their provider that they don't know anything about. Right. So we were in an IR recently where a large customer had a really good EDR product. The product was deployed in their environment, and as large as they were, it was probably 85% deployed, which is pretty good. Mark E 100% better if I really good.

Steve

And they had an attacker get in the environment on one device that wasn't protected, and the attacker moved laterally in their environment, and their EDR product did exactly what it should and alerted. It sent an alert back to their team, but their team was not versed on the product, and so they didn't know what that alert meant, and it led to them being ransomed. The attacker went in and wrote a script to turn that off across the entire environment and ransomed the whole thing, encrypted everything, and they had logs. We saw the logs as we came in and looked at them, and it was, you all got alerted on this, but nobody took any step.

David

That's an unbelievable story. Yeah.

David

And so how do you validate the... you mentioned that can be a practice by itself, because I'm assuming that everyone has the same problem, right? Because there's so many moving parts.

Steve

Right. Are any of your tools... I mean, you know, you hear the analogy people say all the time that the attackers, they can get lucky. You know, they don't have to be right every time. But the defender has got to be right every time. Right. So, I mean, when you think about that and all those pieces that come into play all the way down the line, I mean, just think about that. I think that's one of the things that interests me about this whole security validation space: great, we've got a tool that can detect an attack, but who gets notified on that? Is your notification system working? I mean, so a lot of companies may be tied into Slack or Teams or other things, or maybe the ticketing system. Is that even working the way you think it is? Because until you go through the exercise, you really don't know. Right.

David

Or it alerts too much and they turn it off.

Steve

Exactly. Yeah, exactly. And that is what happened in this case: the EDR alerted them and just continued to alert them, and their team was like, this is... it's happening. And this is the other thing too. They get it so often they're like, this must be a false positive because it's happening every day, when the attackers are sitting back, moving wherever they want to. Right. So they silence the alert and then, you know, you're vulnerable.

David

Yeah, it's an incredible story. Um, it reminds me, I remember taking the cab from the airport one day, and the driver had a little, you know, black tape over the... I guess he had the engine light on. So he had put black tape on it, because he didn't want to see.

Steve

It anyways, he won.

David

Because it was on all the time and nothing happened, until the engine blows up, right? Yeah.

Steve

Yeah, exactly. So out of sight, out of mind, until it comes due.

David

Yeah. So in your opinion, what would be the best way to start something like that? As you mentioned, to even do basic validation again, because it doesn't have to be complicated, right? Yeah, it does. And so checking, like, maybe the ABCs of validation.

Steve

Yeah, it really doesn't. And that, I think, not only checks your internal systems, but also if you're using a provider like we are, we want to make sure for our customers, yeah, we're validating the things are operating the way you expect them to operate. I think it really is the organization running some test or some exercises in their environment just to make sure the outcome is what they expect. It could be a test malware, you know, there's an EICAR test or something like that. There could be a phishing test, just to make sure that the process is what it is.

Steve

And it really doesn't have to be complicated. You know, the vectors... we all know the main vectors that attacks are coming in on: phishing, or malware dropping on a machine. Test those, and test them, you know, once a month or once a quarter, or even at least... it gives you the idea that, yeah, truly, these things are going the way they should. I'm interested. There's a lot of tools that are trying to automate that piece, and I think automation is going to be difficult because every environment's different. But there are some really smart folks out there, way smarter than I am.

Steve

And so if you can figure that out, then imagine the idea that you tell a customer: what EDR are you using? What ticketing system are you using? You get all these, you understand the inventory, the assets in the environment, and you say, here's this widget, drop it in your environment, and let's see what happens. And it tests the kill chain from beginning to end, all the way, and the processes around defending that, to validate, yeah, we're seeing what we should, we're doing that. We're starting to do that with customers in a very manual way. It's labor intensive, as you can imagine, because different customers have different EDR, different systems. But we really are looking at it more to validate ourselves to our customers, right, because they are entrusting us to do security for them. But that's a whole market, I think, that is on the rise. And when these large organizations who can fund it actually put those things in place, it could be really valuable to them.

David

And so what would that program look like? Potentially just having somebody come in and run a bunch of scenarios and trying to figure out, you know, what is the workflow, for example, from an alert: like, who gets it, what tool, and then who closes the loop on that?

Steve

Right.

David

Because I'm assuming, like, listen, I don't know about that case you mentioned, but I'm sure some heads were... Yeah, yeah. Because it'll be very aggravating, because you spend money, you have all the tools, and you did a good job too. 85% inspection is pretty good. Yeah. And after that, you still, you know... it's almost like it's almost better to not have all of that. Just... you're right.

Steve

Well, I say that the costs they spend on all the controls and the tooling and stuff wouldn't have paid the ransom. It was a pretty hefty ransom that they got hit with. But still, the time and effort that goes behind deploying that and getting all that control in place is considerable, without a doubt. So yeah, and I was privy to those conversations that happen around the C-suite that, you know, there were a lot of expletives, as you can imagine, about these controls that we put in. Hey, we paid for this. We put it in. And I think that's, to your point, the frustrating part of it. If you do get an organization that is making good decisions and wants to raise their security maturity level, but then things fall down like that, where there's, you know, the training for the analyst or their security teams, the notification channel or alerting channel working the way it should. As I said, there's all these places where things could fall down. You really need to test that and make sure that that's...

David

Flowing. You should figure out what that program looks like. And then that's going to be a talk for you at Black Hat next year.

David

Okay. Yeah, I'm serious. Like, I think it makes total sense, and I think a lot of companies are... and I think that's maybe the missing link. I think because companies do spend the money, like the majority do spend the money and effort and all that stuff. And then I think there's some breaking points, and it doesn't have to be complicated.

Steve

It really doesn't. You know, as I said, you know, the majority of the vectors now... you may not be able to test every scenario out there. But once again, as I told our instructor, these attackers that are doing ransomware as a service aren't doing all these advanced, crazy techniques. They're doing five or six techniques that it's fairly easy for you to protect yourself against. Just do those things and your risk level goes down tremendously. Right. And the same thing: when you do those things, then validate they work.

Steve

So, you know, we've been in environments as well where they had multifactor deployed and did a really good job of everything, covered multifactor. But they had three or four accounts of guys who had older phones, or gals who had older phones, or maybe just didn't want to push. A CFO said, I'm not. I'll do that first. I'll put on file. And those are the accounts that the attackers go after, and they breach. And so you still need to know, you know, where you're in the security space, corner cases can have impact. So you need to know your corner cases.

David

Yeah. And you know, you don't want to be in that corner, you know, like the one where you are the one who's... because, you know, I'm sure these people have some questions to ask, especially after they spend the money. That's amazing. So, you know, first of all, thank you very much for coming in. Much, much appreciated. Great. And I'll probably meet you up at one of the after-hours events, and you should invite me over. It's enough good that I can't see the... I would love to get into the vault, you know?

Steve

Yeah, let's do that. Likewise. I want to get to New York.

David

Yeah, we should.

Steve

Come to one of your own. One of your events?

David

Yeah, absolutely. Do you do tours for customers that we live on?

Steve

We do, yeah.

David

You know, it's funny, because there's a lot of bank vaults that... because now it's all digital, so a lot of these bank branches got closed down or converted. You know, I remember seeing one that was a clothing store. Right. Right. Yeah, retail. But I think being a security center is much better. Yeah. So do you ever close it down, like shut down the doors, or is it just through, like...

Steve

So the doors, they're operational, but the locks on them have been disabled. So you can close the door, you can't lock the doors. And it's pretty... these are, I mean, you know, massive doors to close. There's two of them on each end of the vault. But, yeah, love to have you come check it out. Would you do a podcast...

David

Inside.

Steve

The vault? Yeah. It's something that.

David

Maybe, you know, that's, that's a, that's a cool podcast series. Yeah. From inside the vault. I should do that.

Steve

Maybe even some of the younger population who just take security for granted. Right. I'll give you a case, an instance here. I've got my son, who, when he was younger, played a lot of games online and things like that, had some friends who played online, and their online account... You know, there's a business, a lot of these hackers or whatever have a business where they steal in-game money from Fortnite. Yeah. Yeah.

David

That happened to my son, for sure.

Steve

Yeah. And so some of these kids set their passwords to "password" or something like that, because they really don't understand the gravity of what it means to do that. The kid's parent... because I spoke to him about money as real money. He lost about 50 bucks on the kid's account, and somebody went and cleaned it out. The kid's crying because he doesn't have his Fortnite coat or whatever, but dad's crying because of the 50 bucks. But I...

David

Was like, Good that you got burned now instead of having your kid backing out me when you like.

Steve

Older. Yeah, I agree. I think sometimes those unfortunate events are teaching.

David

And they're getting so good. Like, I mean, you know, I swear, these text messages are, you know, professional, they look good. The email looks great, you know. Everyone... so I just get it, and I always, like, think before I look, and I look at it, and they're very convincing.

Steve

Right. And I think that's one of the sad, untold stories. One of the things that me personally, I really want to try to overcome or look into, trying to help a lot of those people that are in situations where they're being taken advantage of just because they don't understand the technology. I think about the older folks, my parents and folks that are in that age where, when they get a text from the bank that looks legitimate, hey, somebody just did something on your account, they're going to click it because they want to know.

David

Clicking, or even, go, go, you know, they call the number. You know, I remember, you know, I called this supposedly Amazon transaction thing, and I knew the person... yeah, I knew that it's a fake because I was... I never sent those texts. But, you know, they're just very convincing. They like to walk you through. And I heard the story of somebody, like, their account got taken over, and they emailed the CFO to wire some money. And it was a very large sum of money. And the CFO did the right thing and called. Yeah. And the person on the other line said, yeah, it's, you know, a transfer. Right. Because they changed the number. Yeah. Whoever answered on the inside was not the...

Steve

Person they thought they were.

David

And they transferred the funds. And so yeah.

Steve

And in the business, in the technology world, there's still a lot of awareness. And I think those kinds of processes and things still need to be learned, where you hear... where you don't really hear. I always tell people, for every one ransomware story that the media publishes, there's thousands that happen behind the scenes. But you really don't hear a lot of the personal situations where people get scammed out of, maybe, hundreds or thousands of dollars, but still a real impact to them. And an attacker these days, if I can... you know, I go after the big corporation where I get a $1,000,000 payout, or maybe if I go after 100,000 individuals, I can get a $1,000 payout. I can make the same amount of money either way. It might be a whole lot easier, you know? Yeah. So that's a place where I see, as a country, we still struggle with that culture of security and just, you know, trusting things a little too much.

David

And where I think this has to start is at an early age. Yeah. You know, like you certainly... you mentioned, you know, I got a taste of it early on, but I don't think that happens enough. I think we're, you know, they're all given devices that are... people doing everything, and everything's becoming online and, you know, you're going to be hacked. And, as you mentioned, even for small things, like, you know, somebody posting a container. You know, there's a whole container scam going on, like where people put... you know, I don't know why you'd want to purchase a container, but people are trying to purchase containers. And then, you know, you put money up front and you never see it, because the person, you know, was in Nigeria.

Steve

Right.

David

You know, simple as that. And then Craigslist or Facebook or whatever, they never take those down. So they take ownership of accounts that were compromised, so it looks like a legit person. And then, you know, you pay them like $2,000 and it's gone. And I mean, for some people $2,000 is a lot of money, right? Exactly. Especially to lose like that, for sure. So, yeah, we have to do something about that as well. But again, we deal with enterprise, but eventually, uh, it's a matter of everyone's, you know...

Steve

I agree.

David

That's the security too, to do that.

Steve

I agree.

David

Completely. And I think that every time... you know, I've seen that with the pandemic, and now with the economic conditions being the way they are, I always see there's an uptick. It's almost like maybe because people are stressed out and more vulnerable. And then, as you mentioned, they're revenue centers.

Steve

Yeah. Right. That's exactly right. Yeah. And any time the attackers, for everything else, they're trying to make... they're looking at... a lot of them are trying to make as much money as they can. And when people are already under stress and anxiety because of the pandemic or the economy or whatever it is, they're easier targets, there's no doubt about it. And so the attackers are just going to kind of pile on in those places.

David

Yeah. Yeah, for sure. Well, at least you mentioned your son is here at Black Hat. And did you tell him? Oh, I guess DEF CON, right? Yes. So you mentioned that he's got to leave his device in the room.

Steve

That's right. You got to. You can't be on that. I did tell him that, too. You don't connect anything to any of that kind of stuff. Let's be safe.

David

If you were... Yeah. I'll tell him, what's the wall? The wall of, you know, the wall of shame or...

Steve

Yeah, that's right.

David

Yeah.

Steve

Yeah. I don't want his picture on it.

David

And then what's interesting, you know, I think there's a place specifically to do security for gamers. Yeah. You know, I don't know why there's not other education, or even the ability for you to secure, potentially, a secure account. Right. Because you mentioned it is $50, but some people have thousands.

Steve

Yeah, that's thousands.

David

Of digital assets, you know. So, until then, Steve, thanks very much for coming. I'm looking forward to seeing you at the after hours. Yeah. Thank you. Appreciate it. Thank you.

About The Speaker

Steve Cobb

Steve Cobb is One Source’s Chief Information Security Officer (CISO) bringing more than 25 years of leadership consulting surrounding IT infrastructure, cybersecurity, incident response, and cyber threat intelligence. Since joining One Source in 2015, Steve