
Episode 1 - Why Cybersecurity Education Matters

In this introductory episode we discuss our book, "Cyber Rants: Forbidden Secrets and Slightly Embellished Truths About Corporate Cybersecurity Programs, Frameworks, and Best Practices." We cover why corporate cybersecurity programs fail, why cybersecurity matters, and how businesses can get the right guidance and education to build the protection that fits their needs.

Pick up your copy of Cyber Rants on Amazon.
Be sure to rate the podcast, leave us a review, and subscribe! 

Transcript

Welcome to the Cyber Rants podcast, where we're all about sharing the forbidden secrets and slightly embellished truths about corporate cybersecurity programs. We're ranting, raving, and telling you the stuff that nobody talks about on their fancy website and trade show giveaways, all to help you protect your company from cyber criminals. And now, here are your hosts: Michael Rotondo, Zach Fuller, and Lauro Chavez.

Welcome, welcome, welcome to the Cyber Rants podcast. This is our very first episode of the podcast, to go right along with the book that you know and love, and if you don't know it and love it yet, you will. This is your co-host Zach Fuller, joined by Lauro Chavez and Mike Rotondo, and we are glad to be here today on our inaugural episode of the Cyber Rants podcast, to go right along with the book that you know and love, Cyber Rants. Check it out on amazon.com if you haven't already. It is awesome, and we're pretty cool ourselves, so we say.

Well, we're cool. I don't know about you.

Well, yeah, two of the three people on the podcast today are cool. School? Consider me Miles Davis.

Oh, well. Cyber Rants.
What is Cyber Rants, for those people that don't know anything about it, that haven't read the book, haven't seen the stuff on social media or whatever? Which, we don't do a lot of social media, so if you did see something, congratulations, you're one of the few. Not a lot of time for that stuff. Cyber Rants is all about building effective, proactive cybersecurity programs. Our podcast is for people both with and without technical backgrounds. So if you're an organizational leader and you have this burden of responsibility to build a cybersecurity program and don't have a background in it, you're in the right place. And if you love this stuff and listen to all kinds of cybersecurity podcasts and want a different angle at it, a different look at it, you're also in the right place. You did it. Congratulations.

Why don't we dive into some of the disconnects between the cybersecurity industry and the people that need it the most? I think we have a lot to talk about there.

That's really a lot of what the book is about. There's a lot of people that are just, unfortunately, failing at the cybersecurity game, but they're not necessarily getting the right guidance either. Everybody's pushing different products and tools, pushing their own agendas. Hard to know what's what if you're not in the industry all the time.

I think there's a fundamental misunderstanding of what cybersecurity actually is, and that's part of the problem. Everybody's seen Swordfish and the guy clapping his hands, and the five monitors with the worm that crosses all five, and he's writing this code, and that's what you know. Or it's guys sitting in their basement hacking into things. Really, part of the reason we wrote this was to educate the public on what cybersecurity really is, and then once they're educated on it they will be better practitioners of it. I think that's really one of the benefits of the book, and that's where the shortcoming comes. I think most people just think, I plug in the right appliance, and then they forget the rest of it: the training, the policies, the procedures. I just read something today about the firms that are most likely to get breached are those without a proper privacy policy, and the average firm shares their data with 730 different companies on an annual basis. If you don't have a proper third-party assessment process or onboarding for vendors, you're just exposing data all over the place, and that's where a lot of the risk comes in. So that's my two cents on that today.
So there's no Halle Berry or John Travolta in cybersecurity, is what you're showing me?

Not that I've come across, but you never know.

Oh, wait a minute, wait a minute. I've just got to back the team up. Where you're telling me Swordfish isn't real? It is not a documentary, as far as I'm...

Cybersecurity is really more like the Death Star.

Yeah, that's a good analogy. I agree with Mike, and there's a lot of organizations that I think certainly have misinformation on how to, I guess, accurately implement a proactive cybersecurity program, and it's not just these onesie little things. Relating it to the Death Star is a perfect example, because the Emperor, the Sith Lord, right, if he's the CEO of the company, then Darth Vader is his project manager. And if you remember that, I mean, he is, right? He does not...

I just thought of a couple of specific project managers when you brought that up, that's all.

Yeah, I did. That's why I brought it up. I was hoping it was hitting a little sticker in your arm. And so they're not technical, right? Vader's not technical. I mean, he can choke you right to a timeline, and that's what's important, not that he really knows what's going on. And I don't know if you remember, gosh, I should know if it was episode three or four, where he shows up to the Death Star and it's not put together yet. He gets off his ship and they're like, greetings, Vader, and he's like, this battle station better be fully ready, the Emperor sent me here to make sure it's built on time. And they're like... he's like, I'll double them in and get things rolling. Their speed-to-market mentality is what caused their whole demise in the first place, due to a vent shaft the size of a womp rat.

That would be Return of the Jedi, sir.

Was that Jedi?

Jedi.

Yes. That case of not being completed properly, and the overconfidence of the Emperor CEO, and of course the furry little critters on the moon, which could be your employees, I don't know, that were the problem.

Yeah, you got taken out by Ewoks.

Yeah, and a handful of cowboys and cowgirls. It's kind of funny, but I mean, it's relatable. Every organization wants to put their new widget on the web so everybody can use it, and no one's looking at fundamental cybersecurity basics in the DevOps process, or DevSecOps as they're calling it now, right, and in that process making sure that all of those security checks are being done prior to the push to deploy in production. You're really just setting yourself up for failure by not doing those things.
Well, and in defense of all the leadership and people that don't have a background in cybersecurity out there, they're getting fed a lot of garbage from the industry too. We are certainly going to make some enemies through the book and the podcast, and that's just fine, but we're making a lot of friends too. A lot of people are hearing a refreshing message, and that is, it's not just about buying more stuff, more tools, more dashboards, more and more and more. I think that's what a lot of corporate leaders are just led to believe: if we want more effective cybersecurity, then we just got to allocate more and more and more budget. But there's so much waste in organizations. We talk with security professionals around the country every day, and almost unanimously they're saying, I'm sick of being stuck in meetings six to eight hours a day, I'm not going to do the work I got in this business to do in the first place, I'm too busy navigating corporate politics to actually achieve the security posture objectives that I know we need to hit. And you guys know how that goes firsthand. That's one of the reasons why we do what we do today.

Well, yeah, documenting. The one piece of advice I'll give to security practitioners that are listening to this that are roadblocked by departmental politics is just document, document, document everything, in emails and in white papers if you can. That way, when there is a failure, because you probably know it's coming, you're trying to make a change and you can't because of weird leadership things or budgetary issues, at least from a consultant perspective, right, you've recommended what is going to be best to resolve the risk, to reduce the risk, and you've documented that. So when they come back later, you can at least show them all the ... it might save your job, though, when you show them all the documents that you had trying to explain to them why they needed to do this and they still chose not to.

Well, if you have enough white papers, you've got the foundation for a book.
Right.

Oh yeah, yeah, that's kind of how it happened, right? It happened, right? You do do a lot of writing. I mean, I know, Mike, you talk about that a lot. What's the most critical skill you could have as a cybersecurity practitioner, right? Documentation.

It is the most underrated but the most needed, to be honest. It's really one of those things where you have to be able to do it, and no one likes to do it and no one wants to do it, sitting in the cubicle. But that's where it's incumbent upon management to work with your resources, find someone that does do some writing, that does understand the process, and give them the freedom to write when they're comfortable. Don't set up arbitrary deadlines. Some of this has to organically come out. I do much better when I'm sitting at home with a scotch and listening to Jimmy Buffett, writing my documentation, as opposed to trying to sit in a cube or an office or an airport. I've written all over the place, trains. But in a comfortable space your documentation will be that much more meaningful, that much more effective, and will actually get produced a lot more quickly.

Wasted away in vulnerabilities. All right, is that why you put those words in those documents? Oh, I get it now. I get it.

Yeah, it's interesting to see what's going on out there.
I mean, I think, relatively speaking, the cybersecurity industry is still a young industry, right? So it's still trying to figure itself out. There's a lot to learn. Luckily there's a lot of brilliant people in the industry, but it's been a little bit bastardized by some of the investment groups and such that create a lot of hype out of, I think, sometimes the wrong things, when it really takes the boots-on-the-ground practitioners. And one of the problems that we have in this country is that everybody's very quick to blame the shortage of cybersecurity professionals, right? There's just not enough cybersecurity girls, and that's absolutely true. But in a battle or in war, like you've said it before, Mike, you fight with the army you have, not the one you want, and that's what we're faced with here in the United States. So I think we have to look at things a little bit differently. We can't just say, oh well, we're failing because of this, this, and this. Let's look at how we can succeed. That's a lot of what we talk about through the book, and we'll be continuing to talk about it through these podcasts, because there are a lot of great things we can do. A lot of times, what we see when working with clients in a whole bunch of different sectors is that it's the fundamentals that they're missing, right? It's the basics. It's not the fancy stuff. It's not that they're short on the latest AI-driven technology. It's more that they're just failing to even outline their basic processes. They don't necessarily have things like regular pen testing or scanning or anything like that to validate their efforts. And what we see a lot is that most business leadership outside the industry, in the mid-market and smaller organizations, has still not been introduced to the concept of cybersecurity frameworks like CIS Controls or NIST 800-171 or NIST CSF or any of that. Instead, they think of it as this kind of mythical world that exists out there in the ether. Well, it's really following a process. It's process-driven, or should be process-driven. But what's happening is we see people come in, they get an MSP or some IT person or something: we're going to do this, this, and this, and that's cybersecurity, right? We're going to configure the firewalls and put antivirus on everybody's machines. Well, great, but that's not a cybersecurity program. It's really about defense in depth. It's not about individual tasks. So we'll be talking about that a lot through the rest of the episodes as we continue moving forward. That's really the premise of all this: what can we do with what we have today, the resources that are out there and available? What can we do to make the most of those? Because that's what we have to do as a country, right? We don't have a choice but to make the most of the resources that we already have.
Yeah, absolutely. Like, two things, right? If American cybersecurity was a football team, we'd be the Cleveland Browns, all right? And also, Mike's certainly got more Star Wars knowledge than I do, so thank you for the correction on Return of the Jedi. But I will say, Zach, that in my opinion security's been around since August 15th, 1983, because that is the time in which the Department of Defense put in the Trusted Computer System Evaluation Criteria, also known as the Rainbow Series. That was when the Orange Book came out that talked about basic-level security stuff. So I think it's been around a long time. I think it's one of those things where companies in the last 10 years have just begun to want to acknowledge it.

Well, they haven't been forced to, which is part of the problem. Now, with the litigation potential and everything else, they kind of don't have a choice anymore.

Right. I mean, but I remember back in the early IT days, when I was setting up networks and I was managing environments, we had to do the whole thing ourselves, and we didn't have anything called cybersecurity. We had barely any guidance, even from the manufacturers of the OSes, where we basically had to build our own programs from scratch to figure out what was best and what wasn't. But yeah, that Orange Book from 1983.

Oh, it's a geek dollar for that one, I think.

Oh, well, yeah, I have run out of geek dollars. But no, I agree. I think it was an organic thing, right? Especially in the Department of Defense, we had very specific criteria that we had to align to, and so it wasn't even a thought. It was, this computer can't be plugged into the network until it meets these specific criteria. They have to be tested and then signed off on. We call that certification and accreditation. It seems like it's too stringent for most organizations to even pull off today, even being Fortune 100. It's like they're still not to that level of quality assurance for cybersecurity configurations prior to any deployment. And I don't see any of the fancy tech now helping drive any of that. I mean, is it going to stop spam from getting to your email gateway? Well, sure, that's fantastic, but what about all the... I mean, are you investigating where the spam is coming from? Are you looking at these? Are you trying to develop some form of lists to block that type of stuff? Or are you just relying on the technology to take care of it for you so you can go on and drink coffee and play ping pong in the break room? There's a huge difference between plugging in a tool and letting it work, and actually using the tool effectively and to 100% of its capability so that you can get real data-driven metrics out of it that you understand. And you have to always, always, always be looking at that attack surface and trying to reduce the risk based on what changes you see from your telemetry, and sometimes that's many times during the day. Hopefully it's every couple of minutes, right, where you're getting this data and you can actually make actionable changes to the environment based on what you're seeing. I just don't see any organization out there that's to that level of, I guess, completedness, right, where they're really looking at the whole process.
Well, I think the problem too is that they're getting information overload, because they haven't been tuned properly, right? So they generate these major logs and a ton of events, so we came out with log aggregators. Log aggregators, some of them that we've worked with in the past, generate a ton of events and a ton of data, which is also data overload, so you almost need a log aggregator for the log aggregator to find out what's really, actually real. At that point it becomes unmanageable. But I think you're right on the fact that we don't have the necessary resources. They're not staffed properly. No one's sitting there watching their log aggregator console all day long and trying to understand the data. Even in a SOC, I think you get overloaded. I mean, staffed with a ton of people, because they have multiple clients and blah blah. So unless you have a captive SOC that does nothing but watch log events and track them down and alert the appropriate people... Or, even better, what I think is pretty hilarious is when the big VAR comes in and they install this intrusion detection mechanism, right? There's a lot of them out there, and they hook it into your ticketing system, the API, so every time it sees an event it starts to create a ticket. And then you just watch in minutes how many hundreds and hundreds of tickets they're getting to investigate these events, and it's just like they've assigned some intern just to delete tickets.
Right. Well, hey, we're running low on time here. We have a lot to talk about over the next many episodes, so why don't we just cap it off with, let's each come up with our final rant for the day, and we'll close it out. Mikey, what's your rant of the day? What do you want to tell people? Make sure they know.

I guess it's just make sure you establish your people properly and make sure you document everything you need to document. The documentation is the key, because, God forbid, someone gets hit by a bus or wins a lottery and disappears on you the next day. One of the things that I've seen is coming to these places with tools, and the guy that managed the tool is gone and the guy that backed him up is gone, and all of a sudden you've got no one to run this magic tool that you put your security practice around. So documentation is a big key. How about you, Lauro?
Well, I've got two things. First, I'll just say, if you're a leader and you hired smart people to do smart jobs, trust your people and listen to what they're telling you, because you're going to cause yourself a lot more pain if you don't trust the people that you hired. The other is about the documentation, and what I despise seeing is organizations that have one IT guy. They've got one IT guy running the whole network, and they don't want to spend the money to get an extra IT guy. They have no idea the risk, and the truth is you need three, because, just like Mike said, one's going to get fed up with your crap because you're not listening to what he's telling you, even though you hired him, he's a smart guy. He's going to leave. Then the next guy is going to get lucky and win the lottery. He's going to leave. Then the third guy is going to be left there by himself, and he doesn't want to work there by himself because he didn't have any idea what's going on, he wasn't there long enough to be trained by the other two, so he's going to leave too. Now all this fancy dancy technology that you spent all this money on in the last couple years putting in, you've just thrown out the window, because now you have to have a consulting firm come in, or other people come in, and the first thing that a security architect or security engineer does when he comes in, and he's the one person, he's the one security guy, he's going to look at all the stuff that they put in before him and he's going to go, I don't like this stuff, I want to put in this, and this works better, and I'm more familiar with this. And then you're going to be spending three times as much, and none of your tools this whole time have been 100% mature. So think about that.
Well, my rant is right along those lines: cybersecurity is about people, first and foremost. It's not about tools, technologies, anything like that, and we need to put more emphasis on that. So we'll continue this discussion, but we will wrap it up for the day. Thank you for joining us. Rate us, comment. If you like us, great; if you don't like us, great, but let us know. And also, cyberrants.com, you can submit questions, anything like that. Just visit our site. We want to hear your feedback. We will continue to put out great information. We have a lot of great stuff coming up, so tune in next time and have a great rest of your day.