Your favorite intelligence feeds are warning of several up-and-coming new campaigns that are victimizing companies much like your clients. Maybe they're even targeting MSSPs themselves. Now it's up to you to assess and prioritize these latest threats, and determine to what extent they require you to change your approach, institute additional safeguards, or update your security awareness messaging. What's a reasonable response? What's a knee-jerk overreaction? This session will examine how managed services providers and security professionals in general should and shouldn't react to the latest threat intel release. Our guest will also review some of his favorite top trends and incidents from this past year's Verizon Data Breach Investigations Report.
Jugglers! Magicians! Freebies! You can find plenty of commotion and distractions on the show floor at the RSA conference or any major cyber convention for that matter. If you're a managed security services provider trying to sell your wares, it can be a challenge to distinguish yourself amid all the noise and chaos of events like these. This segment will offer tips and recommendations for making your customer impressions more memorable so that you stand out from the rest of the crowd and your marketing message is not lost in the blur. At the same time, we'll also examine what questions savvy MSSP leaders should be and likely will be asking on the show floor as they hunt for the right vendor partner.
Show Notes: https://securityweekly.com/cfh18
[00:00:00] Threat intel reports: how reactionary should you be? And the RSA conference: how to stand out on the show floor. That and the latest news and trends in the managed security space, coming right up on Cyber For Hire. Building bridges between managed security providers and their clients,
[00:00:20] it's the podcast where MSPs, VCCs, and end users take a united stand against cybercrime. This is Cyber For Hire. All right, welcome, friends, to Episode Number 18 of Cyber For Hire. How's everybody doing today? I'm Bradley Barth with SC Media in New York,
[00:00:40] and joining me today on the other side of the Continental Divide, in Utah, is my co-host and partner in cybercrime, Ryan Morris, Principal Consultant with Morris Management Partners. Ryan, it's here: the RSA conference is in full swing as of the airing of this episode.
[00:00:57] I've got to admit my FOMO is kicking in big time because neither of us happened to make it out there this particular time, but still, always a very exciting and hectic time of the year. It's a very hectic time of the year.
[00:01:11] But I will tell you, some of the very best advice that you and I have received from our expert guests is, when you go to that show, remember: put your phone in airplane mode,
[00:01:23] take a burner phone, do not bring your real devices if you can at all afford to do that, because you know who else is also attending the RSA show: all the good guys, and also some of the bad guys. That's very true, very good advice.
[00:01:40] I remember the very first time I did one of the DEF CON conferences, and I just felt like the entire time I was looking over my shoulder, like, who's sitting next to me? And I remember opening up my computer one time, and just for a split second,
[00:01:54] it started to latch onto the local Wi-Fi connection. And I was like, oh, don't do that, don't do that. So, the first time, you remember back years ago when everybody was first talking about the built-in camera on your laptop,
[00:02:10] and whether you should have a cover on that, my first reaction when I heard that was, please, come on, let's not be so overreactionary. And then I went to RSA, and literally every white hat in the entire facility had either a sticker
[00:02:26] or a piece of tape or something over their own camera. And I was like, okay, so maybe I am going to take that to heart. Yeah. You can never be too careful, right? So anyway, plenty to cover today, as always.
[00:02:42] But some news is just so important that it can't wait, which is why we want to share with everyone what's top of mind today. So here's your headline.
[00:02:50] The security researcher who goes by the moniker Kostas has warned that cybercriminals have started abusing the remote monitoring and management tool Action1, used by many MSPs and MSSPs. These adversaries have been using it to gain a foothold into already compromised networks
[00:03:10] to perform reconnaissance and execute commands and code. BleepingComputer notes in an article that the software is typically used, legitimately, to automate the installation of software updates and patches on endpoints, and the free version of the tool is available at no cost for up to 100 endpoints.
[00:03:30] To be clear here, the Action1 platform itself was not compromised. However, again, any previously compromised company whose admins or whose MSSPs use Action1 might be especially vulnerable in this case, because the illegal activity would appear to be legitimate.
[00:03:48] So, Ryan, why is this top of mind for you? See, I think we are getting one more layer into the onion of understanding our own internal tools and the impact that they can have on our clients and their cyber posture.
[00:04:04] Right? We've heard about actual RMMs and PSA tools being compromised. But in this case, the tool itself is absolutely fine and it's doing exactly what it was designed to do: deliver code, automate tasks, install software.
[00:04:22] That's what it was used for. And I will say, having been around the managed services business for a couple of decades now, I remember when the tools first became a thing, right? We used to do this with regular technology and a lot of Excel spreadsheets,
[00:04:37] and we didn't have automated resources for software distribution or monitoring or anything, right? When that first started coming into play, that was a very important maturing step for the industry. Right? We became real when we had tools to automate it.
[00:04:54] I think maybe we need at this point to just remember the best advice that any of us have ever received. First, take care of your own health, right? You know, put on your own mask first before helping anybody else.
[00:05:09] This is an especially shocking type of situation because it's a tool that, in normal protocol, isn't going to be flagged as doing anything inappropriate, right? We always look for a normal baseline and then variations from that to figure out what is potentially an alert.
[00:05:29] In this case, hey, it's just doing its job, and it's not going to alert on anything that's super scary if we are not also checking ourselves.
[00:05:38] So, physician, first heal thyself, and then let's go out and start talking to customers, because our tool sets are very central and they are a very good multiplying point to get into everything that we do with our customers. So let's make sure our tool sets are clean.
[00:05:58] Very well put, Ryan, and we certainly want to hear from our audience as well on this. If you agree or disagree or have any other thoughts, please write to us, as always, at cyberforhire@cyberriskalliance.com.
[00:06:11] Anyway, that's going to be our top-of-mind hot take for the day; more news later in the show. But first it's time for our featured infosec news and strategy topic of the week, presenting our big idea.
[00:06:23] In security: threat intel reports, how reactionary should you be? Your favorite intelligence feeds are warning of several new campaigns that are victimizing companies much like your clients.
[00:06:37] Maybe they're even targeting MSSPs themselves. Now it's up to you to assess and prioritize these latest threats and determine to what extent they require you to change your approach,
[00:06:49] institute additional safeguards, or update your security awareness messaging. What's a reasonable response? What's a knee-jerk overreaction? This session will examine how managed services providers and security professionals in general should and shouldn't react to the latest threat intel release.
[00:07:07] And our guest will also review some of his favorite top trends and incidents from this past Verizon Data Breach Investigations Report. Further, we'd like to welcome in our guest speaker, Juan Valencia, executive consulting partner within Verizon Enterprise Solutions' cybersecurity consulting organization.
[00:07:25] More specifically, Juan leads Verizon's executive consulting team, offering executive-level advisory services that include risk management, risk scoring and strategic journey maps for CIOs and CISOs. He also spearheads Verizon's cyber risk monitoring consulting services.
[00:07:43] Juan has been in the infosec field for 22 years, with stints at companies such as Wachovia and GE. Prior to joining Verizon he held various infosec consulting and corporate positions, at one point managing the security governance program of a well-known media company.
[00:07:59] Juan, thanks so much for being here. It's great that you could join us, and as always we're going to jump right into it. So this is really a subject matter that is applicable to both MSSPs who are managing security for their clients,
[00:08:11] but also really all security practitioners and CISO types that are interested in the latest threat intelligence.
[00:08:17] It's important to find that middle ground when it comes to responding to the latest intel reports. You can't necessarily just constantly be reacting to everything immediately; there has to be some level of priority, I imagine, and some of that is trying to figure out what should qualify as high priority or what's lower priority. So maybe you could take us through that a little bit and how you make that determination.
[00:08:43] There's no question, and thanks, Bradley, appreciate you having me. It's really funny, when Ryan was talking earlier about how people are talking about putting a little tape on the camera, I was like you: that's completely an overreaction, come on, that's overblown, right? And of course you're absolutely right, now everybody does it.
[00:09:00] Laptops come with that thing now, right, a little thing you can slide over them now, right? So, you know, where at first we thought it was an overreaction, we then later found that, hey, maybe it's not an overreaction, that is indeed a possibility.
[00:09:13] Is it a remote possibility? Of course it is, right, but it is a possibility, and we don't want to take any chances in this field. And that is akin to threat intelligence and how we react to it and how we use it,
[00:09:27] and how we protect our customers' and our own data, right? It is easy to overreact, right, but then at what point do you say, you know, maybe there is such a thing as an overreaction?
[00:09:40] Right? And take every case seriously. I'll give you an example, right? I travel all over the country,
[00:09:47] and of course, as you know, I'm part of the Data Breach Investigations Report team here, the DBIR team, so we see all the data, right? Every single day we see data, and we know that about 50% or so, roughly about 50%, of all data breaches start with some kind of human interaction.
[00:10:05] Okay, phishing: somebody clicks on something, as you and I have clicked, they open something, as you and I have opened something, along those lines, right?
[00:10:13] And I see this email, it was my boss sending me like a 50-dollar certificate or something, but Verizon uses an external company. And I looked at the link and I'm like, you know, that just doesn't look right to me.
[00:10:28] Right? And, well, I see these statistics, and I am not going to be the one security consultant at Verizon who clicks on something and brings the company down, right? So
[00:10:38] I immediately forwarded that to our internal CERT, right, and within five minutes they came back and said, no, Juan, it's fine, you can click on that, it's legitimate. Like, okay, great.
[00:10:47] And that bothered me, you know, like, I think they're thinking that I'm an idiot, right? And then I started thinking, no, I bet you they're grateful for that, because they would rather spend five minutes investigating that
[00:11:01] than the next six weeks trying to recover from a ransomware attack, right? So I tie that back to, do we overreact? I don't think so. Now, the amount of data that we receive,
[00:11:16] it is massive, absolutely massive, right, especially in a company like ours, where we have somewhere in the neighborhood of about 10,000 honeypots around the world, right? You can imagine the kind of data that we're gathering.
[00:11:30] So it is difficult, obviously, virtually impossible, to look at every single packet, obviously, right? So you do have to prioritize.
[00:11:39] So once the tools are giving you the prioritization, I don't know that the word overreaction should be in our vocabulary, right?
[00:11:48] Look, again, this is from our own data, right? We collect a lot of data for the Data Breach Investigations Report, we have our own threat intel feeds, we have the whole infrastructure, right? So every single time,
[00:12:04] maybe not every single time, but, you know, I've stopped being surprised when I go on site for an investigation and come to find out that the company wasn't using MFA for critical servers, for example, right?
[00:12:20] That once a threat actor gets in, it's really flat networks everywhere, right? They use deprecated protocols, they aren't using server-side or client-side certificates, on and on and on, right? A lot of companies don't use PAM,
[00:12:35] those kinds of things. So I stopped, and it's kind of a sad statement to make, but I stopped being surprised at some of the things that we see. Therefore my initial reaction is to say we are not overreacting.
[00:12:52] Right, because you just don't know. Almost every week we're surprised, right? Look,
[00:13:00] not a week goes by where we don't get a phone call from somebody, usually a client, saying, I am a victim of a ransomware attack and I need to stand up 40 critical Windows servers from scratch.
[00:13:14] Okay, and as you guys know, with the supply chain issues that we've been having lately, think about what it would take to stand up 40 critical Windows servers from scratch,
[00:13:26] including, by the way, the procurement of the hardware itself, the installation of the software, the applications. What do you do with legacy apps, by the way? What's my licensing, does my current license still cover
[00:13:41] your hardware, those kinds of things? And these are the kinds of things that people don't think about.
[00:13:46] But again, I tie that back to how we react to this, and you'd be surprised how often not reacting on time, or not acting swiftly,
[00:13:58] will cost you. I'll give you a quick example, and I'm sorry I'm rambling on, is that okay if I give you an example? You can go ahead, this is terrific.
[00:14:06] I will only say that it's a company that you know, that's the only thing I will say, okay?
[00:14:13] Okay, but it's a company out in the UK, and we were on site, they were breached, so we were on site about six weeks or so.
[00:14:26] And unfortunately the company just was not very mature, you know, major company, large company, not very mature, and, you know, bad permissions, right? So we went in there, did the investigation, determined what happened, everything.
[00:14:41] Went through everything, gave them a nice thick 200-page report, and, okay, great, they're on their own: hey, this is what we think you should be doing to remediate. About two and a half months, you know, 10 or 11 weeks later, they called us back, same client: look,
[00:14:59] we see some funny stuff, right, and we're not quite sure what it is, but it's just abnormal activity, would you mind coming over and taking a look?
[00:15:11] So we sent the same investigator that had been there two months prior, because he had been there six weeks, he knew their environment well.
[00:15:21] And he spent about a day or so, a day and a half, poking around, and he went to the CIO and the CISO. And he said, listen, I can't prove this to you right now, this is just a hunch, okay, but from what I see, it just looks like,
[00:15:36] it's starting to look to me like someone's going to launch a ransomware attack, so give my team a couple of days, but in the meantime I highly suggest that you bring the systems offline.
[00:15:47] Okay, while we do this investigation, just give us 24 or 48 hours, right, and see if we can figure out exactly what the threat actor's trying to do. And now this was later in the evening, seven o'clock in the evening or so.
[00:16:01] And the CIO and the CISO both said, well, we don't have the authority to take the systems offline.
[00:16:07] We have to talk to the board. So they set up a call with the board the very next morning, eight thirty in the morning, first thing in the morning, right?
[00:16:18] And within those twelve, thirteen hours, the threat actor managed to encrypt seventy percent of the company's systems. Okay, now, here's the funny part, okay.
[00:16:34] Yeah, there's nothing funny about this, but, you know, the interesting part: the only thirty percent that was not encrypted, that was because of a rogue IT manager. He disobeyed orders and said, to hell with this, I'm taking my systems offline.
[00:16:48] Okay, and he managed to spare his systems from that attack, okay.
[00:16:55] So now, when I talk to a CISO, I go, do you have the authority to bring systems offline, yes or no, right? And you'd be surprised how many of them go, no.
[00:17:07] And then there's the others who say, I will not take the job unless I have that authority, right? But the ones that have the authority and act with a sense of urgency do better, I guess, is my point, right? So
[00:17:20] they didn't act with a sense of urgency whatsoever. You know, I would have at that point just made a couple of phone calls and said, I need to take the systems offline, right? They chose not to. Now, that ended up costing them, last I heard,
[00:17:35] you know, this could have been a couple of weeks, whatever; it ended up taking them six weeks to recover from scratch and cost almost forty-six million euro. Okay, now, because of a lack of urgency. Yeah, right. So. You know.
[00:17:52] See, and that's where you're coming from, and I love these real-world stories, because they do bring it back to the question of, we're not making this stuff up, right? Like, that's always a common refrain in the security industry. As humans
[00:18:07] that are naturally drawn to this line of work, we're curious, we're always sniffing, we're always looking around going, something seems a little bit not right. We're not content to just assume that everything's fine until it's not fine, don't worry about it, right?
[00:18:26] I think that's one of those characteristics of a good cyber pro, but, you know, we all also live in a world of,
[00:18:34] I don't want to come off like the boy who cried wolf. I want to be able to present this back to the people, because those real-world urgencies... I find your story especially funny because it's like, well, we have to think carefully about taking our systems offline.
[00:18:48] You know, the ransomware guy, he did that for you, don't worry about it, that's already been taken care of. Exactly, right, exactly, that could have been done. How can we as security professionals communicate these kinds of alerts without,
[00:19:03] without sounding like our hair's on fire, without sounding like, here comes that guy again, he's got another alert, because, like you say, they happen every single week.
[00:19:13] Here's another alert, here comes that guy again, and all the business people are like, I just want to tune that person out because I don't want to be alarmed anymore. How do we do that?
[00:19:25] So one thing that I have found to be very effective is providing people things like what I just did, a use case like this, right? You know,
[00:19:34] again, we get a lot of data, right, we analyze a lot of data, and I love to throw statistics out there because it brings the point home, right? One of our partners from the DBIR gave us this piece of data, and this is a piece of data:
[00:19:49] after a phishing exercise is launched, the average first click happens within 82 seconds. A minute and a half.
[00:19:59] A minute and a half, okay? Now, our own research at Verizon, okay, we've done some research ourselves, and we found out that, we call it the inevitability
[00:20:13] of a click, the inevitability of a click, okay, we call it. Usually, generally speaking, that happens at 19 or so email messages. In other words, if you send 18, 19 messages, there is a 100% likelihood that at least one person is going to click.
[00:20:34] Okay, now put all this stuff together, right? These threat actors aren't sending 18, 19 messages, they're sending 19,000, okay? And you know that someone's going to click within the first 32 seconds, right?
[00:20:48] And again, all it takes is just one person to click, one, and that's it, they got you. So one of the things that we try, aside from the really basic stuff, because, I mean, again, you would be surprised how often we go on site and there's no MFA in place,
[00:21:03] right? So aside from telling you to do the basic Security 101 stuff you need to do, which we've been screaming at the top of our lungs about for 20 years,
[00:21:16] aside from that, it's actually bringing the point home of how important it is. Look, one click could cost a company 46 million bucks, right, and be done for, X million bucks, right?
[00:21:27] It is driving home with the average user the importance of this and the consequences of what could happen if we're not diligent about what we click, what we look at, those kinds of things.
[00:21:41] We are the weakest link. We're spending hundreds of millions of dollars on our fortress, right, on the perimeter, right? But I can tell you from experience, because we see it every single day, okay, if somehow,
[00:21:56] if somehow a threat actor manages to get past that moat, right, past that wall, it is, please, sir, go ahead, right, move along. You know, look,
[00:22:09] the longest we have found, okay, of a threat actor, you know, the dwell time we find, right, the time between
[00:22:17] when your systems are infiltrated and the time that it is discovered, right, that dwell time, the longest dwell time we found was 19 months.
[00:22:27] There was a threat actor in for 3 months, because a lot of them, like you were saying earlier, right, they're already inside, they're just waiting for a new zero-day or new vulnerability to be announced and then exploit it.
[00:22:41] They're not using these known vulnerabilities to break in, they've already broken in. So they're just going to... Yeah, sorry. No, sorry, Juan, I was just going to say, well, because the example that you gave us,
[00:22:55] where basically it seems like a ransomware attack might be imminent, shut down some of your systems, right, and then they didn't react quite swiftly enough,
[00:23:04] you know, is a pretty extreme example in terms of both the consequences and the reaction, or the action, that needed to be taken in that case. Now there are other times where maybe an attack isn't quite so imminent. It still might be
[00:23:20] the priority, but maybe not something that's really about to happen at any moment. So in that case I'd be curious to ask you, what would you identify as some of the most important actions that you can take,
[00:23:39] when you do get a fairly high-priority piece of threat intel, like, here's a new campaign that might be affecting you or your clients?
[00:23:49] Would it be changes in certain controls and policies, would it be security awareness messages, would it be maybe you're going to be using those IOCs to go threat hunting?
[00:24:00] What would be the top of your list for the most important reactions? And maybe as part of that, since we're talking a little bit about dwell time and time to respond, what would you consider to be, for some of these most important actions that you can take, an acceptable
[00:24:18] reaction time for your organization to implement, from initial receipt of that intel to actually taking the response? Right, so the threat hunting aspect, that is probably the number one step. The second step, actually maybe one-A, is talk with the community at large, right?
[00:24:41] We talk with people we compete with and people we work with, you know, all the other digital forensic investigators,
[00:24:51] large financial institutions share data, large hospital chains share data, that kind of thing. That always helps, you know.
[00:25:00] Not as much anymore as it used to back in the past, when most of the data that was stolen was card data and you wanted to do a common point of compromise
[00:25:08] assessment, right, figure out where this whole thing started. So you'd be calling each other, right, there would be a lot more action there. But it's still critical to,
[00:25:19] you know, again, just share data and ask around the community, hey, are you seeing this, this is what we're seeing. We have an advantage, an almost unfair advantage, to be honest, because
[00:25:30] we own the pipes, right? Verizon owns the pipes. So if and when it is asked of us, within limits, there's legalities and everything that has to be accounted for, this is not the Wild West, we can't just look at anything and everything,
[00:25:46] but with the right permissions, with the right legal actions and everything, we can take a look at, you know, the segment and figure out what's going on there. Oftentimes we do see patterns. So I would say,
[00:26:02] I know it sounds cliché, but good threat intelligence, dark web hunting, the sharing of information with your peers, that goes such a long way.
[00:26:12] For all the intel feeds that are out there, and everybody has a multitude of them, you would be surprised, right, how
[00:26:23] unique some of those can be as well, right? So we gather a lot of information from our own MSS feed. It gets data fed from our penetration testing teams, from,
[00:26:38] and by the way, I don't think we're unique, I think most MSSPs do this, right? They get data from, you know, their consultants out there, their ethical hackers, their digital forensic investigators, their threat intelligence, right? And that is why
[00:26:53] oftentimes an MSSP is a lot more efficient in detecting threats than you are on your own, right? Because the MSSP is going to have
[00:27:07] data and resources available to it almost immediately that you may not have in your SOC, right? So, yeah, the sharing of data, the threat intelligence, you know, you never know what you don't know, obviously.
[00:27:20] I think those are the top things that come to my mind. Now, then, the other side of that is the education aspect of it.
[00:27:28] And that's always been an interesting struggle. We're getting better, but, you know, we still struggle with the end users. Well, Juan, you mentioned what I think is fascinating: you have that data, right, your intelligence reports and access to the pipes.
[00:27:49] I think, again, one of the attributes of people who do this for a living, we're hungry for that kind of input.
[00:27:55] With the avalanche of information that comes through, right, it's hard to know which ones are the great big ideas. So before we let you go today, because we could talk about this stuff forever,
[00:28:08] there's so much fascinating stuff, and I love those real-world examples. If you're thinking of it in the context of the actual reports that you guys put out there, the Data Breach Investigations Report that you've mentioned,
[00:28:23] I want to put that in the context of a segment that we often refer to as What Scares You, right? Because, again, the sky's always falling, there's always a new threat, there's always something going on out there, and we try not to be Chicken Little, but some stuff actually comes through. So, yeah, A, what are some of the big takeaways from the report this year, and B,
[00:28:47] which one of those actually makes you go, that one might actually be bad? I'll tell you the run-of-the-mill ones and then I'll get into, you know, a little bit more on that, but
[00:29:00] the rest of it, you know: ransomware, ransomware, ransomware. You'd be surprised
[00:29:05] how often companies simply are not ready to deal with a ransomware attack. It is going to happen to you. You know how we used to say there's only two types of companies: one company that has been breached and a company that doesn't know that it has been breached, right?
[00:29:17] It's the same thing with ransomware, it's only a matter of time, right? Either you've been a victim of ransomware or you're going to be a victim of ransomware yet again. And it's still little things like this, for example: should you have a crypto wallet
[00:29:29] as a company, right? And if so, for how much? What is your number, how much are you willing to pay? What is your timeline, how long are you willing to be offline, right? By the way, if we disclose, do we break any laws?
[00:29:47] And so there's all these things that people don't consider. When we're talking about ransomware, it's not just the attack itself, it's how you react to it that is actually more important.
[00:29:57] What scares me, though, two things. One of them is artificial intelligence, where now we're already starting to see some cases of folks using ChatGPT, against the rules, right, for example, to create malware. Okay, now,
[00:30:18] you know, it's been said that they're taking steps to ensure that it doesn't do nefarious activity, but I'm not asking it to create malware, I'm asking it to create me software that does this. It doesn't know any better.
[00:30:31] Right, I'm going to ask it to write some code in Python, and by the way, they do a decent job.
[00:30:36] Now, right now it's still very rudimentary, but it's going to get better, right? The malware that is coming out of these AI engines, it's not really good right now, but give it three years and we'll see, right? So that scares me. But let me tell you what scares me more than anything is
[00:30:56] The gap in personnel, okay. One of the reasons, I theorize, why we don't seem to be making as much progress as we think we should be...
[00:31:11] ...is because there is this vicious little life cycle. A CISO comes in, and he or she is going to do a maturity assessment to figure out what the gaps are, because, you know, they need to know, right?
[00:31:25] And they put together some kind of road map and kind of master plan, right? By the way, the CISO has, you know, a head count of 20, but only 11 of those are filled, and three of those are borrowed from another team, right?
[00:31:40] So they do the best they can with basically a skeleton crew, because there is no... you know, people leave easily, people don't stay in jobs anymore.
[00:31:49] And these are not either, right? So the average stay of a CISO is about 20 to 22 months, not even two years.
[00:31:57] I cannot tell you how often I go to a company or client and talk to a CISO, and if I go back two years later and the same CISO is still there, my first reaction is, oh my god, he's still here, wow.
[00:32:08] So what happens is, he or she comes in, you know, the new CISO comes in and says this is what we're going to do, and for the first 12, 13 months everything runs smoothly, right? We're going to put, you know...
[00:32:21] Verizon or any consultant came in and they did an assessment, here's what we're going to do, we're going to put the road map together, I need this much money and these many people, blah blah blah.
[00:32:29] Within 13 months, I should say, it dies off, it starts losing steam.
[00:32:34] Okay, and then 10 months later that CISO leaves, then there's another gap of two or three months before a new CISO comes in, and the new CISO comes in and he or she says, well, this is how we're going to do things, and they start all over again.
[00:32:47] Okay, so there's no consistency and there's no continuity, right? Is it a surprise then that we seem to somehow be losing the battle even though there's money being thrown at this?
[00:32:57] Right, because it isn't about the money, it's about the people, and when the people don't stay in one role long enough to even make a difference, you're going to have this kind of situation.
[00:33:07] So really that's what scares me more than anything else, more than AI. Eventually, AI, we will figure it out, right? You know, we have very smart people.
[00:33:16] They will figure out how to combat whatever AI comes at us with, but the idea... I read the number, and what is it, I think it's like 3 million jobs short in this industry, something like that, right? And that's not expected to abate in time, so...
[00:33:32] But yeah, that's why it's that little vicious life cycle of personnel, you know, it's a revolving door.
[00:33:38] By the way, all the way from the top all the way down to analyst, right? So there's no consistency, and that right there is what scares me.
[00:33:48] I think that is a fantastic point, and specifically to our audience, you people who are listening, our MSSPs, and Juan touched on this earlier.
[00:33:58] It is very likely, not just possible, it's very likely that your contract with a customer will actually span more than one CISO, right? This is a killer irony in the industry: you're the third party, you're the external service provider...
[00:34:15] ...and yet you are the one who has the continuity with that customer, with their environment, and that...
[00:34:22] That's a position of value and strength from which a service provider ought to be approaching and saying, I understand you're the new sheriff, I understand you want to bring in changes, let me show you, level set and baseline. Now let's figure out where you want to go.
[00:34:38] Sure, get that thing right away. Yeah, you're really good on that. When a new sheriff comes into town and they say, no, we're going to bring everything in house, for example, right? We see this all the time, right? It's too expensive.
[00:34:49] I don't want to do an MSSP, whatever the case may be, right? Then after about three or four months they realize exactly what you said, right, that that MSSP, that service provider, is the only consistent thing that's within the program.
[00:35:01] Right, and overhauling that thing is just not going to be worth it. You know, we see it all the time, you see it all the time, but you're absolutely right, oftentimes it is that service provider who is the glue that is holding it together.
[00:35:14] While there's this big, you know, revolving door of roles and CISOs, CIOs, you know, all of them.
[00:35:21] Which brings the whole conversation back full circle, right, talking about maybe, you know, overreactions to things, and, you know, maybe there are no real overreactions in security.
[00:35:33] But maybe one overreaction is, you know, a CISO coming in and immediately saying I'm going to change everything and get rid of the MSSP. That is an overreaction, because suddenly they realize, you know what, maybe that's not so wise.
[00:35:49] Sometimes they're brought in with that in mind, you know, somebody, the CIO, the CFO, is telling them, listen man, we're spending way too much money on that MSSP, you need to figure out how to, you know... so sometimes they come in really with their hands shackled already, right?
[00:36:04] But yeah, no, you're absolutely right, that is indeed an overreaction, but other than that, like you said, in terms of responding to threat intelligence, it's always better to overreact a little bit than certainly to underreact.
[00:36:18] And then have a situation like that ransomware attack that you were talking about. So thanks very much, Juan. I would also be remiss not to at least mention that...
[00:36:27] ...the next Verizon Data Breach Investigations Report, the 2023 version, I know will be coming out fairly soon. I know you can't really tell us much about it in terms of what we expect to see, but at least we'll give our audience a little bit of a heads up to keep an eye out for the next one.
[00:36:44] So yeah, coming out soon, in the next couple of weeks it should be out. All right, well, we'll keep an eye out for that, but in the meantime that's going to wrap up the first half of our show.
[00:36:54] But please return for the second half of our episode, which is going to feature our MSSP industry and market strategy topic of the week, the RSA conference: how to stand out on the show floor. That, plus our infosec news rundown and our Dear Cyber For Hire advice column segment.
[00:37:10] All coming up, so we'll see you in a moment on the other side.
[00:37:14] You know what's frustrating about managing security as an MSP? It's knowing that even after you've reviewed a system, firewall or endpoint to make sure it's secure, it can still change the next day and you might never find out. Let me tell you, that sucks.
[00:37:33] That's why I want to tell you about Liongard. See, some vendors talk about being a single pane of glass, but Liongard actually delivers. They pull data from over 70 systems, use automation to detect changes, and alert you about the things that matter via a ticket in your PSA.
[00:37:49] If you truly want to secure your customers, visit MSSP Alert dot com slash Liongard. Check it out for yourself or sign up for a demo today. All right, welcome back to Cyber For Hire, the managed security podcast, once again.
[00:38:03] I'm Bradley Barth with SC Media. In the first half of our show we talked about how reactive MSSPs should be when receiving any relevant and high-priority piece of threat intelligence. That conversation featured Juan Valencia at Verizon Enterprise Solutions.
[00:38:21] But right now I'd like to welcome back my co-host Ryan Morris from Morris Management Partners, because it's time for us to examine our MSSP industry and market strategy topic of the day. Presenting our big idea in business: the RSA conference, how to stand out on the show floor.
[00:38:39] Jugglers, magicians, giveaways, freebies: you can find plenty of commotion and distractions on the show floor at the RSA conference, or any major cyber convention for that matter.
[00:38:51] If you're a managed security service provider trying to sell your wares, it can be a challenge to distinguish yourself amid all the noise and chaos of events like these.
[00:39:00] This segment will offer tips and recommendations for making your customer impressions more memorable, so that you stand out from the rest of the crowd and your marketing message is not lost in the blur.
[00:39:09] At the same time, we'll also examine what questions savvy MSSP leaders should be, and likely will be, asking on the show floor as they hunt for the right vendor partner. So as always, Ryan, let's jump right into the heart of the matter.
[00:39:25] You know, when you first walk into that show floor, there are a lot of companies that are trying to make big, bold visual first impressions or give out swag and tchotchkes. They do demonstrations, they have mascots, huge signage.
[00:39:40] These are all attention getters and can maybe help burn a little bit more of an impression into the brains of attendees, but ultimately there does have to be some substance to what you're bringing to the floor, is that not true? So, you know, again, if you're an exhibiting MSSP...
[00:39:57] ...or an MSSP who's shopping for services, you know, you don't want to just be dazzled by the skin-deep, just the surface-level stuff. You really want to look for substance.
[00:40:14] I would agree with that, and it is more difficult than it's ever been, right? Like, I remember the very first time I went to one of these very big conferences in the industry as a young kid kind of coming into the industry.
[00:40:27] I was dumbfounded by the amount of money that was spent for a single three-day event, but I was also completely mesmerized by how aggressive and how, like, B2C-type the messaging was...
[00:40:41] ...that we would see in those kinds of environments. In fact, my very first day at my very first show, I was there with a vendor, we were exhibiting, and we were all assigned a time, and I showed up personally 30 minutes late for my booth shift at the exhibit that we were doing. It's not because I wasn't on prem...
[00:41:00] ...in time, it's that I literally got lost in the exhibit hall and couldn't find our freaking logo anywhere on the floor. What it says to me is...
[00:41:10] ...these shows are still a very effective and efficient way to centralize an audience, to aggregate interaction, and to get very fast through to the decision makers and the kinds of conversations that will turn into business decisions.
[00:41:25] That said, you need skills, right? You need skills on how to exhibit and sell your stuff, you need skills on how to attend and actually draw this stuff out.
[00:41:35] If I'm looking at it from the exhibitor's point of view, I will start with three things, and these are absolutely killer lessons that we've learned the hard way over the years. Number one: make sure every human who is in your exhibit actually knows what the heck we want to accomplish, right?
[00:41:52] Just to show up, have a conversation and say something inane like, hey, you guys having a good event, or what cool stuff have you seen out here?
[00:42:02] A, why am I paying for an airplane ticket to bring that person to the event, and B, what impression did I give to the person across the aisle? We need to go in with a strategy that says this is our message out.
[00:42:14] This is our call to action that we want to get back from the audience. Every human that's ever going to set foot in that booth needs to be schooled and tested that they can deliver the message and ask for the call to action. That is absolutely the first thing.
[00:42:30] The second thing that I would say is, stories sell, right? Your product is not what is interesting to people. Quite frankly, there is no way in a modern technology world that anybody is going to do...
[00:42:43] ...that anybody is going to see your booth, read your brochure, listen to your pitch and go, you know, that was such a good idea, I'm totally going to discontinue the tool I use in my stack and I'm going to download your stuff today.
[00:42:56] That absolutely won't happen. What will happen is for people to feel the human connection. Stories are the most effective way to get that across, and you need to have... while we are protecting the innocent in most situations, and we don't want to give away client names or specific vendor names when we're talking about bad stuff that's been happening out there in the world, be careful.
[00:43:19] But be human, right? Like we heard it just earlier when we were talking to Juan: a real company with a real location had an actual scenario, and there was a dollar figure attached to a bad decision that was made.
[00:43:32] There's a way to tell a story that brings out the need for your product, and if somebody actually says, you're right, I hadn't thought about solving that problem...
[00:43:44] ...can you tell me more about how to solve it? Then you might eventually get into your messaging, but the very best stories we have ever seen at one of these conferences...
[00:43:54] ...have absolutely nothing to do with the product that you are selling. It is the problem you are solving, and that's what should be on your billboard, that's what should be in your signage if you have a demo going on.
[00:44:06] It's not point and click and use your software. It is, as you always talk about, it's about tabletop exercises: here's a scenario, how will you solve this scenario?
[00:44:17] I legitimately don't know how to solve that, what would you recommend? Here's how we can help, right? That's a very important thing. Final one that I'll give you from an exhibitor's point of view:
[00:44:27] Verticalize as much as possible, right? Like, there's so much software, there's so many messages. Everything comes down to the business model of the person that is going to consume your software and the industry context that they work in every day.
[00:44:45] Whether it's an end user or a partner that's going to be adopting your stuff, when you're communicating about a horizontal, like, I can do ransomware...
[00:44:56] ...cool, you are the only one on the show floor at RSA who said that they could help me solve the ransomware problem, I am so glad that I found your booth in the middle of the hall. Now, right, everybody's talking horizontally; you need to talk vertically.
[00:45:11] Solutions for legal services, solutions for financial services, how to address the AI problem in DevSecOps when you're talking to software companies, right? Be vertical about the audience and people might actually go, that sounds like me.
[00:45:27] I'd like to hear more about what you can do for me. Horizontal product-based messages, I solve ransomware: sure you do, you do.
[00:45:38] Ryan, you know, there's a lot of people flowing in and out of every booth on the show floor. Sometimes face time can be a little limited with prospective clients; they may have a whole agenda of places they want to be able to visit.
[00:45:54] I love the idea of leading off with a compelling, riveting story to initially capture their attention. Once you do, and let's say they are interested and want to learn more about how to solve the problem, how then do you sort of cram in your meaningful...
[00:46:13] ...I will say, elevator pitch on the show floor, in the limited amount of time you have, to really sell across your differentiators? And then maybe, because your time is short, what can you maybe also do to reinforce the message?
[00:46:28] I think that's a great point for you to see what you're doing: follow up, giving out handouts or giveaways, or having some testimonials from some other customers, or other ways that they could maybe remember you after the fact.
[00:46:38] It's a great point, right? And the seasons of trade shows and conferences, they flow with some pretty universal themes, right? Like, a few years ago, if you wanted to get anybody's attention you had to give them, like, AirPods, and then it was portable batteries for your phone, and then it was portable music speakers, right?
[00:47:00] Those trends, you will notice, no matter how much money you put into the swag, that will absolutely not book a deal, right? Gone are the days where somebody will do the trade show special and we can go back in the back and we can negotiate this, and if I can get you to sign on the dotted line...
[00:47:20] Now, that doesn't happen anymore. What you need is to again define success and what the call to action is. The call to action is a one-to-one conversation somewhere other than the show floor, quite frankly, right? We learned this lesson in Las Vegas in the bowels of the convention center 20 years ago.
[00:47:39] You can't hear, nobody is listening, nobody's paying attention, they're always looking at the free t-shirt in the booth right next to yours.
[00:47:46] What you need is to get them out of that hall and have a serious conversation. That can be immediately: let's go out and grab a coffee. That can be a little bit later today: let's get back together and I will give you some more information. That could be in four days when they're back in their office and things are a little bit less chaotic.
[00:48:04] This is where I go back to that concept of scripting the message and getting people to understand brevity and focus, right? We actually worked, a number of years ago, on big booths for major manufacturers.
[00:48:19] And again, shocking amounts of money get spent on these exhibits, and, you know, the booth that has an upstairs and a private meeting room and all of that stuff, and a hundred thousand dollars for pens in a single week.
[00:48:34] If you don't get an actual conversation with somebody who's legitimately a decision maker, all you did was spend a lot of money on pens. In order to do this you've got to actually be willing and able to deliver a message and ask for a meeting in response.
[00:48:53] Again, tchotchkes make our industry go round. It's amazing to me, in no small fashion, how much you can get a senior executive to do with you in return for, like, a cool shirt with a logo.
[00:49:08] Like, that's unfortunately still the way things go, but what's behind that? I think there's a right way to do this, and we've coached...
[00:49:16] We actually developed a methodology years ago that we call Four Forces, and if you're curious about that, go to my website and learn a little bit more about it. But Four Forces is a structured way of delivering a message that is designed to cut through the clutter and actually get people to go, oh wait.
[00:49:34] That sounds exactly like me, what will you do to help me in that situation? You start by talking about them, because that's all they really care about. You move to their relationship with their customer, then you move to their competitors and talk about threat exposure.
[00:49:51] And finally you suggest a solution that you might be able to do. There's a lot more to it than that, but I can give it a very quick explanation there.
[00:49:59] You need to practice that, drill that, get it to the point where everybody in the booth is not just there talking about the weather and how much fun it is to be back in person, and I actually got on an airplane for the first time since the pandemic.
[00:50:13] Yeah, cool, thanks. What are we here to say? Who are we going to say it to? What are we going to ask them in response? And everybody goes with a KPI, right? Like, let's be as rudimentary as: you will have X number of conversations that yield Y number of actual engaged conversations that actually produce a number of follow-up opportunities.
[00:50:38] If you don't have those kinds of metrics associated with time on the show floor, everybody's going to go out there and go, man, I worked from seven in the morning until two the next morning.
[00:50:48] I talked to a gajillion people. Okay, well, how many leads did we get from that, and how much actual follow up? Yeah, you know, I'll get back to you on that.
[00:50:58] You know, attending the show as an exhibitor or as a guest, as an actual attendee...
[00:51:04] ...being there's not the point, getting the follow-up conversation is the point. Be vertical, be story oriented, and quite frankly let's actually have conversations with people that are associated with business outcomes, not with the feature function of our software.
[00:51:24] I know all the engineers that listen to us just got hives when I said don't talk about yourself, but that's not what people are here to hear about. They're here to hear about how you can solve a problem.
[00:51:36] So solve problems and tell stories about problems, don't talk about software. All right, so Ryan, this next question is going to be a two-parter, and you're going to see how we're going to so very naturally transition from talking about the exhibiting MSSPs to then...
[00:51:53] ...the MSSPs who are shopping for vendor partners. So here's my two-part question.
[00:51:59] If you're exhibiting, what kinds of questions should you be ready to field or answer on the spot from potential customers? And then, if you're shopping for vendor partners as an MSSP or other type of managed service provider...
[00:52:16] ...what should you be asking when shopping for vendor partners on the show floor? Yep, I see. So it's a great way to separate it, because it helps both of these sides inform the other side of the conversation, right?
[00:52:31] If I am an exhibitor, what I need to do is to understand the posture of my customers or potential customers according to their budget, their human resources, and their intention for strategy changes this year, right?
[00:52:48] Are you guys well staffed? Do you have enough humans to get things done? Are you actually investing this year, or facing budget reductions? Ironically, by the way, as an asterisk on that, cybersecurity budgets this year, in the most recent data that we've seen from the guys over at Gartner, just came out recently, and they said from a cybersecurity point of view something like...
[00:53:10] ...85% of customers still intend to spend more next year on cybersecurity than they did last year. That is in spite of the fact that there might be a recession, right? So you need to understand: do you have enough humans, what's your budget posture, and how set is your strategy?
[00:53:28] Do you have tools to execute, or are you still at that, I have a problem and I don't know how to solve it, what are your ideas? Okay.
[00:53:35] There's some qualifying structures that you can get into, and you need to understand: are these people just kicking tires, or are they actually here with money, with people to execute, and with the intention of going in a slightly different strategic direction?
[00:53:51] So, if any of those things is not true, you know, I'd love to have a conversation with you and discuss the trends of the industry, but that's not a commercial conversation, that's not something that's going to lead to an opportunity.
[00:54:02] So we need to be pretty specific about that. It is very possible to fill your pipeline in three days if you do it well on the show floor as an exhibitor.
[00:54:13] The other side of your question: everybody's selling, everybody's got a free panoramic t-shirt. I need to be able to get through to the integrative ability of solutions that I might be considering.
[00:54:26] Whatever it comes down to from a functional point of view, right? If you are MDR, if you are PSA, if you are actual security alert tools, whether you are targeted at a certain set of architecture or whatever.
[00:54:42] The common theme that you will notice across all of that is: does your stuff work with my stuff?
[00:54:49] If you introduce brand new technology and then you go, yeah, you know what, not good for that server platform, not compatible with that cloud platform, not something that is actually integratable at an API level with your operating tools at the PSA level...
[00:55:05] Every new piece of software you introduce to your environment without direct integration exponentially increases the complexity of the solutions that you are operating.
[00:55:17] Everything begins with the compatibility of the tools we consider with the stack we already have. You've heard me say in the past, don't be a prisoner to standardization and stick with your stack for too long, right?
[00:55:32] That's still my general advice: be open to change, this is our industry, we're out there looking for ways to advance the art form and be better at what we do.
[00:55:43] But everything comes back through the world of, yes, is this going to be an isolated instance that I will stand up against my customer set that does not integrate with all of my other existing tools?
[00:55:56] You've got to be the world's most magical piece of software for me to even consider that in an operating environment. So that's the first filter that I would go through, and the second filter that I would add from a shopper's point of view:
[00:56:09] Okay, talk to me about implementation, ramp up, and pre-sales or pre-go-live support, right? If you sell me software and the way you do tech support is, yeah, we've got a bot over there on our website and you can ask it FAQs, but, you know, we don't actually have humans that you can talk to...
[00:56:30] ...cool, thanks, you let me know when you guys grow up and join the grown-up world of software vendors. If you don't have a human I can talk to about...
[00:56:38] ...how I integrate your software, how I can test that POC to make sure I'm actually getting real live results from it, how I might do the cutover and go live with your software in my environment...
[00:56:50] ...I need humans, right? Like, if you don't have a staff that can support me, then my answer is, you guys keep working on your tool, we'll come back around in a little while when you have actual real-world implementation capabilities.
[00:57:04] Yeah, so Ryan, as a quick follow up to that then, with the last minute or two that we have here, I just want to ask: what in your mind are the biggest telltale signs that you, as an MSSP shopper on the show floor...
[00:57:23] ...are talking to a vendor right now that's basically selling you nothing but fluff and fun, versus actually making a meaningful case that they can be...
[00:57:37] ...a valuable addition to your vendor ecosystem? Sort of give me, like, the biggest telltale sign. You can take it from a positive or negative perspective, that you're dealing with someone who actually knows what they're talking about and...
[00:57:53] ...could be a good fit for you, versus a vendor that's just basically making a lot of noise on the show floor. Yeah, that's a great point, because we do ultimately have to have our BS detectors up and be able to actively filter the messages we receive.
[00:58:09] I'll go with two things. Number one, if it's all end-customer messaging, you need to be very careful about engaging that company as a service provider, right? Like, if they don't have custom messaging targeting service provider partners...
[00:58:27] ...if they don't understand the business model of an MSSP, if they don't understand how sell-to versus sell-through works...
[00:58:35] ...if all they're doing is saying end customers need this, end customers need that, and they don't understand how it integrates to my stack, how I amplify their tool into my install base, and then how I need to service that stuff in the real world...
[00:58:51] ...if everything you see in their booth is end-user messaging, everything you hear is suspect, because they might have great software, but if they don't know how to work with you as a service provider...
[00:59:03] ...they're going to introduce more problems to your environment than solutions, right? No matter how cool the software might actually be from a functional point of view.
[00:59:11] The second thing that I would be focused on is talking about, again, the horizontal versus the vertical implementation of these kinds of things, right?
[00:59:23] If the stories that I'm hearing are all about technical functionality, like, here's an exploit, here's how we help you solve that, here's a situation, here's how we can help you solve that situation...
[00:59:35] ...if they don't also understand the impact on my help desk, my sales cycle, my post-implementation customer success and support responsibilities, if all they do is say here's an exploit and here's how we can help you solve it...
[00:59:53] ...that's cool, that's really nice, that's like saying, here's a really sharp knife, wouldn't you like to adopt it in your restaurant?
[01:00:03] That's not what I'm actually paying attention to. I'm focused on, okay, how do I train my chef to use that knife, how does it implement into my kitchen environment, will it actually accelerate the preparation of food...
[01:00:17] ...so I can deliver better outcomes to customers who don't want to sit around for an extra 10 minutes? If they can't talk to you about the implementation in your world... right, because again, there is absolutely no shortage of cool software.
[01:00:33] I think the good news we can take away from RSA: hey, everybody got back on airplanes after the pandemic, they're going out there, right? That's nice.
[01:00:41] There is innovation galore, there are literally thousands of new vendors that you and I have never even heard of, and they're bringing good thinking and good engineering into the problems that need to be solved. That's great, the industry is vibrant, I see a ton of really good software.
[01:01:01] But, you know, my mantra from the very beginning of this show: software will never solve the problem. It requires the human implementation and delivery of service using software before we can ever get anywhere.
[01:01:17] So let's be excited about the fact that there's cool stuff out there. Take a great big reusable grocery bag with you and collect all the swag you possibly can carry. But be very keen on your business model and the implementation, because good software will never make you profitable.
[01:01:37] All right guys, that's our conversation about the RSA conference. I'm sure you guys have all kinds of stories, the battle stories, the good news, the bad news...
[01:01:48] ...the best tchotchke you ever picked up at this conference. We'd love to hear about that and keep this conversation going, so please let us know what your feedback is on how to do conferences effectively.
[01:02:02] We would love to hear that kind of stuff. Cyber for hire at cyberriskalliance dot com is our inbox, and we would love to keep that conversation going.
[01:02:13] At this point we're going to shift into the next part of our conversation, and before we get into our news items we want to do our segment that we call Dear Cyber For Hire.
[01:02:24] Now, this is a situation where we get to be the relationship counselor and look at the real-world problems and opportunities that exist in the relationships between MSSPs and their end customers.
[01:02:37] Now, sometimes things go wrong, and so we're always going to anonymize the details so we can protect the innocent, but make no mistake...
[01:02:44] ...the situation that we're talking about here is a real-world problem, and so we want to get the details on that. Bradley, what do we need to know about relationships in the MSSP space today?
[01:02:59] All right, well, I'm going to tell you, Ryan, because we're back with even more juicy MSSP melodrama, and this one comes from the provider side of the relationship. So, fellas, cue the music. Dear Cyber For Hire:
[01:03:14] Everybody's got that one friend who just can't help but be a third wheel, putting a strain on your relationship. You know who I'm talking about: they drop by uninvited, raid your fridge, butt into your business, and then, you know...
[01:03:29] ...send marketing communications to your customers without giving you a heads up. Okay, let me rewind for a moment. I'm an MSSP with a vendor partner who never seems to give me advance warning when they decide to announce a product update or a change in their pricing structure.
[01:03:47] Next thing I know, customers are calling me up asking how these developments affect them or when they should expect to benefit from this latest version. Honestly, a little forewarning would be nice. How do I get this third wheel, I mean third party...
[01:04:04] ...to exercise a little discretion, and how do I reset my customers' expectations when the vendor gets them all worked up? Sincerely, Blindsided and Bewildered by Babbling Big-Mouth Business Partners in Birmingham.
[01:04:21] Ryan, this time it actually sounds like the MSSP's beef is really more to do with the vendor than the client. So, first time we've tackled this type of conflict for a Dear Cyber For Hire. What are your thoughts?
[01:04:35] So my thoughts are, no matter how good we are as service providers in managing the relationships with our customers, finding them, engaging them, winning them, managing those relationships on the customer side,
[01:04:50] It is vital that we have an equal level of professional control in the other direction into our supply chain.
[01:04:57] I think we often overlook the impact that vendor tools, vendor channel programs, vendor marketing communications can have not just on us internally but also on the relationships that we have with our end users. So I think this is a very big deal.
[01:05:15] I want to give a little bit of grace to the vendor side here for a second. I understand the problem with embargo management, right? Whether we're in the Marcom world, in the public relations world, in the journalism world.
[01:05:31] We all understand there's this thing where I have an announcement and I want to tell you so that you're prepared to pass it along. But I need you to promise not to leak it through until the moment when I'm actually ready to do that.
[01:05:45] If vendors live in that world and if they give too much advance warning to their channel partners about new products, new programs, new pricing before they're ready to roll that stuff out, it's amazing how direct the impact will be on sales delay, right? Think about it like this.
[01:06:04] I'm going to an MSSP, and you run my tools in your stack. And I come out and I say, hey guys, in 90 days we're going to come out with version X, beyond what is currently capable.
[01:06:16] And it's going to give you the following internal benefits and the following customer-facing benefits. These things will make your life better. We really want you to adopt this in your operation.
[01:06:29] And for 90 days I might look at my pipeline and go, see, I'm going to stop selling what I'm selling of yours right now.
[01:06:38] And I'm going to wait until the cool stuff is out, because I don't want to get that pushback from my customer where they come back and go, dude, you sold me the old-fashioned version. Why didn't you wait until the new one?
[01:06:49] I understand that that's going to be a problem. If I notify you too soon, I'm going to cause sales delay.
[01:06:56] If I notify you too late, I'm going to cause that call from the customer, where the customer knows more, and often sooner, than the service provider does about the new capability or the new update to the product family. And that just makes the solution provider look dumb, right?
[01:07:14] You can imagine you're the customer and you read this article that says brand new capability from XYZ vendor, and you go, that's a logo I recognize. That's deployed in my environment.
[01:07:25] I'm going to call my friendly service provider account manager and I'm going to say to them, hey, I just read this article about something that you guys provide to us. Well, what's the ramp-up process? What do we need to do?
[01:07:37] And you get the response back from your account manager like, I don't know what you're talking about. I haven't read that article. I don't know. Okay, that's a massive impediment on credibility, and so it causes huge problems.
[01:07:53] How soon is too soon? How late is too late? It's a juggling act and so I get it that it's difficult. But being difficult does not mean that it's okay to make end user announcements before you notify your channel partner, right?
[01:08:09] If I'm a product reseller and you do that, where you notify the end user and they call me and ask for the new version of a piece of hardware or software in the resale conversation, that's inconvenient, right? I don't want to be the last one to know.
[01:08:24] In a service provider environment, where I ingest your tools and I use them to provide my services to my customers, that's not just inconvenient. That prior warning to the end customer, that's not just inconvenient, that's existential.
[01:08:40] That has the potential to make me not credible with my customers. That's not cool, right?
[01:08:48] There has to be prior warning and it has to be systematic. I don't know what the magic number of days of forewarning is, but I do know it is absolutely incumbent on the vendor
[01:09:00] to notify your partners first, give them the heads up, secure the acknowledgement that, like, you heard my announcement, right? I made an announcement. You know that this is coming. Your customers are going to be calling about this. Let's make sure we're on the same page.
[01:09:18] That's job description fundamentals on the vendor side, not on the service provider side. All right, excellent, great advice as always, Ryan, another relationship saved. Hopefully our listeners have learned from this and don't make the same mistake.
[01:09:37] And remember, if you've been struggling with your managed security services relationship, whether you're the user or the provider, we want to hear from you. So please write to us at cyberforhire at cyberriskalliance.com and we might use your letter in a future episode.
[01:09:52] All right, and in the meantime, as any security practitioner can tell you, there's no shortage of headlines filling up the cyber news feeds every single day.
[01:10:00] And so we wanted to highlight a few items that we curated just for you in this lightning round that we call the security detail. And Ryan, as always, we'll begin with you. Headline number one: 17 House members affected in a DC health insurance provider breach. Tell us more.
[01:10:19] So you know, we often ask that question: what will it take for our government to actually understand the significance of the cybersecurity question
[01:10:29] and do something about it, right? We often wonder whether our elected representatives pay attention to cybersecurity, whether they're educated enough to understand the modern dimensions of cybersecurity. That's still an open question, right?
[01:10:45] But we often ask that question, what would it take to get them to take it seriously? Unfortunately, I think we might know the answer. And the answer comes in this case in the form of actual members of Congress and their aides, and here's another one.
[01:11:02] The next layer, their children or dependents, were actually affected, their data hacked and captured and then exposed out into the world. The insurance marketplace is called DC Health Link, and it is a place that serves very many customers, right?
[01:11:22] They suffered a breach, and that breach yielded a certain amount of data from customers. And that has now been published back to those members of Congress in many cases, right?
[01:11:35] The data that we see: 43 family members of House lawmakers and 231 dependents of their staff members were among the affected. If you're a member of Congress and your child's social security number, private identifiable health information, et cetera,
[01:11:56] if that stuff gets launched off into the dark web, do you think maybe you're going to take that a little bit more seriously than you have in the past?
[01:12:04] I hope so, because if that's not the trigger that causes you to take it seriously, I'm not quite sure what it will be. So bad news, potentially good news in the attention span of our elected representatives.
[01:12:18] Headline number two, Bradley, let's move this one back to you: supply chain attack begets a second supply chain attack. Oh, what do we need to know?
[01:12:28] Yeah, well, this is just to give you a sense as to how dangerous the reach and ripple effect of supply chain attacks can be.
[01:12:35] Researchers from Mandiant have reported that they discovered the vector through which malicious actors last month were able to compromise the 3CX enterprise business communications app for desktop machines, such that it then distributed
[01:12:52] trojanized versions of the software to customers who downloaded it from the company's website. As it turns out, 3CX was itself infected through a previous supply chain attack, when an employee downloaded onto their PC a weaponized stock trading application.
[01:13:14] The computer was then infected with a backdoor that allowed the adversaries to steal their company credentials and use them to gain access to 3CX systems and eventually move laterally into its Windows and macOS build environments.
[01:13:31] This particular incident has been linked to financially motivated North Korean threat actors, or at least that's the attribution
[01:13:43] that Mandiant has given with moderate confidence. And just a final note on this: Mandiant reports that it's the first time that it's been aware of one software supply chain attack directly leading to a second one.
[01:14:01] And so headline number three goes back to you there, Ryan: Georgia National Guard to recruit high school students via phone location tracking. So I understand that our all-volunteer military is built on the premise of our armed forces being able to connect with and actually recruit interested individuals.
[01:14:25] You know, like when we went to school, we got those kinds of brochures in the mail, we got those kinds of in-person visits in an assembly where the recruiter from the Army showed up and talked to you about what your career options were, right?
[01:14:38] We understand that needs to happen, and I have absolutely no problem with that happening, because it's essential to the structure of our military.
[01:14:46] However, in the case of the Georgia Army National Guard, they have put out an actual RFP into the procurement system asking for providers who can help them use geolocation on private cell phones to identify and target their messages through to high school students.
[01:15:06] Now, the way that they've presented this is: we won't go after anybody who's not 17 or a high school senior, and we won't go after anybody
[01:15:16] that has any other private information that might be disclosed by this. And yet the way that they've designed their protocol for this implementation is they're going to just basically place a geofence of a one-mile radius around each high school.
[01:15:35] What's within a mile of an average high school? I don't know; in many cases, a junior high school, an elementary school, a daycare, a public swimming pool, places where people gather.
[01:15:48] And you know what I know doesn't come with geolocation data when my cell phone enters that fence? Any information about how old I am and whether or not you should target my phone because I happen to be a 17-year-old high school senior,
[01:16:02] not a 16-year-old high school junior. I get where they're coming from, but this has tremendous problems associated with the privacy and the implications of targeting youth in their recruiting messages.
[01:16:19] Whether this was the Army National Guard or a for-profit corporation, I think all of us would have some issues with this kind of geotracking
[01:16:28] and the way that it can be used to reverse engineer the identification of specific individuals based on their behavior, their location and their timing patterns.
[01:16:39] So this one, it jumped out at me as a great big red flag that says a service provider might need to reach out via this RFP process and say, I'm not just going to respond and offer you my services.
[01:16:52] I'm going to help you edit your protocol so that what you're buying is something that does not violate the privacy and security of all the citizens who happen to ever venture within a mile of a high school. Big issue. Okay, headline number four, Bradley, back to you.
[01:17:11] iPhone spyware scare highlights dangers of zero-click exploits. What's up? All right, well, researchers from Citizen Lab and Microsoft found at least five people who were hacked via a zero-click exploit that's called ENDOFDAYS.
[01:17:28] The exploit leverages backdated iPhone calendar invitations to automatically and silently enter the phone without any user interaction or notification,
[01:17:38] and then infect the device with spyware from an Israeli surveillance slash spyware firm. For a non-zero-click exploit to take hold, a victim typically must first visit a compromised website or download a weaponized application.
[01:17:54] You know, user activity, especially on personal devices, can be especially difficult to track, monitor and enforce.
[01:18:01] You know, one expert that spoke with SC Media suggested that companies remind employees within their organizations, or, if you're an MSSP, remind your clients' organizations, not to visit any strange websites, and for that matter don't download unapproved applications onto corporate-controlled devices.
[01:18:23] If you think you might be the target of corporate or nation-state espionage, consider tightening security on mobile devices using MDM policies or features like Apple's Lockdown Mode.
[01:18:35] By the way, CTech just reported that the very same Israeli spyware firm behind the exploit and the malware is now closing up shop, with this latest controversy serving as the final straw of sorts that sealed the company's fate.
[01:18:54] And so with that, that brings us to drum roll please.
[01:18:59] Our irrelevant news item of the week. This is a real news pitch that Ryan or I have received in our inboxes for reasons that are entirely inexplicable to us. Are you ready for the latest one of these, Ryan? Always ready.
[01:19:15] Well, I think this one would be good for the RSA crowd actually, since this new attraction just opened up yesterday as of the airing of this episode, and it goes a little something like this.
[01:19:29] Whether you live in San Francisco or are just passing through, come work alongside other digital nomads at our brand new Expensify high-rise lounge in the heart of the financial district. Indulge in fabulous espresso drinks, craft cocktails
[01:19:44] and astonishing views. Just show up, sign into Wi-Fi, and a concierge will deliver drinks to your seat. Now, first question off the bat, Ryan, is: would that be the unprotected public Wi-Fi that we were just talking about? Because if so, that's a no right there. Well, you know, then it continues: think of it like a high-end airport lounge meets co-working space,
[01:20:08] optimized for like-minded individuals. Coffee in the morning, cocktails at night, or the reverse, no judgment, they say. Now actually, I might know why I got this email: our company used to subscribe to
[01:20:19] Expensify. So I'm not entirely sure if this cafe requires an Expensify membership or not, but the story behind it, apparently, from this messaging that I received, is that while Expensify started in San Francisco,
[01:20:33] they've been hiring remote workers for over a decade, and over time some of the San Francisco-based workers saw this and they also began moving elsewhere to get out of the San Francisco market. So to prevent the office space from just becoming a full-on ghost town,
[01:20:48] Expensify started thinking about how it could make its office location more alluring, and noticing that some of its former San Francisco workers had moved off to all these far-flung locations where they were working out of cafes,
[01:21:02] they decided, all right, let's make our own high-rise office cafe. So you know, Ryan, I work from home, but when I did work in our office
[01:21:11] I was always a guy who notoriously loved to get outside of my cubicle or my little office. I'd end up doing a working lunch in a restaurant, or I'd find, like, the lounge and work on a sofa.
[01:21:22] Like the thing on me was, the intel on me was like, if you're looking for me, the last place to look for me would actually be my normal desk.
[01:21:30] But you know, listen, remote work isn't going away. So do you think this is, like, the new formula to justify still having an office space, Ryan? Just, like, inviting strangers into your building for food and drink and other amusements?
[01:21:44] You know, like what's next, like an office space slash bed and breakfast? Yes. Well, A, it's a yes, that's next, and B, it's already in development, and there are places where you can rent a,
[01:21:59] we will call this a Tokyo-style accommodation, meaning that there's a public kitchen and a public bathroom and your sleeping accommodation is like a tube in the wall where you can actually get in. That stuff's actually out there.
[01:22:15] I find it very interesting from the perspective of Expensify. My first question for these guys would be: are you located within walking distance of the convention center in downtown San Francisco? Because if you are, you're about to be oversold for capacity during the RSA.
[01:22:33] Absolutely a good opportunity, but to your point, right, you've always been an office worker who loved to get out. I haven't had a full-time office in a building for more than 25 years.
[01:22:47] Right, like I have been either a field-based person, a remote worker for a large corporation, a guy who owned a territory and was responsible for a far-flung team across geographies.
[01:23:00] I was working in the remote environment long before the pandemic, and I think that the benefits associated with this kind of work have almost nothing to do with that recent phenomenon, right?
[01:23:13] It's a question of access to good staff no matter where they live. It's a question of the financially responsible thing to do with your real estate investments on the corporate side. There are many conversations to be had.
[01:23:28] If they don't do anything else, I think espresso is going to make it a little bit more interesting; cocktails will ramp up that interest a little bit more.
[01:23:37] You know what would really make it an interesting value proposition? A hardened cybersecurity environment that gives somebody the confidence that when you come in here, you're in the safe bubble and you don't have to worry, provided you don't click on stupid stuff, right?
[01:23:54] Like, if you can give me cocktails, thanks. If you could give me a hardened cybersecurity environment where I could work when I am not within my corporate four walls, that's a very interesting value proposition. So I would indicate to maybe the Expensify guys,
[01:24:14] I'd like that in your press release, right? If it's not true, solve it. If it is true, you should maybe make that the headline. But I will say, you know, the story about the WeWork model, right? Like you've seen the documentary. Yeah, you understand.
[01:24:32] For as sensationally as that situation crashed and burned, for reasons, right? It was still a very, very, very good business model. I still think fast forward a couple of years and you're going to find more of these co-working spaces that are professionalized
[01:24:53] than you ever have seen before. Maybe they weren't the right shepherds to bring that concept to market, but it is the right concept. So I just hope this one's located in
[01:25:06] walking slash stumbling distance of the Moscone Center. Yes, well, they did mention the financial district is the location, so not too far. Yes, so you know, if anybody who's listening from the RSA show wants to drop by this high-rise cafe,
[01:25:27] you know, we'd love to hear from you. Give us a report: was it any good? You know, I'd be curious to know just exactly what the vibe is there, and do they have good cybersecurity, because I agree that would be a big differentiator.
[01:25:40] But you know, with that it looks like we've run out of time, Ryan, so we're going to have to wrap things up. But do not worry, we will be back again soon for episode number 19.
[01:25:50] Meanwhile, feel free to check out even more cybersecurity podcast content on the SC Media, MSSP Alert and ChannelE2E websites. Until next time, I'm Bradley Barth, and I am Ryan Morris. Please reach out to us via our show page or our email address,
[01:26:06] cyberforhire at cyberriskalliance dot com, with your comments, questions and insights about the business of cybersecurity, and then we will be happy to keep this conversation going on the next episode of Cyber For Hire, your inside source for cyber outsourcing.
